Re: Adding Vendor Specific Attribute to the Access-Accept
Sorry for the late reply. I found the reason why the attributes I added were not included in the reply list. Those attributes are used by the server internally (range 1000-1199); they do not go to the reply attributes list. When I tried the attributes from other vendors like 3Com it worked: the reply attributes were included in the Access-Accept message.

My new question is: can you suggest an attribute that I can use to internally control access to features in my application? I planned to use User-Category and define a list of categories that can only access certain features. But since this is not listed in the reply attributes list I cannot use it.

Regards,

From: Josip Almasi j...@vrspace.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thu, April 28, 2011 8:28:10 PM
Subject: Re: Adding Vendor Specific Attribute to the Access-Accept

> normal ozone wrote:
>> Hello, I want to be able to receive the Vendor Specific Attribute that I set in a user. For example I added the following attribute to my user using daloradius:
>>
>>   Vendor: dictionary.freeradius.internal
>>   Attribute: User-Category
>>   Value: MyCategory
>
> Better check dictionary file.
>
>> In the Oreilly Manual it mentions that Access-Accept can send Optional attributes. Is there a way to setup freeradius so that this attribute can be included in the Access-Accept message?
>
> Sure, just add them to users file, same as any other attributes. FR will complain if you add some attributes which are not in the dictionary.
>
>> By the way I'm using the installer version of freeradius for my radius server. And my radius client is also a pc (I use a java library named TinyRadius)
>
> I use TinyRadius too, mighty fine.
>
> Regards...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mikrotik-Rate-Limit issue
The value for my test user is the following:

  512k/2048k 512k/2048k 192k/960k 8/8 1 128k/128k

The Mikrotik documentation says:

  Mikrotik-Rate-Limit - Datarate limitation for clients. Format is:

    rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]]

  from the point of view of the router (so rx is client upload, and tx is client download). All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, the rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot exceed the rx-rate and tx-rate values.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Mikrotik-Rate-Limit-issue-tp4363178p4364161.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
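The Mikrotik format quoted above is exactly the kind of value that gets typed into radgroupreply by hand, and a malformed string only shows up as a rejected user later (see the "Invalid octet string 2M/2M" thread further down). The following parser is an added example, not code from the original post or from FreeRADIUS or Mikrotik: it implements the documented grammar and its defaults so a value can be validated before it is stored. The `RateLimit`, `parse_rate_limit` and `is_valid_rate_limit` names are mine; treating burst-time and priority as plain integers without a k/M suffix is an assumption, since the documentation only attaches the suffixes to rates.

```python
"""Parse and validate a Mikrotik-Rate-Limit value against the documented format."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Rates are integers with an optional 'k' (1,000) or 'M' (1,000,000) suffix.
_RATE_RE = re.compile(r"^(\d+)([kM]?)$")
_MULT = {"": 1, "k": 1_000, "M": 1_000_000}


def parse_rate(token: str) -> int:
    """'512k' -> 512000, '2M' -> 2000000, bare digits -> the number itself."""
    m = _RATE_RE.match(token)
    if not m:
        raise ValueError(f"bad rate {token!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_int(token: str) -> int:
    """Burst time (seconds) and priority: plain integers, no suffix (assumption)."""
    if not token.isdigit():
        raise ValueError(f"bad integer field {token!r}")
    return int(token)


def parse_pair(token: str, parse: Callable[[str], int] = parse_rate) -> Tuple[int, int]:
    """'rx[/tx]' -> (rx, tx); when tx is omitted the rx value is used for both."""
    parts = token.split("/")
    if len(parts) > 2 or "" in parts:
        raise ValueError(f"bad rx/tx pair {token!r}")
    rx = parse(parts[0])
    tx = parse(parts[1]) if len(parts) == 2 else rx
    return rx, tx


@dataclass(frozen=True)
class RateLimit:
    rx_rate: int
    tx_rate: int
    rx_burst_rate: int           # 0 when no burst field was given
    tx_burst_rate: int
    rx_burst_threshold: int      # defaults to rx_rate / tx_rate
    tx_burst_threshold: int
    rx_burst_time: int           # seconds, default 1
    tx_burst_time: int
    priority: Optional[int]      # 1 (highest) .. 8 (lowest), None if omitted
    rx_rate_min: int             # defaults to rx_rate / tx_rate, may not exceed them
    tx_rate_min: int


def parse_rate_limit(value: str) -> RateLimit:
    """Split the six optional fields and apply the defaults from the documentation."""
    fields = value.split()
    if not 1 <= len(fields) <= 6:
        raise ValueError(f"expected 1 to 6 fields, got {len(fields)}")
    rx, tx = parse_pair(fields[0])
    burst = parse_pair(fields[1]) if len(fields) > 1 else (0, 0)
    thresholds = parse_pair(fields[2]) if len(fields) > 2 else (rx, tx)
    burst_time = parse_pair(fields[3], parse_int) if len(fields) > 3 else (1, 1)
    priority: Optional[int] = None
    if len(fields) > 4:
        priority = parse_int(fields[4])
        if not 1 <= priority <= 8:
            raise ValueError(f"priority {priority} outside 1..8")
    rate_min = parse_pair(fields[5]) if len(fields) > 5 else (rx, tx)
    if rate_min[0] > rx or rate_min[1] > tx:
        raise ValueError("rx-rate-min/tx-rate-min may not exceed rx-rate/tx-rate")
    return RateLimit(rx, tx, *burst, *thresholds, *burst_time, priority, *rate_min)


def is_valid_rate_limit(value: str) -> bool:
    """Boolean check suitable for validating a value before it is stored in radgroupreply."""
    try:
        parse_rate_limit(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(parse_rate_limit("512k/2048k 512k/2048k 192k/960k 8/8 1 128k/128k"))
    print(is_valid_rate_limit("1M 2M 1M 1 1 2M"))   # rate-min above rate: False
```

Note that a value this parser accepts can still be rejected by the server, as the "Invalid octet string" error later in the archive shows: that error is about the attribute being unknown to the dictionary, not about the value's syntax.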
Re: Adding Vendor Specific Attribute to the Access-Accept
normal ozone wrote:
> I found the reason why the attributes I added were not included in the reply list. Those attributes are used by the server internally (Range: 1000-1199). They do not go to the reply attributes list.

  This is documented, yes.

> My new question is can you suggest an attribute that I can use to internally control access to features in my application? I planned to use User-Category and define a list of categories that can only access certain features. But since this is not listed in the reply attributes list I cannot use it.

  You need to use a vendor-specific dictionary. See the existing dictionaries for examples.

  Alan DeKok.
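The reason an internal attribute such as User-Category can never appear in an Access-Accept, while a vendor-specific one can, is visible in the wire format. The following encoder is an added example, not code from the thread or from FreeRADIUS or TinyRadius: a RADIUS attribute Type is one octet, so numbers in the 1000-1199 range have no encoding at all, whereas a vendor attribute travels inside Type 26 (Vendor-Specific, RFC 2865 section 5.26) as Vendor-Id plus a vendor type/length/value. The vendor id 32473 is the enterprise number reserved for documentation (RFC 5612), standing in for a real vendor; the function names and the single-sub-attribute layout are assumptions of this example.

```python
"""Encode and decode a RADIUS Vendor-Specific attribute (RFC 2865 section 5.26)."""
from __future__ import annotations

import struct
from typing import Tuple

VENDOR_SPECIFIC = 26
# Enterprise number reserved for documentation (RFC 5612); not a real vendor.
EXAMPLE_VENDOR_ID = 32473


def can_go_on_wire(attr_type: int) -> bool:
    """A RADIUS attribute Type is a single octet, so only 1..255 can be encoded.

    Server-internal attributes (the 1000-1199 range mentioned in the thread)
    fail this check: they exist for server-side policy, not for the packet."""
    return 1 <= attr_type <= 255


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1) | Length (1, includes the two header octets) | Value."""
    if not can_go_on_wire(attr_type):
        raise ValueError(f"attribute {attr_type} cannot be encoded in a RADIUS packet")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Id (4) | Vendor-Type (1) | Vendor-Length (1) | value, wrapped in Type 26."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must fit one octet")
    if len(value) > 247:  # 253 - 4 (Vendor-Id) - 2 (vendor type/length)
        raise ValueError("vendor value exceeds 247 octets")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def decode_vsa(blob: bytes) -> Tuple[int, int, bytes]:
    """Inverse of encode_vsa for the one-sub-attribute layout used above."""
    if len(blob) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    attr_type, length = struct.unpack("!BB", blob[:2])
    if attr_type != VENDOR_SPECIFIC or length != len(blob):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    (vendor_id,) = struct.unpack("!I", blob[2:6])
    vendor_type, vendor_len = struct.unpack("!BB", blob[6:8])
    if vendor_len != length - 6:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vendor_type, blob[8:length]


if __name__ == "__main__":
    # "MyCategory" is the value from the thread; here carried as a vendor attribute.
    vsa = encode_vsa(EXAMPLE_VENDOR_ID, 1, b"MyCategory")
    print(vsa.hex(), decode_vsa(vsa))
```

The same check explains Alan's answer: to carry a category to the NAS, define it under a vendor block in a dictionary file, and the NAS must be built to read that vendor id; a value the NAS does not understand is simply ignored on its side.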
Re: Mikrotik-Rate-Limit issue
speedlnx wrote:
> Hello, i'm migrating from freeradius 1.x to freeradius 2.1.10 on debian. I've replicated all the configuration i have on the old radius to the new and I imported a dump of the mysql database on the new mysql server, but i've an issue when i try to authenticate my users:

  Edit /usr/local/share/freeradius/dictionary

  Add a line

    $INCLUDE dictionary.mikrotik

  Alan DeKok.
Re: freeradius 2.1.10 WARNING: Internal sanity check failed
I have grabbed the 2.1.11 from git.freeradius.org, and unfortunately I get the same warning:

  Debug: WARNING: !!
  Debug: WARNING: !! EAP session for state 0xc729a88ac72ab1dd did not finish!
  Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
  Debug: WARNING: !!

I have tried with several EAP types, such as PEAP-MSCHAPv2, TTLS and TLS, with Windows, Cisco and Intel supplicants, and always get the same warning. I always install the CA on the Windows client, even the server.crt and server.p12, with no success. Has anyone faced this issue? Thanks a lot.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-sanity-check-failed-tp3340058p4364390.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
ERROR in the EAP/PEAP test of eapol_test
Hi!

I meet an ERROR in the test of EAP/PEAP.

  radtest sqluser 123 localhost 1812 testing123

is OK. I just deleted the # before 'eap' in radiusd.conf and the default files. The test:

  eapol_test -c peap.txt -s testing123

My peap.txt is:

  network={
      eap=PEAP
      eapol_flags=0
      key_mgmt=IEEE8021X
      identity="sqluser"
      password="123"
      ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.pem"
      phase2="auth=MSCHAPV2"
      anonymous_identity="anonymous"
  }

The result is (too long, I cut it; all the messages which contain 'fail' and 'warning' are here):

  rad_recv: Access-Request packet from host 127.0.0.1 port 40004, id=0, length=126
          User-Name = anonymous
          NAS-IP-Address = 127.0.0.1
          Calling-Station-Id = 02-00-00-00-00-01
          Framed-MTU = 1400
          NAS-Port-Type = Wireless-802.11
          Connect-Info = CONNECT 11Mbps 802.11b
          EAP-Message = 0x020e01616e6f6e796d6f7573
          Message-Authenticator = 0x028746a6804037ea96543cd3853748ca
  # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default
  +- entering group authorize {...}
  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
  ++[digest] returns noop
  [suffix] No '@' in User-Name = anonymous, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  [eap] EAP packet type response id 0 length 14
  [eap] No EAP Start, assuming it's an on-going EAP conversation
  ++[eap] returns updated
  ++[files] returns noop
  [sql] expand: %{User-Name} -> anonymous
  [sql] sql_set_user escaped user --> 'anonymous'
  rlm_sql (sql): Reserving sql socket id: 3
  ……
  [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
  ++[pap] returns noop
  Found Auth-Type = EAP
  # Executing group from file /usr/local/freeradius/etc/raddb/sites-enabled/default
  +- entering group authenticate {...}
  [eap] Request found, released from the list
  [eap] EAP NAK
  [eap] EAP-NAK asked for EAP-Type/peap
  [eap] processing type tls
  [tls] Initiate
  [tls] Start returned 1
  ++[eap] returns handled
  Sending Access-Challenge of id 1 to 127.0.0.1 port 40004
          EAP-Message = 0x010200061920
          Message-Authenticator = 0x
          State = 0x2e0cc3a22f0eda51cc2cadc82e7658db
  Finished request 2.
  Going to the next request
  ……
  Found Auth-Type = EAP
  # Executing group from file /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
  +- entering group authenticate {...}
  [eap] Request found, released from the list
  [eap] EAP/mschapv2
  [eap] processing type mschapv2
  [mschapv2] # Executing group from file /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
  [mschapv2] +- entering group MS-CHAP {...}
  [mschap] No Cleartext-Password configured. Cannot create LM-Password.
  [mschap] No Cleartext-Password configured. Cannot create NT-Password.
  [mschap] Creating challenge hash with username: sqluser
  [mschap] Told to do MS-CHAPv2 for sqluser with NT-Password
  [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
  [mschap] FAILED: MS-CHAP2-Response is incorrect
  ++[mschap] returns reject
  [eap] Freeing handler
  ++[eap] returns reject
  Failed to authenticate the user.
  } # server inner-tunnel
  [peap] Got tunneled reply code 3
          MS-CHAP-Error = \010E=691 R=1
          EAP-Message = 0x04080004
          Message-Authenticator = 0x
  [peap] Got tunneled reply RADIUS code 3
          MS-CHAP-Error = \010E=691 R=1
          EAP-Message = 0x04080004
          Message-Authenticator = 0x
  [peap] Tunneled authentication was rejected.
  [peap] FAILURE
  ++[eap] returns handled
  Sending Access-Challenge of id 8 to 127.0.0.1 port 40004
          EAP-Message = 0x0109003b190017030100302ab43a32e6ec7ff42289efbdfda591f3a3562799d9559589146b128457125284645e7d72ef66bb121d8dbb003bdab8ab
          Message-Authenticator = 0x
          State = 0x2e0cc3a22605da51cc2cadc82e7658db
  Finished request 9.
  Going to the next request
  Waking up in 4.8 seconds.
  rad_recv: Access-Request packet from host 127.0.0.1 port 40004, id=9, length=226
          User-Name = anonymous
          NAS-IP-Address = 127.0.0.1
          Calling-Station-Id = 02-00-00-00-00-01
          Framed-MTU = 1400
          NAS-Port-Type = Wireless-802.11
          Connect-Info = CONNECT 11Mbps 802.11b
          EAP-Message = 0x0209006019001703010020b314a72f4acdfaf2dd08dcf94fd6c7082929e8fd0472499fb3f0ba7b79cae39517030100300bbd73ce8691181df7af8f7caabe39c7c75fa967f055a40ba68caf2780dbcf60a2f6b8be08e9d789e433758deacb3e88
          State = 0x2e0cc3a22605da51cc2cadc82e7658db
          Message-Authenticator = 0x6b7fca3ade7064bc39fb78dc05a9d319
  # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default
  +- entering group authorize {...}
  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
  ++[digest] returns noop
  [suffix] No '@' in User-Name = anonymous, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  [eap] EAP
EAP: method process - ignore=FALSE methodState=MAY_CONT decision=FAIL
Hi!

I meet an ERROR in the test of PEAP:

  eapol_test -c peap.txt -s testing123

My peap.txt is:

  network={
      eap=PEAP
      eapol_flags=0
      key_mgmt=IEEE8021X
      identity="sqluser"
      password="123"
      ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.pem"
      phase2="auth=MSCHAPV2"
      anonymous_identity="anonymous"
  }

The result:

  RADIUS packet matching with station
  decapsulated EAP packet (code=1 id=1 len=6) from RADIUS server: EAP-Request-PEAP (25)
  EAPOL: Received EAP-Packet frame
  EAPOL: SUPP_BE entering state REQUEST
  EAPOL: getSuppRsp
  EAP: EAP entering state RECEIVED
  EAP: Received EAP-Request id=1 method=25 vendor=0 vendorMethod=0
  EAP: EAP entering state GET_METHOD
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
  EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
  TLS: Phase2 EAP types - hexdump(len=8): 00 00 00 00 1a 00 00 00
  TLS: using phase1 config options
  TLS: Trusted root certificate(s) loaded
  CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
  EAP: EAP entering state METHOD
  SSL: Received packet(len=6) - Flags 0x20
  EAP-PEAP: Start (server ver=0, own ver=1)
  EAP-PEAP: Using PEAP version 0
  SSL: (where=0x10 ret=0x1)
  SSL: (where=0x1001 ret=0x1)
  SSL: SSL_connect:before/connect initialization
  SSL: (where=0x1001 ret=0x1)
  SSL: SSL_connect:SSLv3 write client hello A
  SSL: (where=0x1002 ret=0x)
  SSL: SSL_connect:error in SSLv3 read server hello A
  SSL: SSL_connect - want more data
  SSL: 95 bytes pending from ssl_out
  SSL: 95 bytes left to be sent out (of total 95 bytes)
  EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
  EAP: EAP entering state SEND_RESPONSE
  EAP: EAP entering state IDLE
  EAPOL: SUPP_BE entering state RESPONSE
  EAPOL: txSuppRsp
  ……
  RADIUS packet matching with station
  decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
  EAPOL: Received EAP-Packet frame
  EAPOL: SUPP_BE entering state REQUEST
  EAPOL: getSuppRsp
  EAP: EAP entering state RECEIVED
  EAP: Received EAP-Failure
  EAP: EAP entering state FAILURE
  CTRL-EVENT-EAP-FAILURE EAP authentication failed
  EAPOL: SUPP_PAE entering state HELD
  EAPOL: SUPP_BE entering state RECEIVE
  EAPOL: SUPP_BE entering state FAIL
  EAPOL: SUPP_BE entering state IDLE
  eapol_sm_cb: success=0
  EAPOL: EAP key not available
  EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
  ENGINE: engine deinit
  MPPE keys OK: 0  mismatch: 1
  FAILURE

I am a freshman, I do not know how to fix it.

THANK YOU!
Re: Multiple MACs per Network
wow i totally overlooked that, many thanks Aaran! I have it setup and working perfectly! Many many thanks again.

The sql was wrong in your post, missing some quotes or something, so the working code was, my complete authorize section:

  authorize {
      preprocess
      rewrite_calling_station_id
      rewrite_called_station_id
      if (%{sql:SELECT COUNT(*) FROM `SSIDMACAUTH` WHERE macaddress = '%{Calling-Station-ID}' AND SSID = '%{Called-Station-SSID}'} == 1) {
          ok
          update control {
              Auth-Type := Accept
          }
      }
      else {
          reject
      }
  }

Obviously this can be optimized, the sql line, so that the update control section doesn't need to be referenced, it can be pulled from the table, but the original sql i have is just counting the amount of rows returned and if it's more than or equal to 1, it accepts the user. Thanks again.

On Fri, Apr 29, 2011 at 2:48 PM, Arran Cudbard-Bell a.cudba...@gmail.com wrote:
> John,
>
> To be honest it's probably easier to use SQL xlat than calling the SQL module if you're just trying to determine whether a mac address is allowed to access an SSID. SQL module is meant for more complex configurations.
>
> Create a new table with two fields 'ssid' and 'macaddress'
>
>   authorize {
>       preprocess
>       if (%{sql:SELECT COUNT(*) FROM `my_mac_table` WHERE macaddress = '%{Calling-Station-ID}' AND ssid = '%{Called-Station-SSID}'} == 1) {
>           ok
>       }
>       else {
>           reject
>       }
>       rewrite_calling_station_id
>       rewrite_called_station_id
>   }
>
> FYI in your example you listed sql and sql.authorize; in the authorize section they do the same thing. Modules generally perform different actions depending on the section from which they're called; adding a suffix of .section_name overrides this and explicitly sets a section name.
>
> -Arran
>
> On Apr 29, 2011, at 11:24 AM, John Corps wrote:
>> Do you have an example of how to accomplish this? I have tried a lot of things but can't seem to get it to work.
>>
>> I have this in my authorize section:
>>
>>   authorize {
>>       preprocess
>>       rewrite_calling_station_id
>>       rewrite_called_station_id
>>       sql
>>       sql.authorize
>>       if (notfound) {
>>           reject
>>       }
>>       else {
>>           ok
>>       }
>>   }
>>
>> Do i have to add anything else here, or where do I do the check attribute? I have created a new table in my db called just macauth that has the same structure as the radacct table except for the addition of an SSID field. I have tried to modify the original sql for checking the radacct table to reflect the ssid table, so check ssid table where macaddress is the macaddress and ssid is the ssid. I am stuck here as when connecting it just shows up in debug as the user was not found...
>>
>>   [sql] expand: SELECT id, macaddress, attribute, value, op FROM SSIDMACAUTH WHERE SSID = '%{Called-Station-SSID}' AND macaddress ='%{Calling-Station-ID}' ORDER BY id -> SELECT id, macaddress, attribute, value, op FROM SSIDMACAUTH WHERE SSID = 'SSID' AND macaddress ='00-11-22-33-44-55' ORDER BY id
>>   rlm_sql_mysql: query: SELECT id, macaddress, attribute, value, op FROM SSIDMACAUTH WHERE SSID = 'RADIUSTEST' AND macaddress ='00-11-22-33-44-55' ORDER BY id
>>   [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00-11-22-33-44-55' ORDER BY priority
>>   rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '00-11-22-33-44-55' ORDER BY priority
>>   rlm_sql (sql): Released sql socket id: 3
>>   [sql] User 00-11-22-33-44-55 not found
>>
>> I think I am missing something here as the user is found in the db, but i think it is trying to read the results from like username and not macaddress. Any insight would be great, thanks.
>>
>> On Thu, Apr 28, 2011 at 4:29 PM, Arran Cudbard-Bell a.cudba...@gmail.com wrote:
>>> On Apr 28, 2011, at 1:13 PM, John Corps wrote:
>>>> Thank you Aaran. It does indeed work. Is there an easy way of implementing the same functionality to work with calling the SSID.00-11-22-33-44-55 pulling from the radcheck sql table?
>>>
>>> Sure, you can use Calling-Station-SSID as a check attribute for both users and groups
>>>
>>> -Arran
>>>
>>>> On Thu, Apr 28, 2011 at 3:27 PM, Arran Cudbard-Bell a.cudba...@gmail.com wrote:
>>>>> On Apr 28, 2011, at 11:54 AM, John Corps wrote:
>>>>>> I have done a testing environment with the Mac-Auth section from the Wiki. http://wiki.freeradius.org/Mac-Auth Not too sure what module you would be referring to...only thing I could think of is the files module?
>>>>>
>>>>> Updated the wiki page with an example, let me know if it works for you.
>>>>>
>>>>> -Arran
>>>>>
>>>>> Arran Cudbard-Bell
>>>>> RM-RF Limited
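The lookup John and Arran arrive at above is a per-SSID MAC allow-list: normalise Calling-Station-Id (what rewrite_calling_station_id does), then count matching rows for that MAC and SSID. The following is an added example, not code from the thread, the FreeRADIUS wiki or the rlm_sql module: it reproduces that decision in Python over an in-memory SQLite copy of the SSIDMACAUTH table so the logic can be tested offline. The column names follow the thread; the sample rows, the hyphenated upper-case canonical MAC form and the function names are assumptions of this example. The UNIQUE constraint keeps COUNT(*) at 0 or 1, which is why John's `== 1` and his "more than or equal to 1" description agree.

```python
"""Per-SSID MAC allow-list check, modelled on the SQL-xlat lookup in this thread."""
import re
import sqlite3

# Constructed stand-in for the SSIDMACAUTH table (column names from the thread).
SCHEMA = """
CREATE TABLE SSIDMACAUTH (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    ssid       TEXT NOT NULL,
    macaddress TEXT NOT NULL,
    UNIQUE (ssid, macaddress)
);
"""

# Constructed sample rows, not data from the list archive.
SAMPLE_ROWS = [
    ("RADIUSTEST", "00-11-22-33-44-55"),
    ("GUEST", "aa:bb:cc:dd:ee:ff"),
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise common MAC spellings (00:11:22:33:44:55, 0011.2233.4455,
    00-11-22-33-44-55) to AA-BB-CC-DD-EE-FF.

    Plays the role of rewrite_calling_station_id; the hyphenated upper-case
    form is an assumption chosen so the stored and requested values compare
    equal. Anything that is not exactly twelve hex digits is rejected."""
    digits = re.sub(r"[-:.]", "", raw).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def open_db() -> sqlite3.Connection:
    """Create the table and load the constructed rows, normalised on the way in."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO SSIDMACAUTH (ssid, macaddress) VALUES (?, ?)",
        [(ssid, normalize_mac(mac)) for ssid, mac in SAMPLE_ROWS],
    )
    return conn


def mac_allowed_on_ssid(conn: sqlite3.Connection,
                        calling_station_id: str, called_station_ssid: str) -> bool:
    """The COUNT(*) lookup from the thread, with bound parameters instead of
    string interpolation so the request values can never alter the query."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return False  # a malformed Calling-Station-Id never matches
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM SSIDMACAUTH WHERE macaddress = ? AND ssid = ?",
        (mac, called_station_ssid),
    ).fetchone()
    return count >= 1


def authorize(conn: sqlite3.Connection,
              calling_station_id: str, called_station_ssid: str) -> str:
    """Mirror of the unlang if/else: accept when the row exists, reject otherwise."""
    if mac_allowed_on_ssid(conn, calling_station_id, called_station_ssid):
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    db = open_db()
    print(authorize(db, "00:11:22:33:44:55", "RADIUSTEST"))  # Access-Accept
    print(authorize(db, "00:11:22:33:44:55", "GUEST"))       # Access-Reject
```

In the server itself the `%{sql:...}` xlat escapes the expanded attribute values before the query runs, which is the protection the bound parameters provide here; the normalisation step is still worth keeping in front of the lookup, since a NAS that sends `00:11:22:33:44:55` would otherwise never match a row stored as `00-11-22-33-44-55`.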
Re: ERROR in the EAP/PEAP test of eapol_test
Hi,

> Hi ! I meet a ERROR in the test of EAP/PEAP radtest sqluser 123 localhost 1812 testing123 is OK, I just delete the # before 'eap' in radiusd.conf and default files. the test eapol_test -c peap.txt -s testing123

you are using SQL as the user storage? you haven't enabled the sql in the inner-tunnel virtual server (which gets used when EAP is active)

alan
Re: Adding Vendor Specific Attribute to the Access-Accept
Hi,

> I found the reason why the attributes I added were not included in the reply list. Those attributes are used by the server internally (Range: 1000-1199). They do not go to the reply attributes list. When I tried the attributes from other vendors like 3Com it worked. The reply attributes were included in the Access-Accept message.

you need to use attributes that your NAS understands and will use - check your NAS documentation and the dictionary files.

alan
Re: Mac Auth - Timeout Connecting WiFi
I am still racking my brains over this... I am pointing more and more at the AP but not sure why; for some reason it works on a test ubuntu server and not my debian server. I have been testing it based on ethernet mac auth using the radius section on a switch, and the debian server and ubuntu server work perfectly for that, but still the debian server is sending out the access-accept messages to the wifi clients and it still just sits there connecting and eventually times out. Anyone with any insight would be good.

On Thu, Apr 28, 2011 at 10:04 AM, John Corps env...@gmail.com wrote:
> I was blaming the access point but it doesn't make sense that it works fine on my ubuntu test server. It's as if it's not sending the request fast enough to the AP to send to the client to be accepted. I am racking my brains over this one, it's very strange...
>
> I am using mac auth so it is an open network and only authorized macs are allowed to get on. This is the way they want it setup here so that there is nothing to be done on the client side. I am in agreement with you but I have to do what they want, not what I think is best.
>
> On Thu, Apr 28, 2011 at 3:37 AM, Alan DeKok al...@deployingradius.com wrote:
>> John Corps wrote:
>>> ... I try and connect to the WiFi and it always times out. Putting freeradius in debug mode shows nothing useful, it shows that it's sending the access accept packet but the connection times out
>>
>>   Then blame the access point.
>>
>>   Also, MAC auth for WiFi sounds strange. Why not EAP?
>>
>>   Alan DeKok.
Re: Multiple MACs per Network
Yeah I missed out a bunch of things, well done for figuring it out. Would you mind dumping out the schema of your table, and I can add it and the below snippet to the wiki for future users?

Thanks,
Arran

On May 2, 2011, at 6:51 AM, John Corps wrote:
> wow i totally overlooked that, many thanks Aaran! I have it setup and working perfectly! Many many thanks again.
>
> The sql was wrong in your post, missing some quotes or something, so the working code was, my complete authorize section:
>
>   authorize {
>       preprocess
>       rewrite_calling_station_id
>       rewrite_called_station_id
>       if (%{sql:SELECT COUNT(*) FROM `SSIDMACAUTH` WHERE macaddress = '%{Calling-Station-ID}' AND SSID = '%{Called-Station-SSID}'} == 1) {
>           ok
>           update control {
>               Auth-Type := Accept
>           }
>       }
>       else {
>           reject
>       }
>   }
>
> Obviously this can be optimized, the sql line, so that the update control section doesn't need to be referenced, it can be pulled from the table, but the original sql i have is just counting the amount of rows returned and if it's more than or equal to 1, it accepts the user. Thanks again.
Help with freeradius 2.1 with Mikrotik parameter
Hello people,

I just did an installation with debian squeeze freeradius / freeradius-mysql 2.1.10+dfsg-2. I previously had debian Etch with freeradius 1.1.1-3 installed and running normally. I made corrections to the layout settings in the current package, and the service starts normally. But when I radtest a user with a connection to the Mikrotik I get the following error:

  Failed to create the pair: Invalid octet string 2M/2M for attribute name Mikrotik-Rate-Limit.

Mikrotik-Rate-Limit is in the dictionary of my radius server. I use this setting usually in version 1.x. I've made several changes to this field and all return the same error. Removing this information from the user table radgroupreply, it connects normally. Any suggestions? I thank you for your attention and help.

-
  Mon May 2 17:11:56 2011: Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
  Mon May 2 17:11:56 2011: Info: rlm_sql_mysql: Starting connect to MySQL server for #4
  Mon May 2 17:11:56 2011: Info: rlm_sql (sql): Connected new DB handle, #4
  Mon May 2 17:11:56 2011: Info: Loaded virtual server default
  Mon May 2 17:11:56 2011: Info: Ready to process requests.
  Mon May 2 17:12:04 2011: Error: rlm_sql: Failed to create the pair: Invalid octet string 2M/2M for attribute name Mikrotik-Rate-Limit
  Mon May 2 17:12:04 2011: Error: rlm_sql (sql): Error getting date from database
  Mon May 2 17:12:04 2011: Error: [sql] SQL query error; Rejecting user
  Mon May 2 17:12:04 2011: Auth: Invalid user: [User @ domain / password] (from client localhost port 0)
Re: Help with freeradius 2.1 with Mikrotik parameter
Sorry ... this same question was answered yesterday:

  Re: Mikrotik-Rate-Limit issue - http://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg8.html

I added the $INCLUDE dictionary.mikrotik and that resolved this error. Thanks!

2011/5/2 Michell bill.c...@gmail.com
Re: Freeradius, bind addresses, and multihoming
Dear All

Why does radius not auto-bind the MAC from the user on first use, like the Mikrotik User Manager option does? Is there any way?

Thanks in Advance

On Tue, May 3, 2011 at 3:20 AM, Gary T. Giesen gie...@snickers.org wrote:
> I've compiled freeradius with the --with-udpfromto directive. Everything works as expected when I bind to all IPs:
>
>   listen {
>       ipaddr = *
>       port = 1812
>       type = auth
>   }
>   listen {
>       ipaddr = *
>       port = 1813
>       type = acct
>   }
>
> However, if I specify multiple IPs to bind to (rather than just one or all), it reverts to the behaviour of responding to all requests with a source IP of the first bind directive listed. For example:
>
>   listen {
>       ipaddr = 192.168.1.250
>       port = 1812
>       type = auth
>   }
>   listen {
>       ipaddr = 192.168.1.250
>       port = 1813
>       type = acct
>   }
>   listen {
>       ipaddr = 1.2.3.4
>       port = 1812
>       type = auth
>   }
>   listen {
>       ipaddr = 1.2.3.4
>       port = 1813
>       type = acct
>   }
>
> In this configuration, freeradius will always respond from 192.168.1.250, even if the initial request was sent to 1.2.3.4. This is obviously breaking things for me, as I'd rather not have freeradius listen on every interface on the server (and there are a number of them). Am I doing something wrong? Am I expecting the wrong behaviour? Or is this a bug?
>
> GG

--
Syed Tanjil Ahmed
Chairman
Netgate Online Ltd
Oval Communication Ltd.
SNS CNG Convertion Ltd
Network Solution Ltd.
ARSHI (Non Government Organizations)
20, Siddeswari Lane, 1st Floor, Dhaka
483/a, DIT Road, Dhaka-1217
Ph: 815, 9352029, 9350458
Ph: 9361083, 9346890, 9342514
Email: i...@tanjil.net, tan...@email.com
ldap server connection timeout
My new wireless network tested great, but now that I have rolled it out to the entire building, I get error messages like:

  Mon May 2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.

And when these trigger, nearly everyone gets disconnected for about 5 seconds.

Possibly relevant code from the ldap module:

  ldap {
      #private stuff
      ldap_connections_number = 15
      timeout = 10
      timelimit = 10
      net_timeout = 5
  }

The only existing firewalls are on the machines themselves and the ip range of the servers are open with each other.

Any ideas?

Dan
Re: Mikrotik-Rate-Limit issue
Thank you. It works now!

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Mikrotik-Rate-Limit-issue-tp4363178p4365873.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Radius proxy implementation
Hello... I am new to freeradius and I am hoping someone can give me some help with a little project. The architecture is as follows:

  RADIUS SERVER - freeRadius - Radius client

The radius client is sending authentication and accounting requests to freeRadius. For authentication, the freeRadius must receive the access_requests, add a couple of AVPs to it, and then send it to the RADIUS SERVER; this server will respond with either accept/reject and the freeRadius must forward that to the client.

Once authentication is done, the Radius client will start sending accounting messages to freeRadius. The freeRadius must count the number of octets sent and received (information which is inside the accounting message) and once a certain number of packets is reached it should trigger an access_reject to the Radius client.

Is this possible with freeRadius? I would appreciate some help on this.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-proxy-implementation-tp4366233p4366233.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Radius proxy implementation
On Tue, May 3, 2011 at 9:45 AM, d...@hotmail.com d...@hotmail.com wrote:
> Hello... I am new to freeradius and I am hoping someone can give me some help with a little project. The architecture is as follows:
>
>   RADIUS SERVER - freeRadius - Radius client
>
> The radius client is sending authentication and accounting requests to freeRadius. For authentication, the freeRadius must receive the access_requests, add a couple of AVPs to it, and then send it to the RADIUS SERVER,

It should be possible using pre_proxy section. See sites-available/default. You could also use unlang there.

> this server will respond with either accept/reject and the freeRadius must forward that to the client. Once authentication is done, the Radius client will start sending accounting messages to freeRadius. The freeRadius must count the number of octets sent and received (information which is inside the accounting message) and once a certain number of packets is reached it should trigger an access_reject to the Radius client.

I don't think this one is possible. What might be possible:
- store accounting info in sql
- use the information from sql to filter access-request packets in pre-proxy and post-proxy sections. You should be able to add some reply items (like Session-Timeout), or reject it when the user exceeds quota

--
Fajar
Re: Radius proxy implementation
Thanks for your quick reply...

In order to store the accounting information, do I need to execute an external script? With my little knowledge of freeRadius at the moment, I have a vague idea of how to forward the packets, but I have no clue yet on how to do the mysql part you mentioned. Could you please elaborate a bit more.

Thanks!

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-proxy-implementation-tp4366233p4366262.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Radius proxy implementation
On Tue, May 3, 2011 at 10:08 AM, d...@hotmail.com d...@hotmail.com wrote:
> Thanks for your quick reply...
>
> In order to store the accounting information, do I need to execute an external script?

No

> With my little knowledge of freeRadius at the moment, I have a vague idea of how to forward the packets, but I have no clue yet on how to do the mysql part you mentioned. Could you please elaborate a bit more.

Start by reading proxy.conf. You should be able to select what packets to proxy. From what you wrote, I think you only need to proxy auth packets, while processing acct packets locally.

Then read sites-available/default

Then read sql.conf and sql/mysql/*, as well as doc/rlm_mysql

Then read http://freeradius.org/radiusd/man/unlang.html

--
Fajar
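Fajar's two replies above sketch the design: accounting packets are processed locally and stored in SQL, and the stored totals are consulted when an Access-Request comes in, before it is proxied, to reject a user who has exhausted a quota. The following is an added example, not code from the thread or from FreeRADIUS: it models that logic in Python over an in-memory SQLite table so the counting can be checked offline. The cut-down radacct-style schema, the 1 GB quota, the sample sessions and the function names are assumptions of this example. One detail it handles that a naive running sum gets wrong: Acct-Input-Octets and Acct-Output-Octets are cumulative per session, so an Interim-Update must replace the session's previous counters rather than be added to them, and the 32-bit counters are extended by Acct-Input-Gigawords / Acct-Output-Gigawords (RFC 2869).

```python
"""Local octet quota built from stored accounting, checked before proxying an Access-Request."""
import sqlite3

# Constructed, cut-down radacct-style table: one row per session, holding the
# latest counters that session reported (not data from the list archive).
SCHEMA = """
CREATE TABLE radacct (
    acctsessionid    TEXT PRIMARY KEY,
    username         TEXT NOT NULL,
    acctinputoctets  INTEGER NOT NULL DEFAULT 0,
    acctoutputoctets INTEGER NOT NULL DEFAULT 0
);
"""

QUOTA_OCTETS = 1_000_000_000  # constructed example quota: 1 GB per user


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_accounting(conn: sqlite3.Connection, acctsessionid: str, username: str,
                      input_octets: int, output_octets: int,
                      input_gigawords: int = 0, output_gigawords: int = 0) -> None:
    """Store the counters carried by an Interim-Update or Stop packet.

    The octet counters are cumulative for the session and wrap at 2^32, with
    the high 32 bits in the Gigawords attributes, so the session's row is
    replaced rather than incremented when it reports again."""
    total_in = (input_gigawords << 32) + input_octets
    total_out = (output_gigawords << 32) + output_octets
    conn.execute(
        "INSERT OR REPLACE INTO radacct "
        "(acctsessionid, username, acctinputoctets, acctoutputoctets) VALUES (?, ?, ?, ?)",
        (acctsessionid, username, total_in, total_out),
    )


def octets_used(conn: sqlite3.Connection, username: str) -> int:
    """Sum of the latest per-session counters for this user, 0 for an unknown user."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) "
        "FROM radacct WHERE username = ?",
        (username,),
    ).fetchone()
    return int(total)


def pre_proxy_decision(conn: sqlite3.Connection, username: str,
                       quota: int = QUOTA_OCTETS) -> dict:
    """What the pre-proxy step would do with an Access-Request for this user:
    reject locally once the quota is spent, otherwise let the request go to
    the upstream server and report how much quota is left."""
    used = octets_used(conn, username)
    if used >= quota:
        return {"action": "reject", "used": used,
                "Reply-Message": "data quota exceeded"}
    return {"action": "proxy", "used": used, "remaining": quota - used}


if __name__ == "__main__":
    db = open_db()
    record_accounting(db, "s1", "alice", 400_000_000, 100_000_000)
    record_accounting(db, "s2", "alice", 300_000_000, 50_000_000)
    print(pre_proxy_decision(db, "alice"))   # proxy, 150 MB remaining
    record_accounting(db, "s2", "alice", 500_000_000, 100_000_000)  # interim update
    print(pre_proxy_decision(db, "alice"))   # reject
```

The decision is taken on the Access-Request only, which is what Fajar means by "filter access-request packets": a session already running when the quota is crossed keeps running until the NAS ends it, unless a Session-Timeout was set on the earlier accept.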