Config for proxying based on auth-protocol
Hello,

I want to configure FreeRADIUS to do the following two things:

(1) Handle tunnel for PEAP authentication requested by any supplicant(s), and do mschapv2 auth with another RADIUS server. (Irrespective of the realm in the user-name)

(2) Transparently proxy all other non-PEAP requests to another RADIUS server (like LEAP, EAP-FAST etc etc). (Again, irrespective of the realm in the user-name.)

My config for (1) is already working (eap.conf below) and FreeRADIUS is properly doing ms-chapv2 auth with another RADIUS server. However, I tried many changes in config, but could not configure it to do (2). FreeRADIUS itself tries to handle LEAP and EAP-FAST requests.

Please guide me in configuring FreeRADIUS for (2) above.

My eap.conf:

    eap {
        default_eap_type = mschapv2
        timer_expire = 60
        ignore_unknown_eap_types = yes
        cisco_accounting_username_bug = no
        max_sessions = 2048
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            CA_file = ${certdir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            cipher_list = "DEFAULT"
            make_cert_command = "${certdir}/bootstrap"
            cache {
                enable = no
                lifetime = 24
                max_entries = 255
            }
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            proxy_tunneled_request_as_eap = no
            virtual_server = "proxy-inner-tunnel"
        }
        leap {
        }
        mschapv2 {
        }
    }

--
Nitin Bhardwaj

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: PEAP/MSCHAPv2 failing with Windows 7
I may be misunderstanding you, but FR still auths against a centralized AD (ntlm_auth). I will look into this further though, because it obviously won't honor any DVLAN assignments we have in AD if it's not asking for / expecting them.

G

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, May 09, 2011 5:11 PM
To: FreeRadius users mailing list
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

Hi,

> I should note, it appears the Aruba gear is terminating the PEAP - FR only
> sees an MSCHAP request.

I would change that behaviour with a quick reconfig - it's possible because we have sites in the UK using Aruba kit with 'eduroam' - and 'eduroam' would break if the remote client was presented with the local site's RADIUS server or EAP termination.

alan
Re: PEAP/MSCHAPv2 failing with Windows 7
Hi,

> I should note, it appears the Aruba gear is terminating the PEAP – FR only
> sees an MSCHAP request.

I would change that behaviour with a quick reconfig - it's possible because we have sites in the UK using Aruba kit with 'eduroam' - and 'eduroam' would break if the remote client was presented with the local site's RADIUS server or EAP termination.

alan
PEAP/MSCHAPv2 failing with Windows 7
Hello,

We use Aruba Wireless gear. We're using 802.1x PEAP, MSCHAPv2, use windows credentials. Everything is working great with this setup until we started testing / trying Windows 7 clients. They fail with:

    Exec-Program output: Logon failure (0xc06d)
    Exec-Program-Wait: plaintext: Logon failure (0xc06d)
    Exec-Program: returned: 1
    [mschap] External script failed.
    [mschap] FAILED: MS-CHAP2-Response is incorrect
    ++[mschap] returns reject
    Failed to authenticate the user.

The same exact username / password works great on XP.

What's really weird is this: In the PEAP properties, EAP-MSCHAP v2, if you DISABLE "automatically use my windows logon name and password" and instead enter the credentials manually it works.

It appears to me this is some sort of bug in the Windows 7 PEAP/EAP code that grabs the credentials from "windows" that was previously entered and passes them to the EAP/PEAP process. Somewhere along the way they're getting mashed or something?

I should note, it appears the Aruba gear is terminating the PEAP - FR only sees an MSCHAP request.

Anyone else having a similar issue?

TIA

G
Re: Error: User-Name is not the same as MS-CHAP name
Robert Mc Cready wrote:
> I do not rewrite the User-name attribute I rewrite only the
> Stripped-User-Name attribute with these:

No. Go READ the debug log you posted. The "inner-tunnel" virtual server gets:

    Sending tunneled request
        EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202
        ...
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "CAD08862\\ldapuser"

You then RE-WRITE the User-Name. Don't do that.

As you were told, re-writing the User-Name for EAP is wrong. Don't do it.

> The User-Name attribute is untouched.

You can believe what you *think* happens. Or you can believe the debug output of the server.

Alan DeKok.
Re: acct segfault in git v2.1.x
James J J Hooper wrote:
> It now seems to create a *directory* with the name that should be the
> detail *file*...

I've pushed a fix. The change missed one line..

Alan DeKok.
RE: Error: User-Name is not the same as MS-CHAP name
I do not rewrite the User-name attribute; I rewrite only the Stripped-User-Name attribute with these:

    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor = ""
        searchin = packet
        replacewith = "%{User-Name}"
    }
    attr_rewrite remove-domain-name {
        attribute = Stripped-User-Name
        searchfor = "(\.nw2\.test\.local)"
        searchin = packet
        new_attribute = no
        replacewith = ""
    }
    attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = "^(host/.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
    }
    attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = "^(.*[\\/]+)"
        replacewith = ""
        max_matches = 1
    }

This is where I use Stripped-User-Name:

    freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/ldap: filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

The User-Name attribute is untouched.

    [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before, the host name (CAD08862) is not a domain name, it's a computer account name. I tried with_ntdomain_hack, no luck.

    freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
    modules/preprocess: with_ntdomain_hack = no
    modules/mschap: with_ntdomain_hack = yes

Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm

On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
> The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one
> problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
> (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
> EAP-MSCHAPv2". Users log on locally, the host name is not a domain name.
> Windows 7 clients work fine because they send only the username. I do
> some rewrites so I can get the username for the LDAP authentication and
> the computers name for computer account authentication (I'm not familiar
> with unlang yet). We use FR 2.1.10.
>
> Any idea how to fix this ?
>

You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate attribute, like so:

    if (User-Name =~ /^(.+)\\(.+)/) {
        update request {
            Stripped-User-Name := "%{2}"
        }
    }

An easier alternative is to not mangle the username at all, and instead update any string expansions to use:

    %{mschap:User-Name}

...including your LDAP filters. This will "just work"
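A Python model of the approach recommended in the reply quoted above, added here as an example (it is not from the thread and is not FreeRADIUS code): the lookup name is derived into a separate Stripped-User-Name value while User-Name stays exactly as received. The function names, the dictionary used as a request and the sample identities are assumptions for illustration; the `host/` branch generalises the poster's rewrite rules by cutting at the first dot.

```python
import re

# Pattern from the unlang snippet in the reply: DOMAIN\user or HOST\user.
NT_NAME = re.compile(r"^(.+)\\(.+)")


def lookup_name(user_name):
    """Derive the directory lookup name from User-Name without changing it."""
    if user_name.startswith("host/"):
        # Machine account, e.g. host/CAD08862.nw2.test.local -> CAD08862$
        # (generalises the poster's remove-domain-name rule: cut at first dot).
        return user_name[len("host/"):].split(".", 1)[0] + "$"
    match = NT_NAME.match(user_name)
    return match.group(2) if match else user_name


def add_stripped_user_name(request):
    """Return a copy of the request with Stripped-User-Name added.

    User-Name is copied through untouched, so whatever compares it with the
    name inside the MS-CHAP exchange still sees what the client sent.
    """
    updated = dict(request)
    updated["Stripped-User-Name"] = lookup_name(request["User-Name"])
    return updated


def ldap_escape(value):
    """Escape filter metacharacters per RFC 4515 (needed because this model
    builds the filter string by hand)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_filter(request):
    """Same fallback as the poster's filter: Stripped-User-Name, else User-Name."""
    name = request.get("Stripped-User-Name") or request["User-Name"]
    return "(uid=%s)" % ldap_escape(name)


if __name__ == "__main__":
    # Constructed sample identities in the three forms seen in the thread.
    for name in ("CAD08862\\ldapuser", "host/CAD08862.nw2.test.local", "ldapuser"):
        req = add_stripped_user_name({"User-Name": name})
        print(req["User-Name"], "->", ldap_filter(req))
```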
Re: acct segfault in git v2.1.x
On 09/05/2011 12:22, Alan DeKok wrote:
> Alexander Clouter wrote:
>> Updating to git's v2.1.x to go on a post-Easter bughunt and found the
>> following accounting packet[1] seems to segfault freeradius:
> ...
>> #1 0x403075d8 in fnmatch () from /lib/libc.so.6
>> #2 0x409da598 in do_detail (instance=0x114e50, request=0x43443240,
>> packet=0x43446dd8, compat=) at rlm_detail.c:301
>
> Hmm... calling fnmatch() when the packet was *not* read from the
> detail file is a bad idea. Oops.
>
> On closer inspection, much of the logic in rlm_detail is broken.
>
>> If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier
>> to get on a production box... :)
>
> Nah. I think the Feynman method is fine.
>
> 1) look at problem
> 2) think hard
> 3) write down solution
>
> Give me a bit and I'll push a change to "git".

It now seems to create a *directory* with the name that should be the detail *file*...

    custard radius # find ./ -type d
    ./
    ./radacct
    ./radacct/eduroamalien-soh-bsql
    ./radacct/vpi-soh-bsql
    ./radacct/eduroamlocal-soh-bsql
    ./radacct/nomadicvpn-bsql
    ./radacct/uobgear
    ./radacct/eduroamlocal-inner
    ./radacct/eduroamlocal-bsql
    ./radacct/vpi
    ./radacct/eduroamalien-inner
    ./radacct/eduroamlocal
    ./radacct/vpi-inner
    ./radacct/eduroamalien
    ./radacct/nomadicvpn
    custard radius # killall -9 radiusd ; /usr/local/sbin/radiusd
    custard radius # tail -n 0 -f radius*.log
    ==> radiusd-eduroamlocal.log <==
    Mon May 9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory
    Mon May 9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory

ls -la also shows that radiusd has indeed created a directory with what should have been the file name.

module config:

    custard radius # cat /usr/local/etc/serviceraddb/modules/detail-bsql | grep '[[:print:]]' | grep -v '#'
    detail detail-bsql {
        detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
        detailperm = 0600
        header = "%t"
    }

-James
Re: Simultaneous logins
I got it working by changing the query to count if the MAC requesting access is different than the one that got access granted.

Another question I had was if a user is allowed access only for let's say 5 hours a day, if he is connected just for 1 hour and decides to connect 3 hours later, I think the counter will have counted 4 hours, is there a way to make the counter just pick up where it left off?

Thanks

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Simultaneous-logins-tp4380660p4381821.html
Re: acct segfault in git v2.1.x
Alan Buxey wrote:
>
>> NAS Port Attribute (5), length: 6, Value: 0
>
> NAS-Port 0
>
> are you serious? ;-)
>

Hey, *you* are the proxying it ;P

>> Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (14823)
>> Vendor Attribute: 2, Length: 4, Value:
>
> ..that's an interesting one.
>
>> Unknown Attribute (103), length: 6, Value:
>
> as is that. unpopulated/corrupt attributes.
>

Just unprintable, check the pcap file linked to in the original email for and giggles.

> what are you doing with this accounting packet when it arrives? 'detail'
> module? SQL ?
>

Journalled accounting, it's picked up by decoupled account virtual server.

Cheers

--
Alexander Clouter
.sigmonster says: Generic Fortune.
RE: Nexus Configurations
Hello,

Is the user you are testing with configured on the switch?

No, this is my username that is allowed to access the switches. It authenticates me with AD and makes sure I belong to a certain group within AD.

If so, as what type of user?

Admin user.

Have you tried a username which is not configured on the switch?

Yes mine, and my colleagues, all work on 6500, 2960, 2950 3524, etc etc.

Rgds
Darren Shaw
The Network Team
Computing Services
University of Huddersfield
Queensgate
Huddersfield
HD1 3DH

TEL: 01484 471317
MOBILE: 07792 773807

-Original Message-
From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On Behalf Of David Mitchell
Sent: 06 May 2011 15:34
To: FreeRadius users mailing list
Subject: Re: Nexus Configurations

On May 6, 2011, at 2:50 AM, Darren Shaw wrote:

> Good morning David,
>
> To answer your questions
>
> We do have a local username; all our switches have, 500 of them.

Is the user you are testing with configured on the switch? If so, as what type of user? Have you tried a username which is not configured on the switch?

>
> I have traced the request and response between the FreeRadius server and the
> N5K, the server returns a service-type (6) AVP of Shell user (6) which
> according to the Free Radius documentation at
> http://freeradius.org/rfc/attributes.html is an Administrative user.

Is the Cisco-AVPair also in that response packet? Also, I put the syntax for adding those attributes into the 'users' file. It's probably possible to get them crammed in via the 'default' configuration but it's not necessarily the right place. It may also be the case that you need to make sure you are *not* sending the Cisco-AVPair 'shell:priv-lvl=15'. I know that I needed to put my IOS and NX-OS devices into different huntgroups so that I could assign different AVPair's. I tried just sending both values to both types of devices and did not get the desired effect.

-David Mitchell

>
> The syntax that I have placed into the following file
>
> Cisco-AVPair += "shell:roles=network-admin",
>> Service-Type := Administrative-User,
>
> I have also tried
>
> Hint == "XX", Auth-Type := Accept
>    Reply-Message = "ACCEPT: Authorizing enable access",
>    Cisco-AVPair = "shell:roles*\"network-admin\"",
>    Cisco-AVPair += "shell:priv-lvl=15",
>    Service-Type = Administrative-User,
>    Fall-Through = No
>
> Cisco-AVPair = "shell:roles=\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-operator vdc-admin\""
>>> Cisco-AVPair = "shell:roles=\"network-admin vdc-admin\""
>>> Cisco-AVPair = "shell:roles*\"network-admin\""
>
> The configuration I have on the 5K
>
> radius-server host key 7 "XX" authentication accounting
> aaa group server radius FreeRadius
>    server x
>    use-vrf management
> aaa authentication login default group FreeRadius
> source address x
>
> It looks as though the 5K is not interpreting the attribute correctly, or I
> am not editing the correct file. Whatever syntax I use I get the same
> results, I get authenticated but the nexus places me as an operator.
>
> The file I am editing is /usr/local/etc/raddb/sites-available/default
>
> Rgds
> Darren Shaw
> The Network Team
> Computing Services
> University of Huddersfield
> Queensgate
> Huddersfield
> HD1 3DH
>
> TEL: 01484 471317
> MOBILE: 07792 773807
>
>
> -Original Message-
> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org
> [mailto:freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org] On
> Behalf Of David Mitchell
> Sent: 05 May 2011 15:35
> To: FreeRadius users mailing list
> Subject: Re: Nexus Configurations
>
>
> On May 5, 2011, at 4:47 AM, Darren Shaw wrote:
>
>> Hello David,
>>
>> Thanks for the syntax. Sadly this still does not work. The free radius
>> server will authenticate me as a user but the 5K wants me as an operator and
>> not admin.
>>
>> If you have the 5K working, could I be cheeky and ask if you could mail me
>> the radius config on your 5K
>
> There isn't anything in the radius config that enables this as far as I can
> tell. Do you have a local account on the 5K? That might override the info
> from the RADIUS server. Run the command 'show user-account' after logging in.
> For me, it indicates that the account was created via remote authentication.
> I assume you have run the radius server in debug mode to verify that the
> attributes are actually in the access accept packets sent back to the switch?
>
>
> -David Mitchell
>
>>
>> thanks
>>
>> Rgds
>> Darren Shaw
>> The Network Team
>> Computing Services
>> University of Huddersfield
>> Queensgate
>> Huddersfield
>> HD1 3DH
>>
>> TEL: 01484 471317
>> MOBILE: 07792 773807
>>
>> -Original Message-
>> From: freeradius-users-bounces+d.shaw=hud.ac...@lists.freeradius.org
>> [mailto:freeradius-users-bounces+d.shaw=hud
Re: acct segfault in git v2.1.x
Alexander Clouter wrote:
> Updating to git's v2.1.x to go on a post-Easter bughunt and found the
> following accounting packet[1] seems to segfault freeradius:
...
> #1 0x403075d8 in fnmatch () from /lib/libc.so.6
> #2 0x409da598 in do_detail (instance=0x114e50, request=0x43443240,
> packet=0x43446dd8, compat=) at rlm_detail.c:301

Hmm... calling fnmatch() when the packet was *not* read from the detail file is a bad idea. Oops.

On closer inspection, much of the logic in rlm_detail is broken.

> If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier
> to get on a production box... :)

Nah. I think the Feynman method is fine.

1) look at problem
2) think hard
3) write down solution

Give me a bit and I'll push a change to "git".

Alan DeKok.
Re: acct segfault in git v2.1.x
Hi,

> NAS Port Attribute (5), length: 6, Value: 0

NAS-Port 0

are you serious? ;-)

> Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (14823)
> Vendor Attribute: 2, Length: 4, Value:

..that's an interesting one.

> Unknown Attribute (103), length: 6, Value:

as is that. unpopulated/corrupt attributes.

what are you doing with this accounting packet when it arrives? 'detail' module? SQL ?

alan
acct segfault in git v2.1.x
Updating to git's v2.1.x to go on a post-Easter bughunt and found the following accounting packet[1] seems to segfault freeradius:

    tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:30:34.398885 IP6 (hlim 51, next-header UDP (17) payload length: 258) 2001:630:1:128::185.42390 > 2001:630:1b:6003:90c0:802a:d873:c284.1813: [bad udp cksum 51b1!] RADIUS, length: 250
        Accounting Request (4), id: 0x1b, Authenticator: 44b81fb81af404cb48816ad0c2afc497
          NAS IP Address Attribute (4), length: 6, Value: 128.86.129.105
          Accounting Status Attribute (40), length: 6, Value: Stop
          Username Attribute (1), length: 19, Value: 223...@soas.ac.uk
          NAS Port Attribute (5), length: 6, Value: 0
          NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
          Accounting Session ID Attribute (44), length: 27, Value: 223313@s7CC5376FE7E3-C189
          Accounting Input Octets Attribute (42), length: 6, Value: 42426
          Accounting Output Octets Attribute (43), length: 6, Value: 351596
          Accounting Input Packets Attribute (47), length: 6, Value: 301
          Accounting Output Packets Attribute (48), length: 6, Value: 379
          Accounting Termination Cause Attribute (49), length: 6, Value: Idle Timeout
          Framed IP Address Attribute (8), length: 6, Value: 128.86.184.37
          Calling Station Attribute (31), length: 14, Value: 7CC5376FE7E3
          Called Station Attribute (30), length: 14, Value: 000B860E5100
          Accounting Session Time Attribute (46), length: 6, Value: 06:40 min
          Accounting Delay Attribute (41), length: 6, Value: 00 secs
          Vendor Specific Attribute (26), length: 15, Value: Vendor: Unknown (14823)
            Vendor Attribute: 5, Length: 7, Value: eduroam
          Vendor Specific Attribute (26), length: 11, Value: Vendor: Unknown (14823)
            Vendor Attribute: 6, Length: 3, Value: N/A
          Vendor Specific Attribute (26), length: 20, Value: Vendor: Unknown (14823)
            Vendor Attribute: 1, Length: 12, Value: pre-employee
          Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (14823)
            Vendor Attribute: 2, Length: 4, Value:
          Unknown Attribute (103), length: 6, Value:
          Proxy State Attribute (33), length: 20, Value: OSC-Extended-Id=27

The gdb backtrace is:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x42b7b470 (LWP 9963)]
    0x402dc2bc in strnlen () from /lib/libc.so.6
    (gdb) where
    #0 0x402dc2bc in strnlen () from /lib/libc.so.6
    #1 0x403075d8 in fnmatch () from /lib/libc.so.6
    #2 0x409da598 in do_detail (instance=0x114e50, request=0x43443240, packet=0x43446dd8, compat=) at rlm_detail.c:301
    #3 0x00022110 in call_modsingle (component=3, c=, request=0x43443240) at modcall.c:297
    #4 modcall (component=3, c=, request=0x43443240) at modcall.c:670
    #5 0x0001ec94 in indexed_modcall (comp=3, idx=0, request=0x43443240) at modules.c:737
    #6 0xeefc in rad_accounting (request=0x43443240) at acct.c:93
    #7 0x0002f16c in radius_handle_request (request=0x43443240, fun=0xee60 ) at event.c:3780
    #8 0x00026a4c in request_handler_thread (arg=) at threads.c:525
    #9 0x400818cc in start_thread () from /lib/libpthread.so.0
    #10 0x40330bdc in clone () from /lib/libc.so.6
    #11 0x40330bdc in clone () from /lib/libc.so.6
    Backtrace stopped: previous frame identical to this frame (corrupt stack?)

If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier to get on a production box... :)

Cheers

[1] http://stuff.digriz.org.uk/freeradius-acct-segfault.pcap

--
Alexander Clouter
.sigmonster says: Preserve the old, but know the new.
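The decode above prints an empty Value for attribute 103 and for Vendor Attribute 2, yet their length fields leave room for four bytes of data each. The Python sketch below, an added example that is not from the thread or the FreeRADIUS source, walks RADIUS attributes with length checks over a constructed packet that reuses those types and lengths. The four-byte values, the zeroed authenticator and all function names are assumptions, and vendor sub-attributes are assumed to use the same type/length/value layout the decode shows.

```python
import struct

VENDOR_SPECIFIC = 26


class MalformedPacket(ValueError):
    """Raised when a length field does not fit the data that carries it."""


def parse_attributes(data):
    """Split a run of type/length/value attributes into (type, value) pairs.

    The length byte counts the two header bytes, so anything below 2 or
    running past the end of the buffer is rejected instead of followed.
    """
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedPacket("truncated attribute header at offset %d" % pos)
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise MalformedPacket("bad length %d for attribute %d" % (a_len, a_type))
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, sub-attribute pairs)."""
    if len(value) < 4:
        raise MalformedPacket("Vendor-Specific value shorter than the vendor id")
    return struct.unpack("!I", value[:4])[0], parse_attributes(value[4:])


def parse_packet(packet):
    """Return (code, identifier, attributes) after checking the header length."""
    if len(packet) < 20:
        raise MalformedPacket("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise MalformedPacket("header length %d does not fit the datagram" % length)
    return code, ident, parse_attributes(packet[20:length])


def is_printable(value):
    """True when every byte is printable ASCII, i.e. a decoder would show text."""
    return all(0x20 <= b <= 0x7E for b in value)


def tlv(a_type, value):
    """Encode one attribute: type, length (header included), value."""
    return bytes([a_type, len(value) + 2]) + value


def sample_packet():
    """Constructed Accounting-Request reusing types and lengths from the decode."""
    vendor = struct.pack("!I", 14823)
    body = (
        tlv(40, struct.pack("!I", 2))                    # Acct-Status-Type = Stop
        + tlv(26, vendor + tlv(5, b"eduroam"))           # length 15, printable
        + tlv(26, vendor + tlv(2, b"\x00\x00\x00\x01"))  # length 12, constructed value
        + tlv(103, b"\x00\x00\x00\x07")                  # length 6, constructed value
    )
    return struct.pack("!BBH", 4, 0x1B, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    code, ident, attrs = parse_packet(sample_packet())
    for a_type, value in attrs:
        print(a_type, len(value), "text" if is_printable(value) else "binary")
```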
Re: Radius Database
Thank you

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-Database-tp4375341p4381272.html
Re: Simultaneous logins
The query is ok for my purpose, when I execute it it returns 1 when a session is active and 0 when no session is available. However when I uncomment the simul query, all logins are terminated by User-Error after 10 seconds and not Session-Timeout after x time as it's supposed to be, if I commented the simul query, all work ok again. Do I need a specific configuration in authorize section?

On Mon, May 9, 2011 at 2:49 AM, Fajar A. Nugraha wrote:
> On Mon, May 9, 2011 at 12:46 PM, Franz wrote:
> > What I meant on the second part is that i am using localhost on
> > clients.conf,
>
> Please don't top-post.
>
> > so now when i am just checking session with sql
> > simul_count_query, and as soon as the request is received by server it says
> > the user is already logged in, even is is not logged in:
> > checkrad: No NAS type, or type "other" not checking
>
> if you only store session on sql, you don't need checkrad. You can
> just comment-out radutmp from session section.
>
> > rlm_sql (sql): Released sql socket id: 1
> > ++[sql] returns ok
> > expand: good -> good
> > Multiple logins (max 1) [MPP attempt]: [C8P7G6/C8P7G6] (from client
> > localhost port 7 cli 192.168.0.7) good
> > Using Post-Auth-Type Reject
> > # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> > +- entering group REJECT {...}
>
> You can try executing the query manually and see if the query is doing
> the right thing.
> Also, the query is customizable, so if you know that all acct entries
> from localhost are dummy entries you can just modify the query to
> exclude them.
>
> --
> Fajar