Example configuration that proxy PEAP MSCHAPv2 to an IAS server

2011-08-26 Thread Glenn Machin

I am using radiusd: FreeRADIUS Version 2.1.11.

I cannot seem to get the RHEL5 (2.6.18-238.9.1.el5) ntlm_auth program to 
properly authenticate the challenge and nt-response packets.
If I set the password using clear-text and also set 
MS-CHAP-Use-NTLM-Auth, the authentication works fine.  The version of 
ntlm_auth is Version 3.5.4-0.83.el5



So my next step is to try to filter PEAP MSCHAPv2 requests and proxy 
them off to an IAS server.   However I still want PEAP GTC packets 
handled on this server.



Anyone doing such a thing?  If so can you tell me how you set up 
eap.conf, sites-enabled/inner-tunnel and sites-enabled/default, or any 
other configuration files?



Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Realm parsing and \r => =0D

2011-08-26 Thread Rich Graves
I found the documentation of what needs to be done to support both NTDOMAIN\ 
and @realm styles in the same vhost. In sites-available/inner-tunnel, it says:

#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.

What this fails to say is where ignore_null needs to be set. Despite the 
comments to the effect that modules/suffix is deprecated and no longer used by 
freeradius 2, editing modules/suffix appears to work. Is there a non-deprecated 
fix?


Re: radmin del client error

2011-08-26 Thread tohaikmeng
Hello Arran and Alan, 

Arran is right. Yes! Thanks guys for your patience.
I would love to send you guys a tarball of my configs.
Currently, I am away from my server for the next 2 days. And I will send u guys
once I am back in office. :)

Alex



Re: sql and xlat in authorize section

2011-08-26 Thread Sébastien Barbereau
Of course!
Didn't instantiate it properly!

Thanks!

On Fri, Aug 26, 2011 at 9:31 AM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

>
> >
> > Here is the module:
> > sql sql_local {
> > database = "mysql"
> > driver = "rlm_sql_${database}"
> > server = "localhost"
> > login = "radius"
> > password = ""
> > radius_db = "radius-MAB"
> > read_groups = no
> > sqltrace = yes
> > sqltracefile = ${logdir}/sqltrace.sql
> > num_sql_socks = 5
> > connect_failure_retry_delay = 5
> > lifetime = 0
> > max_queries = 0
> > }
> >
> > Can this be version related? i'm running 2.1.10 ...
>
> That should be fine. Could you post the full debug output, just including
> the file doesn't mean SQL got instantiated.
>
> -Arran
>
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> RADIUS - Half the complexity of Diameter
>
>

Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs

2011-08-26 Thread Alan DeKok
Grace M. wrote:
> A quick reading about radsec (http://wiki.freeradius.org/RadSec) shows
> that it's not supported by freeradius??

  The git "master" branch has RadSec support.  See
http://git.freeradius.org.

  Alan DeKok.


Re: Packet Fence web interface and freeradius users

2011-08-26 Thread Marlon Bastida
Jake,

I sent the same message to the Packet Fence list.

Tks Marlon

2011/8/25 Sallee, Stephen (Jake) 

> I just finished a deployment that did exactly that!  This may be a
> subject more suited for their mailing list (which I am on as well).
>
> Message me on that list and I bet we can get you working. I only say this
> because from what you say FreeRADIUS is sending the correct radius
> attributes back, if that is the case then FR is doing its job perfectly and
> the problem likely lies with your NAS.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> *From:* freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] *On Behalf Of* Marlon Bastida
> *Sent:* Thursday, August 25, 2011 9:16 PM
> *To:* freeradius-users@lists.freeradius.org
> *Subject:* Packet Fence web interface and freeradius users
>
> Hi,
>
> I have 3 radius users working on freeradius. I will give one sample:
>
> On /etc/raddb/users
>
> test    Cleartext-Password := "test"
>         Service-Type = Framed-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-ID = "2"
>
> When I enter with this user credentials on Xp client 802.1X auth they give
> to the proper VLAN assigned. For example I have VLAN-ID = 2 - registration,
> 3 - isolation, 5 - guests, 10 - normal.
>
> So with the statement Tunnel-Private-Group-ID = VLAN-ID, I can't get
> successfully put a user on the proper VLAN, in this case above entered on
> registration VLAN.
>
> If anyone has acknowledge with Packet Fence solution I would like some help
> to integrate these users with web interface of Packet Fence 2.1.0. So I can
> get on the Violation Tab (isolation VLAN) an user or Node Tab (guests VLAN).
>
> Tks in advance,
>
> Marlon
>

Re: radmin del client error

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 12:38, Alan Buxey wrote:

> Hi,
> 
>> I think he's saying he created a directory to put all the dynamic clients 
>> files, and that he's symlinked the virtual server correctly.
> 
> at which point I would ask, WHY bother with the dynamic-client
> VS at all?? if all that is happening is that standard client {}
> entries are going into it, then just add them to clients.conf instead
> as the server will need reloading to read new content of those
> files anyway..
> 

If you read back through the thread you'll see the reason.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs

2011-08-26 Thread Grace M.
Again thanks Arran.

This is quite a handful!

A quick reading about radsec (http://wiki.freeradius.org/RadSec) shows that it's 
not supported by freeradius??

What about the "encrypted tunnel" way, can you lead me to a tutorial or MAN 
page that may help me?

Many thanks.

Grace.

  - Original Message - 
  From: Arran Cudbard-Bell 
  To: FreeRadius users mailing list 
  Sent: Friday, August 26, 2011 3:23 PM
  Subject: Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs




  On 26 Aug 2011, at 12:08, Grace M. wrote:


Thank you Arran for quick reply.

Since the NAS(s) will be in other networks, they will appear to my server 
as dynamic *public ips* and sometimes the NAS(s) will be multiple
in one external NATed network (such will appear as from 1 public ip). In 
this case I will need to specify a range of public ips??


  Yes, either that or use the dynamic-clients virtual server in 
raddb/sites-available to just accept any client. Then use the same shared 
secret for all external clients.


  If you're using an EAP method with some kind of TLS layer then the shared 
secret doesn't really do anything useful, other than providing crude protection 
against DoS attacks (even then that won't always work).


  Incidentally if you are doing PAP or CHAP then you should not be sending the 
RADIUS packets over a public network without using RADSEC or running them 
through some sort of encrypted tunnel. 


  -Arran







Don't know am making sense.

Grace
  - Original Message -
  From: Arran Cudbard-Bell
  To: FreeRadius users mailing list
  Sent: Friday, August 26, 2011 2:55 PM
  Subject: Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs




  On 26 Aug 2011, at 11:49, Grace M. wrote:


Guyz,

I have FreeRADIUS Version 2.1.10 working with mysql to authenticate 
users connected to a number of NAS(s).

Now, I would like to authenticate NAS(s) which should connect to my 
freerad from other networks (outside my lan) which have dynamic IPs.

Anyone with a trick on how to configure clients.conf for that?


  You can specify IP ranges for clients? Would this help? Or are the 
dynamic clients extra dynamic?


  -Arran


  Arran Cudbard-Bell
  a.cudba...@freeradius.org


  RADIUS - Half the complexity of Diameter






Re: radmin del client error

2011-08-26 Thread Alan Buxey
Hi,

> I think he's saying he created a directory to put all the dynamic clients 
> files, and that he's symlinked the virtual server correctly.

at which point I would ask, WHY bother with the dynamic-client
VS at all?? if all that is happening is that standard client {}
entries are going into it, then just add them to clients.conf instead
as the server will need reloading to read new content of those
files anyway..


alan


Re: radmin del client error

2011-08-26 Thread tohaikmeng
Hello Alan,

Yes, this 'dynamic-clients' is a file, the original and default file as you
mentioned in the previous message. The content is as follows. If you
noticed? the directory was assigned with a dynamic-clients folder resides in
raddb folder. 

client dynamic {
    ipaddr = 0.0.0.0
    netmask = 0
    dynamic_clients = dynamic_client_server
    directory = ${confdir}/dynamic-clients/
    lifetime = 3600
}

Alex



Re: radmin del client error

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 12:10, Alan Buxey wrote:

> Hi,
> 
>> [root@server sites-enabled]# pwd
>> /usr/local/etc/raddb/sites-enabled
>> [root@server sites-enabled]# ls -al
>> total 0
>> lrwxrwxrwx 1 root root 33 2011-08-22 15:58 control-socket -> ../sites-available/control-socket
>> lrwxrwxrwx 1 root root 26 2011-08-22 15:58 default -> ../sites-available/default
>> lrwxrwxrwx 1 root root 52 2011-08-24 16:27 dynamic-clients -> /usr/local/etc/raddb/sites-available/dynamic-clients
> 
> this 'dynamic-clients' should be a file, not a directory

I think he's saying he created a directory to put all the dynamic clients 
files, and that he's symlinked the virtual server correctly.

Could you just send us a tarball of your config with the sensitive bits removed?

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 12:08, Grace M. wrote:

> Thank you Arran for quick reply.
>  
> Since the NAS(s) will be in other networks, they will appear to my server as 
> dynamic *public ips* and sometimes the NAS(s) will be multiple
> in one external NATed network (such will appear as from 1 public ip). In this 
> case I will need to specify a range of public ips??

Yes, either that or use the dynamic-clients virtual server in 
raddb/sites-available to just accept any client. Then use the same shared 
secret for all external clients.

If you're using an EAP method with some kind of TLS layer then the shared 
secret doesn't really do anything useful, other than providing crude protection 
against DoS attacks (even then that won't always work).

Incidentally if you are doing PAP or CHAP then you should not be sending the 
RADIUS packets over a public network without using RADSEC or running them 
through some sort of encrypted tunnel. 

-Arran



>  
> Don't know am making sense.
>  
> Grace
> - Original Message -
> From: Arran Cudbard-Bell
> To: FreeRadius users mailing list
> Sent: Friday, August 26, 2011 2:55 PM
> Subject: Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs
> 
> 
> On 26 Aug 2011, at 11:49, Grace M. wrote:
> 
>> Guyz,
>>  
>> I have FreeRADIUS Version 2.1.10 working with mysql to authenticate users 
>> connected to a number of NAS(s).
>>  
>> Now, I would like to authenticate NAS(s) which should connect to my freerad 
>> from other networks (outside my lan) which have dynamic IPs.
>>  
>> Anyone with a trick on how to configure clients.conf for that?
> 
> You can specify IP ranges for clients? Would this help? Or are the dynamic 
> clients extra dynamic?
> 
> -Arran
> 
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> 
> RADIUS - Half the complexity of Diameter
> 
> 
> 

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

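An added illustration of the PAP remark in the message above (not part of the original post, and not FreeRADIUS code): the User-Password hiding from RFC 2865 section 5.2, written out in Python to show that the shared secret is the only input that is not carried in the packet. The secret, password and Request Authenticator are constructed sample values, and the function names are made up for this example.

```python
import hashlib

# Constructed sample values for this example (none of them come from the thread).
SHARED_SECRET = b"same-secret-on-every-external-nas"
REQUEST_AUTHENTICATOR = bytes(range(16))    # 16 octets, sent in clear in the header
PASSWORD = b"correct horse battery staple"  # 28 octets, so two 16-octet blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """NAS side: build the User-Password attribute value (RFC 2865, 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))       # ceiling, at least one block
    padded = password.ljust(blocks * 16, b"\x00")  # pad with NULs to 16n octets
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Keystream block = MD5(secret + previous hidden block); the first
        # block uses the Request Authenticator in place of a previous block.
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def unhide_password(hidden, secret, authenticator):
    """Server side: recover the password from the attribute value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden value must be 16 to 128 octets in 16-octet blocks")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")  # padding NULs are not part of the password


def what_the_secret_protects():
    """Summarise, for one sample request, what depends on the shared secret."""
    hidden = hide_password(PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    return {
        "attribute_octets": len(hidden),
        # Anyone holding the secret gets the password back from packet contents.
        "recovered_with_shared_secret":
            unhide_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR),
        # A different secret only produces unrelated bytes.
        "other_secret_recovers_password":
            unhide_password(hidden, b"a-different-secret",
                            REQUEST_AUTHENTICATOR) == PASSWORD,
    }


if __name__ == "__main__":
    for key, value in what_the_secret_protects().items():
        print(f"{key}: {value!r}")
```

Both the Request Authenticator and the hidden attribute travel inside the Access-Request, so with one secret shared by every external NAS the confidentiality of all PAP passwords rests on that single value; RadSec or a tunnel removes that dependency.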

Re: Authentication probation for VLAN

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 11:39, Alexander Clouter wrote:

> Arran Cudbard-Bell  wrote:
>> 
>>>> * Tunnel-Private-Group-Id:0 = "5"*
>>>>
>>> string != integer
>>> 
>>> Tunnel-Private-Group-Id is a string.
>> 
>> Eww gross. Ok I thought unlang did the conversions automagically 
>> But obviously not
>> 
> Apparently it does work, the OP seems to have neglected to mention that one 
> chunk of the debug was for the outer layer, the other the inner auth :-/

Indeed. *stabby stabby* *sigh*.

I thought it was weird, because I remembered reading the code that did the 
automagical conversions :)

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: radmin del client error

2011-08-26 Thread Alan Buxey
Hi,

> [root@server sites-enabled]# pwd
> /usr/local/etc/raddb/sites-enabled
> [root@server sites-enabled]# ls -al
> total 0
> lrwxrwxrwx 1 root root 33 2011-08-22 15:58 control-socket -> ../sites-available/control-socket
> lrwxrwxrwx 1 root root 26 2011-08-22 15:58 default -> ../sites-available/default
> lrwxrwxrwx 1 root root 52 2011-08-24 16:27 dynamic-clients -> /usr/local/etc/raddb/sites-available/dynamic-clients

this 'dynamic-clients' should be a file, not a directory

alan


Re: Authentication probation for VLAN

2011-08-26 Thread Alexander Clouter
Arran Cudbard-Bell  wrote:
> 
>>> * Tunnel-Private-Group-Id:0 = "5"*
>>> 
>> string != integer
>> 
>> Tunnel-Private-Group-Id is a string.
> 
> Eww gross. Ok I thought unlang did the conversions automagically 
> But obviously not
> 
Apparently it does work, the OP seems to have neglected to mention that one 
chunk of the debug was for the outer layer, the other the inner auth :-/

Cheers

-- 
Alexander Clouter
.sigmonster says: Misfortunes arrive on wings and leave on foot.



Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs

2011-08-26 Thread Grace M.
Thank you Arran for quick reply.

Since the NAS(s) will be in other networks, they will appear to my server as 
dynamic *public ips* and sometimes the NAS(s) will be multiple
in one external NATed network (such will appear as from 1 public ip). In this 
case I will need to specify a range of public ips??
 
Don't know am making sense.

Grace
  - Original Message - 
  From: Arran Cudbard-Bell 
  To: FreeRadius users mailing list 
  Sent: Friday, August 26, 2011 2:55 PM
  Subject: Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs




  On 26 Aug 2011, at 11:49, Grace M. wrote:


Guyz,

I have FreeRADIUS Version 2.1.10 working with mysql to authenticate users 
connected to a number of NAS(s).

Now, I would like to authenticate NAS(s) which should connect to my freerad 
from other networks (outside my lan) which have dynamic IPs.

Anyone with a trick on how to configure clients.conf for that?


  You can specify IP ranges for clients? Would this help? Or are the dynamic 
clients extra dynamic?


  -Arran


  Arran Cudbard-Bell
  a.cudba...@freeradius.org


  RADIUS - Half the complexity of Diameter





Re: radmin del client error

2011-08-26 Thread tohaikmeng
Hello Alan,

Very thankful for your reply and correct my understanding.

(Shown below) I actually did the symlink to dynamic-clients file. This file
allows me to indicate the directory where client definitions are stored. I
uncommented this -> directory = ${confdir}/dynamic-clients/ <- however this
dynamic-clients does not exist, so i did a mkdir dynamic-clients under
$confdir (which is raddb). This folder is empty so after i started the
radiusd -X -x, I will add a client definition file to this newly created
folder (dynamic-clients/). Am I right to do that? Did i miss out any steps?
Hope this is clearer. 

[root@server sites-enabled]# pwd
/usr/local/etc/raddb/sites-enabled
[root@server sites-enabled]# ls -al
total 0
lrwxrwxrwx 1 root root 33 2011-08-22 15:58 control-socket -> ../sites-available/control-socket
lrwxrwxrwx 1 root root 26 2011-08-22 15:58 default -> ../sites-available/default
lrwxrwxrwx 1 root root 52 2011-08-24 16:27 dynamic-clients -> /usr/local/etc/raddb/sites-available/dynamic-clients
lrwxrwxrwx 1 root root 31 2011-08-22 15:58 inner-tunnel -> ../sites-available/inner-tunnel

Alex




Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 11:49, Grace M. wrote:

> Guyz,
>  
> I have FreeRADIUS Version 2.1.10 working with mysql to authenticate users 
> connected to a number of NAS(s).
>  
> Now, I would like to authenticate NAS(s) which should connect to my freerad 
> from other networks (outside my lan) which have dynamic IPs.
>  
> Anyone with a trick on how to configure clients.conf for that?

You can specify IP ranges for clients? Would this help? Or are the dynamic 
clients extra dynamic?

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


A trick for configuring freerad to authenticate multiple NAS with dynamic IPs

2011-08-26 Thread Grace M.
Guyz,

I have FreeRADIUS Version 2.1.10 working with mysql to authenticate users 
connected to a number of NAS(s).

Now, I would like to authenticate NAS(s) which should connect to my freerad 
from other networks (outside my lan) which have dynamic IPs.

Anyone with a trick on how to configure clients.conf for that?

Regards

Grace

Re: authenticate realm no matter what username is

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 11:16, Barry Murphy wrote:

> Hey guys,
> 
> We're an ISP providing ADSL services ourselves and on behalf of our 
> wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
> with no issues. I'm trying to add realms of competitors to our radius so when 
> customers are migrated from our competitors to our network they get 
> authenticated and I drop them into a VRF displaying to them they need to 
> change their login details. I've already got the VRF working, the forwarder 
> page etc, I just can't seem to get users to authenticate with a wildcard 
> *@dsl.competitor.co.nz
> 
> I have tried the following varies in users file…
> 
> DEFAULT   User-Name =~ "~*\\.xnet\\.co\\.nz$" 
> 

Surely you want 

User-Name =~ ".*\\.xnet\\.co\\.nz$" ?

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: radmin del client error

2011-08-26 Thread Alan Buxey
Hi,
> Hello,
> 
> I have manually moved the 192.168.169.74 file into raddb/dynamic-clients
> folder after i start radius daemon. (radiusd -X -x)
> 
> I did make sure that raddb/sites-available/dynamic_clients contains
> directory = /usr/local/etc/raddb/dynamic-clients
> 
> I sent a packet to the server yet i still received the following error.
> Error: Ignoring request to authentication address * port 1812 from unknown
> client 192.168.169.74 port 56181
> 
> Is there any mistakes i did in the above?
> 
> In case, you are curious.. my file 192.168.169.74 contains the following.
> 
> client 192.168.169.74 {
> ipaddr = 192.168.169.74
> secret = secret
> }

huh??? what are you doing with that config?


just take the default file 'dynamic-clients', either put a COPY of that into 
raddb/sites-enabled/ directory, or put a symlink to it

then edit dynamic-clients file for your purpose


you have instead done some weird things, you have a file in sites-available
which will never be read by the main server - it's sites-AVAILABLE  - if you 
read the output of radiusd -X you will clearly see that the file is never read
or used.

cheers

alan


authenticate realm no matter what username is

2011-08-26 Thread Barry Murphy
Hey guys,

We're an ISP providing ADSL services ourselves and on behalf of our 
wholesalers. I have a bunch of realms that are LOCAL and proxied which work 
with no issues. I'm trying to add realms of competitors to our radius so when 
customers are migrated from our competitors to our network they get 
authenticated and I drop them into a VRF displaying to them they need to change 
their login details. I've already got the VRF working, the forwarder page etc, 
I just can't seem to get users to authenticate with a wildcard 
*@dsl.competitor.co.nz

I have tried the following varies in users file…

DEFAULT User-Name =~ "~*\\.xnet\\.co\\.nz$"
Auth-Type := Accept,
Pool-Name := un-auth,
Service-Type = Framed-User,
Framed-Protocol = PPP,
Cisco-Avpair += "ip:vrf-id=Suspended",
Cisco-Avpair += "ip:ip-unnumbered=Loopback 1000",
Cisco-Avpair += "ip:dns-servers=14.1.33.1 120.136.0.25"

DEFAULT  Realm == "ihug.co.nz", Auth-Type := Accept

None work and all look for a username. So in the above scenarios I want 
anyth...@dsl.xnet.co.nz or whate...@ihug.co.nz to authenticate and be assigned 
an IP address from the pool and dropped into the vrf Suspended where I do my 
tricks based on their IP address to display a splash page advising the customer 
it's time to modify their username & password on their router.

I've found many examples based on MAC authentication but none that work 
unfortunately.

Any help would be much appreciated

Thanks
Barry


Re: How to connect FreeRADIUS using JAVA

2011-08-26 Thread Suman Dash
Look Into Jradius 

On Fri, Aug 26, 2011 at 1:02 PM, Rajkumar Balaji <
rajkumar.balaj...@gmail.com> wrote:

> Hi,
>
> If anyone knows how to connect FreeRADIUS using JAVA
> Please help me to solve this
>
> Thanks
>
> Regards
> Rajkumar

How to store group ID into radius and retrieve it back

2011-08-26 Thread Rajkumar Balaji
Hi everyone,

I am new to FreeRADIUS.
I have a requirement to store and retrieve it back to java to Authorize the
user
Please help me to resolve this.

Thanks

How to connect FreeRADIUS using JAVA

2011-08-26 Thread Rajkumar Balaji
Hi,

If anyone knows how to connect FreeRADIUS using JAVA
Please help me to solve this

Thanks

Regards
Rajkumar

Re: sql and xlat in authorize section

2011-08-26 Thread Arran Cudbard-Bell

> 
> Here is the module:
> sql sql_local {
> database = "mysql"
> driver = "rlm_sql_${database}"
> server = "localhost"
> login = "radius"
> password = ""
> radius_db = "radius-MAB"
> read_groups = no
> sqltrace = yes
> sqltracefile = ${logdir}/sqltrace.sql
> num_sql_socks = 5
> connect_failure_retry_delay = 5
> lifetime = 0
> max_queries = 0
> }
> 
> Can this be version related? i'm running 2.1.10 ...

That should be fine. Could you post the full debug output, just including the 
file doesn't mean SQL got instantiated.

-Arran


Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: sql and xlat in authorize section

2011-08-26 Thread Sébastien Barbereau
hi
thought so at the beginning but I did :)
The startup of freeradius shows that the module is loaded (called
local-sql.conf):
...
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/modules/files
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/modules/policy
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/modules/local-sql.conf
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/modules/smbpasswd
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/eap.conf
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/policy.conf
Thu Aug 25 16:26:48 2011 : Debug: including files in directory /etc/raddb/sites-enabled/
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/sites-enabled/default
Thu Aug 25 16:26:48 2011 : Debug: including configuration file /etc/raddb/sites-enabled/control-socket
Thu Aug 25 16:26:48 2011 : Debug: main {


Here is the module:
sql sql_local {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radius"
    password = ""
    radius_db = "radius-MAB"
    read_groups = no
    sqltrace = yes
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 5
    connect_failure_retry_delay = 5
    lifetime = 0
    max_queries = 0
}

Can this be version related? i'm running 2.1.10 ...

On Thu, Aug 25, 2011 at 5:29 PM, Arran Cudbard-Bell <
a.cudba...@freeradius.org> wrote:

> Means you haven't instantiated your SQL module with the correct instance
> name.
>
> Check that the config block for your SQL is :
>
> sql sql_local {
>
> }
>
> -Arran
>
>
> On 25 Aug 2011, at 16:57, Sébastien Barbereau wrote:
>
> Hi,
> I am trying to do mac authorization as per
> http://wiki.freeradius.org/Mac-Auth#Mac-Auth+authorisation+by+SSID+SQL
> In fact my attempt is much simpler as I just have a very simple table
> containing the mac address of system to accept. My conf looks like that:
>
> authorize {
> ...
>     # newer authorized macs
>     if("%{sql_local:SELECT COUNT(mac) FROM authorized_macs WHERE mac ='%{Calling-Station-ID}'}" > 0){
>         update control {
>             Auth-Type := Accept
>         }
>         ok = return
>     }
>
> ...
> }
>
> But when doing an authentication attempt I get the following in the debug
> logs :
> ...
> Thu Aug 25 16:52:56 2011 : Info: ++? if (ok) -> FALSE
> Thu Aug 25 16:52:56 2011 : Info: ++? if ("%{sql_local:SELECT COUNT(mac) FROM authorized_macs WHERE mac ='%{Calling-Station-ID}'}" > 0)
> Thu Aug 25 16:52:56 2011 : Info: WARNING: Unknown module "sql_local" in string expansion "%"
> Thu Aug 25 16:52:56 2011 : Info: ? Evaluating ("%{sql_local:SELECT COUNT(mac) FROM authorized_macs WHERE mac ='%{Calling-Station-ID}'}" > 0) -> FALSE
> Thu Aug 25 16:52:56 2011 : Info: ++? if ("%{sql_local:SELECT COUNT(mac) FROM authorized_macs WHERE mac ='%{Calling-Station-ID}'}" > 0) -> FALSE
> ...
>
> As far as I can understand the documentation this should be working (
> http://wiki.freeradius.org/Rlm_sql#SQL+xlat). Any helpful hand which can
> bring some light to the darkness of my intellect?
>
>
> Cheers,
> seb.
>
>
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> RADIUS - Half the complexity of Diameter
>
>

Re: radmin del client error

2011-08-26 Thread tohaikmeng
Hello,

I have manually moved the 192.168.169.74 file into raddb/dynamic-clients
folder after i start radius daemon. (radiusd -X -x)

I did make sure that raddb/sites-available/dynamic_clients contains
directory = /usr/local/etc/raddb/dynamic-clients

I sent a packet to the server yet i still received the following error.
Error: Ignoring request to authentication address * port 1812 from unknown
client 192.168.169.74 port 56181

Is there any mistakes i did in the above?

In case, you are curious.. my file 192.168.169.74 contains the following.

client 192.168.169.74 {
    ipaddr = 192.168.169.74
    secret = secret
}

Regards,
Alex

 
