RE: How to update a MySql table after successfully WIFI
Arran,

Thanks a lot again.

It works.

As what you advised,

1. edit /usr/local/etc/raddb/sites-available/default, uncomment below sql line.
   post-auth {
   ..
   #sql
   ..
   }
2. edit /usr/local/etc/raddb/sql/mysql/dialup.conf
   update postauth_query definition.

Very busy these days. So reply late.

Tom

-- Original --
From: freeradius-users <freeradius-users-requ...@lists.freeradius.org>
Date: Fri, Sep 2, 2011 06:11 AM
To: freeradius-users <freeradius-users@lists.freeradius.org>
Subject: Freeradius-Users Digest, Vol 77, Issue 5

Today's Topics:

1. How to update a MySql table after successfully WIFI authentication? ( 2394263740 )
2. Re: How to update a MySql table after successfully WIFI authentication? (Arran Cudbard-Bell)
3. Re: Example configuration that proxy PEAP MSCHAPv2 to an IAS server (Jacob Dawson)
4. Using encrypted passwords in users file (sundoo)
5. cisco 3825 authentication error (Dom)
6. Re: Using encrypted passwords in users file (Paul Bartell)
7. Re: Pre release of 2.1.12 (Alan Buxey)

--
Message: 1
Date: Thu, 1 Sep 2011 22:29:11 +0800
From: 2394263740 <2394263...@qq.com>
Subject: How to update a MySql table after successfully WIFI authentication?
To: freeradius-users <freeradius-users@lists.freeradius.org>
Message-ID: tencent_3b36e2af6f7d0370683c1...@qq.com
Content-Type: text/plain; charset=iso-8859-1

Hello,

I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1.

OS: Linux Enterprise Server 6.1
Radius: free radius server 2.1.11
Database: Mysql

I got a WIFI network, using one radius server. The whole thing works fine.

I got a requirement, which is, after each successful WIFI connection, one record needs to be added into the connectionlog table.

CREATE TABLE connectionlog (
  radacctid bigint(21) NOT NULL auto_increment,
  acctsessionid varchar(64) NOT NULL default '',
  acctuniqueid varchar(32) NOT NULL default '',
  username varchar(64) NOT NULL default '',
  groupname varchar(64) NOT NULL default '',
  realm varchar(64) default '',
  nasipaddress varchar(15) NOT NULL default '',
  nasportid varchar(15) default NULL,
  nasporttype varchar(32) default NULL,
  acctstarttime datetime NULL default NULL,
  acctstoptime datetime NULL default NULL,
  acctsessiontime int(12) default NULL,
  acctauthentic varchar(32) default NULL,
  connectinfo_start varchar(50) default NULL,
  connectinfo_stop varchar(50) default NULL,
  acctinputoctets bigint(20) default NULL,
  acctoutputoctets bigint(20) default NULL,
  calledstationid varchar(50) NOT NULL default '',
  callingstationid varchar(50) NOT NULL default '',
  acctterminatecause varchar(32) NOT NULL default '',
  servicetype varchar(32) default NULL,
  framedprotocol varchar(32) default NULL,
  framedipaddress varchar(15) NOT NULL default '',
  acctstartdelay int(12) default NULL,
  acctstopdelay int(12) default NULL,
  xascendsessionsvrkey varchar(10) default NULL,
  PRIMARY KEY (radacctid),
  KEY username (username),
  KEY framedipaddress (framedipaddress),
  KEY acctsessionid (acctsessionid),
  KEY acctsessiontime (acctsessiontime),
  KEY acctuniqueid (acctuniqueid),
  KEY acctstarttime (acctstarttime),
  KEY acctstoptime (acctstoptime),
  KEY nasipaddress (nasipaddress)
) ;

Can you please kindly advise how to do this?
Which file should be edited? Where is the context to put in the script? What is the script?

Thanks!

Tom

--
Message: 2
Date: Thu, 1 Sep 2011 16:36:40 +0200
From: Arran Cudbard-Bell <a.cudba...@freeradius.org>
Subject: Re: How to update a MySql table after successfully WIFI authentication?
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: c781bd59-4f30-48c4-b6cc-ff4790379...@freeradius.org
Content-Type: text/plain; charset=iso-8859-1

Look in raddb/sql/mysql/dialup.conf

The postauth query is the one you need to edit.

Then
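The two edits described in this thread, written out as an added example (it is not from the original posts and is not the FreeRADIUS project's shipped configuration). Writing directly into connectionlog and the choice of columns are assumptions; the file paths and table definition are the ones given in the thread.

```conf
# Added example for FreeRADIUS 2.1.x; only the lines that change are shown.

# 1. /usr/local/etc/raddb/sites-available/default
#    The top level of post-auth runs for accepted requests, so enabling
#    the sql module here gives one row per successful authentication.
#    Leave the other entries in the section as they are.
post-auth {
	sql
}

# 2. /usr/local/etc/raddb/sql/mysql/dialup.conf
#    Assumption: insert straight into the connectionlog table from the
#    first message, filling only the columns known at authentication
#    time. The remaining columns fall back to their declared defaults.
#
#    The stock postauth_query also writes the User-Password or
#    CHAP-Password value into a "pass" column. No password column is
#    written here, so the log table never holds credentials.
#
#    %S expands to the request timestamp in SQL datetime format.
postauth_query = "INSERT INTO connectionlog \
	(username, nasipaddress, nasporttype, \
	 calledstationid, callingstationid, acctstarttime) \
	VALUES ( \
	'%{User-Name}', '%{NAS-IP-Address}', '%{NAS-Port-Type}', \
	'%{Called-Station-Id}', '%{Calling-Station-Id}', '%S')"
```

Attribute values expanded inside the query are escaped by the sql module according to safe-characters in sql.conf, so that setting should stay restrictive. The database account used by the server needs INSERT on connectionlog and nothing broader for this query.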
which one to use - Radgroupcheck or Radgroupreply
Hi All;

I am using chillispot on a router with dd-wrt and I wanted to use the following parameters, but don't know where to load them in my Freeradius Mysql config, pls:

Session-Timeout = 3600
Idle-Timeout = 600
Acct-Interim-Interval = 60
WISPr-Redirection-URL = http://www.google.com/
WISPr-Bandwidth-Max-Up = 12800
WISPr-Bandwidth-Max-Down = 25600

And also if I should use = or any other operator pls?

Thanks
lucio

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: which one to use - Radgroupcheck or Radgroupreply
On 4 Sep 2011, at 14:28, Lucio Godoy wrote:

Hi All;

I am using chillispot on a router with dd-wrt and I wanted to use the following parameters, but don't know where to load them in my Freeradius Mysql config, pls:

Session-Timeout = 3600
Idle-Timeout = 600
Acct-Interim-Interval = 60
WISPr-Redirection-URL = http://www.google.com/
WISPr-Bandwidth-Max-Up = 12800
WISPr-Bandwidth-Max-Down = 25600

And also if I should use = or any other operator pls?

radreply, and either = or := operators.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: which one to use - Radgroupcheck or Radgroupreply
Thank you very much

My biggest wish is to make sure of the Acct-Interim-Interval feature

Thanks
Lucio

-Original Message-
From: Arran Cudbard-Bell a.cudba...@freeradius.org
Date: Sun, 4 Sep 2011 12:45:02
To: freeradius-users@lists.freeradius.org
Subject: Re: which one to use - Radgroupcheck or Radgroupreply

On 4 Sep 2011, at 14:28, Lucio Godoy wrote:

Hi All;

I am using chillispot on a router with dd-wrt and I wanted to use the following parameters, but don't know where to load them in my Freeradius Mysql config, pls:

Session-Timeout = 3600
Idle-Timeout = 600
Acct-Interim-Interval = 60
WISPr-Redirection-URL = http://www.google.com/
WISPr-Bandwidth-Max-Up = 12800
WISPr-Bandwidth-Max-Down = 25600

And also if I should use = or any other operator pls?

radreply, and either = or := operators.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
Re: Pre release of 2.1.12
Alexander Clouter wrote:

Would be handy to change Acct-Interim-Interval to something like:

update reply {
	Acct-Interim-Interval := 3000 + %{rand:1200}
}

Cute. Added.

Alan DeKok.
Re: Pre release of 2.1.12
Alan Buxey wrote:

however, I have noticed a bug/change of behaviour which doesn't seem right.

Fri Sep 2 17:15:04 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
Fri Sep 2 17:15:16 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101
Fri Sep 2 17:15:29 2011 : Error: Unauthorized connection to /var/run/radiusd/radiusd.sock from gid 101

GID 101 is munin.

OK.

munin has been added to the radiusd group which is defined in the control virtual server - and this used to work all okay with 2.1.10 and 2.1.11 - so the change in code for root GID seems to have borked the access to radiusd.sock for other groups.

I've committed a fix to the v2.1.x branch of git which should address this.

Alan DeKok.
RE: Radius Access-Challenge and Apache
Hi Alan,

Thank you for your response. I've been having a lot of trouble reaching the mailing list, my responses are not getting through. Hopefully this one will!

Below is the output from the debug mode:

rad_recv: Access-Request packet from host 127.0.0.1 port 1026, id=60, length=83
	User-Name = dra
	User-Password = *
	Service-Type = Authenticate-Only
	NAS-Identifier = debian-test-dra.vsl.com.au
	NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = dra, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 54
++[files] returns ok
rlm_perl: Authorize Function Called
rlm_perl: Authorization for 127.0.0.1 was granted...
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group Perl {...}
rlm_perl: Log Request Attributes Called
rlm_perl:Request: User-Name = dra
rlm_perl:Request: User-Password = *
rlm_perl:Request: NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl:Request: Service-Type = Authenticate-Only
rlm_perl:Request: NAS-IP-Address = 127.0.0.1
rlm_perl: Authenticate Function Called
rlm_perl: User: dra Authenticated, now sending access-challenge
rlm_perl: Log Reply Attributes Called
rlm_perl:Reply: Reply-Message = Please Enter Code
rlm_perl:Reply: State = challenge
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = Please Enter Code
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns handled
Sending Access-Challenge of id 60 to 127.0.0.1 port 1026
	Reply-Message = Please Enter Code
	State = 0x6368616c6c656e6765
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 60 with timestamp +148
Ready to process requests.

The output to the browser at this point looks like this: (Firefox 6.0, but I have tried IE 8.0 too)

http://imageshack.us/photo/my-images/856/authenticationrequired2.png/

I turned-up the logging level for Apache too, the following is a complete successful login:

[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=8115747392e228c2f612d8fce9b384074e5c2035f36809adchallenge for user=dra :
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(902): Sending packet on 127.0.0.1:1812
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(): RADIUS server requested challenge for user dra
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1232): RADIUS authentication for user=dra password=* failed\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1239): Sending failure message to user=dra\n
[Tue Aug 30 09:25:04 2011] [error] [client 10.10.240.240] user dra: authentication failure for /test/: Password Mismatch
[Tue Aug 30 09:25:04 2011] [debug] mod_deflate.c(615): [client 10.10.240.240] Zlib: Compressed 482 to 324 : URL /test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=f94377b91a7b4e30ac0a3910ea54ec194e5c2048f36809adchallenge for user=dra :
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(902): Sending packet on 127.0.0.1:1812
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1256): RADIUS Authentication for user=dra password= OK. Cookie expiry in 5 minutes\n
[Tue Aug 30 09:25:18 2011] [debug]
Mac OSX FreeRadius EAP Authentication making progress - But still not there
Hi all

I am still determined to make this work and have now reinstalled everything to start again with prior lessons learned.

However - I am still unable to authenticate wireless clients by PEAP or TTLS MSCHAPv2 on a cisco access point (IP=192.168.0.98) with radius running on a MAC OSX server (IP=192.168.0.90)

NOW Radtest works fine returning

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=237, length=20

AND if clients authenticate using only one protocol LEAP or TLS alone then authentication is also successful and an IP address assigned

But if the client machine has protocols for authentication as TLS PEAP TTLS and EAP-FAST then the authentication fails with output as below

Your help/insight would be greatly appreciated

Thanks

RADIUSD -X output during failed authentication by a client machine user name BBB password bbb1 (As mentioned: Cisco access point IP=192.168.0.98 and freeradius running on a MAC OSX server IP=192.168.0.90)

rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=216, length=129
	User-Name = BBB
	Framed-MTU = 1400
	Called-Station-Id = 0023.331c.9680
	Calling-Station-Id = 9027.e4f9.25b0
	Service-Type = Login-User
	Message-Authenticator = 0x97a3bddfd63906e3230b58166cccdbd3
	EAP-Message = 0x0201000801424242
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 2113
	NAS-Port-Id = 2113
	NAS-IP-Address = 192.168.0.98
	NAS-Identifier = ap1250
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = BBB, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry BBB at line 1
++[files] returns ok
rlm_opendirectory: The SACL group com.apple.access_radius does not exist on this system.
rlm_opendirectory: The host 192.168.0.98 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
++[opendirectory] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 216 to 192.168.0.98 port 1645
	EAP-Message = 0x010200061520
	Message-Authenticator = 0x
	State = 0x8da1c3b98da3d6d5f63e6480350916ec
Finished request 63.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=217, length=303
	User-Name = BBB
	Framed-MTU = 1400
	Called-Station-Id = 0023.331c.9680
	Calling-Station-Id = 9027.e4f9.25b0
	Service-Type = Login-User
	Message-Authenticator = 0x90d79354ab3708574c402c920154a72e
	EAP-Message = 0x020200a41580009a1603010095019103014e644aee06b1089ec2d1b1077222c6bb2c8d08967a8f07d3c2260773e8342cea56c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010112000a00080006001700180019000b00020100
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 2113
	NAS-Port-Id = 2113
	State = 0x8da1c3b98da3d6d5f63e6480350916ec
	NAS-IP-Address = 192.168.0.98
	NAS-Identifier = ap1250
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = BBB, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 164
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 154
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] TLS 1.0 Handshake [length 0095], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] TLS 1.0 Handshake [length 085e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending