Re: add field in radcheck table
On Tue, Nov 1, 2011 at 12:42 PM, gary wrote:
> I read freeradius how-to it recommend use only user name as authentication.

No it doesn't.

> read as below:
> "If you're stripping all domain name elements from usernames via realms,
> remember NOT to include the domain name elements in the usernames you put in
> the SQL tables

You conveniently ignore the first part: "IF you're stripping all domain name elements from usernames"

If you don't strip domain names/realms then you don't have to read the rest.

> Anyway, it is appreciate if someone can point direction or share documentation
> how to add a check column in radcheck table I can study.

Just edit the queries, e.g. raddb/sql/mysql/dialup.conf. If you want to customize it, you need to have sufficient SQL knowledge (e.g. SELECT, JOIN, etc).

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: add field in radcheck table
- Original Message -
From: "Fajar A. Nugraha"
To: "FreeRadius users mailing list"
Sent: Tuesday, November 01, 2011 11:02 AM
Subject: Re: add field in radcheck table

On Tue, Nov 1, 2011 at 9:07 AM, gary wrote:

From the login page,user can type his name and select pull-down option for the realm and then send to FR server for authentication. for example, gary@domain1 and gary@domain2 come from different company and both in same database. I can directly input gary@domain1 and gary@domain2 as user name for authentication. but I would like to separate two field for checking. user can see(probably read) user information(eg:logout page) only user name instead of gary@domain1 .

This is a captive portal setup, right? FR doesn't really care what user puts in "drop down box", it only cares what the NAS (e.g. chillispot) sends. And the NAS doesn't really care what the user inputs, it only cares what the captive portal sends it (which may or may not be the same as what the user inputs).

Yes, I mean FR server will receive user@domain finally.

For example, in my setup the captive portal adds a realm automatically (user can't put it manually) and pre-process the password that user entered (e.g. using a custom hash). In that setup there's really no need to separate user and realm. Just use the default setup.

Furthermore, in case lot of data in radcheck, it can be search,sort...etc according to the realm field to improve server performance.

I actually think the easiest way is to just add a "realm" field in radcheck as ENUM type, indexed, used only for search/sorting purposes, updated automatically by mysql trigger. That way you don't have to modify anything on FR side.

Thanks. that means username field in radcheck will be user@domain for user authentication. I will take this as first priority testing.

I read freeradius how-to it recommend use only user name as authentication. read as below:

"If you're stripping all domain name elements from usernames via realms, remember NOT to include the domain name elements in the usernames you put in the SQL tables - they should get stripped BEFORE the database is checked, so name@domain will NEVER match if you're realm stripping (assuming you follow point 2 above) - you should just have 'name' as a user in the database. Once it's working without, and if you want more complex realm handling, go back to work out not stripping (and keeping name@domain in the db) if you really want to."

Anyway, it is appreciate if someone can point direction or share documentation how to add a check column in radcheck table I can study.

--
Fajar
Re: Client hostname in clients.conf instead of IP address
On Tue, Nov 1, 2011 at 10:25 AM, tohaikmeng wrote:
> Is there anyway for me to retrieve the Client hostname as configured in
> raddb/clients.conf shown in the example below.
>
> client www.abc.com {
>     secret = password
> }

Try %{Client-Shortname}

--
Fajar
Client hostname in clients.conf instead of IP address
Hello,

Can anyone help me with this question? I have added the following configuration to raddb/modules/attr_rewrite, which allows me to get Client IP address.

attr_rewrite addclientip {
    attribute = Client-IP-Address
    searchin = packet
    searchfor = "^$"
    replacewith = "%{Client-IP-Address}"
    maxmatches = 1
    new_attribute = yes
}

Is there anyway for me to retrieve the Client hostname as configured in raddb/clients.conf shown in the example below.

client www.abc.com {
    secret = password
}

Any help will be greatly appreciated. Thanks :)

Alex
Re: add field in radcheck table
On Tue, Nov 1, 2011 at 9:07 AM, gary wrote:
> From the login page,user can type his name and select pull-down option for
> the realm and then send to FR server for authentication.
> for example, gary@domain1 and gary@domain2 come from different company and
> both in same database.
> I can directly input gary@domain1 and gary@domain2 as user name for
> authentication.
> but I would like to separate two field for checking.
> user can see(probably read) user information(eg:logout page) only user name
> instead of gary@domain1 .

This is a captive portal setup, right?

FR doesn't really care what user puts in "drop down box", it only cares what the NAS (e.g. chillispot) sends. And the NAS doesn't really care what the user inputs, it only cares what the captive portal sends it (which may or may not be the same as what the user inputs).

For example, in my setup the captive portal adds a realm automatically (user can't put it manually) and pre-process the password that user entered (e.g. using a custom hash). In that setup there's really no need to separate user and realm. Just use the default setup.

> Furthermore, in case lot of data in radcheck, it can be search,sort...etc
> according to the realm field to improve server performance.

I actually think the easiest way is to just add a "realm" field in radcheck as ENUM type, indexed, used only for search/sorting purposes, updated automatically by mysql trigger. That way you don't have to modify anything on FR side.

--
Fajar
Re: add field in radcheck table
- Original Message -
From: "Fajar A. Nugraha"
To: "FreeRadius users mailing list"
Sent: Monday, October 31, 2011 8:34 PM
Subject: Re: add field in radcheck table

On Mon, Oct 31, 2011 at 5:23 PM, gary wrote:

Hi Fajar I think the secondname field may be realm instead of.

First rule before asking anything: make SURE you know what you want. When you're not even sure, how can others help you?

I am thinking this in case without proxy, using local database it can determine by two field "username+realm" instead one check field username such as "gary@companyA" . User can see his/her name like "gary" only without "@companyA" character.

What do you mean "User can SEE"? The question is simple. What does the user put as username? How do you want to process that username? If the user only inputs "gary", and you don't know how you can get the realm, then how can FR do what you want? By being psychic?

Sorry for my poor english. From the login page,user can type his name and select pull-down option for the realm and then send to FR server for authentication. for example, gary@domain1 and gary@domain2 come from different company and both in same database. I can directly input gary@domain1 and gary@domain2 as user name for authentication. but I would like to separate two field for checking. user can see(probably read) user information(eg:logout page) only user name instead of gary@domain1 .

Furthermore, in case lot of data in radcheck, it can be search,sort...etc according to the realm field to improve server performance.

--
Fajar
Re: cisco WAP/FreeRadius/OpenLDAP
Hi,

> so now the password is not clear text in the log as it was before but
> still seeing that no good password error but then there is that line
> towards the bottom that says user authorized to use remote access... do
> i need to configure Filter-Id or something in the sites-enabled/default
> or innertunnel or something like that?

getting confused with authorization and authentication?

check your requirements in LDAP - do they match (eg CN/DN?)

have you got PAP listed after the ldap and is the auto_header enabled in the pap module?

alan
Re: IPv6 ready?
Hi,

>Thank you all for your help. I added two more listen blocks in
>radiusd.conf and I updated detail { ... with the following:
>%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but
>. (there's always a but). if we use an IPv6 address, then
>Packet-Src-APv6-Address value will be, for instance, 0:0:0:0:0:0:0:0, and
>the path becomes :
>
> ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>
>but FR crashes since it cannot create a folder with that name. Is there
>any way of overcoming this issue? replace : with . or so???

well, you asked how it could be done..you didn't say you were trying this on Windows! what's the next surprise?

I would do something like use PERL to make %{Packet-Src-IPv6-Address} become sanitized. eg assign %{Tmp-String-0} and use SED to swap : with -

this means no single source code line change and easily adaptable to whatever else you might come across

then simply use %{Tmp-String-0} in your detail module config

alan
RE: IPv6 ready?
Thanks for all your ideas and suggestions. I'm trying to 'patch' (sorry for this) rlm_detail and replace all ':' with '.' (obviously, when on Windows). I'll try sql as well. Let's keep in touch.

> Date: Mon, 31 Oct 2011 17:02:36 +
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> On 31/10/11 16:19, Sergio NNX wrote:
> > Cool, what can i do about it? I'm new to FR so I don't know how to
>
> Personally I'd advise running it on a Unix system at the moment.
>
> > implement a rule or something like that. Can you provide an example or
> > an url where I can find more info?
>
> wiki.freeradius.org?
>
> The docs that come with the server?
Re: Assert Failed on Proxing
On Mon, Oct 31, 2011 at 9:48 PM, andreapepa wrote:
>
> So...i've followed the instructions on this link.(
> http://wiki.freeradius.org/Build#Building+Debian+packages )..but
> compilation give me this error, libssl-dev is installed:

> libtool: compile: gcc -g -O2 -O2 -Wall -D_GNU_SOURCE -D_REENTRANT
> -D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual
> -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
> -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
> -I/home/apepa/fr212/freeradius-server-2.1.12/src
> -DHOSTINFO=\"x86_64-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.1.12\"
> -DOPENSSL_NO_KRB5 -DRADIUSD_MAJOR_VERSION=2 -DRADIUSD_MINOR_VERSION=1.12 -c
> modules.c -fPIC -DPIC -o .libs/modules.o
> modules.c: In function ‘fr_dlopenext’:
> modules.c:216: error: ‘lt_dladvise’ undeclared (first use in this function)
> modules.c:216: error: (Each undeclared identifier is reported only once

(Shrug) works for me (just tested it). Did you perhaps miss some dependency? Try "apt-get build-dep freeradius" first.

As an alternative, you could try building from the source of my ppa. It's based on Ubuntu's 2.1.10 package (which is slightly different than the bundled FR debian build rules). Both should work though.

--
Fajar
Re: IPv6 ready?
On 31/10/11 16:19, Sergio NNX wrote:
> Cool, what can i do about it? I'm new to FR so I don't know how to

Personally I'd advise running it on a Unix system at the moment.

> implement a rule or something like that. Can you provide an example or
> an url where I can find more info?

wiki.freeradius.org?

The docs that come with the server?
Re: Assert Failed on Proxing
Hi,

> I've tried to install also from the source...but with no success, this is
> the error i get after the install:

ldconfig -v

alan
Re: Assert Failed on Proxing
I've tried to install also from the source...but with no success, this is the error i get after the install:

# radiusd -X
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file or directory

there were no errors in configure make or make install procedures. Also, the old freeradius is still there, working..

Can you help me?
Re: IPv6 ready?
On Mon, Oct 31, 2011 at 11:19 PM, Sergio NNX wrote:
> Cool, what can i do about it? I'm new to FR so I don't know how to implement
> a rule or something like that. Can you provide an example or an url where I
> can find more info?

Just edit them. You could put everything on one file per day:

detailfile = ${radacctdir}/detail-%Y%m%d.log

... or better yet, don't use detail if you don't really need it. Use sql instead (which is useful for other things like simultaneous use check, counters, etc)

--
Fajar
Re: IPv6 ready?
Sergio NNX wrote:
> Thank you all for your help. I added two more listen blocks in
> radiusd.conf and I updated detail { ... with the following:
> %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but
> . (there's always a but). if we use an IPv6 address, then
> Packet-Src-APv6-Address value will be, for instance, 0:0:0:0:0:0:0:0,
> and the path becomes :
>
> ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>
> but FR crashes since it cannot create a folder with that name. Is there
> any way of overcoming this issue? replace : with . or so???

If it crashes, see doc/BUGS

If it doesn't crash, report the *real* error.

Alan DeKok.
Re: IPv6 ready?
Johan Meiring wrote:
> Why not simply remove the Ip address from the log path?
> Do they HAVE to be in directories with the IP address as part of the name?

No. That's why the config files are editable. Edit them.

Alan DeKok.
RE: IPv6 ready?
Cool, what can i do about it? I'm new to FR so I don't know how to implement a rule or something like that. Can you provide an example or an url where I can find more info?

Cheers.

> Date: Mon, 31 Oct 2011 16:08:21 +
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> On 31/10/11 15:58, Sergio NNX wrote:
> > Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and
> > let me know if it works?
>
> I can tell you for absolute certain it won't without even having to try.
> It's a Windows limitation.
Re: IPv6 ready?
On 2011/10/31 05:58 PM, Sergio NNX wrote:
> Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me
> know if it works?

C:\junk>mkdir 0:0:0:0:0:0:0:0
The system cannot find the drive specified.

C:\junk>mkdir '0:0:0:0:0:0:0:0'
The filename, directory name, or volume label syntax is incorrect.

C:\junk>mkdir "0:0:0:0:0:0:0:0"
The system cannot find the drive specified.

C:\junk>mkdir 0\:0\:0\:0\:0\:0\:0\:0
The filename, directory name, or volume label syntax is incorrect.

Why not simply remove the Ip address from the log path?
Do they HAVE to be in directories with the IP address as part of the name?

Cheers,

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: IPv6 ready?
On 31/10/11 15:58, Sergio NNX wrote:
> Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me
> know if it works?

I can tell you for absolute certain it won't without even having to try. It's a Windows limitation.
RE: IPv6 ready?
Thanks Phil. Can you try 'mkdir 0:0:0:0:0:0:0:0' on a Windows box and let me know if it works?

> Date: Mon, 31 Oct 2011 15:46:47 +
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> On 31/10/11 15:32, Sergio NNX wrote:
> > Thank you all for your help. I added two more listen blocks in
> > radiusd.conf and I updated detail { ... with the following:
> > %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but
> > . (there's always a but). if we use an IPv6 address, then
> > Packet-Src-APv6-Address value will be, for instance, 0:0:0:0:0:0:0:0,
> > and the path becomes :
> >
> > ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
> >
> > but FR crashes since it cannot create a folder with that name. Is there
> > any way of overcoming this issue? replace : with . or so???
>
> Really? Which OS?
>
> There's no built-in xlat that allows you to do a substitute; you'll have
> to use rlm_perl or rlm_python, or an exec script, to translate the name.
Re: IPv6 ready?
On 31/10/11 15:32, Sergio NNX wrote:
> Thank you all for your help. I added two more listen blocks in
> radiusd.conf and I updated detail { ... with the following:
> %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but
> . (there's always a but). if we use an IPv6 address, then
> Packet-Src-APv6-Address value will be, for instance, 0:0:0:0:0:0:0:0,
> and the path becomes :
>
> ${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log
>
> but FR crashes since it cannot create a folder with that name. Is there
> any way of overcoming this issue? replace : with . or so???

Really? Which OS?

There's no built-in xlat that allows you to do a substitute; you'll have to use rlm_perl or rlm_python, or an exec script, to translate the name.
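The name translation discussed in this thread, written as a small Python function (an added example, not code from the thread or from FreeRADIUS). The function names are hypothetical, and wiring the result into the detail module through rlm_python or an exec script is assumed and not shown.

```python
"""Added example: turn a RADIUS packet source address into a directory name.

The address comes off the network, so it is validated before it is allowed
to become part of a filesystem path.
"""
import ipaddress
import os
import re
import sys

# Characters Windows refuses in a file or directory name.
WINDOWS_FORBIDDEN = set('<>:"/\\|?*')

# Allowlist applied before parsing: hex digits, ':' and '.' only. This rejects
# path separators, zone ids ("%eth0") and whitespace up front; anything else
# that is not an address is rejected by the parse below.
_ADDR_CHARS = re.compile(r"[0-9A-Fa-f:.]+")


def safe_addr_component(raw):
    """Return a directory name for an IPv4/IPv6 address, or raise ValueError."""
    if not _ADDR_CHARS.fullmatch(raw):
        raise ValueError("unexpected characters in address: %r" % (raw,))
    addr = ipaddress.ip_address(raw)  # raises ValueError if not an address
    if addr.version == 4:
        return str(addr)
    # Exploded form: every spelling of one address ("::1", "0:0:0:0:0:0:0:1")
    # maps to the same directory. Then swap ':' for '-'.
    name = addr.exploded.replace(":", "-")
    if WINDOWS_FORBIDDEN & set(name):
        raise ValueError("sanitised name still unsafe: %r" % (name,))
    return name


def detail_path(radacctdir, src_addr, when):
    """Build <radacctdir>/<address>/detail-YYYYMMDD.log and check containment."""
    root = os.path.abspath(radacctdir)
    path = os.path.abspath(
        os.path.join(root, safe_addr_component(src_addr),
                     when.strftime("detail-%Y%m%d.log")))
    # Defence in depth: the result must still live under radacctdir.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes %s" % root)
    return path


if __name__ == "__main__":
    # Stand-alone use: print the sanitised name for the address in argv[1].
    try:
        print(safe_addr_component(sys.argv[1]))
    except (IndexError, ValueError) as exc:
        sys.exit("rejected: %s" % exc)
```

Input that is not a plain IPv4 or IPv6 address is refused rather than rewritten, so a malformed attribute cannot select a directory outside the accounting tree.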
RE: IPv6 ready?
Thank you all for your help. I added two more listen blocks in radiusd.conf and I updated detail { ... with the following: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} and it works but . (there's always a but). if we use an IPv6 address, then Packet-Src-APv6-Address value will be, for instance, 0:0:0:0:0:0:0:0, and the path becomes :

${radacctdir}/0:0:0:0:0:0:0:0/detail-%Y%m%d.log

but FR crashes since it cannot create a folder with that name. Is there any way of overcoming this issue? replace : with . or so???

Thanks again for your help.

Sergio.

> Date: Mon, 31 Oct 2011 08:52:46 +
> From: a.l.m.bu...@lboro.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: IPv6 ready?
>
> Hi,
>
> >Just wondering if FR supports IPv6 addresses since I'm unable to start the
> >server when using IPv6.
>
> yes. we use it fine with IPv6 - both receiving and sending RADIUS packets.
>
> >Another question is: are you aware of any (client) tool for testing FR
> >when using IPv6 addresses? eapol_test doesn't seem to know anything about
> >:: or ::1
>
> eapol_test - use hostnames (eg in /etc/hosts ?) ?
>
> >Do the below lines from radiusd.conf require any change when IPv6?
> >
> >...
> >...
> >detail {
> > detailfile =
> >${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
>
> yes, Client-IP-Address doesnt exist in IPv6 world - you can use one of the
> source address attributes instead
Re: cisco WAP/FreeRadius/OpenLDAP
On 31/10/11 14:03, Matthew Arguin wrote:
> Phil, I just confirmed that it is tagged with the {CRYPT} or {SHA} (i have
> tried both). also, i changed the user that is binding to be the manager CN
> which has full access to the ldap for mod etc to rule that out.

Ah. I've just seen that you are running 2.1.7 from your original email.

The default LDAP attribute mappings were updated after that version to include this line in "ldap.attrmap":

checkitem Password-With-Header userPassword

...you should:

a. Add that line to your "ldap.attrmap", see if it makes any difference
b. Plan an upgrade to 2.1.12
Re: Assert Failed on Proxing
So...i've followed the instructions on this link.( http://wiki.freeradius.org/Build#Building+Debian+packages )..but compilation give me this error, libssl-dev is installed:
Re: cisco WAP/FreeRadius/OpenLDAP
Phil,

I just confirmed that it is tagged with the {CRYPT} or {SHA} (I have tried both). Also, I changed the user that is binding to be the manager CN which has full access to the ldap for mod etc to rule that out.

[ldap] performing user authorization for marguin2
[ldap] expand: (uid=%u) -> (uid=marguin2)
[ldap] expand: ou=people,dc=currensee,dc=com -> ou=people,dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by radiusFilterId
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: radiusFilterId -> Filter-Id = "wireless"
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user marguin2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0

At this point I am wondering if I have not done something with that radiusFilterId value... meaning do something to permit that that filter is permitted to auth etc.

-m

On 10/28/2011 10:40 AM, freeradius-users-requ...@lists.freeradius.org wrote:
On 28/10/11 13:46, Matthew Arguin wrote:
> right now, the user that i am testing with has a password that is CRYPT.

Ok. But does it look like this:

userPassword: xxyyeeyeetwe

or this:

userPassword: {crypt}xxyyeqetew

This matters.

--
Matthew Arguin
Currensee, Inc.
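The question quoted above is whether the stored userPassword value carries a scheme header. As an added example (not code from this thread or from FreeRADIUS), the Python sketch below shows why the header matters: it selects how the stored value is interpreted, and an untagged value cannot be classified at all. The header-to-attribute table and the function names are assumptions of this sketch, the sample values are constructed, and {CRYPT} values are only classified here, not verified.

```python
import base64
import hashlib
import hmac
import re

# Scheme header -> FreeRADIUS attribute that carries a value of that kind.
SCHEMES = {
    "clear": "Cleartext-Password", "cleartext": "Cleartext-Password",
    "crypt": "Crypt-Password", "md5": "MD5-Password", "smd5": "SMD5-Password",
    "sha": "SHA-Password", "ssha": "SSHA-Password",
}
HEADER = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def classify(user_password):
    """Return (attribute, payload); attribute is None without a known header."""
    m = HEADER.match(user_password)
    if not m:
        return None, user_password
    return SCHEMES.get(m.group(1).lower()), m.group(2)


def encode_sha(password, salt=b""):
    """Build a constructed {SHA} (no salt) or {SSHA} (salted) sample value."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    tag = "{SSHA}" if salt else "{SHA}"
    return tag + base64.b64encode(digest + salt).decode()


def check(user_password, candidate):
    """True/False for the SHA-1 schemes, None when this sketch cannot decide."""
    attr, payload = classify(user_password)
    if attr not in ("SHA-Password", "SSHA-Password"):
        return None  # untagged, unknown, or a scheme not implemented here
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]  # SHA-1 output is 20 bytes, salt follows
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed samples: the two shapes asked about in the thread, plus {SHA}.
    for value in ("xxyyeeyeetwe", "{crypt}xxyyeqetew", encode_sha("hello")):
        print(value, classify(value)[0], check(value, "hello"))
```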
Re: add field in radcheck table
On Mon, Oct 31, 2011 at 5:23 PM, gary wrote:
> Hi Fajar
> I think the secondname field may be realm instead of.

First rule before asking anything: make SURE you know what you want. When you're not even sure, how can others help you?

> I am thinking this in case without proxy, using local database it can
> determine by two field "username+realm" instead one check field username
> such as "gary@companyA" . User can see his/her name like "gary" only without
> "@companyA" character.

What do you mean "User can SEE"? The question is simple. What does the user put as username? How do you want to process that username?

If the user only inputs "gary", and you don't know how you can get the realm, then how can FR do what you want? By being psychic?

--
Fajar
Re: Quota based on time with squid
I added monthlycounter, dailycounter, noresetcounter in post-auth. I get following error:

/etc/raddb/sites-enabled/default[514]: "SQL Counter" modules aren't allowed in 'post-auth' sections -- they have no such method.
/etc/raddb/sites-enabled/default[440]: Errors parsing post-auth section.

When I added in authorize, radius can start and works but quota not works

radtest doe hello localhost 0 testing123
Sending Access-Request of id 85 to 127.0.0.1 port 1812
        User-Name = "doe"
        User-Password = "hello"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=85, length=26
        Session-Timeout = 540

I also get following error

++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop

Please help me.

Thanks,
Senthil

On Sat, Oct 29, 2011 at 5:12 PM, Suman Dash wrote:
> You have not instantiated the counters in Post-Auth . Read more about
> counter and how it works and how you can enable the same.
>
> Regards
> Suman
>
> On Sat, Oct 29, 2011 at 4:40 PM, senthil kumar wrote:
>>
>> Hello Team
>>
>> The user can authenticate and browse at any time. May i know which
>> entry i have to add to make user 'test' deny authenticate after 1
>> hour?
>>
>> When ever a user authenticates it is logged in radpostauth.
>>
>> In /etc/raddb/users file i have a user test "test"
>> Cleartext-Password := "hello"
>>
>> my database details are as follows
>>
>> mysql> select * from radcheck;
>> +----+----------+-----------------+----+-------+
>> | id | username | attribute       | op | value |
>> +----+----------+-----------------+----+-------+
>> | 45 | test     | Max-All-Session | := | 540   |
>> +----+----------+-----------------+----+-------+
>> INSERT into radcheck VALUES ('','test','Max-All-Session',':=','5400');
>>
>> mysql> select * from radpostauth;
>> +----+----------+------+---------------+---------------------+
>> | id | username | pass | reply         | authdate            |
>> +----+----------+------+---------------+---------------------+
>> | 54 | test     | test | Access-Accept | 2011-10-19 13:59:18 |
>> | 55 | test     | test | Access-Accept | 2011-10-19 13:59:34 |
>> | 56 | test     | test | Access-Accept | 2011-10-19 14:22:57 |
>> | 57 | test     | test | Access-Accept | 2011-10-21 22:32:54 |
>> | 58 | test     | test | Access-Accept | 2011-10-25 15:11:34 |
>> +----+----------+------+---------------+---------------------+
>> 5 rows in set (0.00 sec)
>>
>> radtest test hello localhost 0 testing123
>> Sending Access-Request of id 67 to 127.0.0.1 port 1812
>>         User-Name = "test"
>>         User-Password = "hello"
>>         NAS-IP-Address = 127.0.0.1
>>         NAS-Port = 0
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=67,
>> length=20
>>
>>
>> Please help me , thanks in advance
>>
>> Thanks,
>> Senthil
>>
>> On Tue, Oct 25, 2011 at 3:06 PM, senthil kumar wrote:
>> > Thanks i will check in and let you know
>> >
>> > On Sat, Oct 22, 2011 at 12:37 AM, Alan DeKok wrote:
>> >> senthil kumar wrote:
>> >>> I have installed free-radius in linux machine with accounting support
>> >>> and was able to authenticate using radtest client.and also I was also
>> >>> successfully authenticate with squid proxy server.
>> >>
>> >> That's good to hear.
>> >>
>> >>> I need to assign quota to squid users based on the weekly/hourly
>> >>> basis. I need users radius server to return packet reject when time is
>> >>> expired. is it possible in radius?
>> >>
>> >> Yes. See the "counter" module, or the "sqlcounter" module.
>> >>
>> >> The main issue is that they require the NAS to send accounting
>> >> packets. I don't know if squid does that.
>> >>
>> >>> I am using only linux machine with proxy server. whether NAS is
>> >>> needed?
>> >>
>> >> In this case, squid is the NAS. (i.e. machine sending Access-Request)
>> >>
>> >>> If so, can anyone help me in framing the rules for quota . eg 2 hours
>> >>> a day. I have basic configuration and now when a user authenticates
>> >>> login time is updated in the radpostauth.
>> >>
>> >> This is documented in the sqlcounter module. Look there first.
>> >>
>> >> Alan DeKok.
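The thread above turns on two things: a counter returns noop when the user has no matching check item, and the counter only advances when the NAS sends accounting data. The following Python model is an added illustration of that decision (not code from this thread or from rlm_sqlcounter); it uses an in-memory SQLite database in place of the MySQL radius database, reduced table columns, hypothetical function names, constructed rows, and a never-reset counter keyed on Max-All-Session.

```python
import sqlite3


def build_db():
    """In-memory stand-in for the radius database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radacct  (username TEXT, acctsessiontime INTEGER);
        INSERT INTO radcheck VALUES ('test', 'Max-All-Session', ':=', '540');
    """)
    return db


def record_session(db, username, seconds):
    """What an accounting Stop packet from the NAS would add to radacct."""
    db.execute("INSERT INTO radacct VALUES (?, ?)", (username, seconds))


def counter_authorize(db, username, check_name="Max-All-Session"):
    """Return (rcode, session_timeout) for a never-reset counter."""
    row = db.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = ?",
        (username, check_name)).fetchone()
    if row is None:
        return "noop", None          # no check item: nothing to enforce
    limit = int(row[0])
    used = db.execute(
        "SELECT COALESCE(SUM(acctsessiontime), 0) FROM radacct"
        " WHERE username = ?", (username,)).fetchone()[0]
    if used >= limit:
        return "reject", None        # quota exhausted
    return "ok", limit - used        # remaining seconds become Session-Timeout


if __name__ == "__main__":
    db = build_db()
    print(counter_authorize(db, "doe"))    # user without a limit
    print(counter_authorize(db, "test"))   # no accounting rows yet
    record_session(db, "test", 540)
    print(counter_authorize(db, "test"))   # limit reached
```

With no rows in radacct the second call keeps returning the full 540 seconds on every login, which is the situation when the NAS never sends accounting packets.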
Re: add field in radcheck table
Hi Fajar

I think the secondname field may be realm instead of.
I am thinking this in case without proxy, using local database it can determine by two field "username+realm" instead one check field username such as "gary@companyA" . User can see his/her name like "gary" only without "@companyA" character.

Best Regards
Gary

- Original Message -
From: "Fajar A. Nugraha"
To: "FreeRadius users mailing list"
Sent: Monday, October 31, 2011 11:04 AM
Subject: Re: add field in radcheck table

2011/10/31 gary :

Hi there
Is it possible to add check field in radcheck table?

Short answer: yes

Long answer: yes, but you need to have sufficient knowledge about how FR works and how to design SQL queries. If you don't even know where the queries are stored, then I suggest you don't even bother.

Something look like below,gary.companyA and gary.companyB as user name for authentication.

+----+----------+------------+--------------------+----+----------+
| id | username | secondname | attribute          | op | value    |
+----+----------+------------+--------------------+----+----------+
| 1  | gary     | companyA   | Cleartext-Password | := | garypass |
+----+----------+------------+--------------------+----+----------+
| 2  | gary     | companyB   | Cleartext-Password | := | garypass |
+----+----------+------------+--------------------+----+----------+

option 1: just store gary.companyA and gary.companyB in username field.

option 2: be more clear in what you want, then maybe others can help you. What's your goal to add the field? Does user send gary.companyA as username, or just gary? How does the server get information about companyA or companyB? username? realm? NAS-IP-Address?

--
Fajar
Re: IPv6 ready?
Hi,

>Just wondering if FR supports IPv6 addresses since I'm unable to start the
>server when using IPv6.

yes. we use it fine with IPv6 - both receiving and sending RADIUS packets.

>Another question is: are you aware of any (client) tool for testing FR
>when using IPv6 addresses? eapol_test doesn't seem to know anything about
>:: or ::1

eapol_test - use hostnames (eg in /etc/hosts ?) ?

>
>Do the below lines from radiusd.conf require any change when IPv6?
>
>...
>...
>detail {
>        detailfile =
>${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log

yes, Client-IP-Address doesn't exist in IPv6 world - you can use one of the source address attributes instead
Re: IPv6 ready?
On Mon, Oct 31, 2011 at 3:11 PM, Sergio NNX wrote:
> Ciao.
>
> Just wondering if FR supports IPv6 addresses

Sure it does. If you want it to listen on both ipv4 and ipv6, just add extra "listen" blocks

listen {
        ipv6addr = ::
        port = 0
        type = auth
}
listen {
        ipv6addr = ::
        port = 0
        type = acct
}

... which would result in something like this on debug log

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address :: port 1812
Listening on accounting address :: port 1813

> since I'm unable to start the
> server when using IPv6.

You should be. Just to be safe, use latest version (I'm using 2.1.12)

>
> I've changed (or uncommented) a couple of lines in radiusd.conf under
> 'listen' section: ipv6addr = :: and then I tried to start the server but no
> way. It works ok when using IPv4.

You might want to add listen blocks instead of editing them.

>
> FR spits out: Failed binding to authentication address 0:0: port 1812:
> Bad file descriptor.
> FR server has been built with IPv6 support.
>
> Another question is: are you aware of any (client) tool for testing FR when
> using IPv6 addresses? eapol_test doesn't seem to know anything about :: or
> ::1

Ask wpa_supplicant developers :)

FR's radtest/radclient has both ipv4 and v6 support. So you can do something like

$ radtest -4 testuser testpass localhost 0 testing123
$ radtest -6 testuser testpass localhost 0 testing123

... which would test ipv4 and ipv6 address of localhost (assuming your /etc/hosts is set correctly)

>
> Do the below lines from radiusd.conf require any change when IPv6?
>
> ...
> ...
> detail {
>         detailfile =
> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
> }

Probably. FreeRADIUS-Client-IPv6-Address? I use sql, and hardcode detailfile path when necessary (e.g. when using buffered-sql)

--
Fajar
IPv6 ready?
Ciao.

Just wondering if FR supports IPv6 addresses since I'm unable to start the server when using IPv6.

I've changed (or uncommented) a couple of lines in radiusd.conf under 'listen' section: ipv6addr = :: and then I tried to start the server but no way. It works ok when using IPv4.

FR spits out: Failed binding to authentication address 0:0: port 1812: Bad file descriptor.
FR server has been built with IPv6 support.

Another question is: are you aware of any (client) tool for testing FR when using IPv6 addresses? eapol_test doesn't seem to know anything about :: or ::1

Do the below lines from radiusd.conf require any change when IPv6?

...
...
detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
}
...
...

Sorry about asking many questions at the same time but they're all related.

Sergio.