update replay
Hi,

I have set up multiple SQL instances in sql.conf. I will also include further, different dialup.conf files for the SQL queries. How can I configure the default file in sites-available so that, for one softswitch, these variables are not returned in the reply:

    update reply {
        NAS-IP-Address = %{NAS-IP-Address}
        Acct-Multi-Session-Id = %{Acct-Multi-Session-Id}
        Acct-Session-Id = %{Acct-Session-Id}
        Event-Timestamp = %{Event-Timestamp}
        3GPP2-Session-Termination-Capability = %{3GPP2-Session-Termination-Capability}
        3GPP2-Prepaid-Acct-Quota = %{3GPP2-Prepaid-Acct-Quota}
        3GPP2-Prepaid-acct-Capability = %{3GPP2-Prepaid-acct-Capability}
        # 3GPP2-Session-Termination-Capability = {3GPP2-Session-Termination-Capability}
        # Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
        # 3GPP2-Release-Indicator =%{request:3GPP2-Release-Indicator}
    }

Thanks!
Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: update replay
Hi,

> Hi, I have set up multiple SQL instances in sql.conf. I will also include further, different dialup.conf files for the SQL queries. How can I configure the default file in sites-available so that, for one softswitch, these variables are not returned in the reply:

stick a

    if (%{NAS-IP-Address} != 192.168.0.1){
    }

wrapper around it - where that IP address is the one you don't care about

alan
Re: update replay
On 2/13/2012 10:19 AM, Alan Buxey wrote:
> Hi,
>
> > Hi, I have set up multiple SQL instances in sql.conf. I will also include further, different dialup.conf files for the SQL queries. How can I configure the default file in sites-available so that, for one softswitch, these variables are not returned in the reply:
>
> stick a
>
>     if (%{NAS-IP-Address} != 192.168.0.1){
>     }
>
> wrapper around it - where that IP address is the one you don't care about
>
> alan

Thanks for the quick reply!

Regards,
Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.
Cert issues
Please respond to the original email, not a digest, and use a good subject line. It helps other people track the conversation.

Gilmour, Scott wrote:
> Alan, I already have certificates created on my 2008 Server so I want to use those certificates on my Ubuntu Server without creating new ones.

That's fine.

> You mentioned my openssl configuration is wrong. Any suggestions on how I can fix the openssl configuration?

The file raddb/certs/Makefile creates good certificates. The *cnf files in the same directory create good certificates. I don't know what you're doing differently, and it isn't really useful to look.

Grab the certificate creation commands from the Makefile, and use those. Modify them to point to your files. It *will* work.

There's a lot of magic in creating good certs. That magic is embedded in the existing Makefile and config files. Use them; they will make your life easier.

Alan DeKok.
Re: Multi-domain AD and Users Who Aren't So Bright
On 12/02/2012 23:54, McNutt, Justin M. wrote:
> I'm not sure why, then, but it actually does work. We have shown that with the client configured to use u...@e.mail.address (where e.mail.address is NOT the same as the AD domain), if I have FR look for 'e.mail.address' and translate it to the correct NT domain, authentication succeeds.

See Phil's answer on Feb 03 18:57 ... That's because domains (both NT-like and Kerberos-like) get stripped from crypto ops. Too bad you can't change the user name when calling ntlm_auth (that's what I'd have to do for users with a UPN change).

> The user name must not be part of the crypto calculation or it would fail. I've been able to correct all kinds of things in the user name and set the domain manually to whatever I want. As long as I supply the correct password on the client side to what I happen to know the RADIUS server has mapped my ID to, authentication is successful.

The 'user' *is* part of the crypto. '@e.mail.address' (or 'DOMAIN\') is not.

BYtE,
Diego.
Re: update replay
On Mon, Feb 13, 2012 at 4:44 PM, Miha Zoubek m...@softnet.si wrote:
> Hi,
>
> I have one problem:
>
>     if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){
>
>     Module: Checking post-auth {...} for more modules to load
>     Bare %{...} is invalid in condition at: %{NAS-IP-Address} != xxx.xxx.xx.xxx)

The message should be quite obvious. Try adding quotes:

    if ("%{NAS-IP-Address}" != xxx.xxx.xxx.xxx){

--
Fajar
Re: update replay
On 2/13/2012 10:52 AM, Fajar A. Nugraha wrote:
>     if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){

@Fajar sorry that I did not inform you about this. I noticed it right when I sent the email to the group. I have fixed the quotes but am still getting an error.

fix:

    if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){
        update reply {
            NAS-IP-Address = %{NAS-IP-Address}
            Acct-Multi-Session-Id = %{Acct-Multi-Session-Id}
            Acct-Session-Id = %{Acct-Session-Id}
            Event-Timestamp = %{Event-Timestamp}
            3GPP2-Session-Termination-Capability = %{3GPP2-Session-Termination-Capability}
            3GPP2-Prepaid-Acct-Quota = %{3GPP2-Prepaid-Acct-Quota}
            3GPP2-Prepaid-acct-Capability = %{3GPP2-Prepaid-acct-Capability}
            # 3GPP2-Session-Termination-Capability = {3GPP2-Session-Termination-Capability}
            # Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
            # 3GPP2-Release-Indicator =%{request:3GPP2-Release-Indicator}
        }
    }

Error:

    Module: Checking session {...} for more modules to load
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Bare %{...} is invalid in condition at: %{NAS-IP-Address} != xxx.xxx.xxx.xxx)
    /usr/local/etc/raddb/sites-enabled/default[450]: Errors parsing post-auth section.
    [root@newbill sites-available]#

BR,
Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.
Re: update replay
On 2/13/2012 11:06 AM, Miha Zoubek wrote:
> On 2/13/2012 10:52 AM, Fajar A. Nugraha wrote:
> >     if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){
>
> @Fajar sorry that I did not inform you about this. I noticed it right when I sent the email to the group. I have fixed the quotes but am still getting an error.
>
> fix:
>
>     if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){
>         update reply {
>             NAS-IP-Address = %{NAS-IP-Address}
>             Acct-Multi-Session-Id = %{Acct-Multi-Session-Id}
>             Acct-Session-Id = %{Acct-Session-Id}
>             Event-Timestamp = %{Event-Timestamp}
>             3GPP2-Session-Termination-Capability = %{3GPP2-Session-Termination-Capability}
>             3GPP2-Prepaid-Acct-Quota = %{3GPP2-Prepaid-Acct-Quota}
>             3GPP2-Prepaid-acct-Capability = %{3GPP2-Prepaid-acct-Capability}
>             # 3GPP2-Session-Termination-Capability = {3GPP2-Session-Termination-Capability}
>             # Acct-Multi-Session-Id = %{request:Acct-Multi-Session-Id}
>             # 3GPP2-Release-Indicator =%{request:3GPP2-Release-Indicator}
>         }
>     }
>
> Error:
>
>     Module: Checking session {...} for more modules to load
>     Module: Checking post-proxy {...} for more modules to load
>     Module: Checking post-auth {...} for more modules to load
>     Bare %{...} is invalid in condition at: %{NAS-IP-Address} != xxx.xxx.xxx.xxx)
>     /usr/local/etc/raddb/sites-enabled/default[450]: Errors parsing post-auth section.
>     [root@newbill sites-available]#
>
> BR,
> Miha

Sorry :) forget it. It is working perfectly :)

Thanks!
Miha

--
Best regards / Lep Pozdrav
Miha Zoubek
Softnet d.o.o.
Re: update replay
Hi,

>     if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){

no, please add quotes around %{NAS-IP-Address} as was already mentioned

alan
Re: Cert issues
On 13.02.2012 10:32, Alan DeKok wrote:
> Please respond to the original email, not a digest, and use a good subject line. It helps other people track the conversation.
>
> Gilmour, Scott wrote:
> > Alan, I already have certificates created on my 2008 Server so I want to use those certificates on my Ubuntu Server without creating new ones.
>
> That's fine.

If you use an MS CA, please be aware that by default 2k8 CAs create certificates signed with SHA-256. Many systems (including XP and Win 2003 without a patch) are NOT able to deal with those certificates, as they only support SHA1. Once the CA has been set up, there is no easy way to change this.

Also, MS CAs usually include some mandatory extensions in their CRLs which OpenSSL cannot read either. You need to remove these extensions in the CRL configuration.

> > You mentioned my openssl configuration is wrong. Any suggestions on how I can fix the openssl configuration?
>
> The file raddb/certs/Makefile creates good certificates. The *cnf files in the same directory create good certificates. I don't know what you're doing differently, and it isn't really useful to look.
>
> Grab the certificate creation commands from the Makefile, and use those. Modify them to point to your files. It *will* work.
>
> There's a lot of magic in creating good certs. That magic is embedded in the existing Makefile and config files. Use them; they will make your life easier.
>
> Alan DeKok.

--
Mit freundlichen Grüßen / with kind regards
Rudolph Bott
How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing
Hi,

I have successfully installed and tested FreeRADIUS on CentOS with a MySQL database. But I wanted to test whether FreeRADIUS is accessible from remote machines as well, so I tried to test it using NTRadPing on my Windows PC, but it always says no response from the server. I have added my PC's IP to clients.conf. I even tried to telnet to port 1812 on localhost, but it says connection refused.

Please can someone help me in this regard.

chezang
Re: How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing
> Hi, I have successfully installed and tested FreeRADIUS on CentOS with a MySQL database. But I wanted to test whether FreeRADIUS is accessible from remote machines as well, so I tried to test it using NTRadPing on my Windows PC, but it always says no response from the server. I have added my PC's IP to clients.conf.

first question would be why? end clients never talk to the RADIUS server directly - the NAS (wireless AP, switch, VPN, RAS etc) do.

however, if this is for eg testing that another server can talk to it, then simply add the client to clients.conf, restart FR and ensure the client is allowed to talk to the RADIUS server (firewall)

> I even tried to telnet to port 1812 on localhost, but it says connection refused.

yep. firewall. adjust your CentOS default firewall settings - /etc/sysconfig/iptables - so that your client can talk to the server on UDP 1812

alan
Re: How to test FreeRADIUS on CentOS from a remote windows PC using NTRadPing
On Mon, Feb 13, 2012 at 6:48 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> > I even tried to telnet to port 1812 on localhost, but it says connection refused.
>
> yep. firewall. adjust your CentOS default firewall settings - /etc/sysconfig/iptables - so that your client can talk to the server on UDP 1812

While the firewall is most likely the culprit, you can't use telnet to test a UDP connection.

--
Fajar
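Since RADIUS runs over UDP, the honest way to check reachability from another host is to send a real Access-Request and wait for a reply, which is what NTRadPing does. The script below is an added example written for this thread; it is not part of FreeRADIUS or anything posted above. It builds a minimal Access-Request per RFC 2865 (User-Name, a User-Password hidden with the MD5 stream described in section 5.2, and a Message-Authenticator per RFC 2869), sends it with a timeout, and verifies the Response Authenticator of whatever comes back. The target 127.0.0.1:1812, the secret "testing123" and the user "probe" are constructed placeholders, not values from the posts. A timeout covers every silent-drop case a practitioner meets: nothing listening, UDP/1812 filtered by iptables, the source not listed in clients.conf, or a shared-secret mismatch (FreeRADIUS drops a request whose Message-Authenticator does not verify without replying).

```python
"""Minimal RADIUS Access-Request probe over UDP (added example, stdlib only)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block'
    is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def decode_user_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the server does before checking)."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], block))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: bytes, nas_ip: str = "127.0.0.1") -> bytes:
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    # Message-Authenticator = HMAC-MD5(secret) over the whole packet with the
    # attribute's value zeroed (RFC 2869 5.14).
    zeroed = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def make_response(code: int, identifier: int, request_authenticator: bytes,
                  secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + auth + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a server holding the same secret."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    response = response[:length]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(host="127.0.0.1", port=1812, secret=b"testing123", username="probe",
          password="probe-pass", timeout=3.0) -> str:
    """Send one Access-Request and describe the outcome (constructed defaults)."""
    authenticator = os.urandom(16)
    packet = build_access_request(1, username, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return ("no response: nothing listening, UDP/%d filtered, source not in "
                    "clients.conf, or shared secret mismatch" % port)
    if not verify_response(data, authenticator, secret):
        return "reply with bad Response Authenticator: not from a server with our secret"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
             ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(data[0], "code %d" % data[0])


if __name__ == "__main__":
    print(probe())
```

Run it from the Windows-side equivalent host (or any host listed in clients.conf) rather than on the server itself; an Access-Reject is still a positive result for reachability, because only a server holding the shared secret can produce a reply that passes verify_response.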
EAP-SIM on freeradius-server-2.1.12
Hello all,

I configured manually ($ ./configure --with-modules=rlm_sim --with-modules=rlm_sim_files; make) and installed (# make install) freeradius-server-2.1.12 from upstream on a CentOS 5.7 x86_64 machine. Then I configured the following configuration files:

- /usr/local/etc/raddb/radiusd.conf
- /usr/local/etc/raddb/clients.conf
- /usr/local/etc/raddb/eap.conf
- /usr/local/etc/raddb/sites-enabled/default

And lastly, I created /usr/local/etc/raddb/simtriplets.dat with six (6) triplets (just to make sure, though AFAIK 3 is enough) for a single IMSI.

Then I executed the command

    # /usr/local/sbin/radiusd -X -d /usr/local/etc/raddb

and tried testing directly from my iPhone 4. I got the below snippet of the stdout logs:

- - - s n i p - - -
    rad_recv: Access-Request packet from host 172.17.1.110 port 2048, id=120, length=249
            User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
            NAS-IP-Address = 172.17.1.110
            NAS-Port = 0
            Called-Station-Id = 0E-19-BE-80-71-00:eap-sim
            Calling-Station-Id = 5C-59-48-67-C7-A5
            Framed-MTU = 1400
            NAS-Port-Type = Wireless-802.11
            Connect-Info = CONNECT 11Mbps 802.11b
            EAP-Message = 0x023901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
            Message-Authenticator = 0xdef1645477a2ba0f9a9371f0a9eea8b7
    # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
    [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
    [auth_log] expand: %t - Mon Feb 13 23:48:18 2012
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] Looking up realm wlan.mnc001.mcc525.3gppnetwork.org for User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
    [suffix] No such realm wlan.mnc001.mcc525.3gppnetwork.org
    ++[suffix] returns noop
    rlm_sim_files: insufficient number of challenges for imsi 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org: 0
    ++[sim_files] returns notfound
    [eap] EAP packet type response id 0 length 57
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = EAP
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type sim
    can not initiate sim, no RAND1 attribute
    [eap] Default EAP type sim failed in initiate
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Login incorrect: [3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org] (from client eap-sim port 0 cli 5C-59-48-67-C7-A5)
    Using Post-Auth-Type Reject
    # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} - 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 120 to 172.17.1.110 port 2048
            EAP-Message = 0x0404
            Message-Authenticator = 0x
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 120 with timestamp +13
    Ready to process requests.
- - - s n i p - - -

Based on the above logs, below are the (3) lines that I'm not sure how to address:

    [suffix] No such realm wlan.mnc001.mcc525.3gppnetwork.org

    rlm_sim_files: insufficient number of challenges for imsi 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org: 0
    ++[sim_files] returns notfound

    [pap] WARNING! No known good password found for the user. Authentication may fail because of this.

    [eap] processing type sim
    can not initiate sim, no RAND1 attribute
    [eap] Default EAP type sim failed in initiate
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Login incorrect: [3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org] (from client eap-sim port 0 cli 5C-59-48-67-C7-A5)

Please advise on how I should proceed from here.

Thank you in advance.

Regards,
GNUbie
Increment Acct-Delay-Time on proxy
Hello,

I've installed FreeRADIUS 2.1.7 on a CentOS system. In my setup, the RADIUS server will work as a proxy, storing the accounting packets locally if the destination servers are down, and resending them when the destination servers are up again. To achieve this I've followed the robust-proxy-accounting example config file with success.

Now I'm looking for a way to update the Acct-Delay-Time, so that, when the destination servers are back, the packet is read from the detail file and is sent by the proxy adding to the Acct-Delay-Time the delay introduced by the temporary failure at the proxy level.

Is there a way to do this with FreeRADIUS?

Thanks!
Emanuele
Re: Increment Acct-Delay-Time on proxy
----- Original message -----
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 13 February 2012 17:54:01
Subject: Re: Increment Acct-Delay-Time on proxy

> > Now I'm looking for a way to update the Acct-Delay-Time, so that, when the destination servers are back, the packet is read from the detail file and is sent by the proxy adding to the Acct-Delay-Time the delay introduced by the temporary failure at the proxy level.
> >
> > Is there a way to do this with FreeRADIUS?
>
> The detail file reader will automatically do that for you.

Actually it didn't work for me... How can I check this? Is there any setting for enabling this feature, or a delay threshold after which it starts working? Which configuration file could I check?

Thanks!
Emanuele
Re: Increment Acct-Delay-Time on proxy
Emanuele Colombo wrote:
> Actually it didn't work for me... How can I check this? Is there any setting for enabling this feature, or a delay threshold after which it starts working? Which configuration file could I check?

The code has been in the server since August 2007, i.e. 2.0.0. There is no setting for enabling it. It works.

What do you mean "it didn't work for me"?

Alan DeKok.
Re: Increment Acct-Delay-Time on proxy
----- Original message -----
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 13 February 2012 18:03:42
Subject: Re: Increment Acct-Delay-Time on proxy

> The code has been in the server since August 2007, i.e. 2.0.0. There is no setting for enabling it. It works.
>
> What do you mean "it didn't work for me"?

I looked at the packets sent by my FreeRADIUS server when the destination was back, and Acct-Delay-Time was 0, as in the original ones. Now I know that it should already work, so tomorrow I'll do some more tests and try to find where my mistake is.

Thanks,
Emanuele
rlm_perl and Threaded Perl??
Hello,

I've been looking at the FreeRADIUS wiki, and read all about interpreter pools. The prerequisites are that Perl is compiled with USE_ITHREADS and, a bit lower down, also with MULTIPLICITY. I have both. What I can't seem to get working is the thread management, as in:

    #max_clones = 32
    #start_clones = 32
    #min_spare_clones = 0
    #max_spare_clones = 32
    #cleanup_delay = 5
    #max_request_per_clone = 0

The next stage was to look at the source, but I can't find any reference to any of the above! Is this still to come?

Kind regards
Simon

ESEYE Ltd.
Simon Earthrowl
Surrey Technology Centre, 40 Occam Way, Guildford, Surrey, GU2 7YG
Company No: 06397669
Telephone: +44 (0)1483 685200, Cellular: +44 (0)7775 777672
Skype: simonearthrowl
Winner: 2009 DTI Digital Communications Knowledge Network Competition
Winner: 2009 SetSquared Investment Showcase
Have you seen Eseye's Cool-Tel product on

This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify Eseye on +44 (0)1483 685200. Any statements, opinions or information in this message are provided by the author, not on behalf of Eseye, unless subsequently confirmed by an individual who is authorised to represent Eseye. This email has been scanned for viruses; however, it is recommended that the addressee also check attachments. Eseye does not accept responsibility for any virus that is contracted via this email.

Follow @EseyeM2M
Surface mount embedded SIMs in stock - adapter kit available for testing in a SIM socket
"Smart Metering Technology of the Year Award 2012 - Shortlisted"
Eseye Ltd, Company No: 06397669 - Surrey Technology Centre, Guildford, UK +44 1483 685200
Re: rlm_perl and Threaded Perl??
Hi,

> I've been looking at the FreeRADIUS wiki, and read all about interpreter pools. The prerequisites are that Perl is compiled with USE_ITHREADS and, a bit lower down, also with MULTIPLICITY. I have both. What I can't seem to get working is the thread management, as in:

what version of FR? in older versions you had to care about the PERL clones entry - to make sure it matched the parent process counts.. (learnt that the hard way) - but with newer releases all of this is dealt with for you

alan
Re: rlm_perl and Threaded Perl??
FR 2.1.12-1 and 2.1.12-7, but I also looked at 3.0.0. I manage to get 2048 Perl threads (assumed from netstat -ap, as I'm interfacing into Apache's ActiveMQ); then when I hit 2049 threads FR crashes.

Simon

On 02/13/2012 11:25 PM, Alan Buxey wrote:
> Hi,
>
> > I've been looking at the FreeRADIUS wiki, and read all about interpreter pools. The prerequisites are that Perl is compiled with USE_ITHREADS and, a bit lower down, also with MULTIPLICITY. I have both. What I can't seem to get working is the thread management, as in:
>
> what version of FR? in older versions you had to care about the PERL clones entry - to make sure it matched the parent process counts.. (learnt that the hard way) - but with newer releases all of this is dealt with for you
>
> alan
Re: EAP-SIM on freeradius-server-2.1.12
Hello all,

What am I missing in my current setup that I am getting such errors? Why is it that it can't find the triplets when in fact they're there?

Basically, the major changes I made to the configuration files are as follows:

[ /usr/local/etc/raddb/radiusd.conf ]

    user = radiusd
    group = radiusd
    modules {
        sim_files {
            simtriplets = /usr/local/etc/raddb/simtriplets.dat
        }
        ... ... ...
    }

[ /usr/local/etc/raddb/clients.conf ]

    client 172.17.1.0 {
        ipaddr = 172.17.1.0
        netmask = 24
        secret = qwerty
        shortname = eap-sim
    }

[ /usr/local/etc/raddb/eap.conf ]

    eap {
        sim {
        }
        default_eap_type = sim
        ... ... ...
    }

[ /usr/local/etc/raddb/sites-enabled/default ]

    authorize {
        ... ... ...
        sim_files
        eap {
            ok = return
        }
        ... ... ...
    }

The contents of the /usr/local/etc/raddb/simtriplets.dat file have the format IMSI,RAND,SRES,KC, without the quotes:

    354162120787078,C97024E532E340a1A1C4DE24DA001CA6,CBe30a81,988c8753D4197800
    354162120787078,38E1F9E16B6E4ee6A785072241E8FF43,9Bcd3f54,F56fb487C1359c00
    354162120787078,8254442AD6CB47a29ABC530391DDE402,7054a123,806894125A715800
    354162120787078,7CA9CE3C148D43e09EBCC40D0AF8048B,A290d514,A2983885440dc400
    354162120787078,391DDF50B644482fAE46F091B1D6AA1C,7968b608,875d2af9E883d800
    354162120787078,E244EC5344CF4df1A83E54AB7E399670,F9122829,FB2763c02Cbfac00

I also tried in my testing to prepend a 1 to every IMSI, but with no luck.

    # sed -i 's/^/1/g' /usr/local/etc/raddb/simtriplets.dat

And lastly, the rlm_eap_sim and rlm_sim_files modules are in place.

    # ls -l /usr/local/lib/*sim*
    lrwxrwxrwx 1 root root    14 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.la -> rlm_eap_sim.la
    -rwxr-xr-x 1 root root 35972 Feb 13 21:19 /usr/local/lib/rlm_eap_sim-2.1.12.so
    -rw-r--r-- 1 root root 48340 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.a
    -rwxr-xr-x 1 root root   932 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.la
    lrwxrwxrwx 1 root root    21 Feb 13 21:19 /usr/local/lib/rlm_eap_sim.so -> rlm_eap_sim-2.1.12.so
    lrwxrwxrwx 1 root root    16 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.la -> rlm_sim_files.la
    -rwxr-xr-x 1 root root 35331 Feb 13 21:19 /usr/local/lib/rlm_sim_files-2.1.12.so
    -rw-r--r-- 1 root root 46534 Feb 13 21:19 /usr/local/lib/rlm_sim_files.a
    -rwxr-xr-x 1 root root   910 Feb 13 21:19 /usr/local/lib/rlm_sim_files.la
    lrwxrwxrwx 1 root root    23 Feb 13 21:19 /usr/local/lib/rlm_sim_files.so -> rlm_sim_files-2.1.12.so

Can anyone from this community help me solve my problem?

Thank you in advance.

Regards,
GNUbie

On Tue, Feb 14, 2012 at 12:26 AM, GNUbie gnu...@gmail.com wrote:
> Hello all,
>
> I configured manually ($ ./configure --with-modules=rlm_sim --with-modules=rlm_sim_files; make) and installed (# make install) freeradius-server-2.1.12 from upstream on a CentOS 5.7 x86_64 machine. Then I configured the following configuration files:
>
> - /usr/local/etc/raddb/radiusd.conf
> - /usr/local/etc/raddb/clients.conf
> - /usr/local/etc/raddb/eap.conf
> - /usr/local/etc/raddb/sites-enabled/default
>
> And lastly, I created /usr/local/etc/raddb/simtriplets.dat with six (6) triplets (just to make sure, though AFAIK 3 is enough) for a single IMSI.
>
> Then I executed the command
>
>     # /usr/local/sbin/radiusd -X -d /usr/local/etc/raddb
>
> and tried testing directly from my iPhone 4. I got the below snippet of the stdout logs:
>
> - - - s n i p - - -
>     rad_recv: Access-Request packet from host 172.17.1.110 port 2048, id=120, length=249
>             User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
>             NAS-IP-Address = 172.17.1.110
>             NAS-Port = 0
>             Called-Station-Id = 0E-19-BE-80-71-00:eap-sim
>             Calling-Station-Id = 5C-59-48-67-C7-A5
>             Framed-MTU = 1400
>             NAS-Port-Type = Wireless-802.11
>             Connect-Info = CONNECT 11Mbps 802.11b
>             EAP-Message = 0x023901336265383535616537613836303763376640776c616e2e6d6e633030312e6d63633532352e336770706e6574776f726b2e6f7267
>             Message-Authenticator = 0xdef1645477a2ba0f9a9371f0a9eea8b7
>     # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
>     +- entering group authorize {...}
>     ++[preprocess] returns ok
>     [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
>     [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.17.1.110/auth-detail-20120213
>     [auth_log] expand: %t - Mon Feb 13 23:48:18 2012
>     ++[auth_log] returns ok
>     ++[chap] returns noop
>     ++[mschap] returns noop
>     ++[digest] returns noop
>     [suffix] Looking up realm wlan.mnc001.mcc525.3gppnetwork.org for User-Name = 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org
>     [suffix] No such realm wlan.mnc001.mcc525.3gppnetwork.org
>     ++[suffix] returns noop
>     rlm_sim_files: insufficient number of challenges for imsi 3be855ae7a8607...@wlan.mnc001.mcc525.3gppnetwork.org: 0
Re: rlm_perl and Threaded Perl??
On Tue, Feb 14, 2012 at 6:32 AM, Simon Earthrowl searthr...@eseye.com wrote:
> FR 2.1.12-1 and 2.1.12-7, but I also looked at 3.0.0. I manage to get 2048 Perl threads (assumed from netstat -ap, as I'm interfacing into Apache's ActiveMQ); then when I hit 2049 threads FR crashes.

Why would you want that many threads? Can your activemq backend REALLY process 2048 concurrent active connections without slowing down?

It might simply be that nobody has tested that many perl threads in FR, so if a lower number works then I suggest you stick with that for now.

From my experience with sql, the optimum number of radius threads is equal to the number of backend connections (in my case, sql). And the optimum number of sql connections depends on several things, including processing delay (e.g. network roundtrip between nodes) and available cpu cores. But even then my optimum number is around 200. If a radius request arrives when all 200 threads are busy, it will simply be queued for later processing.

--
Fajar
Re: rlm_perl and Threaded Perl??
Simon Earthrowl wrote:

Hello, I've been looking at the FreeRADIUS wiki http://wiki.freeradius.org/Rlm_perl and read all about interpreter pools. The prerequisites are that Perl is compiled with USE_ITHREADS and, a bit lower down, also with MULTIPLICITY. I have both. What I can't seem to get working is the thread management as:

That hasn't worked for MANY years. I've deleted that nonsense from the Wiki.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rad client
Hi,

I need some information about RADIUS behaviour regarding VoIP CDRs (AAA). I know I get two Stop packets and two Start packets for every call that is made. For one softswitch I get the same session ID for all packets (Stop/Start for the A leg, and Stop/Start for the B leg); on the other softswitch I get one session ID for one Stop/Start pair and a different ID for the second Stop/Start pair. So, for the one softswitch, as there is only one ID, I get one entry in the SQL table; for the other softswitch I get two entries in my SQL table, as I get two session IDs. Which behaviour is right?

Thanks!

Miha

-- Best regards / Lep Pozdrav Miha Zoubek Softnet d.o.o. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rad client
On Tue, Feb 14, 2012 at 2:34 PM, Miha Zoubek m...@softnet.si wrote:

Hi, I need some information about RADIUS behaviour regarding VoIP CDRs (AAA). I know I get two Stop packets and two Start packets for every call that is made. For one softswitch I get the same session ID for all packets (Stop/Start for the A leg, and Stop/Start for the B leg); on the other softswitch I get one session ID for one Stop/Start pair and a different ID for the second Stop/Start pair. So, for the one softswitch, as there is only one ID, I get one entry in the SQL table; for the other softswitch I get two entries in my SQL table, as I get two session IDs. Which behaviour is right?

I can't comment about softswitches, but a NAS in general should send only one accounting Start/Stop pair for each session it handles, unless they're re-sent due to transmission problems, in which case the session ID will be the same. I suggest you ask your softswitch vendor about that.

If you know the difference between those two different packets from the same session (e.g. perhaps there's an attribute that's only present in one of them), then you should be able to filter it out so you can record only one entry per session in your acct table.

-- Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rad client
@Fajar, thanks for your quick reply. I will ask the vendor about it.

BR, Miha

On 2/14/2012 8:46 AM, Fajar A. Nugraha wrote:

On Tue, Feb 14, 2012 at 2:34 PM, Miha Zoubek m...@softnet.si wrote:

Hi, I need some information about RADIUS behaviour regarding VoIP CDRs (AAA). I know I get two Stop packets and two Start packets for every call that is made. For one softswitch I get the same session ID for all packets (Stop/Start for the A leg, and Stop/Start for the B leg); on the other softswitch I get one session ID for one Stop/Start pair and a different ID for the second Stop/Start pair. So, for the one softswitch, as there is only one ID, I get one entry in the SQL table; for the other softswitch I get two entries in my SQL table, as I get two session IDs. Which behaviour is right?

I can't comment about softswitches, but a NAS in general should send only one accounting Start/Stop pair for each session it handles, unless they're re-sent due to transmission problems, in which case the session ID will be the same. I suggest you ask your softswitch vendor about that.

If you know the difference between those two different packets from the same session (e.g. perhaps there's an attribute that's only present in one of them), then you should be able to filter it out so you can record only one entry per session in your acct table.

-- Best regards / Lep Pozdrav Miha Zoubek Softnet d.o.o. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
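As an added example (not from this thread and not the FreeRADIUS project's own configuration), here is one way to apply Fajar's suggestion in the accounting section of sites-enabled/default on FreeRADIUS 2.x: keep writing every record from the softswitch that reuses one Acct-Session-Id for both legs, and for the softswitch that issues a separate Acct-Session-Id per leg, write only the originating leg so the call ends up as one SQL row instead of two. The NAS address 192.0.2.20 and the use of the Cisco h323-call-origin VSA ("originate" on the A leg, "answer" on the B leg) as the attribute that tells the two legs apart are assumptions for illustration; substitute the address of your softswitch and whatever attribute the vendor confirms is present in only one of the two records.

```unlang
#  Added example for sites-enabled/default (FreeRADIUS 2.x).
#  Assumptions, not taken from the thread: the softswitch that sends a
#  distinct Acct-Session-Id per call leg is 192.0.2.20 and marks the
#  legs with the Cisco VSA h323-call-origin ("originate" / "answer").
accounting {
	#  Keep the flat-file detail log complete: every packet, both legs,
	#  so the raw CDRs are still there if the SQL view is ever questioned.
	detail

	#  Softswitch with one Acct-Session-Id for both legs: Start and Stop
	#  of both legs key on the same session, so sql keeps updating the
	#  same radacct row and nothing needs filtering.
	#
	#  Softswitch with one Acct-Session-Id per leg: drop the answering
	#  leg before it reaches sql, otherwise the call shows up twice.
	if ((NAS-IP-Address == 192.0.2.20) && (h323-call-origin == "answer")) {
		#  "ok" is a valid unlang return code here: the server still
		#  sends an Accounting-Response, so the NAS does not keep
		#  retransmitting the packet we chose not to store.
		ok
	}
	else {
		sql
	}

	#  Retransmitted packets (same Acct-Session-Id and Acct-Status-Type)
	#  are not a concern for the row count: the stock dialup.conf Start
	#  query falls back to its _alt UPDATE when the INSERT hits an
	#  existing AcctUniqueId, and Stop is an UPDATE to begin with.
}
```

To exercise the branch without a live softswitch, feed constructed Accounting-Request packets through radclient against the local server (for example `radclient -x 127.0.0.1 acct <secret>` reading attribute lines from stdin), once with `h323-call-origin = "originate"` and once with `h323-call-origin = "answer"`, and watch `radiusd -X` show `sql` running for the first and `ok` being returned for the second. If the vendor's answer turns out to be that the second Acct-Session-Id is a genuinely separate session you bill for, delete the `if` and keep both rows.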