Re: Freeradius crashes everyday
On 13/03/2555 13:07, Morteza Milani wrote:
> Hi,
> I don't know what's wrong with freeradius. It's running but does not handle authentication requests. After restarting, it works fine but after a while it goes to sleep ;)
> Does freeradius log details somewhere to see what happens?

Please run in debug mode (freeradius -XXX) and show your log.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Freeradius crashes everyday
Run FreeRADIUS in debug mode and read the output.

    # radiusd -X

Tim

> -----Original Message-----
> From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of Morteza Milani
> Sent: Monday, March 12, 2012 11:08 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Freeradius crashes everyday
>
> Hi,
>
> I don't know what's wrong with freeradius. It's running but does not handle authentication requests. After restarting, it works fine but after a while it goes to sleep ;)
>
> Does freeradius log details somewhere to see what happens?
Freeradius crashes everyday
Hi,

I don't know what's wrong with freeradius. It's running but does not handle authentication requests. After restarting, it works fine but after a while it goes to sleep ;)

Does freeradius log details somewhere to see what happens?
Re: Detail log file .CSV format
Shreya Shah wrote:
> Hi,
>
> Is it possible to get the detail file under radacct in .CSV or text format?

No. The detail file has a fixed format, which isn't CSV. If you change it to CSV, then it's no longer the detail file.

If you want CSV format, see the "linelog" module. You can change its format to be anything you want.

Alan DeKok.
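An added example, not from this thread and not part of FreeRADIUS: if the server must keep writing the standard detail file (for example because a detail reader or a second server consumes it), the CSV can be produced offline instead. The converter below reads the detail file's own layout (a date line, then one tab-indented "Attribute = value" line per attribute, records separated by a blank line) and emits CSV for whichever attributes you name. The sample records and the column list are constructed for the example. It goes through the csv module rather than joining strings, because User-Name and the other values arrive from the NAS as typed by the peer and may contain commas or quotes.

```python
import csv
import io
import re

# Constructed sample in the detail-file layout (not a real capture): a date line,
# one tab-indented "Attribute = value" line per attribute, blank line between records.
SAMPLE_DETAIL = """\
Tue Mar 13 13:07:00 2012
\tAcct-Session-Id = "00280016"
\tAcct-Status-Type = Start
\tUser-Name = "toto"
\tNAS-IP-Address = 10.10.0.138
\tCalling-Station-Id = "10.1.11.61"
\tTimestamp = 1331640420

Tue Mar 13 13:09:00 2012
\tAcct-Session-Id = "00280017"
\tAcct-Status-Type = Stop
\tUser-Name = "to,to"
\tNAS-IP-Address = 10.10.0.138
\tAcct-Session-Time = 120
\tAcct-Terminate-Cause = User-Request
\tTimestamp = 1331640540

"""

# An attribute line: leading whitespace, attribute name, '=', value (possibly quoted).
ATTR_RE = re.compile(r'^\s+([\w.-]+)\s*=\s*(.*)$')


def parse_detail(text):
    """Yield one dict per record; the date line is stored under 'Detail-Date'."""
    record = None
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
                record = None
            continue
        m = ATTR_RE.match(line)
        if m:
            if record is None:
                raise ValueError('attribute line before a record header: %r' % line)
            name, value = m.group(1), m.group(2).strip()
            # String attributes are written in double quotes; strip them.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            record[name] = value
        else:
            if record:  # header with no separating blank line: close the previous record
                yield record
            record = {'Detail-Date': line.strip()}
    if record:
        yield record


def detail_to_csv(text, columns):
    """Render the chosen attributes as CSV; an attribute missing from a record
    becomes an empty cell. csv handles quoting of commas and quotes in values."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, extrasaction='ignore')
    writer.writeheader()
    for rec in parse_detail(text):
        writer.writerow({c: rec.get(c, '') for c in columns})
    return out.getvalue()


if __name__ == '__main__':
    print(detail_to_csv(SAMPLE_DETAIL,
                        ['Detail-Date', 'User-Name', 'Acct-Status-Type', 'Acct-Session-Time']))
```

Run it against a copy of the file rather than the live one: the detail writer appends while the server runs, and a partially written last record would otherwise show up as a truncated row.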
Detail log file .CSV format
Hi,

Is it possible to get the detail file under radacct in .CSV or text format?

Thanks in advance.
-Shreya.
Re: How to configure FreeRadius as Captive Portal
On 13/03/12 07:33, ulislam.raihan wrote:
> 192.168.2.X. I am planning to write a small module in Java. When a device attaches to the Access Point, it will get an IP from 192.168.1.X and all the requests from this IP range will go to the Java program. It will get the user name and password from the user and then do the authentication with the Radius server. After authentication is done, the DHCP server will change the IP address of that device.

Hi Raihan.

I suggest you look at something like Coova Chilli. It uses a Radius server to authenticate users, but does the captive portal. You can use any access point with it, and it'll run fine on the same machine as Freeradius. I don't suggest reinventing the wheel if you can avoid it.

If you are totally new to radius/captive portals etc., I suggest checking out the Grase Hotspot project: all you need is a machine with 2 network cards; install a base Debian or Ubuntu distro, and then install the Grase Hotspot packages on top. It'll set up Freeradius for you, with Coova Chilli and a nice admin interface.

Tim

Disclaimer: The Grase Hotspot is my project; there are other hotspot systems out there with Freeradius and Coova Chilli, but some are hard to set up.
Re: Conditional attributes with AD
Hi,

On Mon, Mar 12, 2012 at 09:07:23PM +, Scott McLane Gardner wrote:
> ++? if (Ldap-Group == "PWHC Secure Wireless")
> [ldap] Entering ldap_groupcmp()
> expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
> expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=users,dc=example,dc=com, with filter (&(memberOf=PWHC Secure Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
> [ldap] object not found

This is what freeradius is searching ^^^

> It looks to me like it's binding and searching and deciding that I'm not a member of that group, however I know that I am because if I do a command-line ldapsearch it shows that I'm a member of that group.

You're not searching the same thing:

> # ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf

> Can anyone tell me what I'm doing wrong?

Try looking at the groupmembership_filter option - work out a search that works on the command line (with a filter), and then fit that filter into the ldap config. It should probably be something like (untested)

    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
    groupmembership_attribute = memberOf

Run in debug, look at what it's actually searching, match to the config file, tweak, rinse & repeat.

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253
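An added illustration, example code rather than anything from Matthew's reply or from rlm_ldap: the debug output above shows the group search being composed as (&(<groupname_attribute>=<group>)<groupmembership_filter>) with %{Ldap-UserDn} expanded to an empty string, so the (member=) clause can never match. The Python below does two things against a user entry constructed from the ldapsearch LDIF in the thread: it performs the membership check that LDIF actually supports (AD lists the full group DN in memberOf, so the group's CN has to be compared against the first RDN of each DN, case-insensitively), and it builds the filter the suggested groupmembership_filter would produce once the user DN is expanded, with RFC 4515 escaping of the interpolated values. The entry, the group name and the ldap_escape helper are assumptions for the example.

```python
import re

# Constructed from the ldapsearch output in the thread; not a live directory query.
USER_ENTRY = {
    'dn': 'CN=username,OU=users,DC=example,DC=com',
    'sAMAccountName': ['username'],
    'memberOf': [
        'CN=PWHC Secure Wireless,OU=PWHC,DC=example,DC=com',
        'CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special Accounts,DC=example,DC=com',
    ],
}


def first_rdn_value(dn):
    """Value of the leftmost RDN ('PWHC Secure Wireless' for the first DN above).
    Understands the '\\,' escape inside a value; not the full RFC 4514 grammar."""
    m = re.match(r'^\s*([^=]+)=((?:\\.|[^,])*)', dn)
    if not m:
        raise ValueError('not a DN: %r' % dn)
    return m.group(2).replace('\\,', ',').strip()


def user_in_ad_group(entry, group_cn):
    """The check the LDIF supports: is a DN whose CN equals group_cn listed in memberOf?
    AD attribute matching is case-insensitive, so the comparison is too."""
    want = group_cn.casefold()
    return any(first_rdn_value(dn).casefold() == want for dn in entry.get('memberOf', []))


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter. Without it a
    user name such as 'a)(objectClass=*' rewrites the filter; rlm_ldap escapes its own
    %{...} expansions, anything you splice in yourself must be escaped the same way."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def group_filter(user_dn, group_cn):
    """The search that groupname_attribute = cn plus the suggested
    groupmembership_filter performs once %{Ldap-UserDn} is expanded.
    An empty user_dn yields (member=), which matches nothing: the 'object not found'
    in the debug log."""
    return '(&(objectClass=group)(cn=%s)(member=%s))' % (
        ldap_escape(group_cn), ldap_escape(user_dn))


if __name__ == '__main__':
    print(user_in_ad_group(USER_ENTRY, 'PWHC Secure Wireless'))
    print(group_filter('', 'PWHC Secure Wireless'))
    print(group_filter(USER_ENTRY['dn'], 'PWHC Secure Wireless'))
```

The practical check this suggests is the one Matthew describes: paste the filter that group_filter prints for the real user DN into ldapsearch with -b set to the groups' container, and only when that returns the group entry is it worth moving the filter into the ldap module config.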
Add Users in MySQL database
Hi everyone...

I have a little problem... I want to add users in the MySQL database, but before everything (before AAA), what module do I need to edit or configure to add a script that manages the MySQL?

--
Fabricio A. Flores G.
Re: How to configure FreeRadius as Captive Portal
Hi Alan,

Thanks for your advice. Is it possible to configure the DHCP module in freeRadius in such a way that at first the DHCP will give an IP address from one subnet like 192.168.1.X, and afterwards, after authentication is done, DHCP will force a change of the IP address to a different IP subnet like 192.168.2.X?

I am planning to write a small module in Java. When a device attaches to the Access Point, it will get an IP from 192.168.1.X and all the requests from this IP range will go to the Java program. It will get the user name and password from the user and then do the authentication with the Radius server. After authentication is done, the DHCP server will change the IP address of that device.

Maybe I am making it more complex.

Thanks
Raihan
Re: FreeRADIUS 1.1.2 -> 2.1.12 migration steps
I don't see any differences... Just save your config files and replace them later when the rpm "goes live".

On 3/12/2012 8:34 PM, Norman Elton wrote:
>> And we are expecting to ship freeradius 2.1.12 in the RHEL 6.3 update.
>
> Any chance you can post the 2.1.12 packages to test? I can compile FR by hand, but testing the RPM would be good.
>
> Thanks,
> Norman Elton
Re: How to configure FreeRadius as Captive Portal
Hi,

> I am a new person using freeRadius server. I have a wireless access point with WPA authentication option. It does not have any support for 802.1x or configuring Radius server. But I want to implement some central security using Radius server. Is it possible to configure the FreeRadius server in such a way so that I can set up a captive portal? Any suggestion will be highly appreciated.

yes - but you say you want some central security - and security doesn't go with captive portal so suggest you change the AP to one that can do 802.1X

alan
Re: Using DHCP
On Mon, Mar 12, 2012 at 10:25 PM, Franz wrote:
> Hi,
> I was wondering if when using DHCP with freeradius we can control the lease time depending on the group the user belongs to.

Possible, but you need to create the rule yourself. If you use the v2.1.x branch from git, the lease time is selected by default in the config file. If you're using sql or ldap to store your users, you can easily change it with unlang.

--
Fajar
Re: Conditional attributes with AD
Okay, I am a couple steps closer, but still having trouble. My radius server is saying my test user is not in the group I'm filtering for, however I know that it is.

My sites-available/default config looks like:

    authorize
    ...
    ldap
    if (Ldap-Group == "PWHC Secure Wireless") {
        update reply {
            Tunnel-type = VLAN
            Tunnel-medium-type = IEEE-802
            Tunnel-Private-Group-Id = 456
        }
    }
    ...

And my modules/ldap config looks like:

    ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = "adserver.example.com"
        identity = "cn=admin,ou=users,dc=example,dc=com"
        password = adminpass
        basedn = "ou=users,dc=example,dc=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    ...

And I'm receiving the following log messages:

    [ldap] performing user authorization for username
    [ldap] expand: %{Stripped-User-Name} ->
    [ldap] ... expanding second conditional
    [ldap] expand: %{User-Name} -> username
    [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=username)
    [ldap] expand: ou=users,dc=example,dc=com -> ou=users,dc=example,dc=com
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] attempting LDAP reconnection
    [ldap] (re)connect to adserver.uark.edu:389, authentication 0
    [ldap] bind as cn=netoc,ou=users,dc=example,dc=com/password to adserver.uark.edu:389
    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in ou=users,dc=example,dc=com, with filter (sAMAccountName=username)
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user username authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++? if (Ldap-Group == "PWHC Secure Wireless")
    [ldap] Entering ldap_groupcmp()
    expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
    expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in ou=users,dc=example,dc=com, with filter (&(memberOf=PWHC Secure Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
    [ldap] object not found
    [ldap] ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group PWHC Secure Wireless not found or user is not a member.
    ? Evaluating (Ldap-Group == "PWHC Secure Wireless") -> FALSE
    ++? if (Ldap-Group == "PWHC Secure Wireless") -> FALSE

It looks to me like it's binding and searching and deciding that I'm not a member of that group, however I know that I am because if I do a command-line ldapsearch it shows that I'm a member of that group.

    # ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: cn=username
    # requesting: memberOf
    #

    # username, Users, example.com
    dn: CN=username,OU=users,dc=example,dc=com
    memberOf: CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com
    memberOf: CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special Accounts,dc=example,dc=com

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Can anyone tell me what I'm doing wrong?

Thanks,
Scott
How to configure FreeRadius as Captive Portal
Hi All,

I am a new person using freeRadius server. I have a wireless access point with WPA authentication option. It does not have any support for 802.1x or configuring Radius server. But I want to implement some central security using Radius server. Is it possible to configure the FreeRadius server in such a way so that I can set up a captive portal? Any suggestion will be highly appreciated.

Thanks
Raihan
Re: FreeRADIUS 1.1.2 -> 2.1.12 migration steps
On 03/12/2012 03:34 PM, Norman Elton wrote:
>> And we are expecting to ship freeradius 2.1.12 in the RHEL 6.3 update.
>
> Any chance you can post the 2.1.12 packages to test? I can compile FR by hand, but testing the RPM would be good.

No, I'm sorry I cannot pre-release packages. However if you are a RHEL customer I believe you can participate in beta testing.

--
John Dennis
Re: FreeRADIUS 1.1.2 -> 2.1.12 migration steps
> And we are expecting to ship freeradius 2.1.12 in the RHEL 6.3 update.

Any chance you can post the 2.1.12 packages to test? I can compile FR by hand, but testing the RPM would be good.

Thanks,
Norman Elton
Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type "LDAP" in authenticate sub-section
On 12/03/12 18:23, u...@3.am wrote:
> ...and you just hit on something that solved the problem. It seems that FR was getting the group info from LDAP indirectly, through the PAM module, which was

Actually, probably not. It probably gets the groups via nss_ldap, through nsswitch.
Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type "LDAP" in authenticate sub-section
> Hi,
>
>>> DEFAULT Group == "FOO", Pool-Name :="FOO_pool"
>>
>> "Group" is probably empty. I can't remember what module, if any, fills it out.
>
> # The Group and Group-Name attributes are automatically created by
> # the Unix module, and do checking against /etc/group automatically.
> # This means that you CANNOT use Group or Group-Name to do any other
> # kind of grouping in the server. You MUST define a new group
> # attribute.
>
> ...that's probably the one :-)

...and you just hit on something that solved the problem. It seems that FR was getting the group info from LDAP indirectly, through the PAM module, which was configured using authconfig. Running authconfig pointing to the local LDAP server solved the problem.

/etc/pam.d/system-auth

    auth    required    pam_env.so
    auth    sufficient  pam_unix.so nullok try_first_pass
    auth    requisite   pam_succeed_if.so uid >= 500 quiet
    auth    sufficient  pam_ldap.so use_first_pass
    auth    required    pam_deny.so

Dovecot, sshd and other apps transparently use LDAP this way. I didn't think FR did (and maybe it doesn't completely), because I seem to recall trying to get it to work on an older version (using Auth-type=PAM) that way with no luck... but that was a while ago.
Re: Is this a possible project?
On 03/12/2012 03:32 PM, 甄鹏 wrote:
> Hello Everybody:
> Recently I got a project; it requires setting up a Radius Server in the company, and 100 APs in 100 restaurants in the city, all the APs of course connected to their own router.
> I want the customers who want to use wifi in any of these restaurants to need to get authentication through the Radius Server located in my company rather than the traditional wpa/wpa2 ways.
> Honestly, I am new to freeRadius; I am not even really sure if it is a possible project?
> The radius server could have a static WAN IP address, but all the APs could only get a LAN IP address like 192.168.*.*. When I set up the freeRadius+Mysql system, how could I distinguish different APs? Because, I know, in the LAN I set the IP address for different APs for the nasname option in nas.sql.
> sorry for too many questions here,
> thank you in advance

In a setup like that I would start looking at an Aruba (http://www.arubanetworks.com/) setup. That gives you the possibility to create environments where every AP sends out the corporate SSID with WPA2-Enterprise and gives guests access to a local guest network with a controlled internet breakout. This can all work very fine with freeradius.

--
Kind regards,
Jan Hugo Prins
E: j...@jhprins.org
custom AVPs from LDAP in AccessAccept packet
hi,

we have a central radius server (LDAP user store) talking to a department radius server connected to an AP. I can't change the LDAP, so I can't use the radiusprofile objectclass.

I'd like to configure the central radius server to send custom AVPs fetched from the LDAP to the department radius server. The department radius server (which is proxying AccessRequests to the central radius server) will then unlang these custom AVPs contained in the AccessAccept packet to set the appropriate VLAN Id.

I've mapped ldap attributes in the ldap.attrmap of the central radius server (eg: replyItem Campus-Usage-Right diritto8021x) but am now a bit confused on how to go on.

Should I now define a custom dictionary file that the central radius server and the department radius server must share? Or should I rather add entries in /etc/raddb/dictionary of the central radius server (eg ATTRIBUTE Campus-Usage-Right 1 string)?

Thank you very much in advance for your help,
Stefano
Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type "LDAP" in authenticate sub-section
Hi,

>> DEFAULT Group == "FOO", Pool-Name :="FOO_pool"
>
> "Group" is probably empty. I can't remember what module, if any, fills it out.

    # The Group and Group-Name attributes are automatically created by
    # the Unix module, and do checking against /etc/group automatically.
    # This means that you CANNOT use Group or Group-Name to do any other
    # kind of grouping in the server. You MUST define a new group
    # attribute.

...that's probably the one :-)

alan
Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type "LDAP" in authenticate sub-section
> On 12/03/12 15:44, u...@3.am wrote:
>
>> DEFAULT Group == "FOO", Pool-Name :="FOO_pool"
>
> "Group" is probably empty. I can't remember what module, if any, fills it out.
>
> What do you *think* "Group" will contain? It won't contain LDAP groups.

I was about to post about this. I just did a test with this entry:

    someuser    Pool-Name :="FOO_pool"

And it got an IP from the pool just fine, so you're right, the problem lies with "Group". It is a legacy entry, left over from before we switched from PAM/unix to LDAP. Since it continued to work even after removing all of the unix group entries, and still continues to work when we add new LDAP groups and LDAP users to that group, how it gets that is something I don't know... there's no ldap.attrmap entry for it on the older, working servers.

I take it I will need to map the LDAP attribute PosixGroup to something?
Re: Pool-Name attribute issue WAS Re: Unknown Auth-Type "LDAP" in authenticate sub-section
On 12/03/12 15:44, u...@3.am wrote:

> DEFAULT Group == "FOO", Pool-Name :="FOO_pool"

"Group" is probably empty. I can't remember what module, if any, fills it out.

What do you *think* "Group" will contain? It won't contain LDAP groups.
Pool-Name attribute issue WAS Re: Unknown Auth-Type "LDAP" in authenticate sub-section
> On Sat, Mar 10, 2012 at 5:29 AM, wrote:
>>> So to save lots of time and configuration problems: does your LDAP store user passwords in clear text or any "common" hash (e.g. md5, unix)? If yes, AND you know what the LDAP attribute is, you don't even need an LDAP section in authenticate.
>>
>> Mostly crypt, but I've seen a few SSHA hashes. I know the ldap attribute as well. Assuming those hashes are "common" enough, what do I need to do?
>
> If the hash is supported (see http://wiki.freeradius.org/Protocol%20Compatibility), you only need to make sure FR sees it in the right place. See ldap.attrmap.
>
>> I should point out that I had been using:
>>
>> DEFAULT Auth-Type = Ldap
>>
>> in the users file as well on the two older servers, despite docs that say that it is "almost always wrong", but it was the only way we got it working.
>
> If you have the attribute, and the hash is supported, you shouldn't need that.

I've taken that out on the new, 2.1.12 install and now a typical DEFAULT entry looks like this:

    DEFAULT Group == "FOO", Pool-Name :="FOO_pool"

It seems to instantiate the module ok:

    Module: Linked to module rlm_ippool
    Module: Instantiating module "FOO_pool" from file /usr/etc/raddb/radiusd.conf
    ippool FOO_pool {
        session-db = "/usr/etc/raddb/db.FOO_ippool"
        ip-index = "/usr/etc/raddb/db.FOO_ipindex"
        key = "%{NAS-IP-Address} %{NAS-Port}"
        range-start = 172.17.0.101
        range-stop = 172.17.0.253
        netmask = 255.255.255.0
        cache-size = 251
        override = yes
        maximum-timeout = 0

The Access-Request packet looks ok:

    Framed-Protocol = PPP
    User-Name = "someuser"
    User-Password = "somepassword"
    NAS-Port-Type = Virtual
    NAS-Port = 2
    NAS-Port-Id = "Uniq-Sess-ID2"
    Service-Type = Framed-User
    NAS-IP-Address = some pptp cisco device

LDAP authentication then succeeds as it should.

    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = ldap1

LDAP bind is then successful as it should be, but then:

    # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
    [FOO_pool] Could not find Pool-Name attribute.
    ++[FOO_pool] returns noop

I assume I must be doing something wrong now with the users file entry. The old, working one was this:

    DEFAULT Group == FOO, Pool-Name :="FOO_pool", Auth-Type = Ldap
            Framed-Protocol == PPP, Framed-Compression = Van-Jacobson-TCP-IP

The new one is currently:

    DEFAULT Group == "FOO", Pool-Name :="FOO_pool"

I have tried Framed-Protocol=PPP (is this still desired for PPTP, BTW?), and I have tried setting:

    Service-Type = Framed-User

at the beginning and end of the line, same for "Login-User", but the "Could not find Pool-Name attribute" persists.

The config files are all the same as the older versions (2.1.09-.10). The pool name is listed in the accounting and post-auth sections of sites-enabled/default.

Appreciate any clues as to what I missed.
Re: FreeRADIUS 1.1.2 -> 2.1.12 migration steps
On 03/12/2012 11:33 AM, Fred wrote:
> Just a little remark: CentOS 5.8 has up-to-date freeradius 2.1.12 (binary and sources). CentOS 6.2 only has freeradius 2.1.10 from upstream (redhat 6.2).

And we are expecting to ship freeradius 2.1.12 in the RHEL 6.3 update.

--
John Dennis
Re: FreeRADIUS 1.1.2 -> 2.1.12 migration steps
Just a little remark: CentOS 5.8 has up-to-date freeradius 2.1.12 (binary and sources). CentOS 6.2 only has freeradius 2.1.10 from upstream (redhat 6.2).

Best regards,
Fred MAISON

On 6 March 2012 13:06, Fajar A. Nugraha wrote:
> On Tue, Mar 6, 2012 at 6:13 PM, Martin Mielke wrote:
>> This is part of an OS consolidation project which started some time ago. There were too many Linux flavours like Debian, Slackware, Fedora, CentOS, RedHat 4, Mandriva... thus making maintenance, support and administration more complicated...
>>
>> Anyway, this was not the point ;-)
>
> IMHO it's relevant.
>
> If you're consolidating stuff, you'd want to put it on something with a long support lifetime. RHEL5 will end its production phase 1 this year. So if this is a new setup, and you're migrating to FR2 anyway, RHEL6 would be a better choice.
>
> As to how to migrate, Alan and Bjorn already provide good suggestions. If you still have problems during migration, feel free to ask.
>
> --
> Fajar
Using DHCP
Hi,

I was wondering if when using DHCP with freeradius we can control the lease time depending on the group the user belongs to.

Thanks,
Franz
Re: HP-Command-String in sql accounting
On 12 Mar 2012, at 15:55, Marc Boisis-Delavaud wrote:
> Hello,
> I've enabled command accounting of my HP ProCurve switches. The information is sent to radius:
> rad_recv: Accounting-Request packet from host 10.10.0.138 port 1274, id=79, length=128
>     Acct-Session-Id = "00280016"
>     Acct-Status-Type = Interim-Update
>     Service-Type = NAS-Prompt-User
>     Acct-Authentic = RADIUS
>     User-Name = "toto"
>     NAS-IP-Address = 10.10.0.138
>     NAS-Identifier = "sw"
>     NAS-Port-Type = Virtual
>     Calling-Station-Id = "10.1.11.61"
>     HP-Command-String = "show running-config"
>     Acct-Delay-Time = 0
>
> But the HP-Command-String is not present in the radacct table, is it possible to have it?
> thanks

Yes. Just edit the queries in raddb/sql//dialup.conf for accounting updates and modify your SQL schema.

Be sure to issue the following commands on your ProCurve switches:

    aaa accounting session-id common
    aaa accounting commands interim-update radius

(from the output it looks like you already have)

You'll probably want to use a text field type and the built-in SQL function to concatenate the HP-Command-String field from multiple accounting update packets.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
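An added example of the concatenation approach Arran describes; it is not his code and not the stock dialup.conf queries. It is written in Python against an in-memory SQLite copy of a minimal radacct so that it runs stand-alone: the table gets an extra text column for the commands, each Interim-Update appends one command, and Acct-Session-Id is the key (it stays the same for the whole CLI session because of "aaa accounting session-id common"). SQLite concatenates with || where MySQL uses CONCAT(); the column name, the handling of an Interim-Update that arrives with no preceding Start, and the accounting packets (modelled on the one in the thread) are my assumptions. Every value goes in as a bound parameter: the command text is whatever the person on the switch CLI typed, which is exactly the kind of value that must never be spliced into SQL by hand (in dialup.conf the %{HP-Command-String} expansion is escaped by the sql module's safe_characters handling for the same reason).

```python
import sqlite3


def open_db():
    """In-memory stand-in for radacct with the extra text column for the commands.
    Real radacct has many more columns; only the ones this example touches are kept."""
    db = sqlite3.connect(':memory:')
    db.execute("""CREATE TABLE radacct (
        acctsessionid   TEXT PRIMARY KEY,
        username        TEXT,
        nasipaddress    TEXT,
        acctstoptime    INTEGER,
        hpcommandstring TEXT NOT NULL DEFAULT '')""")
    return db


def account(db, pkt):
    """Apply one Accounting-Request (a dict of attribute -> value) to the table."""
    sid = pkt['Acct-Session-Id']
    user, nas = pkt.get('User-Name'), pkt.get('NAS-IP-Address')
    status = pkt['Acct-Status-Type']
    if status == 'Start':
        db.execute("INSERT OR IGNORE INTO radacct (acctsessionid, username, nasipaddress) "
                   "VALUES (?, ?, ?)", (sid, user, nas))
    elif status == 'Interim-Update':
        cmd = pkt.get('HP-Command-String')
        if cmd is None:
            return  # plain interim update, nothing to record for command accounting
        # MySQL equivalent for dialup.conf:
        #   SET hpcommandstring = CONCAT(hpcommandstring, '%{HP-Command-String}', '\n')
        cur = db.execute("UPDATE radacct SET hpcommandstring = hpcommandstring || ? "
                         "WHERE acctsessionid = ?", (cmd + '\n', sid))
        if cur.rowcount == 0:
            # No Start seen (server restart, lost packet): keep the command anyway.
            db.execute("INSERT INTO radacct (acctsessionid, username, nasipaddress, hpcommandstring) "
                       "VALUES (?, ?, ?, ?)", (sid, user, nas, cmd + '\n'))
    elif status == 'Stop':
        db.execute("UPDATE radacct SET acctstoptime = ? WHERE acctsessionid = ?",
                   (pkt.get('Event-Timestamp'), sid))
    db.commit()


def commands(db, sid):
    """The commands recorded for one session, in the order they were received."""
    row = db.execute("SELECT hpcommandstring FROM radacct WHERE acctsessionid = ?",
                     (sid,)).fetchone()
    return row[0].splitlines() if row else []


# Constructed packets modelled on the Interim-Update in the thread; not captures.
SAMPLE_PACKETS = [
    {'Acct-Status-Type': 'Start', 'Acct-Session-Id': '00280016',
     'User-Name': 'toto', 'NAS-IP-Address': '10.10.0.138'},
    {'Acct-Status-Type': 'Interim-Update', 'Acct-Session-Id': '00280016',
     'User-Name': 'toto', 'NAS-IP-Address': '10.10.0.138',
     'HP-Command-String': 'show running-config'},
    {'Acct-Status-Type': 'Interim-Update', 'Acct-Session-Id': '00280016',
     'User-Name': 'toto', 'NAS-IP-Address': '10.10.0.138',
     'HP-Command-String': "copy running-config tftp 10.1.11.61 'sw.cfg'"},
    {'Acct-Status-Type': 'Stop', 'Acct-Session-Id': '00280016',
     'User-Name': 'toto', 'NAS-IP-Address': '10.10.0.138', 'Event-Timestamp': 1331640540},
    # Interim-Update for a session whose Start was never seen.
    {'Acct-Status-Type': 'Interim-Update', 'Acct-Session-Id': '00280017',
     'User-Name': 'toto', 'NAS-IP-Address': '10.10.0.138',
     'HP-Command-String': 'show ip route'},
]


def replay(packets):
    db = open_db()
    for pkt in packets:
        account(db, pkt)
    return db


if __name__ == '__main__':
    db = replay(SAMPLE_PACKETS)
    for line in commands(db, '00280016'):
        print(line)
```

The command with an embedded single quote goes through intact, which is the property to check after editing dialup.conf: send an Interim-Update carrying a quote or backslash in HP-Command-String and confirm the row updates rather than the query failing.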
RE: HP-Command-String in sql accounting
Just change the SQL schema of your table and adapt the SQL query in sql.conf!

Best regards,
E:S

> -----Original Message-----
> From: freeradius-users-bounces+edvin.seferovic=kolp...@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp...@lists.freeradius.org] On Behalf Of Marc Boisis-Delavaud
> Sent: Monday, 12 March 2012 15:56
> To: FreeRadius users mailing list
> Subject: HP-Command-String in sql accounting
>
> Hello,
> I've enabled command accounting of my HP ProCurve switches. The information is sent to radius:
> rad_recv: Accounting-Request packet from host 10.10.0.138 port 1274, id=79, length=128
>     Acct-Session-Id = "00280016"
>     Acct-Status-Type = Interim-Update
>     Service-Type = NAS-Prompt-User
>     Acct-Authentic = RADIUS
>     User-Name = "toto"
>     NAS-IP-Address = 10.10.0.138
>     NAS-Identifier = "sw"
>     NAS-Port-Type = Virtual
>     Calling-Station-Id = "10.1.11.61"
>     HP-Command-String = "show running-config"
>     Acct-Delay-Time = 0
>
> But the HP-Command-String is not present in the radacct table, is it possible to have it?
> thanks
HP-Command-String in sql accounting
Hello,

I've enabled command accounting of my HP ProCurve switches. The information is sent to radius:

    rad_recv: Accounting-Request packet from host 10.10.0.138 port 1274, id=79, length=128
        Acct-Session-Id = "00280016"
        Acct-Status-Type = Interim-Update
        Service-Type = NAS-Prompt-User
        Acct-Authentic = RADIUS
        User-Name = "toto"
        NAS-IP-Address = 10.10.0.138
        NAS-Identifier = "sw"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.1.11.61"
        HP-Command-String = "show running-config"
        Acct-Delay-Time = 0

But the HP-Command-String is not present in the radacct table, is it possible to have it?

thanks
Re: Is this a possible project?
On 12 Mar 2012, at 15:32, 甄鹏 wrote:
> Hello Everybody:
> Recently I got a project; it requires setting up a Radius Server in the company, and 100 APs in 100 restaurants in the city, all the APs of course connected to their own router.
> I want the customers who want to use wifi in any of these restaurants to need to get authentication through the Radius Server located in my company rather than the traditional wpa/wpa2 ways.

Do you want to use WPA/WPA2 Enterprise instead, or through a captive portal on the access point, or through mac authentication?

> Honestly, I am new to freeRadius; I am not even really sure if it is a possible project?
> The radius server could have a static WAN IP address, but all the APs could only get a LAN IP address like 192.168.*.*. When I set up the freeRadius+Mysql system, how could I distinguish different APs?

Depends on the AP; some will send the NAS-Identifier attribute which you could use to distinguish between them. Otherwise most will include a Called-Station-ID attribute which *may* contain a MAC address associated with the access point; you'll need to check what your access point sends.

Arran Cudbard-Bell
a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Is this a possible project?
Hello Everybody:

Recently I got a project; it requires setting up a Radius Server in the company, and 100 APs in 100 restaurants in the city, all the APs of course connected to their own router.

I want the customers who want to use wifi in any of these restaurants to need to get authentication through the Radius Server located in my company rather than the traditional wpa/wpa2 ways.

Honestly, I am new to freeRadius; I am not even really sure if it is a possible project?

The radius server could have a static WAN IP address, but all the APs could only get a LAN IP address like 192.168.*.*. When I set up the freeRadius+Mysql system, how could I distinguish different APs? Because, I know, in the LAN I set the IP address for different APs for the nasname option in nas.sql.

sorry for too many questions here,
thank you in advance

Joey
Re: Freeradius-Users Digest, Vol 83, Issue 43
Thank you Fajar, it works.

I included sqlcounter.conf in the module section of radiusd.conf. Then I inserted into radcheck a user with the attributes

    User-Password := "password"
    Service-Type := "Framed-User"
    Max-Daily-Session := "240"

Debug logs:

    rlm_sqlcounter: (Check item - counter) is less than zero
    rlm_sqlcounter: Rejected user student, check_item=240, counter=242
    modcall[authorize]: module "dailycounter" returns reject for request 15
    modcall: leaving group authorize (returns reject) for request 15
    Invalid user (rlm_sqlcounter: Maximum hourly usage time reached): [student] (from client C2960_NOC_LAN1 port 50009 cli 00-1E-33-D5-7A-68)
    Delaying request 15 for 1 seconds
    Finished request 15
    Going to the next request
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 10.1.5.4:1645, id=81, length=197
    Sending Access-Reject of id 81 to 10.1.5.4 port 1645
        Reply-Message = "Your maximum hourly usage time has been reached"

Once again thank you

Pamela Pomary
ICTD
University of Ghana
Email: ppom...@gmail.com
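An added example, not from Pamela's message or from rlm_sqlcounter itself, of the arithmetic behind "check_item=240, counter=242": the counter is the number of session seconds the user has consumed since the start of the current period, summed from radacct, and Max-Daily-Session is compared against it in seconds too. The Python below reproduces that over an in-memory SQLite stand-in for radacct, including the clipping that the stock dailycounter query applies to a session that began before midnight (only the part inside the period counts) and the exclusion of sessions that ended before it. The rows, the fixed "now", and the use of a Unix timestamp for acctstarttime (real radacct stores a DATETIME and the stock query wraps it in UNIX_TIMESTAMP()) are assumptions for the example; midnight here is UTC.

```python
import sqlite3

DAY = 86400


def open_db():
    """In-memory stand-in for radacct with only the columns the counter query reads."""
    db = sqlite3.connect(':memory:')
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, "
               "acctsessiontime INTEGER)")
    return db


def period_start(now):
    """'reset = daily': the period starts at the most recent midnight (UTC here).
    rlm_sqlcounter exposes this value to its query as %b."""
    return now - (now % DAY)


def seed_sample(db, now):
    """Constructed sessions: one wholly inside today, one straddling midnight,
    one that finished yesterday, one belonging to somebody else."""
    ps = period_start(now)
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", [
        ('student', ps + 3600, 200),   # counts in full
        ('student', ps - 100, 142),    # only the 42 s after midnight count
        ('student', ps - 1000, 500),   # ended before midnight: ignored
        ('other', ps + 10, 1000),      # different user
    ])
    db.commit()


def used_seconds(db, username, now):
    """What the stock dailycounter query computes: seconds of session time that fall
    inside the current period. MAX(a, b) is SQLite's scalar max (GREATEST in MySQL)."""
    ps = period_start(now)
    row = db.execute(
        "SELECT COALESCE(SUM(acctsessiontime - MAX(? - acctstarttime, 0)), 0) "
        "FROM radacct WHERE username = ? AND acctstarttime + acctsessiontime > ?",
        (ps, username, ps)).fetchone()
    return int(row[0])


def sqlcounter_check(db, username, max_daily_session, now):
    """rlm_sqlcounter's decision: reject once the counter has reached the check item,
    otherwise report the seconds left, which the module sends as Session-Timeout so the
    NAS cuts the session off at the limit instead of letting it overrun."""
    remaining = max_daily_session - used_seconds(db, username, now)
    if remaining <= 0:
        return ('reject', 0)
    return ('ok', remaining)


if __name__ == '__main__':
    now = 1331640000  # fixed for reproducibility: 2012-03-13 12:00:00 UTC
    db = open_db()
    seed_sample(db, now)
    print(used_seconds(db, 'student', now), sqlcounter_check(db, 'student', 240, now))
```

Two things worth checking in a real deployment follow from this: a session that is still open has no Stop record yet, so its time only enters the sum through interim updates, and a user whose accounting Stop never arrives (NAS rebooted, packet lost) is under-counted until radacct is cleaned up.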
about multiple nas
Hello all,

Does anyone know how to configure the users on multiple NAS/clients in freeradius? For example:

my NAS type (client type) is ChilliSpot access points.
my first NAS IP address is 192.168.1.1
my second NAS IP address is 192.168.1.2
my third NAS IP address is 192.168.1.3

"bot" user must be valid from these NASs/Clients. So, I inserted the row below in the radcheck table. But it is not working.

    Username | Attribute      | op | value
    dagia    | NAS-IP-Address | == | 192.168.1.1|192.168.1.2|192.168.1.3

Anyone help me pls?
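An added example, not part of the question above and not FreeRADIUS code: the row fails because "==" compares the whole value literally, so "192.168.1.1|192.168.1.2|192.168.1.3" never equals any single address. The Python below models the check-item operators on the operator descriptions in the users(5) man page and runs a constructed request against two sets of constructed radcheck rows: the row as posted, and the same restriction written with the "=~" regex operator. The anchors in the pattern matter, which the last assertion shows: an unanchored "192\.168\.1\.1" would also accept a NAS at 192.168.1.10. The rows, the request and the ":=" handling are my assumptions.

```python
import re

# Constructed Access-Request attributes (what one of the ChilliSpot NASes would send).
REQUEST = {'User-Name': 'dagia', 'NAS-IP-Address': '192.168.1.2'}

# Constructed radcheck rows as (username, attribute, op, value).
# BROKEN mirrors the row in the question: '==' is a literal string comparison.
BROKEN_ROWS = [
    ('dagia', 'Cleartext-Password', ':=', 'secret'),
    ('dagia', 'NAS-IP-Address', '==', '192.168.1.1|192.168.1.2|192.168.1.3'),
]
# FIXED uses the regex operator; ^ and $ anchor the match to the whole address.
FIXED_ROWS = [
    ('dagia', 'Cleartext-Password', ':=', 'secret'),
    ('dagia', 'NAS-IP-Address', '=~', r'^(192\.168\.1\.1|192\.168\.1\.2|192\.168\.1\.3)$'),
]


def check_item_matches(op, want, got):
    """Check-item operator semantics, modelled on users(5).
    ':=' assigns a control item (here the password) rather than comparing anything,
    so it always passes; the password itself is verified later by the auth module."""
    if op == ':=':
        return True
    if got is None:  # attribute absent from the request: no comparison can match
        return False
    if op == '==':
        return got == want
    if op == '!=':
        return got != want
    if op == '=~':
        return re.search(want, got) is not None
    if op == '!~':
        return re.search(want, got) is None
    raise ValueError('unsupported check operator %r' % op)


def authorize(rows, request):
    """True only when the user has rows and every one of them matches the request;
    a user with no rows is 'not found' and does not match either."""
    user_rows = [r for r in rows if r[0] == request.get('User-Name')]
    if not user_rows:
        return False
    return all(check_item_matches(op, value, request.get(attr))
               for _user, attr, op, value in user_rows)


if __name__ == '__main__':
    print('as posted:', authorize(BROKEN_ROWS, REQUEST))
    print('with =~  :', authorize(FIXED_ROWS, REQUEST))
```

In radcheck the regex goes in the value column with "=~" in the op column. Where the set of NASes changes often, a huntgroup keyed on the NAS addresses and a single "Huntgroup-Name ==" check row avoids editing every user's regex.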
Re: Zombie Clarification
Norman Elton wrote:
> Well, I understand how the alive/zombie/dead process SHOULD work, but I'm having trouble lining it up with what we're seeing. We're proxying to a windows NPS box. Here's the proxy config:

Part of the issue is that the timers on the proxy are independent of the timers on the client. The timers on the proxy fire ONLY when it receives packets from the client. So if the client doesn't retransmit, or if it retransmits on an unusual pattern, proxying becomes more difficult.

> Now, for whatever reason, the Windows box decides to discard some requests. Unfortunately, the error reporting is pretty weak ("discarding invalid request"). Our Windows guys are digging into this. It seems to be client specific, we suspect something with our recently changed certificate.

I don't see how. Normal RADIUS doesn't use certificates.

And if your home server *randomly* discards requests, then your priority should be to fix that. No amount of poking FreeRADIUS will make the home server magically work. No amount of poking FreeRADIUS will work around the fact that the home server is broken.

> FreeRadius is dropping into zombie state, which is expected given that the home server is dropping requests. But our logs and packet captures indicate that the home server is never dropping the "ping_user" status checks that FR is using to determine the home server state. But, our FreeRadius logs indicate that the home_server is being flagged 'dead' immediately upon becoming zombie:

Check which version of the server you're running. Old versions sometimes had issues with zombie timers. See doc/ChangeLog for details.

> Why is the server going into zombie state at 20:32:26 and immediately becoming dead at 20:32:27? Shouldn't it wait for the entire zombie_period before dropping dead?

Yes.

Alan DeKok.