radclient coa example

2012-10-22 Thread jobhunts02
I've read that radclient can be used to send a change-of-authorization (CoA) 
message from the server to a NAS to change the bandwidth limit, but I have not 
been able to find an example of this.

Does anyone have an example of radclient sending a CoA message to change the 
bandwidth limit?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
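As an added example (not from the post above and not FreeRADIUS project code), this is the shape of a radclient CoA-Request for a rate-limit change. It assumes the NAS listens for CoA on UDP 3799 (the RFC 5176 default), shares a secret with the host running radclient, and honours WISPr-Bandwidth-Max-Down / WISPr-Bandwidth-Max-Up from dictionary.wispr; the NAS address, secret, session values and those two attribute names are placeholders, and the real attribute is whatever rate-limit VSA your NAS documents. The session is identified by User-Name, Acct-Session-Id and NAS-IP-Address; the NAS answers CoA-ACK or CoA-NAK, which radclient -x prints.

```shell
#!/bin/sh
# Added example: send a RADIUS CoA-Request with radclient to change a live
# session's bandwidth limit. Addresses, secret and attribute names below are
# assumptions; substitute the values and VSAs your NAS documents.

NAS_ADDR="${NAS_ADDR:-192.0.2.10}"        # assumed NAS address (RFC 5737 range)
COA_PORT="${COA_PORT:-3799}"              # RFC 5176 default CoA/Disconnect port
COA_SECRET="${COA_SECRET:-testing123}"    # assumed shared secret for CoA

# build_coa USER SESSION_ID NAS_IP DOWN_BPS UP_BPS
# Print the attribute list radclient reads from stdin: the first three
# attributes identify the session (RFC 5176 session identification),
# the last two carry the new limits (assumed WISPr attributes).
build_coa() {
    printf 'User-Name = "%s"\n' "$1"
    printf 'Acct-Session-Id = "%s"\n' "$2"
    printf 'NAS-IP-Address = %s\n' "$3"
    printf 'WISPr-Bandwidth-Max-Down = %s\n' "$4"
    printf 'WISPr-Bandwidth-Max-Up = %s\n' "$5"
}

# send_coa USER SESSION_ID NAS_IP DOWN_BPS UP_BPS
# Pipe the attributes into radclient; -x prints the request and the
# CoA-ACK / CoA-NAK reply. radclient exits non-zero when a request is
# rejected or gets no answer, so callers can test its status.
send_coa() {
    build_coa "$@" | radclient -x "$NAS_ADDR:$COA_PORT" coa "$COA_SECRET"
}

# Run only when five arguments are given, e.g.:
#   ./coa.sh bob 0000123A 192.0.2.10 2000000 512000
if [ "$#" -eq 5 ]; then
    send_coa "$@"
fi
```

On the NAS, CoA has to be enabled and restricted to the RADIUS server's address with the same secret, and UDP 3799 should not be reachable from anywhere else: whoever can reach that port with the secret can change or terminate sessions.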


Accounting Start Request error

2012-10-22 Thread QASIM RAO

Hi,
I am facing this problem that radius is giving me return code 1. As far as I think, 
this is because Acct-Session-Id is missing in the request... 
How can I solve this problem, because the session ID is set by the session counter and I 
cannot set it manually? I hope you understand my question.

Acct-Status-Type = Start
Move-ID = "4"
SureTech-Attr-4 = 0x
Acct-Link-Count = 1
Accounting-Type = 1
User-Name = "290B7DY3ENSG9"
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
  modcall[preacct]: module "preprocess" returns noop for request 2
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.22.79,NAS-IP-Address = 192.168.22.79,,User-Name = "290B7DY3ENSG9"'
rlm_acct_unique: Acct-Unique-Session-ID = "14b16fdf26a1520d".
  modcall[preacct]: module "acct_unique" returns ok for request 2
rlm_realm: No '@' in User-Name = "290B7DY3ENSG9", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 2
  modcall[preacct]: module "files" returns noop for request 2
modcall: leaving group preacct (returns ok) for request 2
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
radius_xlat:  '/usr/local/var/log/radius/radacct/192.168.22.79/detail-20121022:18'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d:%H expands to /usr/local/var/log/radius/radacct/192.168.22.79/detail-20121022:18
  modcall[accounting]: module "detail" returns ok for request 2
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  '290B7DY3ENSG9'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module "radutmp" returns noop for request 2
  modcall[accounting]: module "sql" returns ok for request 2
modcall: leaving group accounting (returns ok) for request 2
Sending Accounting-Response of id 38 to 192.168.22.79 port 37436
ReturnCode = 1
User-Name = "290B7DY3ENSG9"
Finished request 2
Going to the next request
--- Walking the entire request list ---
Cleaning up request 2 ID 38 with timestamp 50852447
Nothing to do.  Sleeping until we see a request.





Regards Qasim -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: New attribute on old freeradius server

2012-10-22 Thread Tiago
Thanks Alan,
So basically the correct way would be to create a vendor dict, and there
can I use any number or do I need to follow some guideline?



2012/10/20 Alan DeKok :
> Tiago wrote:
>> I think its not my case, because I'll need to get these attributes on
>> my NAS (rp-pppoe server) and with it set Down/Up rates to my customer.
>> Am I right? If yes, so which number should I use?
>
>   You use the numbers as defined in the dictionary on the NAS.  If it
> has a Up/Down rate attribute, use that.
>
>> By the way, I'm setting the same attr on freeradius and NAS server.
>
>   You should create a vendor-specific dictionary, and define the
> attribute there.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
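As an added example (not from the thread and not FreeRADIUS project code), the numbering guideline behind Alan's answer: the VENDOR number is the vendor's IANA Private Enterprise Number, the one the NAS's own dictionary already uses (for a private attribute on a NAS you control, an enterprise number you own), and each ATTRIBUTE number must be unique within that vendor and match what the NAS defines. The script shows the dictionary layout and checks a dictionary file for duplicate vendor numbers and duplicate attribute numbers within a vendor, the mistake that silently makes two attributes collide. The sample dictionary is constructed; "Example" with number 32473 is the documentation enterprise number from RFC 5612, not a real NAS vendor.

```shell
#!/bin/sh
# Added example: check a FreeRADIUS dictionary for number collisions.
# Vendor numbers must be unique (IANA enterprise numbers) and attribute
# numbers must be unique within a vendor. The sample dictionary below is
# constructed; "Example" / 32473 is the RFC 5612 documentation enterprise
# number, not a real vendor.

# check_dict FILE
# Print one line per collision; return 1 if any was found, 0 otherwise.
# Handles the BEGIN-VENDOR block style and the older style where the
# vendor name is the fifth field of an ATTRIBUTE line.
check_dict() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "VENDOR" {
        if ($3 in vendor_by_id && vendor_by_id[$3] != $2) {
            printf "vendor id %s used by both %s and %s\n", $3, vendor_by_id[$3], $2
            bad = 1
        }
        vendor_by_id[$3] = $2
        next
    }
    $1 == "BEGIN-VENDOR" { cur = $2; next }
    $1 == "END-VENDOR"   { cur = ""; next }
    $1 == "ATTRIBUTE" {
        v = cur
        if (v == "" && NF >= 5) v = $5      # old style: vendor in field 5
        key = v SUBSEP $3
        if (key in attr_by_id && attr_by_id[key] != $2) {
            printf "attribute %s in vendor \"%s\" used by both %s and %s\n", $3, v, attr_by_id[key], $2
            bad = 1
        }
        attr_by_id[key] = $2
        next
    }
    END { exit bad ? 1 : 0 }
    ' "$1"
}

# sample_dict FILE
# Write a constructed vendor dictionary containing one collision:
# Example-Rate-Up and Example-Burst both claim attribute number 2.
sample_dict() {
    cat > "$1" <<'EOF'
# Constructed example dictionary (dictionary.example)
VENDOR		Example			32473

BEGIN-VENDOR	Example
ATTRIBUTE	Example-Rate-Down	1	integer
ATTRIBUTE	Example-Rate-Up		2	integer
ATTRIBUTE	Example-Burst		2	integer
END-VENDOR	Example
EOF
}

# Usage: sh dictcheck.sh /path/to/dictionary.vendor
if [ -n "$1" ] && [ -f "$1" ]; then
    check_dict "$1"
fi
```

Point it at the dictionary you add under raddb and at the NAS vendor's own dictionary file; the same vendor number defined twice with different names, or the same attribute number reused, is what to look for before the attribute ever hits the wire.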


Re: Debug Directory

2012-10-22 Thread John Dennis

On 10/22/2012 05:55 PM, George Innocent wrote:

Hello;

I have been running the radius and can only see the radius.log files;
what is the directory for debug logs.


Debugging info is only written to stdout, never to a log. If you read 
the documentation you would know that without having to bother the list 
with silly questions, which by observation is a bad habit for you.


It has been stated numerous times on this list how to capture the debug 
output, refer to the archives. It's basically UNIX 101.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Debug Directory

2012-10-22 Thread Aidan Rowe
You need to run radiusd with the -X flag:
radiusd -X

Aidan.

On 23/10/2012, at 7:55 AM, George Innocent  wrote:

> Hello;
> 
> I have been running the radius and can only see the radius.log files; what is 
> the directory for debug logs.
> 
> 
> 
> -- 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: No Realm in table radacct

2012-10-22 Thread Fajar A. Nugraha
On Mon, Oct 22, 2012 at 11:13 PM,   wrote:
> Hi Guys,
>
> thank you for your answers. I killed the attribute user-name on my global 
> radius server in post-proxy and post-auth sections by unlang.
>
> Now I have got the full username on my server, because it is not overwritten 
> by other radius communications.
>
> The realm is not in the radacct table of server A. But I know the reason, 
> because FR doesn't know these realms. But that's ok.

Good to know.

>
>>What I don't understand is how come the reply that FR sends STILL contains 
>>User-Name.
>>Reading raddb/attrs and raddb/modules/attr_filter, it looks like FR should 
>>never allow User-Name on Access-Accept.
>>Did you REMOVE attr_filter.post-proxy from raddb/sites-available/default or 
>>whatever virtual server you're using?
>
> Sorry, I don't understand the problem. I see more attributes than just 
> user-name. All filters are disabled by default.
> A filter is only for rejecting requests, which are not matching. Right?

No.

And that, is the root of your problem: blindly changing config files
without knowing what it's for. Had you left it the way it was in the
first place, you wouldn't have had this problem.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: No Realm in table radacct

2012-10-22 Thread xylakant
Hi Guys,

thank you for your answers. I killed the attribute user-name on my global 
radius server in post-proxy and post-auth sections by unlang.

Now I have got the full username on my server, because it is not overwritten by 
other radius communications.

The realm is not in the radacct table of server A. But I know the reason, 
because FR doesn't know these realms. But that's ok.

>What I don't understand is how come the reply that FR sends STILL contains 
>User-Name.
>Reading raddb/attrs and raddb/modules/attr_filter, it looks like FR should 
>never allow User-Name on Access-Accept. 
>Did you REMOVE attr_filter.post-proxy from raddb/sites-available/default or 
>whatever virtual server you're using?

Sorry, I don't understand the problem. I see more attributes than just user-name. 
All filters are disabled by default.
A filter is only for rejecting requests which are not matching. Right?


And sorry again for my bad english. ;-)

Ulf


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap module failed to start

2012-10-22 Thread John Dennis

On 10/22/2012 10:32 AM, Prateek Kumar wrote:


rlm_eap: SSL error error:06074079:digital envelope
routines:EVP_PBE_CipherInit:unknown pbe algorithm
rlm_eap_tls: Error reading private key file /etc/raddb/certs/private.pem


Just in case it helps to understand what the error message is attempting 
to say. The private key is held in a pkcs12 file. The private key is 
protected by Password Based Encryption (hence pbe). That means given a 
password a specific algorithm is used to encrypt the private key for 
protection purposes. OpenSSL is complaining the PBE algorithm is not 
supported. I'm guessing a new OpenSSL version has deprecated the use of 
an insecure method that your older p12 file used. You need to generate a 
new p12 file.



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
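As an added example (not from the thread and not from raddb/certs), these are the checks a practitioner would run before rebuilding anything: confirm which OpenSSL library radiusd actually links against, then try to read private.pem with that same build's openssl binary and the configured private_key_password. If openssl itself cannot read the key, either re-encrypt it with 3DES using the server's own OpenSSL, or rebuild the PKCS#12 with an explicit PBE, which is the "generate a new p12 file" route John describes. The paths, the password "whatever" from the eap.conf in this thread, and the choice of 3DES are assumptions; 3DES appears here only because the 0.9.8 build must be able to read the result, not as a recommendation for new deployments.

```shell
#!/bin/sh
# Added example: diagnose "unknown pbe algorithm" on an EAP-TLS private key.
# Paths and the password "whatever" are assumptions taken from the eap.conf
# posted in the thread; nothing here is FreeRADIUS project code.

# server_openssl: show which libssl/libcrypto radiusd actually links against.
# Run the checks below with the openssl binary of that same build, not with
# the newer one that created the certificates.
server_openssl() {
    ldd "$(command -v radiusd)" | grep -Ei 'lib(ssl|crypto)'
}

# key_readable KEYFILE PASSWORD
# Return 0 if this OpenSSL build can parse the (possibly encrypted) RSA key
# with the given password; non-zero is the same failure rlm_eap_tls reports.
key_readable() {
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# reencrypt_key IN PASSWORD OUT
# Rewrite the key encrypted with 3DES, a cipher every release since 0.9.8
# understands. Do this on the server host with the server's own OpenSSL, so
# the PEM container it writes is one that build reads back. The subshell
# keeps the umask change local; the output is created mode 0600.
reencrypt_key() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$2" \
        -des3 -passout "pass:$2" -out "$3" >/dev/null 2>&1 )
}

# reexport_p12 CERT KEY PASSWORD OUT
# The "generate a new p12 file" route: rebuild the PKCS#12 with an explicit
# PBE (PBE-SHA1-3DES) instead of whatever the newer OpenSSL picks by default.
reexport_p12() {
    ( umask 077 && openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -passout "pass:$3" -out "$4" )
}

# Check the thread's files when invoked as: sh eapkeycheck.sh check
if [ "$1" = "check" ]; then
    server_openssl
    if key_readable /etc/raddb/certs/private.pem whatever; then
        echo "private.pem: readable by this OpenSSL, look elsewhere for the failure"
    else
        echo "private.pem: NOT readable, re-encrypt it or re-export the p12" >&2
        exit 1
    fi
fi
```

If key_readable succeeds with the server's own OpenSSL but radiusd still fails, the next things to check are the private_key_password in eap.conf and whether the file the server opens is really the one you tested.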


Re: eap module failed to start

2012-10-22 Thread Prateek Kumar
So I have to compile freeradius with the new openssl version, or else use the old
openssl for creating certificates. Also, will I have to change the random & dh
file every time I change server.pem & ca.pem? Thanks for your inputs.

Regards,
Prateek
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap module failed to start

2012-10-22 Thread alan buxey
Hi,

>       I have freeradius server ( ver. 2.1.10 ) compiled
>with openssl-0.9.8l.  Now by method given in raddb/certs I created the
>certificates on a machine having OpenSSL 1.0.0e.

new OpenSSL and old OpenSSL may have issues with things like this - depending
on the settings of that new OpenSSL (i.e. if it has new features enabled or the
older version had things disabled).

>rlm_eap: SSL error error:06074079:digital envelope
>routines:EVP_PBE_CipherInit:unknown pbe algorithm

google for that error - likely to be that the PBE on 1.0.0 is some method that
your old 0.9.8 doesn't work with

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap module failed to start

2012-10-22 Thread Fajar A. Nugraha
On Mon, Oct 22, 2012 at 9:32 PM, Prateek Kumar  wrote:
> Hi,
>I have freeradius server ( ver. 2.1.10 ) compiled with
> openssl-0.9.8l.  Now by method given in raddb/certs I created the
> certificates on a machine having OpenSSL 1.0.0e.
>
> After loading ca.pem,server.pem & private.pem ( which is copy of server.pem
> ) certificates under raddb/certs and then starting the radius server I got
> this error just after eap module. Is this due to different openssl versions?

Most likely so.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


eap module failed to start

2012-10-22 Thread Prateek Kumar
Hi,
   I have freeradius server ( ver. 2.1.10 ) compiled
with openssl-0.9.8l.  Now by method given in raddb/certs I created the
certificates on a machine having OpenSSL 1.0.0e.

After loading ca.pem, server.pem & private.pem (which is a copy of server.pem)
certificates under raddb/certs and then starting the radius server I got
this error just after the eap module. Is this due to different openssl versions?

Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/private.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
   }
rlm_eap: SSL error error:06074079:digital envelope
routines:EVP_PBE_CipherInit:unknown pbe algorithm
rlm_eap_tls: Error reading private key file /etc/raddb/certs/private.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/inner-tunnel[236]: Failed to load module "eap".
/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate
section.


Thanks & Regards,
Prateek
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

MS-CHAP-V2 allow_retry on ldap authentification

2012-10-22 Thread Daniel Ekman
Hi list,

I have a fairly large user base doing WPA2-enterprise from various
OS'es  and smartphones, our FreeRADIUS is running v.2.1.12 and is
authenticating via LDAP and things are running pretty well, only snag
I have currently with this is when people change their password. I
realize this has been discussed before because I have spent a lot of
time reading through this list and other sources.

So current setup is OpenLDAP in a central location, a slave is set up
remote with FreeRADIUS on top of that to allow for WPA2, this also
means there is no correlation between user accounts on computers and
domains so when people change their LDAP password their WPA2
username/password remain the same and the user needs to change it
manually.

In the latest version allow_retry and retry_msg in the mschap module
were implemented and this works great on my Mac and Linux user base,
however it does not work for the Windows users: the FreeRADIUS server
is still sending the same things to the user but for some reason there
is no popup telling the user to change their password. So here is my
actual question: is this supposed to work? Should the Windows users
also get the popup saying "please change password"?

Judging from what some threads say, like this one for example
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
it seems to indicate there are problems, but it also sounds like there is
a solution.

I have also tried adding the send_error setting in eap.conf but that
only broke things like I read somewhere it would.


Thanks for reading :)

Daniel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: No Realm in table radacct

2012-10-22 Thread Iliya Peregoudov

Sending Access-Accept of id 188 to 172.16.3.225 port 1814
User-Name = "markus"
MS-MPPE-Recv-Key = 0x19bfda63662c5eda0d0cfd34c617f262ae8611b10aab33c89598e9478000e667
MS-MPPE-Send-Key = 0xa653fb00f50ffb9b86c15b777bc4d6807912c23511749aef1d030b87cb3b0619
EAP-Message = 0x03e4
Message-Authenticator = 0x
3Com-Ip-Host-Addr = "123.456.789.012"
Proxy-State = 0x323437
Proxy-State = 0x323132


You should add "nostrip" into your local realm definition:

# raddb/proxy.conf
realm kl-dfki.de {
   nostrip
}


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLS: Access Reject comes randomly from AAA

2012-10-22 Thread Iliya Peregoudov
2012/06/04 15:52:41:686525 :rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca


This means the WiMAX supplicant sends a TLS Alert message. This is because 
the supplicant does not trust the CA that issued the AAA server certificate.


The certificate of the CA that issued the AAA server certificate should 
be installed on the WiMAX supplicant in its list of "trusted root CA 
certificates".


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
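As an added example (not from the post above), the server-side check that goes with this advice: the supplicant's alert only says which trust it lacks, so before distributing a CA certificate to clients, confirm that the certificate the AAA server presents really chains to the CA file you intend to ship. The names ca.pem and server.pem follow the raddb/certs layout seen earlier in this digest; the functions and the certificates used in the test are assumptions and constructed material, not FreeRADIUS project code.

```shell
#!/bin/sh
# Added example: confirm the AAA server certificate chains to the CA whose
# certificate will be installed on supplicants. File names are assumptions.

# cert_field CERT FIELD   (FIELD is "subject" or "issuer")
# Print the DN without the "subject=" / "issuer=" prefix openssl adds.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# chain_ok CAFILE SERVERCERT
# Return 0 when SERVERCERT verifies against CAFILE, i.e. a supplicant that
# trusts CAFILE will not send "fatal unknown_ca" for this server.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# explain_chain CAFILE SERVERCERT
# Print issuer and subject so a mismatch is visible at a glance, then
# return the verification result.
explain_chain() {
    echo "server subject: $(cert_field "$2" subject)"
    echo "server issuer : $(cert_field "$2" issuer)"
    echo "CA subject    : $(cert_field "$1" subject)"
    if chain_ok "$1" "$2"; then
        echo "chain OK: distribute $1 to supplicants"
    else
        echo "chain BROKEN: $1 did not issue $2 (supplicants will alert unknown_ca)" >&2
        return 1
    fi
}

# Usage against the raddb/certs layout (only when invoked with "check"):
if [ "$1" = "check" ]; then
    explain_chain /etc/raddb/certs/ca.pem /etc/raddb/certs/server.pem
fi
```

A broken chain here usually means the server certificate was reissued from a different CA than the one packaged for the clients, or the clients received the wrong ca.pem; fixing the distribution is cheaper than debugging it one supplicant at a time.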