radclient coa example
I've read where radclient can be used to send a change-of-authorization message (CoA) from the server to a NAS to change the bandwidth limit, but I have not been able to find an example of this. Does anyone have an example of radclient sending a CoA message to change the bandwidth limit?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
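An added example, not from the list post and not radclient's own code, showing what a CoA-Request that changes a subscriber's downstream limit looks like on the wire and how the NAS's CoA-ACK/NAK is authenticated (RFC 5176). It assumes the NAS understands WISPr-Bandwidth-Max-Down (vendor id 14122, type 8, taken from the FreeRADIUS WISPr dictionary) and uses a constructed shared secret; swap in whatever rate-limit attribute your NAS dictionary defines.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
WISPR_VENDOR_ID = 14122                     # assumed: WISPr vendor id (dictionary.wispr)
WISPR_BANDWIDTH_MAX_DOWN = 8                # assumed: WISPr-Bandwidth-Max-Down, bits/s

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(26, struct.pack("!I", vendor_id) + inner)

def rate_limit_attrs(user: str, session_id: str, down_bps: int) -> bytes:
    """Attributes that identify the session plus the new downstream limit."""
    return (encode_attr(1, user.encode())                 # User-Name
            + encode_attr(44, session_id.encode())        # Acct-Session-Id
            + encode_vsa(WISPR_VENDOR_ID, WISPR_BANDWIDTH_MAX_DOWN, struct.pack("!I", down_bps)))

def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request; Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def build_coa_response(code: int, identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the NAS sends back; the Response Authenticator is bound to the request's authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_coa_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept a CoA-ACK/NAK only if its authenticator proves knowledge of the shared secret."""
    if len(response) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

radclient builds the same packet from attribute lines on stdin, e.g. `echo 'User-Name = "bob", Acct-Session-Id = "sess-0001", WISPr-Bandwidth-Max-Down = 2000000' | radclient -x nas.example:3799 coa secret` (nas.example and secret are placeholders), and prints the CoA-ACK or CoA-NAK it receives.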
Accounting Start Request error
Hi, I am facing this problem that radius is giving me return code 1. As far as I think, this is because Acct-Session-Id is missing in the request... how can I solve this problem, because the session id is set by the session counter and I cannot set it manually. I hope you understand my question.

        Acct-Status-Type = Start
        Move-ID = "4"
        SureTech-Attr-4 = 0x
        Acct-Link-Count = 1
        Accounting-Type = 1
        User-Name = "290B7DY3ENSG9"
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
  modcall[preacct]: module "preprocess" returns noop for request 2
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.22.79,NAS-IP-Address = 192.168.22.79,,User-Name = "290B7DY3ENSG9"'
rlm_acct_unique: Acct-Unique-Session-ID = "14b16fdf26a1520d".
  modcall[preacct]: module "acct_unique" returns ok for request 2
rlm_realm: No '@' in User-Name = "290B7DY3ENSG9", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 2
  modcall[preacct]: module "files" returns noop for request 2
modcall: leaving group preacct (returns ok) for request 2
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.22.79/detail-20121022:18'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d:%H expands to /usr/local/var/log/radius/radacct/192.168.22.79/detail-20121022:18
  modcall[accounting]: module "detail" returns ok for request 2
radius_xlat: '/usr/local/var/log/radius/radutmp'
radius_xlat: '290B7DY3ENSG9'
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module "radutmp" returns noop for request 2
  modcall[accounting]: module "sql" returns ok for request 2
modcall: leaving group accounting (returns ok) for request 2
Sending Accounting-Response of id 38 to 192.168.22.79 port 37436
        ReturnCode = 1
        User-Name = "290B7DY3ENSG9"
Finished request 2
Going to the next request
--- Walking the entire request list ---
Cleaning up request 2 ID 38 with timestamp 50852447
Nothing to do. Sleeping until we see a request.

Regards
Qasim
Re: New attribute on old freeradius server
Thanks Alan,

So basically the correct way would be to create a vendor dict, and there can I use any number or do I need to follow some guideline?

2012/10/20 Alan DeKok :
> Tiago wrote:
>> I think it's not my case, because I'll need to get these attributes on
>> my NAS (rp-pppoe server) and with it set Down/Up rates to my customer.
>> Am I right? If yes, so which number should I use?
>
> You use the numbers as defined in the dictionary on the NAS. If it
> has a Up/Down rate attribute, use that.
>
>> By the way, I'm setting the same attr on freeradius and NAS server.
>
> You should create a vendor-specific dictionary, and define the
> attribute there.
>
> Alan DeKok.
Re: Debug Directory
On 10/22/2012 05:55 PM, George Innocent wrote:
> Hello;
> I have been running the radius and can only see the radius.log files; what is
> the directory for debug logs.

Debugging info is only written to stdout, never to a log. If you read the documentation you would know that without having to bother the list with silly questions, which by observation is a bad habit for you. It has been stated numerous times on this list how to capture the debug output; refer to the archives. It's basically UNIX 101.
Re: Debug Directory
You need to run radiusd with the -X flag:

    radiusd -X

Aidan.

On 23/10/2012, at 7:55 AM, George Innocent wrote:
> Hello;
>
> I have been running the radius and can only see the radius.log files; what is
> the directory for debug logs.
Re: No Realm in table radacct
On Mon, Oct 22, 2012 at 11:13 PM, wrote:
> Hi Guys,
>
> thank you for your answers. I killed the attribute user-name on my global
> radius server in post-proxy and post-auth sections by unlang.
>
> Now I have got the full username on my server, because it is not overwritten
> by other radius communications.
>
> The realm is not in the radacct table of server A. But I know the reason,
> because FR doesn't know this realms. But that's ok.

Good to know.

>>What I don't understand is how come the reply that FR sends STILL contains
>>User-Name.
>>Reading raddb/attrs and raddb/modules/attr_filter, it looks like FR should
>>never allow User-Name on Access-Accept.
>>Did you REMOVE attr_filter.post-proxy from raddb/sites-available/default or
>>whatever virtual server you're using?
>
> Sorry, I don't understand the problem. I see more attributes than just
> user-name. All filters are disabled by default.
> A filter is only for rejecting requests, which are not matching. Right?

No. And that is the root of your problem: blindly changing config files without knowing what it's for. Had you left it the way it was in the first place, you wouldn't have had this problem.

--
Fajar
Re: No Realm in table radacct
Hi Guys,

thank you for your answers. I killed the attribute user-name on my global radius server in post-proxy and post-auth sections by unlang.

Now I have got the full username on my server, because it is not overwritten by other radius communications.

The realm is not in the radacct table of server A. But I know the reason, because FR doesn't know this realms. But that's ok.

>What I don't understand is how come the reply that FR sends STILL contains
>User-Name.
>Reading raddb/attrs and raddb/modules/attr_filter, it looks like FR should
>never allow User-Name on Access-Accept.
>Did you REMOVE attr_filter.post-proxy from raddb/sites-available/default or
>whatever virtual server you're using?

Sorry, I don't understand the problem. I see more attributes than just user-name. All filters are disabled by default. A filter is only for rejecting requests, which are not matching. Right?

And sorry again for my bad english. ;-)

Ulf
Re: eap module failed to start
On 10/22/2012 10:32 AM, Prateek Kumar wrote:
> rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
> rlm_eap_tls: Error reading private key file /etc/raddb/certs/private.pem

Just in case it helps to understand what the error message is attempting to say. The private key is held in a pkcs12 file. The private key is protected by Password Based Encryption (hence pbe). That means given a password a specific algorithm is used to encrypt the private key for protection purposes. OpenSSL is complaining the PBE algorithm is not supported. I'm guessing a new OpenSSL version has deprecated the use of an insecure method that your older p12 file used. You need to generate a new p12 file.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: eap module failed to start
So I have to compile freeradius with the new openssl version, or else use the old openssl for creating certificates. Also, will I have to change the random & dh file every time I change the server.pem & ca.pem?

Thanks for your inputs.

Regards,
Prateek
Re: eap module failed to start
Hi,

> I have freeradius server ( ver. 2.1.10 ) compiled
> with openssl-0.9.8l. Now by method given in raddb/certs I created the
> certificates on a machine having OpenSSL 1.0.0e.

new OpenSSL and old OpenSSL may have issues with things like this - depending on the settings of that new openSSL (ie if it has new features enabled or the older version had things disabled)

> rlm_eap: SSL error error:06074079:digital envelope
> routines:EVP_PBE_CipherInit:unknown pbe algorithm

google for that error - likely to be that the PBE on 1.0.0 is some method that your old 0.9.8 doesn't work with

alan
Re: eap module failed to start
On Mon, Oct 22, 2012 at 9:32 PM, Prateek Kumar wrote:
> Hi,
> I have freeradius server ( ver. 2.1.10 ) compiled with
> openssl-0.9.8l. Now by method given in raddb/certs I created the
> certificates on a machine having OpenSSL 1.0.0e.
>
> After loading ca.pem,server.pem & private.pem ( which is copy of server.pem
> ) certificates under raddb/certs and then starting the radius server I got
> this error just after eap module. Is this due to different openssl versions?

Most likely so.

--
Fajar
eap module failed to start
Hi,

I have freeradius server ( ver. 2.1.10 ) compiled with openssl-0.9.8l. Now by the method given in raddb/certs I created the certificates on a machine having OpenSSL 1.0.0e.

After loading ca.pem, server.pem & private.pem ( which is a copy of server.pem ) certificates under raddb/certs and then starting the radius server I got this error just after the eap module. Is this due to different openssl versions?

 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/etc/raddb/certs"
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/private.pem"
        certificate_file = "/etc/raddb/certs/server.pem"
        CA_file = "/etc/raddb/certs/ca.pem"
        private_key_password = "whatever"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
    }
   }
rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
rlm_eap_tls: Error reading private key file /etc/raddb/certs/private.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/etc/raddb/sites-enabled/inner-tunnel[236]: Failed to load module "eap".
/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.

Thanks & Regards,
Prateek
MS-CHAP-V2 allow_retry on ldap authentication

Hi list,

I have a fairly large user base doing WPA2-enterprise from various OSes and smartphones. Our FreeRADIUS is running v.2.1.12 and is authenticating via LDAP, and things are running pretty well; the only snag I have currently with this is when people change their password. I realize this has been discussed before because I have spent a lot of time reading through this list and other sources.

So the current setup is OpenLDAP in a central location; a slave is set up remote with FreeRADIUS on top of that to allow for WPA2. This also means there is no correlation between user accounts on computers and domains, so when people change their LDAP password their WPA2 username/password remain the same and the user needs to change it manually.

In the latest version allow_retry and retry_msg in the mschap module were implemented, and this works great on my mac and linux userbase; however, it does not work for the windows users. The FreeRADIUS server is still sending the same things to the user, but for some reason there is no popup telling the user to change their password.

So here is my actual question: is this supposed to work? Should the windows users also get the popup saying "please change password"? Judging from what some threads say, like this one for example, http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html seems to indicate there are problems, but it also sounds like there is a solution. I have also tried adding the send_error setting in eap.conf, but that only broke things, like I read somewhere it would.

Thanks for reading :)

Daniel
Re: No Realm in table radacct
Sending Access-Accept of id 188 to 172.16.3.225 port 1814
        User-Name = "markus"
        MS-MPPE-Recv-Key = 0x19bfda63662c5eda0d0cfd34c617f262ae8611b10aab33c89598e9478000e667
        MS-MPPE-Send-Key = 0xa653fb00f50ffb9b86c15b777bc4d6807912c23511749aef1d030b87cb3b0619
        EAP-Message = 0x03e4
        Message-Authenticator = 0x
        3Com-Ip-Host-Addr = "123.456.789.012"
        Proxy-State = 0x323437
        Proxy-State = 0x323132

You should add "nostrip" into your local realm definition:

    # raddb/proxy.conf
    realm kl-dfki.de {
        nostrip
    }
Re: EAP-TTLS: Access Reject comes randomly from AAA
> 2012/06/04 15:52:41:686525 :rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca

This means the WiMAX supplicant sends a TLS Alert message. This is because the supplicant does not trust the CA that issued the AAA server certificate. The CA certificate of the CA that issued the AAA server certificate should be installed on the WiMAX supplicant into the list of "trusted root CA certificates".