Re: [Help] - How To configure Radius timeout / count retries
Arran,

>> Let say for example in our Wireless AP (access point) we can put 2 Radius servers in sequence, radiusA and radiusB. I know the AP will eventually look at the 1st server, and if it's not available (let say server is down) then it will go to the 2nd radius server (I only assume this).
>>
>> So is there any way in Radius conf we can set the retries or timeout, so for example after failing 2 times (no matter what the error is) it will go to the other radius server?
>
> You're asking whether you can configure FreeRADIUS to inform the access point that it should fail over to another server after a given number of timeouts/retries? Or are you talking about failing over between upstream proxy servers?
>
> -Arran

"Or are you talking about failing over between upstream proxy servers?"

Does this mean a setup of Radius load balancing? I mean a few Radius servers that are used by the same AP? So from the AP point of view I just need to point to the "master" IP address of the first radius server?

Thanks
Danny

On Fri, Mar 1, 2013 at 3:27 PM, Danny Kurniawan <danny.kurnia...@fairchildsemi.com> wrote:
> No worries, I receive this mailing list on my email now..
>
> OK, so I also understand that we can only configure that from the AP side. But unfortunately we can't find that in the Meraki AP ... let me check with our vendor on it.
>
> Thanks
> Danny
>
> On Fri, Mar 1, 2013 at 2:26 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
>>
>> On 1 Mar 2013, at 00:20, Danny Kurniawan <danny.kurnia...@fairchildsemi.com> wrote:
>>
>>> Out of topic: All, btw how can I make sure that when I reply in this mailing list it appears after the previous post? I don't receive any of your replies in my email and I have to go to the archive list to reply to this.
>>
>> I'm not sure what you're asking...
>
> --
> Best Regards,
> Danny

--
Best Regards,
Danny

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [Help] - How To configure Radius timeout / count retries
No worries, I receive this mailing list on my email now..

OK, so I also understand that we can only configure that from the AP side. But unfortunately we can't find that in the Meraki AP ... let me check with our vendor on it.

Thanks
Danny

On Fri, Mar 1, 2013 at 2:26 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
>
> On 1 Mar 2013, at 00:20, Danny Kurniawan <danny.kurnia...@fairchildsemi.com> wrote:
>
>> Out of topic: All, btw how can I make sure that when I reply in this mailing list it appears after the previous post? I don't receive any of your replies in my email and I have to go to the archive list to reply to this.
>
> I'm not sure what you're asking...

--
Best Regards,
Danny
Re: Packet-Original-Timestamp
2013/3/1 Arran Cudbard-Bell:
>
> On 1 Mar 2013, at 01:45, Бен Томпсон wrote:
>
>> 2013/3/1 Бен Томпсон:
>>> 2013/3/1 Arran Cudbard-Bell:
>>>> On 1 Mar 2013, at 00:43, Бен Томпсон wrote:
>>>>> Hello Everyone
>>>>>
>>>>> I have a NAS which is not sending Event-Timestamp in accounting messages. I wondered if I could create it in unlang by subtracting Acct-Delay-Time from Packet-Original-Timestamp. However, when I put a reference to Packet-Original-Timestamp in the accounting section I get the following error:
>>>>>
>>>>> Reference "${Packet-Original-Timestamp}" not found
>>>>>
>>>>> Am I doing something wrong?
>>>>
>>>> Yeah you're using a $ instead of a %.
>>>
>>> Many thanks.
>>
>> Another quick question:
>>
>> ## snip ##
>> ++? if (!Event-Timestamp)
>> ? Evaluating !(Event-Timestamp) -> TRUE
>> ++? if (!Event-Timestamp) -> TRUE
>> ++- entering if (!Event-Timestamp) {...}
>> expand: %{Packet-Original-Timestamp} ->
>> +++[request] returns updated
>> ++- if (!Event-Timestamp) returns updated
>>
>> It seems that Packet-Original-Timestamp does not contain anything. I was under the impression that it is generated automatically by FreeRADIUS. Is this not the case?
>
> Packet-Original-Timestamp is only set by the detail file reader.
>
> Event-Timestamp should be set in accounting if you call preprocess in preacct*.
>
> -Arran
>
> * At least in 3.0

OK, thanks again, I will give it a try.
Re: Packet-Original-Timestamp
On 1 Mar 2013, at 01:45, Бен Томпсон wrote:

> 2013/3/1 Бен Томпсон:
>> 2013/3/1 Arran Cudbard-Bell:
>>>
>>> On 1 Mar 2013, at 00:43, Бен Томпсон wrote:
>>>> Hello Everyone
>>>>
>>>> I have a NAS which is not sending Event-Timestamp in accounting messages. I wondered if I could create it in unlang by subtracting Acct-Delay-Time from Packet-Original-Timestamp. However, when I put a reference to Packet-Original-Timestamp in the accounting section I get the following error:
>>>>
>>>> Reference "${Packet-Original-Timestamp}" not found
>>>>
>>>> Am I doing something wrong?
>>>
>>> Yeah you're using a $ instead of a %.
>>
>> Many thanks.
>
> Another quick question:
>
> ## snip ##
> ++? if (!Event-Timestamp)
> ? Evaluating !(Event-Timestamp) -> TRUE
> ++? if (!Event-Timestamp) -> TRUE
> ++- entering if (!Event-Timestamp) {...}
> expand: %{Packet-Original-Timestamp} ->
> +++[request] returns updated
> ++- if (!Event-Timestamp) returns updated
>
> It seems that Packet-Original-Timestamp does not contain anything. I was under the impression that it is generated automatically by FreeRADIUS. Is this not the case?

Packet-Original-Timestamp is only set by the detail file reader.

Event-Timestamp should be set in accounting if you call preprocess in preacct*.

-Arran

* At least in 3.0
RE: AVP EAP-KEY name support in FR
Alan,

Thanks a lot for the fix.. The authenticator is now able to start the MKA session. We will get back to you if any other implementations are required.

Thanks,
Srinivas

-----Original Message-----
From: freeradius-users-bounces+sbandari=vitesse@lists.freeradius.org [mailto:freeradius-users-bounces+sbandari=vitesse@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 20 February 2013 19:11
To: FreeRadius users mailing list
Subject: Re: AVP EAP-KEY name support in FR

Srinu Bandari wrote:
> Alan,
>
> We had tried with the latest build, now it sends Access-Challenge and there is a segmentation fault.
>
> Please find the debug log for the latest ones below.

Whoops. Please do a "git pull". It should work now.

Alan DeKok.
Re: Packet-Original-Timestamp
2013/3/1 Бен Томпсон:
> 2013/3/1 Arran Cudbard-Bell:
>>
>> On 1 Mar 2013, at 00:43, Бен Томпсон wrote:
>>
>>> Hello Everyone
>>>
>>> I have a NAS which is not sending Event-Timestamp in accounting messages. I wondered if I could create it in unlang by subtracting Acct-Delay-Time from Packet-Original-Timestamp. However, when I put a reference to Packet-Original-Timestamp in the accounting section I get the following error:
>>>
>>> Reference "${Packet-Original-Timestamp}" not found
>>>
>>> Am I doing something wrong?
>>
>> Yeah you're using a $ instead of a %.
>
> Many thanks.

Another quick question:

## snip ##
++? if (!Event-Timestamp)
? Evaluating !(Event-Timestamp) -> TRUE
++? if (!Event-Timestamp) -> TRUE
++- entering if (!Event-Timestamp) {...}
expand: %{Packet-Original-Timestamp} ->
+++[request] returns updated
++- if (!Event-Timestamp) returns updated

It seems that Packet-Original-Timestamp does not contain anything. I was under the impression that it is generated automatically by FreeRADIUS. Is this not the case?
Re: Truncation of octet attribute handled by rlm_perl
Many thanks for your help.

2013/3/1 Iliya Peregoudov:
> All attributes in rlm_perl scripts should be text. rlm_perl converts them to text before the function call and converts them from text after the function returns. So you should use
>
> $RAD_REPLY{'DHCP-Classless-Static-Route'} = '0x'.unpack('H*', $route);
>
>
> On 28.02.2013 11:05, Бен Томпсон wrote:
>>
>> Hello everyone
>>
>> I am having a slight problem with rlm_perl and I would really appreciate any advice/help.
>>
>> I have a perl script, run by rlm_perl, which adds a value to the DHCP-Classless-Static-Route attribute, something like this:
>>
>> perl script snippets
>> ...
>> my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
>> ...
>> &radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
>> ...
>> $RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
>> ...
>> ###
Re: Packet-Original-Timestamp
2013/3/1 Arran Cudbard-Bell:
>
> On 1 Mar 2013, at 00:43, Бен Томпсон wrote:
>
>> Hello Everyone
>>
>> I have a NAS which is not sending Event-Timestamp in accounting messages. I wondered if I could create it in unlang by subtracting Acct-Delay-Time from Packet-Original-Timestamp. However, when I put a reference to Packet-Original-Timestamp in the accounting section I get the following error:
>>
>> Reference "${Packet-Original-Timestamp}" not found
>>
>> Am I doing something wrong?
>
> Yeah you're using a $ instead of a %.

Many thanks.
Re: [Help] - How To configure Radius timeout / count retries
On 1 Mar 2013, at 00:19, Danny Kurniawan wrote:

> Hello,
>
> This is what I want to do:
>
> "You're asking whether you can configure FreeRADIUS to inform the access point that it should fail over to another server after a given number of timeouts/retries?"

You can't. You configure that directly on the Access Point via the CLI/GUI or SNMP. The RADIUS protocol isn't used to transport server definitions or failover behaviour.
Re: [Help] - How To configure Radius timeout / count retries
On 1 Mar 2013, at 00:20, Danny Kurniawan wrote:

> Out of topic: All, btw how can I make sure that when I reply in this mailing list it appears after the previous post? I don't receive any of your replies in my email and I have to go to the archive list to reply to this.

I'm not sure what you're asking...
Re: Truncation of octet attribute handled by rlm_perl
All attributes in rlm_perl scripts should be text. rlm_perl converts them to text before the function call and converts them from text after the function returns. So you should use

$RAD_REPLY{'DHCP-Classless-Static-Route'} = '0x'.unpack('H*', $route);

On 28.02.2013 11:05, Бен Томпсон wrote:
> Hello everyone
>
> I am having a slight problem with rlm_perl and I would really appreciate any advice/help.
>
> I have a perl script, run by rlm_perl, which adds a value to the DHCP-Classless-Static-Route attribute, something like this:
>
> perl script snippets
> ...
> my $route = pack('C7', split(/\,/, "16,172,16,10,0,0,2"));
> ...
> &radiusd::radlog(RADLOG_DEBUG, "packed data: " . unpack('H*', $route));
> ...
> $RAD_REPLY{'DHCP-Classless-Static-Route'} = $route;
> ...
> ###
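The two rlm_perl messages above (the question with the packed 7-byte route and the answer that octets must be handed to rlm_perl as "0x<hex>" text) are illustrated by the following added example. It is not code from the thread or from FreeRADIUS; it builds the DHCP-Classless-Static-Route value (RFC 3442) in Python, generalising the thread's single /16 route to any prefix length and any number of routes, renders it in the text form rlm_perl expects, and parses it back so the result can be checked before it reaches a client. Function names and the sample routes are constructed for the example.

```python
"""Added example: RFC 3442 classless static route encoding for rlm_perl.

rlm_perl marshals every attribute as text, so a binary octets value must be
written as "0x" followed by hex digits; passing raw bytes (as in the thread)
gets mangled at the text boundary.  This shows where the 7 bytes of the
thread's route come from: 1 prefix-length byte + 2 significant destination
octets for a /16 + 4 router octets.
"""
import ipaddress


def encode_route(destination: str, router: str) -> bytes:
    """Encode one route as <prefix len><significant dest octets><router>.

    RFC 3442 sends only ceil(prefix/8) octets of the destination, so a /16
    carries two, a /24 three, and the default route 0.0.0.0/0 carries none.
    strict=True rejects a destination with host bits set (e.g. 172.16.1.0/16).
    """
    net = ipaddress.IPv4Network(destination, strict=True)
    significant = (net.prefixlen + 7) // 8
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(router).packed)


def encode_routes(routes) -> bytes:
    """Concatenate several (destination, router) pairs into one option value."""
    return b"".join(encode_route(dest, router) for dest, router in routes)


def to_rlm_perl_text(value: bytes) -> str:
    """The text form an octets attribute must take in %RAD_REPLY under rlm_perl."""
    return "0x" + value.hex()


def from_rlm_perl_text(text: str) -> bytes:
    """Inverse of to_rlm_perl_text; rejects values that are not 0x-prefixed hex."""
    if not text.startswith("0x"):
        raise ValueError("octets attribute must be 0x-prefixed hex text")
    return bytes.fromhex(text[2:])


def decode_routes(value: bytes):
    """Parse an RFC 3442 option value back into (destination, router) pairs.

    A truncated value (the symptom the thread's subject describes) is
    reported rather than silently accepted.
    """
    routes = []
    i = 0
    while i < len(value):
        plen = value[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        n = (plen + 7) // 8
        dest = value[i:i + n] + b"\x00" * (4 - n)
        i += n
        router = value[i:i + 4]
        i += 4
        if len(router) != 4:
            raise ValueError("truncated route: router address incomplete")
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
    return routes


if __name__ == "__main__":
    # Constructed sample: the thread's route (172.16.0.0/16 via 10.0.0.2) plus
    # a default route, which RFC 3442 requires to be carried in this option
    # whenever the option is used at all.
    raw = encode_routes([("172.16.0.0/16", "10.0.0.2"), ("0.0.0.0/0", "10.0.0.1")])
    print(to_rlm_perl_text(raw))
    print(decode_routes(from_rlm_perl_text(to_rlm_perl_text(raw))))
```

For the thread's single route the text form is `0x10ac100a000002`, which is exactly what `'0x'.unpack('H*', $route)` produces in the Perl answer; running the decoder over the value a DHCP client actually received is a quick way to confirm nothing was truncated on the way through rlm_perl.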
Re: Packet-Original-Timestamp
On 1 Mar 2013, at 00:43, Бен Томпсон wrote:

> Hello Everyone
>
> I have a NAS which is not sending Event-Timestamp in accounting messages. I wondered if I could create it in unlang by subtracting Acct-Delay-Time from Packet-Original-Timestamp. However, when I put a reference to Packet-Original-Timestamp in the accounting section I get the following error:
>
> Reference "${Packet-Original-Timestamp}" not found
>
> Am I doing something wrong?

Yeah you're using a $ instead of a %.
Packet-Original-Timestamp
Hello Everyone

I have a NAS which is not sending Event-Timestamp in accounting messages. I wondered if I could create it in unlang by subtracting Acct-Delay-Time from Packet-Original-Timestamp. However, when I put a reference to Packet-Original-Timestamp in the accounting section I get the following error:

Reference "${Packet-Original-Timestamp}" not found

Am I doing something wrong?
Re: [Help] - How To configure Radius timeout / count retries
Out of topic: All, btw how can I make sure that when I reply in this mailing list it appears after the previous post? I don't receive any of your replies in my email and I have to go to the archive list to reply to this.

Thanks

--
Best Regards,
Danny
Re: [Help] - How To configure Radius timeout / count retries
Hello,

This is what I want to do:

"You're asking whether you can configure FreeRADIUS to inform the access point that it should fail over to another server after a given number of timeouts/retries?"

Thanks
Danny

--
Best Regards,
Danny
Re: [Help] - How To configure Radius timeout / count retries
> Let say for example in our Wireless AP (access point) we can put 2 Radius servers in sequence, radiusA and radiusB. I know the AP will eventually look at the 1st server, and if it's not available (let say server is down) then it will go to the 2nd radius server (I only assume this).
>
> So is there any way in Radius conf we can set the retries or timeout, so for example after failing 2 times (no matter what the error is) it will go to the other radius server?

You're asking whether you can configure FreeRADIUS to inform the access point that it should fail over to another server after a given number of timeouts/retries? Or are you talking about failing over between upstream proxy servers?

-Arran

Arran Cudbard-Bell
FreeRADIUS dev team - Maintainer
Please contribute documentation: http://wiki.freeradius.org
[Help] - How To configure Radius timeout / count retries
Hi All,

Let say for example in our Wireless AP (access point) we can put 2 Radius servers in sequence, radiusA and radiusB. I know the AP will eventually look at the 1st server, and if it's not available (let say server is down) then it will go to the 2nd radius server (I only assume this).

So is there any way in Radius conf we can set the retries or timeout, so for example after failing 2 times (no matter what the error is) it will go to the other radius server?

Thanks
Danny

--
Best Regards,
Danny
Re: SSL V3 client certificate error
thank you so much .. yes it only has issues intermittently on some users .. so I have to set our client laptops manually for the root CA? I believe it should be there as we use GlobalSign ...

--
Best Regards,
Danny
Re: DHCP sqlippool reply values
On Fri, Mar 1, 2013 at 4:15 AM, Phil Mayers wrote:
> On 28/02/13 13:36, Igor Smitran wrote:
>>
>> I've added two new fields into the radippool table that I am using for DHCP dynamic pools.
>>
>> `gateway` varchar(15) NOT NULL DEFAULT '',
>> `netmask` varchar(15) NOT NULL DEFAULT '',
>>
>> in ippool-dhcp.conf I've added new fields:
>>
>> allocate-find = "SELECT framedipaddress,gateway,netmask FROM ${ippool_table}
>>
>> I am not able to figure out how to address the new fields inside policy.conf. Is it even possible?
>
>
> I don't think so. The sqlippool module has large parts of the logic in C code, including which columns it expects the query to return and what it does with them.

If you only have a small number of networks, it should be easier to define gateway and netmask inside an IF block.

Another possible workaround (untested) is to borrow sql.authorize (e.g. using a dummy "User-Name" control variable, set to the client's MAC IP address), and then store the data inside the radreply table. Should be more suitable if you have lots of small networks (e.g. /29).

--
Fajar
Re: MAC Authentication with FreeRadius
Your guess is correct. I really hope that's the only thing wrong with the config. I'll try it as soon as I have access to the server.

Thanks.
Re: MAC Authentication with FreeRadius
On 28 Feb 2013, at 10:02, Bouchra Badri wrote:

> Hello,
> Sorry to bring this up again.
> I tried to do as you said, and added this line:
> VMPS-VLAN-Name = "%{sql:select radius.maclist.vlanname from radius.maclist where radius.maclist.mac='%{VMPS-Mac}'}"
> as well as this one: $INCLUDE /etc/raddb/sql.conf (don't know why, just told myself it made sense if I want the above line to be queried)
> I took the vmps file to sites-enabled so it runs as a virtual server.
> I followed just what I needed from this link http://wiki.freeradius.org/guide/SQL%20HOWTO to create the database and grant privileges...
> However when I run radiusd I get this (in the image)
> I know it's probably elementary, but it's that English isn't my forte so I don't get what the debug says or why

At a guess I'd say you're not using the SQL module anywhere else in the server, and you need to add it to radiusd.conf in instantiate so it actually gets loaded...
Re: DHCP sqlippool reply values
On 28/02/13 13:36, Igor Smitran wrote:
> I've added two new fields into the radippool table that I am using for DHCP dynamic pools.
>
> `gateway` varchar(15) NOT NULL DEFAULT '',
> `netmask` varchar(15) NOT NULL DEFAULT '',
>
> in ippool-dhcp.conf I've added new fields:
>
> allocate-find = "SELECT framedipaddress,gateway,netmask FROM ${ippool_table}
>
> I am not able to figure out how to address the new fields inside policy.conf. Is it even possible?

I don't think so. The sqlippool module has large parts of the logic in C code, including which columns it expects the query to return and what it does with them.
DHCP sqlippool reply values
I've added two new fields into the radippool table that I am using for DHCP dynamic pools.

`gateway` varchar(15) NOT NULL DEFAULT '',
`netmask` varchar(15) NOT NULL DEFAULT '',

in ippool-dhcp.conf I've added new fields:

allocate-find = "SELECT framedipaddress,gateway,netmask FROM ${ippool_table}

I am not able to figure out how to address the new fields inside policy.conf. Is it even possible?

I need to have two new fields; currently I have:

update reply {
	DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
}

I am trying to get two new fields:

DHCP-Subnet-Mask
DHCP-Gateway-IP-Address

I can use the perl module to add those two fields but that means that I need two more database queries. Any other way?
Re: Huntgroup Checking
I'm having the very same issue, and can't understand why. If the Huntgroup-Name value is in radcheck the limitation is done correctly, but it is not when the Huntgroup-Name is in radgroupcheck, while the example here [1] is exactly with radgroupcheck.

The proposed change doesn't work, also because it's not relevant. As per the example in the url:

example user is in group site_a_admins (radusergroup)
site_a is in radhuntgroup
have in radgroupcheck: site_a_admins Huntgroup-Name == site_a

access is allowed anywhere. If you move the check to radcheck, like:

example user Huntgroup-Name == site_a

then the check is performed correctly. The proposed modification to the group check query just adds the huntgroup's properties to the request.

thanks

[1] http://wiki.freeradius.org/guide/SQL_Huntgroup_HOWTO

----- Original Message -----
> From: "Ben West"
> To: "FreeRadius users mailing list"
> Sent: Wednesday, 2 November 2011 15:22:25
> Subject: Huntgroup Checking
>
> You may need to inspect whether the groupcheck query in mysql/dialup.conf (if you are using MySQL) looks in the huntgroup table.
>
> For example, this is the default query in my copy of freeRADIUS provided by Debian:
>
> authorize_group_check_query = "SELECT id, groupname, attribute, \
>   Value, op \
>   FROM ${groupcheck_table} \
>   WHERE groupname = '%{Sql-Group}' \
>   ORDER BY id"
>
> Try modifying it as such:
>
> authorize_group_check_query = "SELECT id, groupname, attribute, \
>   value, op \
>   FROM ${groupcheck_table} \
>   WHERE ( groupname = '%{Sql-Group}' \
>   OR groupname = '%{Huntgroup-Name}' ) \
>   ORDER BY id"
>
>
> On Wed, Nov 2, 2011 at 9:07 AM, simonm123 wrote:
>> Can anyone tell me if huntgroup checking can be made to work on the group level, not just the user level?
>>
>> Thanks
>>
>> --
>> View this message in context: http://freeradius.1045715.n5.nabble.com/Huntgroup-Checking-tp4950385p4958155.html
>> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
> --
> Ben West
> westbyw...@gmail.com

--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
YetOpen S.r.l. - http://www.yetopen.it/
Re: SSL V3 client certificate error
This is the client telling you it doesn't trust your server CA. Set up the client correctly.

Danny Kurniawan wrote:
> Hi All,
>
> I have some intermittent issue with our Radius auth.
> OS: SLES 11
> Radius 2.1.1
>
> We get the cert from GlobalSign and use it at the 2 Radius servers. So Server A and Server B use the same cert. In Server B, sometimes it works fine to authenticate and sometimes it fails, but everything is fine in Server A.
>
> Fri Feb 22 18:31:39 2013 : Auth: Login OK: [sdholakia2] (from client AllWirelessAP port 0 via TLS tunnel)
> Fri Feb 22 18:31:39 2013 : Auth: Login OK: [sdholakia2] (from client AllWirelessAP port 0 cli A0-88-B4-0F-C3-D8)
> *Fri Feb 22 18:36:30 2013 : Error: TLS Alert read:fatal:unknown CA
> Fri Feb 22 18:36:30 2013 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Fri Feb 22 18:36:30 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Fri Feb 22 18:36:30 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.*
> Fri Feb 22 18:36:30 2013 : Auth: Login incorrect: [800200sq] (from client AllWirelessAP port 0 cli A0-88-B4-58-BA-8C)
> Fri Feb 22 18:37:34 2013 : Auth: Login OK: [800200sq] (from client AllWirelessAP port 0 via TLS tunnel)
> Fri Feb 22 18:37:34 2013 : Auth: Login OK: [800200sq] (from client AllWirelessAP port 0 cli A0-88-B4-0F-C3-D8)
>
> Any idea what should I check for that error?
>
> Thanks
>
> --
> Best Regards,
> Danny

--
Sent from my mobile device, please excuse brevity and typos.
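The reply above says the "unknown CA" alert is sent by the client, so the fix is on the supplicant side, not on the server. Picking out which devices need fixing from a busy radiusd log is tedious by hand; the following added example (not part of the thread or of FreeRADIUS) parses log lines in the format shown in Danny's message, ties each "TLS Alert read:fatal:unknown CA" error to the "Login incorrect" line that follows it, and counts failures per calling-station MAC. The log-line format, the 5-second correlation window and the function names are assumptions for this example; the sample lines are copied from the thread rather than captured from a live server.

```python
"""Added example: find clients that reject the RADIUS server's CA.

radiusd logs the TLS alert on one Error line and the resulting Login
incorrect on a later Auth line; the user and calling-station MAC are only on
the Auth line, so the two have to be correlated by time and order.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed default radiusd log layout: "<ctime date> : <facility>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (?P<fac>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port \d+(?: cli (?P<mac>[0-9A-Fa-f-]+))?")

# Lines reproduced from the thread (constructed sample input for this example).
SAMPLE_LOG = """\
Fri Feb 22 18:31:39 2013 : Auth: Login OK: [sdholakia2] (from client AllWirelessAP port 0 via TLS tunnel)
Fri Feb 22 18:31:39 2013 : Auth: Login OK: [sdholakia2] (from client AllWirelessAP port 0 cli A0-88-B4-0F-C3-D8)
Fri Feb 22 18:36:30 2013 : Error: TLS Alert read:fatal:unknown CA
Fri Feb 22 18:36:30 2013 : Error: TLS_accept:failed in SSLv3 read client certificate A
Fri Feb 22 18:36:30 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Fri Feb 22 18:36:30 2013 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Fri Feb 22 18:36:30 2013 : Auth: Login incorrect: [800200sq] (from client AllWirelessAP port 0 cli A0-88-B4-58-BA-8C)
Fri Feb 22 18:37:34 2013 : Auth: Login OK: [800200sq] (from client AllWirelessAP port 0 via TLS tunnel)
Fri Feb 22 18:37:34 2013 : Auth: Login OK: [800200sq] (from client AllWirelessAP port 0 cli A0-88-B4-0F-C3-D8)
"""


def parse_line(line):
    """Split one log line into (timestamp, facility, message); None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["fac"], m["msg"]


def unknown_ca_failures(lines, window_seconds=5):
    """Return (timestamp, user, client, mac) for every Login incorrect that
    follows an 'unknown CA' TLS alert within window_seconds.

    Only the alert line carries the real cause, so an alert is held as
    'pending' until the next failed login claims it; a pending alert that is
    not followed by a failure inside the window is dropped, which keeps an
    unrelated later failure from being blamed on the wrong cause.
    """
    pending = None
    failures = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fac, msg = parsed
        if fac == "Error" and "TLS Alert read" in msg and "unknown CA" in msg:
            pending = ts
            continue
        if pending is not None and (ts - pending).total_seconds() > window_seconds:
            pending = None
        login = LOGIN_RE.search(msg)
        if fac == "Auth" and login and login["result"] == "incorrect" and pending is not None:
            failures.append((ts, login["user"], login["client"], login["mac"]))
            pending = None
    return failures


def failures_by_mac(lines):
    """Count unknown-CA failures per calling-station MAC: the devices to fix."""
    return Counter(f[3] for f in unknown_ca_failures(lines))


if __name__ == "__main__":
    for ts, user, client, mac in unknown_ca_failures(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user} via {client} from {mac} rejected the server CA")
    print(failures_by_mac(SAMPLE_LOG.splitlines()))
```

On the thread's log this reports a single device, A0-88-B4-58-BA-8C, while the later successful logins for the same user come from a different MAC, which is consistent with the reply: the server and its certificate are fine, and one particular supplicant is missing the trust anchor. Because the alert is sent by the client, a spike in this count after a certificate renewal usually means the new chain is not in the client profile rather than a server fault.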