Re: 3gpp with Freeradius
Hi there,

For some reason am not getting the callingstation-ID for my users who are using 3gpp, could be missing something in the config, I have done some reading and all my settings seem fine. This is how my accounting looks and am missing a key feature which is the calling station ID

    Wed Apr 10 12:39:06 2013
        Acct-Multi-Session-Id = 53bf18f2
        Acct-Link-Count = 1
        Event-Timestamp = Apr 10 2013 12:38:50 EAT
        Framed-IP-Address = y.y.y.y
        Acct-Session-Id = c48653bf18f2
        NAS-IP-Address = 196.0.0.133
        Framed-Protocol = GPRS-PDP-Context
        Acct-Authentic = RADIUS
        Called-Station-Id = broadband
        NAS-Identifier = GGSN9811
        Acct-Delay-Time = 0
        User-Name = eric@3g
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Acct-Status-Type = Start
        3GPP-IMSI = 6411101051238450
        3GPP-Charging-ID = 1405032690
        3GPP-PDP-Type = 0
        3GPP-Charging-Gateway-Address = x.x.x.x
        3GPP-GPRS-Negotiated-QoS-profile = 99-23421f9196404074f74040
        3GPP-SGSN-Address = 196.0.0.129
        3GPP-GGSN-Address = 196.0.0.134
        3GPP-IMSI-MCC-MNC = 64111
        3GPP-GGSN-MCC-MNC = 64111
        3GPP-NSAPI = 5
        3GPP-Selection-Mode = 0
        3GPP-Charging-Characteristics = 0800
        3GPP-SGSN-MCC-MNC = 64111
        3GPP-Attr-26 = 0x00
        Acct-Unique-Session-Id = ae61f0992e7b5eaa
        Timestamp = 1365586746
        Request-Authenticator = Verified

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 3gpp with Freeradius
Mulindwa wrote:
> Hi there, For some reason am not getting the callingstation-ID for my users who are using 3gpp, could be missing something in the config, I have done some reading and all my settings seem fine. This is how my accounting looks and am missing a key feature which is the calling station ID

This is in the FAQ. The NAS isn't sending it. Go fix the NAS. There is nothing you can do to FreeRADIUS to magically invent a Calling-Station-Id.

Alan DeKok.
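The reply above places the gap at the NAS. To see which NAS omits the attribute, this added example (not part of the thread) scans a detail-style accounting log and reports each record without Calling-Station-Id. The first sample record reuses values from the accounting record posted above; the second record and its values are constructed.

```shell
#!/bin/sh
# Added example: report accounting records that lack Calling-Station-Id.

# Constructed sample in detail-file layout. Record 1 reuses attribute values
# from the post above; record 2 and its NAS name are invented for contrast.
sample_detail() {
    cat <<'EOF'
Wed Apr 10 12:39:06 2013
    Acct-Session-Id = c48653bf18f2
    NAS-Identifier = GGSN9811
    User-Name = eric@3g
    Acct-Status-Type = Start

Wed Apr 10 12:40:11 2013
    Acct-Session-Id = constructed0001
    NAS-Identifier = example-nas
    Calling-Station-Id = constructed-msisdn
    Acct-Status-Type = Start
EOF
}

# Prints "NAS-Identifier Acct-Session-Id" for every record without the
# attribute. Reads the named files, or stdin when none are given.
missing_calling_station() {
    awk '
    BEGIN { RS = ""; FS = "\n" }           # one blank-line-separated record at a time
    {
        nas = "unknown"; sid = "unknown"; found = 0
        for (i = 1; i <= NF; i++) {
            line = $i
            sub(/^[ \t]+/, "", line)
            p = index(line, " = ")
            if (p == 0) continue            # timestamp header line
            attr = substr(line, 1, p - 1)
            val = substr(line, p + 3)
            gsub(/^"|"$/, "", val)          # strip quotes if the value is quoted
            if (attr == "Calling-Station-Id") found = 1
            else if (attr == "NAS-Identifier") nas = val
            else if (attr == "Acct-Session-Id") sid = val
        }
        if (!found) print nas, sid
    }' "$@"
}

sample_detail | missing_calling_station
```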
Re: Freeradius + MySQL + Daloradius
Erik Sellgren wrote:
> I am trying to setup wireless authentication through my mikrotik router using freeradius with mysql and daloradius. I have the server setup and working, I can use NTradtest from my pc and I get Access-Accept messages in return with my cleartext user/password, username userclear password clear. But when I set it all up and try to access the wireless with the same credentials it is an access-reject. See below
>
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: userclear
> [mschap] Told to do MS-CHAPv2 for userclear with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
>
> After reading the top of inner-tunnel I used the test they said to use :
>
> radtest USER PASSWORD 127.0.0.1:18120 0 testing123

It also says to try MSCHAP. Or at least recent versions say this.

> When I use my user it fails, when I use the test user user and pass it succeeds. So do I have my innertunnel setup wrong or something? I have sql uncommented in /etc/raddb/sites-available/inner-tunnel Please let me know what info you need and I can supply it, please help me debug this issue.

You've conveniently deleted nearly all of the debug output. This isn't useful. From what little is there, it seems you're forcing Auth-Type to MSCHAP. This is wrong. See the FAQ. Instead (as the output shows) you need to supply a Cleartext-Password, and then let FreeRADIUS figure out which authentication method to use.

Alan DeKok.
sql checkval Operator which work with Value comma (,)
Dear All

I need to use modules checkval to check Multi NAS-Identifier. Many docs set it up as := NAS1

But how can I use := NAS1,NAS2,NAS3

Which operator can I use with a comma? I can not use 1 nas per row, because I have many GroupName and many NAS to check. I setup multi hotspot, so I have 10 hotspot and have 10 billing plans (GroupName) per Hotspot. I tried to use the operator += but it does not work.

Thanks in advance to all experts.

--
EasyZone Hotspot Billing v3.0 LDAP - supports LDAP, VLAN, Landing Page, Block site by Group, Multi Hotspot, Cisco WLC
EasyZone Ready Hotspot Box - Mikrotik + EasyZone ISP Billing stable and easy to use.
EasyZone ISP Billing - Billing for Wireless ISP, Local ISP.
http://www.easyzonecorp.net
Re: sql checkval Operator which work with Value comma (,)
On 10 Apr 2013, at 08:15, EasyHorpak.com i...@easyhorpak.com wrote:
> Dear All

Jesus Fuck, what the hell are those hideously coloured blinking things at the bottom of your email. You're trying to advertise using your signature?! Have you any idea how completely inappropriate that is on a support list?

-Arran
segfault error
I am running freeradius2-2.1.12-5.el5 on a CentOS server release 5.9 (Final). I was doing some testing on some new RADIUS servers that we want to put into production and I got the following error.

/var/log/messages

    Apr 9 17:33:45 on-radius01 kernel: radiusd[8831]: segfault at 2aae660ae000 rip 2aae5b6215eb rsp 2aae660ab7c8 error 4

What should I be looking for? The RADIUS logs didn't turn up anything as it wasn't in debug mode.

Thanks,
Chris
Re: sql checkval Operator which work with Value comma (,)
On 10/04/2556 19:20, Arran Cudbard-Bell wrote:
> On 10 Apr 2013, at 08:15, EasyHorpak.com i...@easyhorpak.com wrote:
>> Dear All
>
> Jesus Fuck, what the hell are those hideously coloured blinking things at the bottom of your email. You're trying to advertise using your signature?! Have you any idea how completely inappropriate that is on a support list?
>
> -Arran

Big apologies for my email signature, sir.

Chuan
Re: segfault error
Chris Taylor wrote:
> I am running freeradius2-2.1.12-5.el5 on a CentOS server release 5.9 (Final). I was doing some testing on some new RADIUS servers that we want to put into production and I got the following error.

Well... upgrade to 2.2.0. There's no reason for us to debug issues in old versions. Those have already been debugged and fixed.

Alan DeKok.
freeradius in cloud using openstack
Hi, can anybody here teach me how to install freeradius in openstack infrastructure?
Re: freeradius in cloud using openstack
On 10 Apr 2013, at 10:04, faizal ghazali fgha...@gmail.com wrote:
> Hi, can anybody here teach me how to install freeradius in openstack infrastructure?

No.

-Arran
Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
On 04/10/2013 12:03 AM, pramod kulkarni wrote:
> Thanks John for the reply. can I use EAP-TLS method of authentication with LDAP as backend datastore to check usernames and passwords. It would be like I bind to RADIUS server with EAP-TLS method using certificate and check usernames and passwords from LDAP server if yes on EAP-TLS can you please tell me how to configure EAP-TLS with LDAP as backend datastore.

This is a nonsensical question, EAP-TLS uses certificates. You do not yet understand some of the basics. You need to invest some time in learning what the authentication mechanisms are and how they operate, this is a good starting place.

http://deployingradius.com/documents/protocols/

> Basically I want to avoid hardcoded usernames and passwords in raddb of RADIUS server for authenticating users which I am doing currently.

What the configuration block in modules/ldap is setting up is how the radius server can communicate with the LDAP server in a peer-to-peer relationship. The LDAP server has to know who the radius server is and if it has permission to access other users' passwords and password hashes. Therefore radiusd must authenticate to LDAP. This process is completely *independent* of any of the authentication protocols, it's merely establishing if radius can view certain data. The way rlm_ldap is currently coded only simple binds (i.e. password based) are supported, therefore you must store a password in raddb.

You are correct this is a security issue, however only root and the radius process should be able to read the file. On our systems we make sure the permissions and identities the processes run under assure this, if you've installed via some other mechanism it behooves you to assure the radius user and group are properly configured as well as the file permissions on the config files. And by the way no I won't tell you how to do this, it's system admin 101. I'm pretty sure the defaults assure this as well, but I haven't verified.
There are other ways to establish the trust between radiusd and LDAP beside simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra Patches Welcome applies.

Oh, and by the way just in case you're confused as to the TLS parameters in the ldap config, they have nothing to do with binding (i.e. authenticating radiusd to LDAP), their purpose is to establish a secure tunnel between radiusd and LDAP. You can request the tunnel only be established if certificate based authentication succeeds but a simple bind will still be performed inside the tunnel.

HTH,
John

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
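A check for the file-permission point made in the message above, as an added example that is not part of the original message: it lists files under a config tree that set `password = ...` and carry any permission bit for "other". The demo tree, the `backup/ldap.bak` copy and the password value are constructed; only the `modules/ldap` path comes from the thread.

```shell
#!/bin/sh
# Added example: find config files that hold a bind password and are
# accessible to users other than the owner and group.

# exposed_password_files DIR
# Prints each file under DIR that sets "password = ..." and has any
# "other" permission bit (read, write or execute) set.
exposed_password_files() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec grep -lE '^[[:space:]]*password[[:space:]]*=' {} + | sort
}

# Constructed demo tree; modules/ldap mirrors the path named in the thread,
# the other paths, the contents and the password value are invented.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/modules" "$d/backup"
    printf 'ldap {\n\tidentity = "cn=radius,dc=example,dc=org"\n\tpassword = constructed-secret\n}\n' \
        > "$d/modules/ldap"
    cp "$d/modules/ldap" "$d/backup/ldap.bak"
    printf 'ATTRIBUTE Example 1 string\n' > "$d/dictionary"
    chmod 640 "$d/modules/ldap"      # owner and group only
    chmod 644 "$d/backup/ldap.bak"   # stray copy left world-readable
    chmod 644 "$d/dictionary"        # world-readable but holds no password
    echo "$d"
}

tree=$(demo_tree)
exposed_password_files "$tree"
rm -rf "$tree"
```

On a real server, point `exposed_password_files` at the raddb directory; an empty result means no password-bearing file is readable outside its owner and group.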
Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords
> There are other ways to establish the trust between radiusd and LDAP beside simple binds which do not involve passwords. All of these use SASL in some form. Unfortunately rlm_ldap does not support them. I know Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't know if SASL support was added or not. In any event this is an open source project and if you want this functionality then the usual mantra Patches Welcome applies.

No it wasn't.

-Arran
Freeradius 3 LDAP Generic Attributes
Hi,

I've been puttering around with FR3 and haven't been able to figure out how to set up a mapping from LDAP 'radiusReplyItem' 'radiusCheckItem' attributes to FR3 generic attributes. While we do often create a special LDAP attribute for what we need, the generic attributes in FR2 made testing and certain one-off configurations much quicker. I was hoping someone could point me in the correct direction!

Thanks,
-Nick
Re: Freeradius 3 LDAP Generic Attributes
> I've been puttering around with FR3 and haven't been able to figure out how to set up a mapping from LDAP 'radiusReplyItem' 'radiusCheckItem' attributes to FR3 generic attributes.

I guess if it was useful we could add it back in, there's no real reason not to. Could you remind me what the value format was?

> While we do often create a special LDAP attribute for what we need, the generic attributes in FR2 made testing and certain one-off configurations much quicker.

Ok.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Please contribute documentation: http://wiki.freeradius.org
Stupidity is a harsh teacher and her lesson is pain
compile with ldap support
What options do I have to use to compile freeradius with ldap support turned on? I tried ./configure -with-ldap but that didn't seem to work; I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn't find anything.

Thanks,
Chris
Re: compile with ldap support
On 10 Apr 2013, at 21:12, Chris Taylor chris.tay...@corp.eastlink.ca wrote:
> What options do I have to use to compile freeradius with ldap support turned on? I tried ./configure –with-ldap but that didn’t seem to work; I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn’t find anything.

It'll build it by default if you have the libldap headers installed. Check the output of configure to verify it's actually building rlm_ldap.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Please contribute documentation: http://wiki.freeradius.org
Fruity Oaty Bars, make a man out of a mouse. Fruity Oaty Bars, make you bust out of your blouse
RE: compile with ldap support
How do I check that I have them installed? I have the openldap rpm installed. I am trying to go from an rpm build to a source build to fix a problem.

Chris

-Original Message-
From: freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink...@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Wednesday, April 10, 2013 10:07 PM
To: FreeRadius users mailing list
Subject: Re: compile with ldap support

On 10 Apr 2013, at 21:12, Chris Taylor chris.tay...@corp.eastlink.ca wrote:
> What options do I have to use to compile freeradius with ldap support turned on? I tried ./configure -with-ldap but that didn't seem to work; I still get an error about not being able to find rlm_ldap. I checked the mail archives but I couldn't find anything.

It'll build it by default if you have the libldap headers installed. Check the output of configure to verify it's actually building rlm_ldap.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Please contribute documentation: http://wiki.freeradius.org
Fruity Oaty Bars, make a man out of a mouse. Fruity Oaty Bars, make you bust out of your blouse
Re: compile with ldap support
Chris Taylor wrote:
> How do I check that I have them installed? I have the openldap rpm installed.

This is really a question for your OS vendor. How about man rpm? Or google? And you also want the libldap development headers. Just installing the OpenLDAP server won't get those.

Alan DeKok.