Re: Freeradius issue : Active Directory Integration
Hi.

Wondering what authentication method you are using, as maybe looking at wrong ntlm; check the mschap module for its ntlm_auth incantation. Also, if you have doubts about the AD account used to bind then follow that up. Get it bound in the same way.

What does ntlm_auth do on the command line for you?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius issue : Active Directory Integration
Hi,

> Hello,
> I am facing issue with MS CHAP authentication in Ubuntu 13.04 . Also
> NTLM Authentication takes place when putting 'wait = no' in
> /etc/freeradius/modules/ntlm_auth

is ntlm_auth on the command line working? Please provide some debug output.

regards
-andreas

--
Andreas Sartori
Systems Engineer, IS - Information Services
FACHHOCHSCHULE SALZBURG GmbH, Salzburg University of Applied Sciences
Freeradius issue : Active Directory Integration
Hello,

I am facing issue with MS CHAP authentication in Ubuntu 13.04. Also NTLM Authentication takes place when putting 'wait = no' in /etc/freeradius/modules/ntlm_auth

ie

exec ntlm_auth {
	wait = no
	program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
}

But MS CHAP fails completely. Tried all options but not working at all. I have another Freeradius Server with same configuration which is working perfectly. The only difference is that the faulty Radius Server was joined to Domain with a backup administrator account, not with the default Domain Administrator account. Is this creating the issue? Please suggest. I have attached the debug output.

Regards,

Shameek
Re: assign vlan per group or per user
Jean Carlos Coelho wrote:
> I need to configure one radius server with ldap integration and dynamic
> vlan assign per user or group, didn't find any documentation about this
> procedures, someone knows any url about this?

  See the NAS documentation for which attributes it expects in an Access-Accept. Then, put those attributes into the reply.

  In the "users" file, you can do:

bob	Cleartext-Password := "password"
	vlan attributes = ...

  Alan DeKok.
Re: How to deny access to Switch Cisco by Group
Thanks. I have done your tip but I'm getting the following error:

rlm_ldap::ldap_groupcmp: Group cisco not found or user is not a member.
[ldap] performing search in o=dohler, with filter (&(cn=cisco)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames (uniquemember=
[ldap] object not found

I have created the group "cisco" in the LDAP and put the user inside it, but the logs from freeradius show that group not found. Maybe there is mismatch at the searching ldap from freeradius that I have fit it.

Any tip about?

Thanks
Re: radwho not working
Clint Petty wrote:
> I am not blaming, I am just wanting to get the radwho command to work.

  That is *entirely* the wrong attitude. There is no "just get it to work". There *are* multiple pieces involved, each of which has to be verified.

  I'm trying to convince you to use a methodical approach. If you read "man radwho", you'll see it uses accounting packets. That should indicate that you'll need to enable accounting. But you didn't do that. You were told to run the server in debugging mode, and you did once... but not the next time.

  The less you do yourself, and the more difficult you make it to help you, the less we're inclined to help. *THAT* is the goal of many of my responses.

> I have now turned on accounting info to be sent from the StrongSwan server
> to the FreeRadius server. For I can see the accounting info in
> /var/log/radius/radacct//detail-20131003 file.

  Which isn't the radutmp file, is it?

  Again, "man radwho" says it reads the radutmp file.

  Again, your process should be something like this:

- "man radwho" says it needs the radutmp file.
- is the radutmp module enabled?
- if enabled, is it doing anything?
- where is the file?
- is it being modified?

> However I am still getting the same results with the radwho command, showing
> just the titles, with no connections?

  Your other message indicates that the module is being used, and is returning "ok". Does the "radwho" command print anything after the "radutmp" module returns "ok" ? It should.

  Alan DeKok.
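The checklist in the message above can be run mechanically against `radiusd -X` output. The following is an added example, not code from the thread or from the FreeRADIUS project; the function names `parse_debug` and `radwho_findings` are hypothetical, and the sample log is constructed from the line formats quoted in this thread.

```python
import re

# Line shapes taken from the radiusd -X output quoted in this thread.
RECV = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
GROUP = re.compile(r"^\+- entering group (\S+)")
RESULT = re.compile(r"^\++\[([\w.-]+)\] returns (\w+)")
RADUTMP_FILE = re.compile(r"^\[radutmp\]\s*expand: .* -> (/\S+)$")

# Constructed sample input (192.0.2.79 is a documentation address).
AUTH_ONLY = """\
rad_recv: Access-Request packet from host 192.0.2.79 port 40379, id=79, length=138
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns updated
"""

WITH_ACCOUNTING = AUTH_ONLY + """\
rad_recv: Accounting-Request packet from host 192.0.2.79 port 48595, id=95, length=136
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
++[detail] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> test
++[radutmp] returns ok
"""


def parse_debug(text):
    """Split debug output into received packets with per-section module results."""
    packets, current, group = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECV.match(line)
        if m:
            current = {"type": m.group(1), "id": int(m.group(2)),
                       "results": {}, "radutmp_file": None}
            packets.append(current)
            group = None
            continue
        if current is None:
            continue  # server start-up chatter before the first packet
        m = GROUP.match(line)
        if m:
            group = m.group(1)
            continue
        m = RESULT.match(line)
        if m and group:
            current["results"].setdefault(group, {})[m.group(1)] = m.group(2)
            continue
        m = RADUTMP_FILE.match(line)
        if m:
            current["radutmp_file"] = m.group(1)
    return packets


def radwho_findings(packets):
    """Answer the checklist: was accounting received, did radutmp run, which file?"""
    acct = [p for p in packets if p["type"] == "Accounting-Request"]
    if not acct:
        return ["no Accounting-Request received: enable accounting on the NAS"]
    findings = []
    for p in acct:
        result = p["results"].get("accounting", {}).get("radutmp")
        if result is None:
            findings.append(f"id={p['id']}: radutmp not listed in the accounting section")
        elif result != "ok":
            findings.append(f"id={p['id']}: radutmp returned {result}")
        else:
            findings.append(f"id={p['id']}: radutmp ok, wrote {p['radutmp_file']}")
    return findings


if __name__ == "__main__":
    for label, sample in (("auth only", AUTH_ONLY), ("with accounting", WITH_ACCOUNTING)):
        for finding in radwho_findings(parse_debug(sample)):
            print(f"{label}: {finding}")
```

The reported path is the file the radutmp module writes; comparing it with the file radwho opens, and checking its modification time, covers the last two items of the checklist.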
RE: radwho not working
tory...
[ldap] userPassword -> User-Password == "password"
[ldap] userPassword -> Password-With-Header == "password"
[ldap] sambaNtPassword -> NT-Password == 0x3842423544393331433146303430343833393537393933353042383233443243
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
Login OK: [test] (from client localhost port 61 cli xx.xx.xx.150[29608])
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to xx.xx.xx.79 port 50925
	EAP-Message = 0x03010004
	Message-Authenticator = 0x
	User-Name = "test"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host xx.xx.xx.79 port 48595, id=95, length=136
	Acct-Status-Type = Start
	Acct-Session-Id = "1380824273-61"
	NAS-Port-Type = Virtual
	Service-Type = Framed-User
	NAS-Port = 61
	NAS-Port-Id = "ios"
	NAS-IP-Address = xx.xx.xx.79
	Called-Station-Id = "xx.xx.xx.79[4500]"
	Calling-Station-Id = "xx.xx.xx.150[29608]"
	User-Name = "test"
	Framed-IP-Address = xx.xx.xx.1
	NAS-Identifier = "strongSwan"
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 61,Client-IP-Address = xx.xx.xx.79,NAS-IP-Address = xx.xx.xx.79,Acct-Session-Id = "1380824273-61",User-Name = "test"'
[acct_unique] Acct-Unique-Session-ID = "145df3492fbbdbec".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} -> xx.xx.xx.79
[detail]expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/xx.xx.xx.79/detail-20131003
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/xx.xx.xx.79/detail-20131003
[detail]expand: %t -> Thu Oct 3 21:45:27 2013
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> test
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 95 to xx.xx.xx.79 port 48595
Finished request 2.
Cleaning up request 2 ID 95 with timestamp +9
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 93 with timestamp +9
Cleaning up request 1 ID 94 with timestamp +9
Ready to process requests.
Re: radwho not working
Hi,

> I am not blaming, I am just wanting to get the radwho command to work. I
> have now turned on accounting info to be sent from the StrongSwan server to
> the FreeRadius server. For I can see the accounting info in
> /var/log/radius/radacct//detail-20131003 file. However I am
> still getting the same results with the radwho command, showing just the
> titles, with no connections?

same response - output of "radiusd -X" please

alan
RE: radwho not working
Hi Alan,

I am not blaming, I am just wanting to get the radwho command to work. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct//detail-20131003 file. However I am still getting the same results with the radwho command, showing just the titles, with no connections?
assign vlan per group or per user
Hi,

My first post!

I need to configure one radius server with ldap integration and dynamic vlan assign per user or group, didn't find any documentation about this procedures, someone knows any url about this?

Thank You!
[]s
Version 2.2.2
  I've pushed a fix for the proxy issue into the v2.x.x branch. If people can test it, that would be appreciated.

  We'll then release 2.2.2 and 3.0.0 on Monday.

  Alan DeKok.
Re: radwho not working
Clint Petty wrote:
> Below is the results from radiusd -X (debug mode), while logging in:
>
> rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79,
> length=138

  The radwho file logs *accounting* packets. That is an *authentication* packet.

  You're blaming FreeRADIUS because the NAS never sends an Accounting-Request. Go fix the NAS.

  Alan DeKok.
RE: radwho not working
Hi Alan,

Below is the results from radiusd -X (debug mode), while logging in:

rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138
	User-Name = "test"
	NAS-Port-Type = Virtual
	Service-Type = Framed-User
	NAS-Port = 53
	NAS-Port-Id = "ios"
	NAS-IP-Address = xx.xx.xx.79
	Called-Station-Id = "xx.xx.xx.79[4500]"
	Calling-Station-Id = "xx.xx.xx.150[32055]"
	EAP-Message = 0x0209016a646f65
	NAS-Identifier = "strongSwan"
	Message-Authenticator = 0x13a0846c40f521e3c009161546f6f3fb
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for test
[ldap] expand: (&(uid=%u)) -> (&(uid=test))
[ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to xx.xx.xx.126:389, authentication 0
[ldap] bind as cn=Admin,dc=company,dc=com/ to xx.xx.xx.126:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test))
[ldap] looking for check items in directory...
[ldap] userPassword -> User-Password == "password"
[ldap] userPassword -> Password-With-Header == "password"
[ldap] sambaNtPassword -> NT-Password == 0x38424235443
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 79 to xx.xx.xx.79 port 40379
	EAP-Message = 0x010100160410c73f50e02103b6473c8f5ed51995e29f
	Message-Authenticator = 0x
	State = 0x2310bb7d2311bf963fc3fbc63c331669
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=80, length=169
	User-Name = "test"
	NAS-Port-Type = Virtual
	Service-Type = Framed-User
	NAS-Port = 53
	NAS-Port-Id = "ios"
	NAS-IP-Address = xx.xx.xx.79
	Called-Station-Id = "xx.xx.xx.79[4500]"
	Calling-Station-Id = "xx.xx.xx.150[32055]"
	EAP-Message = 0x020100160410958ab4a6a9b38188febc74cc0c573b96
	NAS-Identifier = "strongSwan"
	State = 0x2310bb7d2311bf963fc3fbc63c331669
	Message-Authenticator = 0xdb77c116ca06726a60a2d3a224bc2e22
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for test
[ldap] expand: (&(uid=%u)) -> (&(uid=test))
[ldap] expand: ou=People,dc=company,dc=com -> ou=People,dc=company,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=company,dc=com, with filter (&(uid=test))
[ldap] looking for check items in directory...
[ldap] userPassword -> User-Password == "password"
[ldap] userPassword -> Password-With-Header == "password"
[ldap] sambaNtPassword -> NT-Password == 0x38424235443
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap
Re: Running RADIUS in permanent debug mode with rotating log
Hi,

this is FreeRADIUS list, not general Linux list - I'd suggest looking at some guides for the EXACT thing you need

eg http://www.cyberciti.biz/faq/linux-unix-formatting-dates-for-display/

(and ensure your escape quotes are the right way around)

alan
Re: How to deny access to Switch Cisco by Group
Usuário do Sistema wrote:
> how to deny access by group ? if user is member of the group it's able
> login in otherwise the user is deny

  See the FAQ. Put this at the top of the "users" file:

DEFAULT LDAP-Group != "allowed", Auth-Type := Reject

  Alan DeKok.
How to deny access to Switch Cisco by Group
Hello,

I have just installed a FreeRADIUS Version 2.1.12. It's integrate with OpenLdap and I'm able to use it that way.

My issue is how to deny users aren't member of the any group. For example, I should like authorize users do login in the my devices Cisco from a group of the my data base LDAP. If user doesn't inside in that group the freeradius must DENY it. Currently my freeradius is allow any user from LDAP. If the user is created on LDAP it's able login in my Cisco devices.

How to deny access by group? If user is member of the group it's able login in, otherwise the user is deny.

thanks
Re: Wifi APs Models compatible with by username dynamic vlan assignment
On 3 Oct 2013, at 10:57, matthew pideil wrote:

> Hello,
>
> I want to perform dynamic VLAN assignment by username through wifi
> access. I set up this configuration few time ago but didn't works.
>
> I want to know which WiFi APs are compatible and/or what is the term to
> search for in devices specifications ...

Look for claimed compliance with RFC3580/RFC4675 in the specifications of your Access-Point.

-Arran

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Running RADIUS in permanent debug mode with rotating log
On 3 Oct 2013, at 10:14, wrote:

>> How can we run radiusd -x > "logname" such that we have different
>> logname for each day?
>
> Clement, may I suggest a cron job?
>
> At midnight, move the log, kill and restart the radius server with a new log
> in the name? Of course you run the risk of possibly killing any
> authentication attempts that happen at that point in time, but... that's
> something you need to take into account?

Please don't. Use a crontab by all means but just use the main log file and enable additional debugging (-xx).

As of 2.2.1 you can use the radmin control socket to reopen the log file handle without restarting the server, or sending a -HUP.

It's not just the fact you'll kill any EAP auth sessions in progress, but you'll clear out any cached entries (rlm_cache), and where proxying is being performed upstream server state will be lost.

It's also dangerous in that if someone has messed with the configurations, or overwritten the radiusd/freeradius(debian) binary you'll experience an unexpected migration to the new binary/config on next restart.

Arran Cudbard-Bell
FreeRADIUS Development Team
Wifi APs Models compatible with by username dynamic vlan assignment
Hello,

I want to perform dynamic VLAN assignment by username through wifi access. I set up this configuration few time ago but didn't works.

I want to know which WiFi APs are compatible and/or what is the term to search for in devices specifications ...

Regards,
--
Matthew Pideil
RE: Running RADIUS in permanent debug mode with rotating log
> How can we run radiusd -x > "logname" such that we have different
> logname for each day?

Clement, may I suggest a cron job?

At midnight, move the log, kill and restart the radius server with a new log in the name? Of course you run the risk of possibly killing any authentication attempts that happen at that point in time, but... that's something you need to take into account?

Stefan
Re: Running RADIUS in permanent debug mode with rotating log
I really wouldn't recommend running in full debug mode on a production server full time... it's only single threaded so if you have to service lots of requests you have an immediate bottleneck.

What sort of weird problems are you facing? You know you can run on debug mode for single users or clients via radmin/raddebug ??

If you really want to proceed then you can use eg crontab to run a script which kills all radiusd processes and then starts new debug session with the date in the logfile

eg

radiusd -X > /var/log/debug-'date +args xxx'

Where + args xx is the date string format you require

alan

Clement Ogedengbe wrote:
>Hello,
>
>We have been having "strange" experiences with our RADIUS service
>lately and we thought it would be a good idea to run RADIUS in debug
>mode "permanently" to enable us effectively troubleshoot user
>complaints.
>
>How can we run radiusd -x > "logname" such that we have different
>logname for each day?
>
>Clement
Running RADIUS in permanent debug mode with rotating log
Hello,

We have been having "strange" experiences with our RADIUS service lately and we thought it would be a good idea to run RADIUS in debug mode "permanently" to enable us effectively troubleshoot user complaints.

How can we run radiusd -x > "logname" such that we have different logname for each day?

Clement
Re: radwho not working
Hi,

> I would like to display the active Radius connections. When I run radwho I
> get the following results (showing nothing but the titles) even though I know
> I have an active connection:

using the utmp/wtmp modules? what does your FreeRADIUS debug show when someone logging in?

alan