Re: Default reply for username incorrect-s
Ok, I think I got the idea, will now go and try it out! Thank you! As to the 2nd reply, yes, my NAS supports Reply-Messages.

2010/1/4 Charles (KOL-Goma) char...@goma.kivu-online.com

> Does your NAS support the option?
>
> ----- Original Message -----
> *From:* EasyHorpak.com i...@easyhorpak.com
> *To:* FreeRadius users mailing list freeradius-users@lists.freeradius.org
> *Sent:* Monday, January 04, 2010 6:27 AM
> *Subject:* Re: Default reply for username incorrect-s
>
> Alex M wrote:
>> Happy New Year to you all! I have a quick question: How can I send a default reply to all users that have an incorrect username / password combination? Right now FR just rejects them w/o any message. I use MySQL. I tried to add DEFAULT as user name in rad reply but that did not help :( Hope someone can help me? TNX
>
> try this man http://www.easyzonecorp.net/network/view.php?ID=1038
> it's only accept not found username.
> for wrong password you must use unlang
> try this http://www.easyzonecorp.net/network/view.php?ID=1042

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Default reply for username incorrect-s
Happy New Year to you all! I have a quick question: How can I send a default reply to all users that have an incorrect username / password combination? Right now FR just rejects them w/o any message. I use MySQL. I tried to add DEFAULT as user name in rad reply but that did not help :( Hope someone can help me? TNX
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Yes, that helped =) Thank you!

2009/12/27 zhongwei feng feng...@gmail.com

> hi, try to exchange sequence?
>
> if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
>     update reply {
>         Reply-Message := "Hello Hello Hello"
>     }
>     reject
> }
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Ok, I'm still having trouble with this. Here is my code:

    if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
        reject
        update reply {
            Reply-Message = "Hello Hello Hello"
        }
    }

The problem is that I don't see the Reply Message... I see the other one that I got from the Usergroup. My user is a member of the default user group that sends a reply message to everyone saying that Username is incorrect. That is my way to output the message where Username Password (probably there should be a better way to do that, and maybe that is the problem), but that's what I have now. So that message is getting outputted even though the mac address is banned.

Here is a copy of my output.. Hope you can help me out? TNX

===
rad_recv: Access-Request packet from host x4.xxx.74.xxx port 62760, id=111, length=139
    NAS-IP-Address = 192.168.0.104
    NAS-Identifier = xxx.com
    User-Name = alexus7
    User-Password = open
    Service-Type = Login-User
    NAS-Port-Type = Ethernet
    NAS-Port = 5
    Framed-IP-Address = 192.168.1.199
    Called-Station-Id = 00:0d:b9:06:xx:xx
    Calling-Station-Id = 00:0b:6a:29:xx:xx
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = alexus7, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} - alexus7
[sql] sql_set_user escaped user -- 'alexus7'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alexus7' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'alexus7' ORDER BY id
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alexus7' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'alexus7' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'alexus7' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'alexus7' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Ban' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Ban' ORDER BY id
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'All' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'All' ORDER BY id
[sql] User found in group All
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'All' ORDER BY id
rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'All' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++? if (Calling-Station-Id == %{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'})
sql_xlat
expand: %{User-Name} - alexus7
sql_set_user escaped user -- 'alexus7'
expand: SELECT mac FROM `lrc_banlist` WHERE
Re: Rejecting User By their Calling-Station-Id (Mac Address)
As suggested I just tried to replace operator = with := and even with == but the reply message is not getting outputted :( Maybe I'm missing something?

    if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
        reject
        update reply {
            Reply-Message := "Hello Hello Hello"
        }
    }

On Sat, Dec 26, 2009 at 12:08 PM, Alex M freerad...@lrcommunications.net wrote:

> lol true! I always use that one for reply messages... I guess I was too sleepy last night :( Thank you!
>
> On Sat, Dec 26, 2009 at 11:19 AM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>
>> On 26/12/2009 08:05, Alex M wrote:
>>> Ok, I'm still having trouble with this. Here is my code:
>>>
>>> if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
>>>     reject
>>>     update reply {
>>>         Reply-Message = "Hello Hello Hello"
>>>     }
>>> }
>>
>> Wrong operator. You want := to overwrite the attribute value that already exists...
>>
>> update reply {
>>     Reply-Message := "Hello Hello Hello"
>> }
Re: Rejecting User By their Calling-Station-Id (Mac Address)
That worked well! Thank you. I guess once reject is sent there is no further processing of the code.

On Sat, Dec 26, 2009 at 1:16 PM, Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:

> On 26/12/2009 10:11, Alex M wrote:
>> As suggested I just tried to replace operator = with := and even with == but the reply message is not getting outputted :( Maybe I'm missing something?
>
> Try moving the reject to after the update stanza. I think a return code of reject stops the server processing the current section.
>
> -Arran
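The two effects worked out in this thread (operator choice and statement order), as an added example that is not part of the original posts: a simplified Python model, not FreeRADIUS code, of an unlang block run against a reply list that already holds the group's Reply-Message. The tuple encoding, the function names and the group message text are assumptions made for the illustration.

```python
# Simplified model of the behaviour discussed in this thread. This is not
# FreeRADIUS code; the statement tuples below are a hypothetical encoding.

GROUP_MESSAGE = "Username is incorrect"  # constructed: text sent by the SQL group
BAN_MESSAGE = "Hello Hello Hello"        # message used in the thread's test policy


def apply_update(reply, attr, op, value):
    """Apply one 'update reply' entry to a list of (attribute, value) pairs."""
    present = any(name == attr for name, _ in reply)
    if op == "=":
        # '=' adds the attribute only when none of that name exists yet.
        if not present:
            reply.append((attr, value))
    elif op == ":=":
        # ':=' overwrites: drop any existing value, then add the new one.
        reply[:] = [(n, v) for n, v in reply if n != attr]
        reply.append((attr, value))
    else:
        raise ValueError("operator not modelled: %r" % (op,))


def run_block(statements, reply):
    """Run statements in order; 'reject' ends processing of the block."""
    for stmt in statements:
        if stmt[0] == "reject":
            return "reject"  # nothing after this statement is evaluated
        elif stmt[0] == "update":
            _, attr, op, value = stmt
            apply_update(reply, attr, op, value)
        else:
            raise ValueError("statement not modelled: %r" % (stmt,))
    return "noop"


def reply_message_for(statements):
    """Return (return code, Reply-Message values left in the reply list)."""
    # Starting state as in the debug output: the sql module ran first and
    # the group's Reply-Message is already in the reply list.
    reply = [("Reply-Message", GROUP_MESSAGE)]
    rcode = run_block(statements, reply)
    return rcode, [v for n, v in reply if n == "Reply-Message"]


# The variants tried in the thread, in order.
REJECT_THEN_SET = [("reject",), ("update", "Reply-Message", "=", BAN_MESSAGE)]
REJECT_THEN_OVERWRITE = [("reject",), ("update", "Reply-Message", ":=", BAN_MESSAGE)]
OVERWRITE_THEN_REJECT = [("update", "Reply-Message", ":=", BAN_MESSAGE), ("reject",)]
# Not tried in the thread: correct order, but with the '=' operator.
SET_THEN_REJECT = [("update", "Reply-Message", "=", BAN_MESSAGE), ("reject",)]

if __name__ == "__main__":
    for name, block in [
        ("reject, then =", REJECT_THEN_SET),
        ("reject, then :=", REJECT_THEN_OVERWRITE),
        (":=, then reject", OVERWRITE_THEN_REJECT),
        ("=, then reject", SET_THEN_REJECT),
    ]:
        print(name, "->", reply_message_for(block))
```

Only the variant that overwrites first and rejects last leaves the ban message in the reply; with the correct order but `=`, the group's message is still the one that remains.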
Re: Rejecting User By their Calling-Station-Id (Mac Address)
I need to ask again for help. So I added this code to the Authorize section of the Default config file and it blocks banned users well! But I need to tell them why they got banned, so I tried different ways to add Reply-Message in the logic. Nothing helped me so far... So maybe someone can tell me how to add reply-message to this logic? Thanks a lot and Merry Xmas

    if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") {
        reject
        #reply := Your account has been disabled.
    }

On Wed, Dec 16, 2009 at 4:07 PM, Alex M freerad...@lrcommunications.net wrote:

> ok fair enough =) will go dig config file... How can I send the reason for rejection? Just add reply command somewhere along the lines? Can I link reply message to the reply message associated with reply in groups? Tnx again!
>
> On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok al...@deployingradius.com wrote:
>
>> Alex M wrote:
>>> Well I guess I'm back to my problem :( I tried the group thing and I'm getting some strange un-constant results :( Can someone tell me how the logic works for groupcheck?
>>
>> Why? You were given a simple solution. I suggest trying that. Trying to figure out how to get groups to do what you want is a waste of time when you *already* have a solution.
>>
>> Alan DeKok.
Re: Rejecting User By their Calling-Station-Id (Mac Address)
o no wonder all my tries didn't work =) Thanks a lot!

On Fri, Dec 25, 2009 at 7:10 PM, t...@kalik.net wrote:

>> I need to ask again for help. So I added this code to the Authorize section of the Default config file and it blocks banned users well! But I need to tell them why they got banned, so I tried different ways to add Reply-Message in the logic. Nothing helped me so far... So maybe someone can tell me how to add reply-message to this logic? Thanks a lot and Merry Xmas
>>
>> if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") {
>>     reject
>     update reply {
>         Reply-Message = "Your account has been disabled."
>     }
>>     #reply := Your account has been disabled.
>> }
>
> Ivan Kalik
Re: Rejecting User By their Calling-Station-Id (Mac Address)
ok fair enough =) will go dig config file... How can I send the reason for rejection? Just add reply command somewhere along the lines? Can I link reply message to the reply message associated with reply in groups? Tnx again!

On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok al...@deployingradius.com wrote:

> Alex M wrote:
>> Well I guess I'm back to my problem :( I tried the group thing and I'm getting some strange un-constant results :( Can someone tell me how the logic works for groupcheck?
>
> Why? You were given a simple solution. I suggest trying that. Trying to figure out how to get groups to do what you want is a waste of time when you *already* have a solution.
>
> Alan DeKok.
Re: Rejecting User By their Calling-Station-Id (Mac Address)
wow... I managed to make it work w/ groups but I like your way better =) Thank you!

On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok al...@deployingradius.com wrote:

> Alex M wrote:
>> Hey all, I'm coming back here w/ my old question of how to reject users based on their MAC address... but now I'm running FR 2.x.x. So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well, that's not fun for us, so we're trying to figure out what we can do to reject requests from their machines no matter what name they put in. So maybe someone can help me out here.
>
> Create a table called blocked MACs, and put the MAC addresses in there. Then, in the authorize section, do:
>
> if (Calling-Station-Id == "%{sql: SELECT }") {
>     reject
> }
>
> Fix the SQL statement to SELECT the row containing the Calling-Station-Id.
>
> Alan DeKok.
Re: Rejecting User By their Calling-Station-Id (Mac Address)
Well I guess I'm back to my problem :( I tried the group thing and I'm getting some strange un-constant results :( Can someone tell me how the logic works for groupcheck? If I have Calling-Station-Id and reply reject specified for the same user, what should happen? What if I have 100 MAC addresses entered, how do we check for that?

I had 1 MAC address entered and was getting rejected well. If 1 MAC is entered but not my MAC then I'm not getting rejected, yet when 2 MAC addresses are entered I'm getting rejected regardless of my MAC address. (My ban group has priority of 1)

I would love to solve my problem w/ groups so I don't have to edit radius config files... but if I'm getting these strange results or if it's not possible, I'm more or less ok w/ adding more settings to configs... Thanks for helping me out!

On Tue, Dec 15, 2009 at 2:41 PM, Alex M freerad...@lrcommunications.net wrote:

> wow... I managed to make it work w/ groups but I like your way better =) Thank you!
>
> On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok al...@deployingradius.com wrote:
>
>> Alex M wrote:
>>> Hey all, I'm coming back here w/ my old question of how to reject users based on their MAC address... but now I'm running FR 2.x.x. So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well, that's not fun for us, so we're trying to figure out what we can do to reject requests from their machines no matter what name they put in. So maybe someone can help me out here.
>>
>> Create a table called blocked MACs, and put the MAC addresses in there. Then, in the authorize section, do:
>>
>> if (Calling-Station-Id == "%{sql: SELECT }") {
>>     reject
>> }
>>
>> Fix the SQL statement to SELECT the row containing the Calling-Station-Id.
>>
>> Alan DeKok.
Rejecting User By their Calling-Station-Id (Mac Address)
Hey all, I'm coming back here w/ my old question of how to reject users based on their MAC address... but now I'm running FR 2.x.x. So, we have trial access for free, and some people figured that they can re-register new accounts for trial all over again and have fun this way. Well, that's not fun for us, so we're trying to figure out what we can do to reject requests from their machines no matter what name they put in. So maybe someone can help me out here.

Here is what I tried:

*radusergroup* (username, groupename, priority)
    all user-names registered Ban Test_User Home 1

*radgroupcheck* (groupname, attribute, op, value)
    Ban Calling-Station-Id == 00:0b:6a:xx:xx:xx
    Ban Reply-Message == You have been banned
    Ban Auth-Type := Reject

*radcheck* (username, attribute, op, value)
    Test_User password == letmein

So far that didn't work at all... I tried changing priority but no matter what I do the user is still authorized to enter the network. I'm sure I did something wrong but I'm not sure what? So maybe someone can help me out? Thanks a lot!
Re: Clear Text PAP passwords - how to enable
user password I guess is same as System?

On Mon, Oct 19, 2009 at 11:49 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> But I still got a small problem: when I run in debug mode I saw this warning. I'm not fully sure what it asks me to do? Any advice on this?
>
> its fairly clear isnt it? the error is written very clearly. follow the advice.
>
>> !!! Please update your configuration so that the known good
>> !!! clear text password is in Cleartext-Password, and not in User-Password.
>
> somewhere in your config you are matching against 'User-Password'. change that attribute to 'Cleartext-Password'
>
> alan
Re: Clear Text PAP passwords - how to enable
ok now since I know where the authorize and authenticate and accounting modules went I feel much better =) But I still got a small problem: when I run in debug mode I saw this warning. I'm not fully sure what it asks me to do? Any advice on this?

++[pap] returns updated
Found Auth-Type = PAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
+- entering group PAP {...}
[pap] login attempt with password
[pap] Using clear text password
[pap] User authenticated successfully
++[pap] returns ok

Thanks a lot for helping!

On Mon, Oct 19, 2009 at 7:03 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> My SQL include and module authorization is enabled in the instantiate section. I'm not 100% sure what virtual servers do in the new radius. I guess you are probably right about the fact that my radius is not accessing SQL to see the users there... so since my Include is enabled I guess I need to figure out what those virtual servers are and how to use them
>
> you need to ensure that 'sql' is listed in the correct section - eg in the authenticate section - see the files and comments in config files.
>
> alan
Re: Clear Text PAP passwords - how to enable
Password is in SQL table radcheck. Also will take a look at that FAQ. I know I had the same problem w/ FR 1.5 and there I just had to take out DEFAULT Auth-Type: system so that we don't look for the system password, but I didn't find anything like that on FR 2.

On Sun, Oct 18, 2009 at 10:43 AM, Ivan Kalik t...@kalik.net wrote:

>> hey all, we keep upgrading FR servers and I got stuck with a problem where I need PAP (I think). Well, I need clear text password and it's not working for my user. When I send a request through NTRadPing w/ CHAP all works well, but when I'm using the device as NAS nothing works :( I hope someone can point me in the right direction. Here is my output:
>
> Where is password supposed to be? It wasn't found in users (files) or system (unix) file.
Re: Clear Text PAP passwords - how to enable
My SQL include and module authorization is enabled in the instantiate section. I'm not 100% sure what virtual servers do in the new radius. I guess you are probably right about the fact that my radius is not accessing SQL to see the users there... so since my Include is enabled I guess I need to figure out what those virtual servers are and how to use them. Tnx for helping!

On Sun, Oct 18, 2009 at 5:04 PM, Ivan Kalik t...@kalik.net wrote:

> Sql is not enabled in 2.x by default. Enable INCLUDE in radiusd.conf and sql entries you need in default virtual server (raddb/sites-enabled/default).
>
> Ivan Kalik
> Kalik Informatika ISP
>
>> Password is in SQL table radcheck. Also will take a look at that FAQ. I know I had the same problem w/ FR 1.5 and there I just had to take out DEFAULT Auth-Type: system so that we don't look for the system password, but I didn't find anything like that on FR 2.
>>
>> On Sun, Oct 18, 2009 at 10:43 AM, Ivan Kalik t...@kalik.net wrote:
>>
>>>> hey all, we keep upgrading FR servers and I got stuck with a problem where I need PAP (I think). Well, I need clear text password and it's not working for my user. When I send a request through NTRadPing w/ CHAP all works well, but when I'm using the device as NAS nothing works :( I hope someone can point me in the right direction. Here is my output:
>>>
>>> Where is password supposed to be? It wasn't found in users (files) or system (unix) file.
Clear Text PAP passwords - how to enable
hey all, we keep upgrading FR servers and I got stuck with a problem where I need PAP (I think). Well, I need clear text password and it's not working for my user. When I send a request through NTRadPing w/ CHAP all works well, but when I'm using the device as NAS nothing works :( I hope someone can point me in the right direction. Here is my output:

rad_recv: Access-Request packet from host XXX.XXX.XXX.11 port 64094, id=152, length=136
    NAS-IP-Address = 192.168.0.112
    NAS-Identifier = XXX.XXX.com
    User-Name = alex
    User-Password = mypass
    Service-Type = Login-User
    NAS-Port-Type = Ethernet
    NAS-Port = 0
    Framed-IP-Address = 192.168.2.254
    Called-Station-Id = 00:0d:b9:XX:XX:XX
    Calling-Station-Id = 00:0e:35:XX:XX:XX
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = alex, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - alex
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 152 to XXX.XXX.XXX.11 port 64094
Waking up in 4.9 seconds.
Cleaning up request 1 ID 152 with timestamp +827
Ready to process requests.
Re: New install does not respond to requests
ok so I added sql in the instantiate section and it started loading the NAS table, as I even saw my NAS ip. Now I'm getting an error on startup that crashes the server:

=
Failed binding to authentication address * port 1812: Address already in use
/usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
=

what could this be?

On Tue, Sep 29, 2009 at 4:33 AM, Ivan Kalik t...@kalik.net wrote:

>> So I don't even see any access to my database at all, I see that SQL config is loaded but no request. Do I have to add any parameters when compiling the code so that we have support of network functionality?
>
> No, but you need to list sql *somewhere* in order for it to be used. If you don't want to use it in AAA (ie. you don't want to use it in virtual servers) list it in instantiate section of radiusd.conf.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: New install does not respond to requests
dude why can't it just say, like all other programs do, that an Instance of the server is already running?

On Tue, Sep 29, 2009 at 12:47 PM, John Dennis jden...@redhat.com wrote:

> On 09/29/2009 12:26 PM, Alex M wrote:
>> ok so I added sql in the instantiate section and it started loading the NAS table, as I even saw my NAS ip. Now I'm getting an error on startup that crashes the server:
>>
>> =
>> Failed binding to authentication address * port 1812: Address already in use
>> /usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
>> =
>>
>> what could this be?
>
> You should be able to diagnose this yourself. Do you know what port 1812 is for? Go look it up and then ask yourself under what circumstances might port 1812 already be in use. Then fix that problem.
>
> --
> John Dennis jden...@redhat.com
New install does not respond to requests
hey all, we just upgraded from 1.x.x to the latest version of FreeRadius. Unfortunately it ain't working :( Well, I see config files have changed dramatically so maybe I did something wrong.

What we did: we installed everything, unquoted the SQL module in radiusd.config, added proper MySQL info.

When I start in -X mode I don't see any errors but half of the log is cut off (I guess output is too long).

When I send a request I'm getting a response that the client is unknown. (I did add nas info in the nas table)

I figure that SQL statements are not executed, but how can I debug that? In sql config I enabled detailed output but it still does not show anything. I guess I'm doing something wrong and I hope I can get some help here? Thanks a lot!
Re: New install does not respond to requests
Ok, readclients was not enabled :( Still, enabling that did not help. (I did restart the server after enabling it ;-) How do I output screen to file? I tried radiusd -X radius_log.txt but that just didn't execute anything :( tnx for helping

On Mon, Sep 28, 2009 at 6:03 PM, Ivan Kalik t...@kalik.net wrote:

>> When I start in -X mode I don't see any errors but half of the log is cut off (I guess output is too long)
>
> So send the output to a file.
>
>> When I send a request I'm getting a response that the client is unknown. (I did add nas info in the nas table)
>
> Did you enable readclients in sql.conf?
>
>> I figure that SQL statements are not executed, but how can I debug that?
>
> radiusd -X. It will show which clients are read from the nas table.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: New install does not respond to requests
So I don't even see any access to my database at all, I see that SQL config is loaded but no request. Do I have to add any parameters when compiling the code so that we have support of network functionality? TNX a lot!

On Mon, Sep 28, 2009 at 7:26 PM, Alex M freerad...@lrcommunications.net wrote:

> tee worked =) tnx
>
> still no luck, not even errors, I mean I got output dump, but there is no trace of requesting MySQL or having an error loading my sql. Below is the output.
>
> PS: I'm not good in linux or freeradius but the only way to become better is try it and ask questions, otherwise I keep sucking =)
>
> FreeRADIUS Version 2.1.7, for host i686-pc-linux-gnu, built on Sep 26 2009 at 17:24:15
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including files in directory /usr/local/etc/raddb/modules/
> including configuration file /usr/local/etc/raddb/modules/acct_unique
> including configuration file /usr/local/etc/raddb/modules/expiration
> including configuration file /usr/local/etc/raddb/modules/krb5
> including configuration file /usr/local/etc/raddb/modules/echo
> including configuration file /usr/local/etc/raddb/modules/otp
> including configuration file /usr/local/etc/raddb/modules/realm
> including configuration file /usr/local/etc/raddb/modules/sradutmp
> including configuration file /usr/local/etc/raddb/modules/digest
> including configuration file /usr/local/etc/raddb/modules/ldap
> including configuration file /usr/local/etc/raddb/modules/chap
> including configuration file /usr/local/etc/raddb/modules/always
> including configuration file /usr/local/etc/raddb/modules/mac2vlan
> including configuration file /usr/local/etc/raddb/modules/expr
> including configuration file /usr/local/etc/raddb/modules/preprocess
> including configuration file /usr/local/etc/raddb/modules/mschap
> including configuration file /usr/local/etc/raddb/modules/policy
> including configuration file /usr/local/etc/raddb/modules/detail.example.com
> including configuration file /usr/local/etc/raddb/modules/detail
> including configuration file /usr/local/etc/raddb/modules/inner-eap
> including configuration file /usr/local/etc/raddb/modules/exec
> including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /usr/local/etc/raddb/modules/mac2ip
> including configuration file /usr/local/etc/raddb/modules/radutmp
> including configuration file /usr/local/etc/raddb/modules/logintime
> including configuration file /usr/local/etc/raddb/modules/smbpasswd
> including configuration file /usr/local/etc/raddb/modules/files
> including configuration file /usr/local/etc/raddb/modules/passwd
> including configuration file /usr/local/etc/raddb/modules/wimax
> including configuration file /usr/local/etc/raddb/modules/sql_log
> including configuration file /usr/local/etc/raddb/modules/pam
> including configuration file /usr/local/etc/raddb/modules/smsotp
> including configuration file /usr/local/etc/raddb/modules/perl
> including configuration file /usr/local/etc/raddb/modules/ippool
> including configuration file /usr/local/etc/raddb/modules/counter
> including configuration file /usr/local/etc/raddb/modules/pap
> including configuration file /usr/local/etc/raddb/modules/unix
> including configuration file /usr/local/etc/raddb/modules/cui
> including configuration file /usr/local/etc/raddb/modules/linelog
> including configuration file /usr/local/etc/raddb/modules/attr_rewrite
> including configuration file /usr/local/etc/raddb/modules/detail.log
> including configuration file /usr/local/etc/raddb/modules/etc_group
> including configuration file /usr/local/etc/raddb/modules/attr_filter
> including configuration file /usr/local/etc/raddb/modules/checkval
> including configuration file /usr/local/etc/raddb/eap.conf
> including configuration file /usr/local/etc/raddb/sql.conf
> including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
> including configuration file /usr/local/etc/raddb/policy.conf
> including files in directory /usr/local/etc/raddb/sites-enabled/
> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
> including dictionary file /usr/local/etc/raddb/dictionary
> main {
>     prefix = /usr/local
>     localstatedir = /usr/local/var
>     logdir = /usr/local/var/log/radius
>     libdir = /usr/local/lib
>     radacctdir = /usr/local/var/log/radius/radacct
Re: Reject user by Calling-Station-Id
will do

here is the thing... I did all that was suggested and tested on my comps and got rejections if my username belongs to the SQL Group that has reject reply, or I was able to block myself by mac address. Well, I just looked at the log and I see that 2 users that are blocked by both mac and username managed to sneak into the network. I personally can't imagine how that happened... what's more, I can't imagine how to debug that. Any recommendations? tnx!

On Sat, Feb 7, 2009 at 10:05 AM, t...@kalik.net wrote:

>> ok well I guess I will do manual replies for each user :( So freeRadius 2.x has taken care of my problem and I actually can use SQL to control everything?
>
> Read man unlang on freeradius site and you will see how much more you can do in 2.x.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Reject user by Calling-Station-Id
yey that seems to work, but still getting one problem. So the comp gets blocked regardless of username, but the Reply-Message from the blocked table is not being displayed. So I have blocked huntgroup name and I have SQL group: Deny_Trial that sends Reply-Message + Reject for all its members (which works fine if i assign user to that group)

Here is my debug:

rad_recv: Access-Request packet from host xxx.147.xxx.xxx:60365, id=125, length=138
	NAS-IP-Address = xxx.147.xxx.xxx
	NAS-Identifier = domain.com
	User-Name = alexus
	User-Password =
	Service-Type = Login-User
	NAS-Port-Type = Ethernet
	NAS-Port = 1
	Framed-IP-Address = 192.168.1.244
	Called-Station-Id = 00:0d:b9:xx:xx:xx
	Calling-Station-Id = 00:0b:6a:xx:xx:xx
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_sql (sql): - sql_groupcmp
radius_xlat: 'alexus'
rlm_sql (sql): sql_set_user escaped user -- 'alexus'
radius_xlat: 'SELECT GroupName FROM usergroup WHERE UserName='alexus''
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT GroupName FROM usergroup WHERE UserName='alexus'
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): - sql_groupcmp finished: User does not belong in group Deny_Trial
No huntgroup access: [alexus] (from client home_segment port 1 cli 00:0b:6a:xx:xx:xx)
modcall[authorize]: module preprocess returns reject for request 2
modcall: leaving group authorize (returns reject) for request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 125 to xxx.147.xxx.xxx port 60365
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 125 with timestamp 498cd334
Nothing to do. Sleeping until we see a request.

2009/1/31 t...@kalik.net

> Here is a trick from the old days:
>
> Create a huntgroup like:
>
> blocked   Calling-Station-Id == whatever
>           SQL-Group == suspend
>
> Where suspend is the group with Auth-Type := Reject in it. That will block him if he is in suspend group or not (only the message in radius.log will be different). It means using huntgroups file and restart for each change to it but if it's only 3 users ...
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 31/1/2009, Alex M freerad...@lrcommunications.net wrote:
>
>> damn, upgrade will be painful for me :( I guess I will try to use other means to block misbehaving users. At least we got only 3 people who try to free ride.
>>
>> thanks for help
>>
>> 2009/1/31 t...@kalik.net
>>
>>> Ah, sql groups don't work properly in 1.x. Upgrade.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> On 31/1/2009, Alex M freerad...@lrcommunications.net wrote:
>>>
>>>> I guess it's different in newer version of radius but in my 1.5 the only table that has PRIO is radgroupreply and there is table radusergroup instead there is a group called usergroup. I'm getting frustrated. :(
>>>>
>>>> On Fri, Jan 30, 2009 at 7:32 PM, t...@kalik.net wrote:
>>>>
>>>>>> Tried that... now i'm getting all users rejected regardless of mac address in the given group :(
>>>>>
>>>>> That shouldn't happen. Post the debug.
>>>>>
>>>>>> How do i set priorities?
>>>>>
>>>>> You have priority field in radusergroup table.
>>>>>
>>>>>> I thought priorities only apply to radreply.
>>>>>
>>>>> There are no priorities in radreply.
>>>>>
>>>>>> Do I have to set fall through?
>>>>>
>>>>> No.
>>>>>
>>>>> Ivan Kalik
>>>>> Kalik Informatika ISP
Re: Reject user by Calling-Station-Id
ok well i guess i will do manual replies for each user :( So freeRadius 2.x has taken care of my problem and I actually can use SQL to control everything?

On Fri, Feb 6, 2009 at 8:07 PM, t...@kalik.net wrote:

>> yey that seems to work, but still getting one problem. So the comp gets blocked regardless of username, but the Reply-Message from the blocked table is not being displayed. So I have blocked huntgroup name and I have SQL group: Deny_Trial that sends Reply-Message + Reject for all its members (which works fine if i assign user to that group)
>
> I am afraid that sql group is just a gimmick. As you have noticed user doesn't have to be a member of it to get rejected. It doesn't even have to exist. It's a trick to get something done, not a proper policy.
>
> You can send replies for individual macs:
>
> DEFAULT Calling-Station-Id == whatever
>         Reply-Message = "Naughty boy"
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Reject user by Calling-Station-Id
damn, upgrade will be painful for me :( I guess I will try to use other means to block misbehaving users. At least we got only 3 people who try to free ride.

thanks for help

2009/1/31 t...@kalik.net

> Ah, sql groups don't work properly in 1.x. Upgrade.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 31/1/2009, Alex M freerad...@lrcommunications.net wrote:
>
>> I guess it's different in newer version of radius but in my 1.5 the only table that has PRIO is radgroupreply and there is table radusergroup instead there is a group called usergroup. I'm getting frustrated. :(
>>
>> On Fri, Jan 30, 2009 at 7:32 PM, t...@kalik.net wrote:
>>
>>>> Tried that... now i'm getting all users rejected regardless of mac address in the given group :(
>>>
>>> That shouldn't happen. Post the debug.
>>>
>>>> How do i set priorities?
>>>
>>> You have priority field in radusergroup table.
>>>
>>>> I thought priorities only apply to radreply.
>>>
>>> There are no priorities in radreply.
>>>
>>>> Do I have to set fall through?
>>>
>>> No.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
Re: reply message to rejected users
well i found that option in my config file but I can't find documentation in man :(

How do I implement with MySQL?

Thanks for help!

On Fri, Jan 30, 2009 at 5:05 AM, Alan DeKok al...@deployingradius.com wrote:

> Alex M wrote:
>> i'm trying to display reply message to users whose passwords get rejected. so I set up the group and added my test user there. then i went to groupreply table and added reply message there. Now when I do my testing, if password is ok the message is displayed BUT if password is incorrect the message is not displayed.
>
> Read raddb/sites-available/default. Look in the post-auth section for the Post-Auth-Type Reject subsection.
>
> Alan DeKok.
Re: Reject user by Calling-Station-Id
Hi

i just tried to add following (as advised) into my radcheck table in MySQL:

UserName: DEFAULT
Attribute: Calling-Station-Id
op: ==
Value: 00:0b:6a:xx:xx:xx, Auth-Type := Reject

And it did not work, guess I just can not add value with operator in it, but still how can i reject user based on their mac address with MySQL only setup. I would assume if i do the same in users table on the server then it should work? But I prefer MySQL management

Please help me out

Thanks a lot!

On Tue, Jan 20, 2009 at 8:34 PM, t...@kalik.net wrote:

>> I'm using MySQL to store all configs. I want to reject some computers by their MAC address (Calling-Station-Id) Ex: one user keeps creating new usernames to avoid administrative actions, so I got bored playing tom and jerry with him and I just want to ban his MAC address regardless of what username he/she would use. I hope that is doable. Could some one point me in right direction here?
>
> DEFAULT Calling-Station-Id == whatever, Auth-Type := Reject
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Reject user by Calling-Station-Id
Tried that... now i'm getting all users rejected regardless of mac address in the given group :(

How do i set priorities? I thought priorities only apply to radreply. Do I have to set fall through? Or maybe i did something wrong?

On Fri, Jan 30, 2009 at 5:45 PM, t...@kalik.net wrote:

>> Hi i just tried to add following (as advised) into my radcheck table in MySQL:
>>
>> UserName: DEFAULT
>> Attribute: Calling-Station-Id
>> op: ==
>> Value: 00:0b:6a:xx:xx:xx, Auth-Type := Reject
>>
>> And it did not work, guess I just can not add value with operator in it, but still how can i reject user based on their mac address with MySQL only setup. I would assume if i do the same in users table on the server then it should work? But I prefer MySQL management
>
> OK, use groups then. For group ban put:
>
> Calling-Station-Id == 00:0b:6a:xx:xx:xx
>
> and
>
> Auth-Type := Reject
>
> in radgroupcheck table
>
> you can also add
>
> Reply-Message = Oh, no, you won't!
>
> in radgroupreply (I see you are asking about reply message for rejected users as well)
>
> add all users to group ban with low priority.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Reject user by Calling-Station-Id
I guess it's different in newer version of radius but in my 1.5 the only table that has PRIO is radgroupreply and there is table radusergroup instead there is a group called usergroup.

I'm getting frustrated. :(

On Fri, Jan 30, 2009 at 7:32 PM, t...@kalik.net wrote:

>> Tried that... now i'm getting all users rejected regardless of mac address in the given group :(
>
> That shouldn't happen. Post the debug.
>
>> How do i set priorities?
>
> You have priority field in radusergroup table.
>
>> I thought priorities only apply to radreply.
>
> There are no priorities in radreply.
>
>> Do I have to set fall through?
>
> No.
>
> Ivan Kalik
> Kalik Informatika ISP
reply message to rejected users
i'm trying to display reply message to users whose passwords get rejected. so I set up the group and added my test user there. then i went to groupreply table and added reply message there. Now when I do my testing, if password is ok the message is displayed BUT if password is incorrect the message is not displayed.

I'm sure i did something wrong. So the question is: how do i display message to the user if their username gets rejected for any reason?

thanks for help!
allow Clear Text passwords
Hey all,

My NAS sends only clear text passwords and freeRadius seems to expect CHAP passwords instead... How can I configure FR to accept clear text passwords?

Thanks a lot!

PS: My current default auth-type = system... i tried local but that did not help :(
Re: allow Clear Text passwords
ok here is the debug info.

Note: there is an SQL error which is not a problem... that's bug in mysql so it will only open connection from second request.

also when i use the same combination under radius ping with CHAP all works good but w/o chap nothing works

rad_recv: Access-Request packet from host xxx.147.xxx.xxx:61750, id=154, length=138
	NAS-IP-Address = xxx.147.xxx.xxx
	NAS-Identifier = 51.wireless.com
	User-Name = homepc
	User-Password = test
	Service-Type = Login-User
	NAS-Port-Type = Ethernet
	NAS-Port = 1
	Framed-IP-Address = 192.168.1.244
	Called-Station-Id = 00:0d:b9:xx:xx:xx
	Calling-Station-Id = 00:0b:6a:xx:xx:xx
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = homepc, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module files returns ok for request 0
radius_xlat: 'homepc'
rlm_sql (sql): sql_set_user escaped user -- 'homepc'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'homepc' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'homepc' ORDER BY id
rlm_sql_mysql: MYSQL check_error: 2013, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'homepc' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'homepc' ORDER BY id'
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'homepc' ORDER BY id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 154 to 24.47.133.215 port 61750
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 154 with timestamp 497e16b5
Nothing to do. Sleeping until we see a request.
Re: allow Clear Text passwords
I'm using 1.5 (for some reason could not install 2.x)

Ok let me see if i can enable PAP

On Mon, Jan 26, 2009 at 3:20 PM, t...@kalik.net wrote:

>> ok here is the debug info. Note: there is an SQL error which is not a problem... that's bug in mysql so it will only open connection from second request. also when i use the same combination under radius ping with CHAP all works good but w/o chap nothing works
>
> What freeradius version is this? It looks old.
>
>> ..
>> modcall[authorize]: module preprocess returns ok for request 0
>> modcall[authorize]: module chap returns noop for request 0
>> modcall[authorize]: module mschap returns noop for request 0
>> ..
>> modcall[authorize]: module suffix returns noop for request 0
>> ..
>> modcall[authorize]: module eap returns noop for request 0
>> users: Matched entry DEFAULT at line 153
>> modcall[authorize]: module files returns ok for request 0
>
> You have been told to remove Auth-Type System. It's still there.
>
>> ..
>> modcall[authorize]: module sql returns ok for request 0
>> modcall: leaving group authorize (returns ok) for request 0
>
> pap is not listed in authorize (this *is* a pap request). List it last.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: allow Clear Text passwords
secret is incorrect.)
Server rejecting request 2.
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 145 with timestamp 497e2a40
Nothing to do. Sleeping until we see a request.

On Mon, Jan 26, 2009 at 3:59 PM, Alex M freerad...@lrcommunications.net wrote:

> I'm using 1.5 (for some reason could not install 2.x)
>
> Ok let me see if i can enable PAP
>
> On Mon, Jan 26, 2009 at 3:20 PM, t...@kalik.net wrote:
>
>>> ok here is the debug info. Note: there is an SQL error which is not a problem... that's bug in mysql so it will only open connection from second request. also when i use the same combination under radius ping with CHAP all works good but w/o chap nothing works
>>
>> What freeradius version is this? It looks old.
>>
>>> ..
>>> modcall[authorize]: module preprocess returns ok for request 0
>>> modcall[authorize]: module chap returns noop for request 0
>>> modcall[authorize]: module mschap returns noop for request 0
>>> ..
>>> modcall[authorize]: module suffix returns noop for request 0
>>> ..
>>> modcall[authorize]: module eap returns noop for request 0
>>> users: Matched entry DEFAULT at line 153
>>> modcall[authorize]: module files returns ok for request 0
>>
>> You have been told to remove Auth-Type System. It's still there.
>>
>>> ..
>>> modcall[authorize]: module sql returns ok for request 0
>>> modcall: leaving group authorize (returns ok) for request 0
>>
>> pap is not listed in authorize (this *is* a pap request). List it last.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
Re: allow Clear Text passwords
wow how's that possible? 8)

My nas has 2 RADIUS servers support, both fields are pointing to the same location w/ same shared secret :(

I will try to reboot NAS and radius, maybe that would help

On Mon, Jan 26, 2009 at 6:39 PM, t...@kalik.net wrote:

>> ok I removed the line from users stating that auth-type=system and that helped w/ authentication of the user... still have small problem... under the same conditions I get problem w. accounting stating that my shared secret is incorrect so accounting record is not accepted ... I don't get it completely, especially after user went through successfully. I double checked my shared secret and it is ok.
>
> It looks like your radius client has two shared secrets (probably two server settings as well) - one for authentication and one for accounting. One for authentication is OK, one for accounting - isn't.
>
> Ivan Kalik
> Kalik Informatika ISP
Reject user by Calling-Station-Id
Hi,

I'm using MySQL to store all configs. I want to reject some computers by their MAC address (Calling-Station-Id)

Ex: one user keeps creating new usernames to avoid administrative actions, so I got bored playing tom and jerry with him and I just want to ban his MAC address regardless of what username he/she would use.

I hope that is doable. Could some one point me in right direction here?

Thanks a lot!
Prepaid Cards Setup
Hey all,

I think it was asked once but I can't find anything in archives. How can I set up prepaid cards scenario? Basically I want to allow my users to get access let's say for 30 min in total and then I also want to have expiration date on the account.

Can someone help me on setting this thing up? Is there any module that I have to install?

Tnx for help!
RE: Prepaid Cards Setup
Ok thanks!

-----Original Message-----
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Ivan Kalik
Sent: Friday, March 28, 2008 5:50 PM
To: FreeRadius users mailing list
Subject: Re: Prepaid Cards Setup

expiration date - Expiration attribute
time limiting - counter or sqlcounter; examples in radiusd.conf and Wiki

Ivan Kalik
Kalik Informatika ISP

On 28/3/2008, Alex M [EMAIL PROTECTED] wrote:

> Hey all,
>
> I think it was asked once but I can't find anything in archives. How can I set up prepaid cards scenario? Basically I want to allow my users to get access let's say for 30 min in total and then I also want to have expiration date on the account.
>
> Can someone help me on setting this thing up? Is there any module that I have to install?
>
> Tnx for help!
RE: A good Open Source Billing Program For Freeradius?
Ok fine will make it for free; just cover the cost of all our T1 lines for us.

-----Original Message-----
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Donny Jekels
Sent: Sunday, March 23, 2008 1:55 AM
To: FreeRadius users mailing list
Subject: Re: A good Open Source Billing Program For Freeradius?

Internet should be free

On 3/21/08, Lance Buttars [EMAIL PROTECTED] wrote:
> I need to setup a hotspot with billing capabilities and was wondering if anyone had some recommendations.

--
Sent from Gmail for mobile | mobile.google.com
RE: Technical support
Well, it's not the question of money, it's more question of my time and finding 2-3 unused machines that I can use for the test then.

-----Original Message-----
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
Sent: Wednesday, April 18, 2007 12:21 AM
To: FreeRadius users mailing list
Subject: Re: Technical support

step 1 for me is to get radius to auth against ADS via ldap (I got ntlm working fine). Unfortunately because this job is contracted by the govt it has to be done their specific way every step which means freeradius HAS TO auth against a 2003 ADS via LDAP.

Unfortunately I cannot give out access to my work test pc's due to security restrictions out of my control (I could but then I'd be in trouble).

What would your asking price be for a working FR 1.1.6 config that can auth against 2003 ADS using LDAP.

Regarding VLANS, I need users with a GID of students to be put onto vlan2 and users with GID staff to be put onto vlan3

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:

> Well we are in New York. So the only way we can help you is to do SSH. Technically LDAP should work straight forward, unless your DC does not want to accept connections from remote PC and especially Linux. We don't use Windows in our company any more, but I can set up DC and see if my radius can access it and then just send you config file.
>
> As to VLANS, I'm not sure what you're looking for, if you wanna do something like separation of Ethernet channels for Ethernet service provider then it should be done by your NAS if that is supported. I would assume your NAS should be listening for some custom attribute to assign vlan tag to specific user group.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
> Sent: Tuesday, April 17, 2007 10:52 PM
> To: FreeRadius users mailing list
> Subject: Re: Technical support
>
> I am in Western Australia, Perth.
>
> Currently having major issues with ldap authentication (done correctly as far as I can tell but I don't get replies from forums / mailing groups) and once that is sorted I need to figure out vlan assignment based on ou or group.
>
> On 4/18/07, Alex M [EMAIL PROTECTED] wrote:
>
>> What's your location?
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
>> Sent: Tuesday, April 17, 2007 10:25 PM
>> To: FreeRadius users mailing list
>> Subject: Technical support
>>
>> Hello, I'm looking for a company that can provide professional level of technical support. If anyone here can recommend one I would appreciate it.
>>
>> I am after technical support, due to lack of good documentation on the freeradius project. Most of the stuff I need done has only incomplete docs.
RE: Technical support
What's your location?

-----Original Message-----
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:25 PM
To: FreeRadius users mailing list
Subject: Technical support

Hello, I'm looking for a company that can provide professional level of technical support. If anyone here can recommend one I would appreciate it.

I am after technical support, due to lack of good documentation on the freeradius project. Most of the stuff I need done has only incomplete docs.
RE: Technical support
Well we are in New York. So the only way we can help you is to do SSH. Technically LDAP should work straight forward, unless your DC does not want to accept connections from remote PC and especially Linux. We don't use Windows in our company any more, but I can set up DC and see if my radius can access it and then just send you config file.

As to VLANS, I'm not sure what you're looking for, if you wanna do something like separation of Ethernet channels for Ethernet service provider then it should be done by your NAS if that is supported. I would assume your NAS should be listening for some custom attribute to assign vlan tag to specific user group.

-----Original Message-----
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:52 PM
To: FreeRadius users mailing list
Subject: Re: Technical support

I am in Western Australia, Perth.

Currently having major issues with ldap authentication (done correctly as far as I can tell but I don't get replies from forums / mailing groups) and once that is sorted I need to figure out vlan assignment based on ou or group.

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:

> What's your location?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jacob Jarick
> Sent: Tuesday, April 17, 2007 10:25 PM
> To: FreeRadius users mailing list
> Subject: Technical support
>
> Hello, I'm looking for a company that can provide professional level of technical support. If anyone here can recommend one I would appreciate it.
>
> I am after technical support, due to lack of good documentation on the freeradius project. Most of the stuff I need done has only incomplete docs.
RE: O'Reillys Radius Book - Worth buying
Yea, after reading that book I was barely able to install the FR. I would say it tells you more about radius protocol than actual FR

-----Original Message-----
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Thor Spruyt
Sent: Monday, April 16, 2007 5:06 PM
To: FreeRadius users mailing list
Subject: Re: O'Reillys Radius Book - Worth buying

Alan DeKok wrote:
> If you're familiar with RADIUS, it will contain little useful information.

I can confirm this. I was pretty disappointed about the value of the book when I bought it 3 years ago. It doesn't go in depth into anything.

Thor.
RE: online users
Be careful with just SQL Count (*)

Sometimes NASes terminate local session without radius session termination (ex: nas was powered off), in this case you may have some users who are technically logged in but that is not true!

To avoid that you can select all users in the interval between Current time and CurrentTime-X (where X is your Idle logout time)

This one is still not 100% accurate but it will trim off all old garbage.

-----Original Message-----
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 13, 2007 2:28 PM
To: FreeRadius users mailing list
Subject: Re: online users

SELECT COUNT(*) FROM radacct WHERE AcctStopTime=0

That will give you the number of currently logged in users (according to the database).

Ivan Kalik
Kalik Informatika ISP

On 13/4/2007, Mordor Networks [EMAIL PROTECTED] wrote:

> i want to know how many users are logged in mysql database/radius but it only shows the number of users in my database, for example it says 61 logged out and 0 login
>
> so here is the problem
>
> //login users from//
> $login_users = ;
>
> what do i have to write here? which table do i have to query? how can i fix that?
>
> if i change the number from 0 to 1 it shows me one user online so there must be a way to fix it?
>
> here's the code :
>
> <?php
> include ("include/Artichow/class/jpgraph.php");
> include ("include/Artichow/class/jpgraph_pie.php");
> include ("include/Artichow/class/jpgraph_pie3d.php");
> include_once ("class/Oreon.class.php");
> include_once ("phpradmin.conf.php");
>
> $oreon_db = new OreonDatabase($conf_pra["host"], $conf_pra["user"], $conf_pra["password"], $conf_pra["db"]);
> $table = "userinfo"; // this one is valid
> $total_users_in_db = $oreon_db->getTotalRowsInTable($table);
> //$total_users_in_db = 500;
>
> //login users from DB (SELECT COUNT(*) FROM radacct??;)
> $login_users = ;
>
> //logoff users total_users_in_db - login_users
> $logoff_users = ($total_users_in_db - $login_users);
>
> //percent
> $percent_login = ($login_users * 100 / $total_users_in_db);
> $percent_logoff = ( 100 - $percent_login );
> $data = array($percent_login,$percent_logoff);
> //$data = array(12,88);
>
> $graph = new PieGraph(350,170,"auto");
> $graph->SetShadow();
> //$graph->title->Set(" $lang['pra_total_users_in_db']: $total_users_in_db");
> $graph->title->Set("Total users in Data Base: $total_users_in_db");
> $graph->title->SetFont(FF_FONT1,FS_BOLD);
>
> $p1 = new PiePlot3D($data);
> $p1->ExplodeSlice( 1);
> $p1->SetLabelType( PIE_VALUE_ABS);
> $p1->SetSize(0.40);
> $p1->SetCenter(0.33);
> $p1->SetSliceColors(array('green','blue'));
> $p1->setLegends(array(
>   "LogIN Users: $login_users",
>   "LogOUT Users: $logoff_users",
> ));
> $graph->Add($p1);
> $graph->Stroke();
> ?>
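The difference between the plain `AcctStopTime=0` count and the trimmed count described in the reply above, as an added example that is not part of the original thread. It runs against an in-memory SQLite table with constructed rows and epoch-second timestamps (the real radacct table stores date-times), and it assumes the "last heard from" time of a session is AcctStartTime + AcctSessionTime as refreshed by interim accounting updates; the 900-second idle timeout is also an assumption.

```python
import sqlite3

IDLE_TIMEOUT = 900       # X: idle-logout time on the NAS, in seconds (assumed)
NOW = 1176480000         # constructed "current time" in epoch seconds

# Constructed rows: (UserName, AcctStartTime, AcctSessionTime, AcctStopTime)
ROWS = [
    ("alice", NOW - 600, 540, 0),             # open, updated 60 s ago
    ("bob", NOW - 3 * 86400, 1200, 0),        # open, NAS lost power days ago
    ("carol", NOW - 7200, 3600, NOW - 3600),  # closed normally
    ("dave", NOW - 100, 0, 0),                # just started, no update yet
]


def build_demo_db(rows=ROWS):
    """Create an in-memory table with the radacct columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, "
        "AcctSessionTime INTEGER, AcctStopTime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return conn


def count_open(conn):
    """Sessions with no stop record: the plain count from the thread."""
    sql = "SELECT COUNT(*) FROM radacct WHERE AcctStopTime = 0"
    return conn.execute(sql).fetchone()[0]


def count_online(conn, now, idle_timeout):
    """Open sessions heard from within the last idle_timeout seconds."""
    sql = (
        "SELECT COUNT(*) FROM radacct "
        "WHERE AcctStopTime = 0 AND AcctStartTime + AcctSessionTime >= ?"
    )
    return conn.execute(sql, (now - idle_timeout,)).fetchone()[0]


def stale_sessions(conn, now, idle_timeout):
    """Users whose open session has been silent longer than idle_timeout."""
    sql = (
        "SELECT UserName FROM radacct "
        "WHERE AcctStopTime = 0 AND AcctStartTime + AcctSessionTime < ? "
        "ORDER BY UserName"
    )
    return [row[0] for row in conn.execute(sql, (now - idle_timeout,))]


if __name__ == "__main__":
    db = build_demo_db()
    print("open sessions:", count_open(db))
    print("online within idle window:", count_online(db, NOW, IDLE_TIMEOUT))
    print("stale:", stale_sessions(db, NOW, IDLE_TIMEOUT))
```

If the NAS sends no interim updates, AcctSessionTime stays at its initial value and every long-lived session looks stale, so the cutoff only works as intended with interim accounting enabled.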
RE: [m0n0wall] Captive Portal and Radius
Are we talking about M0n0 as a NAS here? If yes, why not mod the boxy to do internal counting of the section and then talk to the radius with final data?

-----Original Message-----
From: YvesDM [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 09, 2007 11:37 AM
To: Peter Boosten
Cc: m0n0wall@lists.m0n0.ch
Subject: Re: [m0n0wall] Captive Portal and Radius

On 4/9/07, Peter Boosten [EMAIL PROTECTED] wrote:

YvesDM wrote:

When you use radius you can specify max-daily-session through sqlcounter.

Yves, thanks for your answer, although it doesn't answer my question. Again: I defined a max-daily-session. Works like charm. But I don't want him to use this max-daily-session in one run. I would like him to take some breaks (say every two hours), so I defined a Session-Timeout of 7200 seconds. But nothing prevents him from logging in just after the Session-Timeout expired. So I would like to know if there's some parameter that defines the minimum time between two sessions.

I see, sorry I missed that part. If I need to do this I usually use a linux firewall and change the iptables rules through cron. There are firewall distros with ready to use examples for this, but of course they are off-topic on this list and I don't know if you actually want to use them at all. If you want more info on this you can e-mail me off list, no problem.

But I think setting up a radius server is a little overkill when it's only to control your son's internet use.

Let the ethics be my worry. It has proven its use already (we're talking internet addiction here...).

Sounds familiar ;-) Just thinking, can't you add/delete a check item to radcheck through some script? Expiration attribute or something? Let the script set/delete a (passed by) expiration date in radcheck. When the attribute is there he won't be able to login cause his account will be expired, when the attribute is not there, he can login :-) Something like this:

    mysql> select * from radcheck where `UserName` = 'hombrouckxeli';
    +-----+---------------+---------------+----+---------------+
    | id  | UserName      | Attribute     | op | Value         |
    +-----+---------------+---------------+----+---------------+
    | 359 | hombrouckxeli | User-Password | := | masked        |
    | 360 | hombrouckxeli | Expiration    | := | 01 april 2007 |
    +-----+---------------+---------------+----+---------------+
    2 rows in set (0.00 sec)

    mysql>

Kind regards
Yves
RE: PHP coding request - give me a price
Easy project, really just an SQL, but damn $75, I spend more on Taxi each day...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gaddis, Jeremy L.
Sent: Monday, January 08, 2007 2:03 AM
To: FreeRadius users mailing list
Subject: Re: PHP coding request - give me a price

Sorry, Cory, I just realized you were in .au. I'm not able to make an international call from my current location. Please see inline comments below, however, as I want to make sure I am understanding things correctly.

On 1/8/07, Cory Robson [EMAIL PROTECTED] wrote:

I have an mysql backend from my accounting program that contains all my user details.

This is a home-grown system that is completely independent of the FreeRADIUS database, correct? I'm assuming that your users are added to this database either manually by you (or others) or automatically by your sign-up system. This database should also contain all the information that I would need to get the users added into FreeRADIUS successfully (e.g. username/password details, etc.).

I need a php script that I can run from cron that will:
Import all new users into freeradius that aren't already in its mysql db.
If the user is already in the freeradius db then see if any information is changed and update it.
If the user is no longer in my mysql accounting system then also either remove it from freeradius or expire the user.

You want to keep the databases in synch in both directions, correct?

I have the sql select statement for my mysql accounting system with the relevant information. Anyone able to do this at a reasonable price then drop me an email. thanks

This should be relatively straightforward and could be knocked out pretty easily. There are a few things I would need from you in order to complete this project: the schema of the database of your accounting system; an example row from this database; and the schema of the FreeRADIUS *if* you've modified it any from the default schema.

As for price, assuming the complete scope of the project is as described above, I am offering to complete this project for you for $75.00 USD and can commit to having it completed by the end of this Friday -- it would likely be much sooner, but I prefer to allow myself plenty of time as often times other things seem to magically come up. Please let me know if you're interested or would like to discuss further.

Thanks,
-j
--
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/
RE: DEFAULT access-reject Reply-Message
Ok, I will try to play around with that although I'm feeling that I have no idea what I'm doing. Thanks anyway!

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Garber, Neal
Sent: Monday, December 04, 2006 3:23 PM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message

In your code, $RAD_REQUEST{'Module-Failure-Message'} what that variable mean?

It means look in the RAD_REQUEST hash for key named 'Module-Failure-Message'. RAD_REQUEST, RAD_CHECK and RAD_REPLY are hashes that rlm_perl creates that contain the request, check and reply attributes respectively. For single-value attributes, you can test the value by referring to the hash name and key name (as above). If the attribute has multiple values, then value for the requested key is an array.

Is there any doc on how to write scripts for radius?

FR comes with example.pl which is a sample perl script that can be called by the rlm_perl module. You can also find documentation for rlm_perl at the wiki: http://wiki.freeradius.org/Rlm_perl (the doc. says RAD_CONFIG is a hash that is created, but I believe the code to support that was only recently added..)
RE: DEFAULT access-reject Reply-Message
Ok I got the idea how to initiate the script on reject event, but what should go in post_auth_reject.pl? I have absolutely no experience with Perl. I probably would be able to figure out something but not sure how. I assume I would listen to something like if username exist, if username exist and password incorrect. Still I have no idea how to do this :-(

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Garber, Neal
Sent: Friday, December 01, 2006 10:40 AM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message

How can I add default Reply-Message to the situation where Access-Reject was sent because of incorrect password? I looked at the user's file but it seems that I have no way to determine if access-accept or reject was sent. it only has example how to send the message to a reject group.

If you're using LDAP, it already creates a Module-Failure-Message request attribute upon failure. Also, I submitted bug 398 which Alan incorporated into CVS head to provide the same functionality for MS-CHAP (I assume this will be in FR 1.1.4). You could execute a Perl script in a reject section of post_auth that looks for this request attribute and, if found, set the Reply-Message reply attribute. If you're using a different authentication method, it may be possible to change the code to accomplish what you want.

As someone else pointed out, it's not a good idea to tell someone they entered the wrong password as it makes brute-force password attacks easier (because you're telling them the userid is valid). I believe ntlm_auth gives a generic (invalid userid or password) response to a bad password. If the response you see is too specific, you may want to obfuscate it..

Here's an example of what you would put in radiusd.conf (this assumes you have a sub in your perl script called post_auth_reject):

    modules {
        . . .
        perl set_reject_message {
            module = /usr/local/etc/raddb/set_reject_message.pl
            func_post_auth = post_auth_reject
        }
        . . .
    }
    . . .
    post-auth {
        Post-Auth-Type REJECT {
            set_reject_message
        }
    }
RE: DEFAULT access-reject Reply-Message
Well I know BASH, PHP, MS VB, Java, Pascal, and Assembler. I'm sure if I look at brief docs on Perl I'll get it. In your code, $RAD_REQUEST{'Module-Failure-Message'} what that variable mean? Is there any doc on how to write scripts for radius? As to Windows that doesn't read reply message, I don't care, we will never use windows, only Linux.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Garber, Neal
Sent: Friday, December 01, 2006 2:30 PM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message

Ok I got the idea how to initiate the script on reject event, but what should go in post_auth_reject.pl? I have absolutely no experience with Perl. I probably would be able to figure out something but not sure how. I assume I would listen to something like if username exist, if username exist and password incorrect. Still I have no idea how to do this :-(

I don't have enough time or patience to teach you perl via E-mail. Do you know other scripting languages? Have you ever done any script programming? If not, I would suggest you find someone in your organization that has the appropriate experience.

Here is an excerpt of perl code to check for the existence of the Module-Failure-Message request attribute and if it exists will set the Reply-Message reply attribute..

    # Hashes filled in by rlm_perl and the return code, declared as in the
    # example.pl shipped with FreeRADIUS
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    use constant RLM_MODULE_OK => 2;

    sub post_auth_reject {
        # Copy the module's failure text into the reply only when one was set
        if (defined($RAD_REQUEST{'Module-Failure-Message'})) {
            $RAD_REPLY{'Reply-Message'} = $RAD_REQUEST{'Module-Failure-Message'};
        }
        return RLM_MODULE_OK;
    }

Since I don't know exactly what you want to do this probably doesn't exactly match your requirements. Also, as someone else pointed out, many clients ignore the Reply-Message attribute (e.g., windows supplicant) so this could all be a waste of time.
Slow Access-Reject if password is INVALID
Hi,

For some reason I'm getting a slow response of Access-Reject when a user uses wrong passwords. I'm using MySQL and first I thought that the delay is due to the db, but if the user password is ok I'm getting Access-Accept in 1.9ms. Whereas if the user pass is incorrect I'm getting Access-Reject only after 1 minute. And if I run radius in debug mode I'm getting the system message that the password is invalid in like 2ms, and only after 4000ms I'm getting the Access-Reject on the screen.

Any ideas how to fix that?

Thanks!
DEFAULT access-reject Reply-Message
Hi,

How can I add default Reply-Message to the situation where Access-Reject was sent because of incorrect password? I looked at the user's file but it seems that I have no way to determine if access-accept or reject was sent. It only has example how to send the message to a reject group.

Thanks!
RE: New PHP for interface
What type of operations are u using? Local only w/ direct access to FR or remote w/ only configs of BD?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of JasonN
Sent: Friday, April 28, 2006 3:01 PM
To: FreeRadius users mailing list
Subject: New PHP for interface

I have a set of new code for the PHP web-based interface to control users, specifically in relation to the MySQL and FreeRADIUS combo. These features are complete:

add user[s]
remove user[s]
disable user[s]
check user[s] password

It is however clean PHP with straightforward readable code and is PHP4/5 compliant. Anyone interested in working on this new approach, please let me know. It's simple, nothing fancy, no frames, etc. in the HTML. And, it already works for the basic necessary features. I would like to see a few people code up some additional features. It works right now, as is, for most ISP needs.

--
Please address your interest directly to me: [EMAIL PROTECTED], so you don't get filtered to my FreeRADIUS box. You'll get quicker attention, since I don't read this list every day.
--
Jason A. Nunnelley
http://www.jasonn.com/
Accounting Module does not recognize shared secret
Hi,

I just found out that I'm getting an error in the accounting module. It says that the shared secret is incorrect, but it was working fine for more than a week. Also I'm using a DNS name in the NAS Name field instead of an IP address. Why am I getting this error?

Here is the error message?

    rad_recv: Accounting-Request packet from host 192.168.0.10:61296, id=39, length=143
    Received Accounting-Request packet from 192.168.0.10 with invalid signature! (Shared secret is incorrect.)
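What the "invalid signature" check in that error message computes, as an added example that is not FreeRADIUS code or part of the original post. It follows RFC 2866, where the Accounting-Request authenticator is an MD5 over the packet and the shared secret, and it models the server choosing the secret by the packet's source address; the client table, secrets and attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def acct_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attrs, secret):
    """What the NAS sends: header, authenticator, attributes."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + acct_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret) + attrs


def check_accounting_request(packet, secret):
    """Return 'ok' or the reason a server would drop the packet."""
    if len(packet) < 20:
        return "too short"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        return "not an Accounting-Request"
    if length < 20 or length > len(packet):
        return "bad length"
    expected = acct_authenticator(code, ident, packet[20:length], secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return "invalid signature"   # secret mismatch or packet altered in transit
    return "ok"


def receive(source_ip, packet, clients):
    """The secret is looked up by the address the packet arrived from."""
    secret = clients.get(source_ip)
    if secret is None:
        return "unknown client"
    return check_accounting_request(packet, secret)


# Constructed sample: an Accounting Start for one session.
SAMPLE_ATTRS = (
    attr(1, b"alice")                      # User-Name
    + attr(4, bytes([192, 168, 0, 10]))    # NAS-IP-Address
    + attr(40, struct.pack("!I", 1))       # Acct-Status-Type = Start
    + attr(44, b"0000002A")                # Acct-Session-Id
)

if __name__ == "__main__":
    clients = {"192.168.0.10": b"secret-on-server"}   # constructed client table
    good = build_accounting_request(39, SAMPLE_ATTRS, b"secret-on-server")
    bad = build_accounting_request(39, SAMPLE_ATTRS, b"secret-on-nas")
    print(receive("192.168.0.10", good, clients))   # ok
    print(receive("192.168.0.10", bad, clients))    # invalid signature
    print(receive("192.168.0.99", good, clients))   # unknown client
```

Because the authenticator covers every attribute, the same result appears whether the two sides hold different secrets or the packet was modified on the way.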
RE: RADIUS stops responding after a while
What do you mean by "Have it do nothing more than log data"? And how would I do that?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Saturday, April 08, 2006 1:24 PM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while

Alex M [EMAIL PROTECTED] wrote:

I'm using MySQL 4.1.7 and it is located on remote server (not even on the same subnet as the radius)

I have seen it before where a firewall drops state, and it looks like the SQL server is down. New connections go through fine, but old connections are dead. One way to test this would be to edit rlm_sql so that it opens a new connection to the SQL server for *every* request. That would be slower than what it does now, but it might work.

I would also suggest putting a test SQL server on the same subnet as the RADIUS server. Have it do nothing more than log data, and if connections to it are OK, the problem is most likely the firewall.

Alan DeKok.
RE: RADIUS stops responding after a while
Ok, will do that and post back with results. Thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Saturday, April 08, 2006 3:54 PM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while

Alex M [EMAIL PROTECTED] wrote:

What do you mean by "Have it do nothing more than log data"? And how would I do that?

You can configure the SQL module in either the authorize section, where it will affect user authentication, or in the accounting section, where it won't affect anything.

Alan DeKok.
radaccounting, what does octets mean?
In accounting, what does an octet mean? Thanks!
RE: RADIUS stops responding after a while
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Friday, April 07, 2006 1:53 AM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while

Alex M [EMAIL PROTECTED] wrote:

I've just went to my radius server and found out that it doesn't want to handle requests.. I restarted it in debug and it told me that SQL module is unknown.

= Who edited the config file since the last time the server started?

I've edited the script long time ago, but haven't changed anything before the freeze.

So does any one knows what could cause such a behavior (not accepting requests, due to module malfunction) and more importantly is there any way to monitor the server functionality? Let's say something like send testing request each 30min or something and if server doesn't reply send email notification?

= It should be trivial to write a shell script to do that.

I think I will do that in php.

Alan DeKok.
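A health probe of the kind discussed in this thread, as an added example that is not code from any poster or from the FreeRADIUS project. It sends one Access-Request for a dedicated test account, verifies the Response Authenticator so a spoofed or mis-keyed reply is not counted as healthy, and reports a status a scheduler can alert on; the address, secret and account in the demo are hypothetical.

```python
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_password(password, secret, req_auth):
    """Hide User-Password as in RFC 2865 section 5.2 (chained MD5 XOR)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident, req_auth, username, password, secret):
    """Access-Request with User-Name, User-Password and Message-Authenticator."""
    attrs = attr(1, username) + attr(2, encode_password(password, secret, req_auth))
    mac_at = 20 + len(attrs) + 2        # offset of the 16-byte HMAC value
    attrs += attr(80, b"\x00" * 16)     # Message-Authenticator, zeroed while signing
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:mac_at] + mac + packet[mac_at + 16:]


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def classify_reply(reply, ident, req_auth, secret):
    """Map a raw reply to 'accept', 'reject', 'bad-authenticator' or 'malformed'."""
    if len(reply) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length < 20 or length > len(reply):
        return "malformed"
    expected = response_authenticator(code, rid, req_auth, reply[20:length], secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return "bad-authenticator"      # wrong shared secret or a spoofed reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "malformed")


def probe(host, port, secret, username, password, timeout=3.0):
    """Send one request; 'no-reply' means nothing came back within the timeout."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, req_auth, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:                 # includes socket.timeout
            return "no-reply"
    return classify_reply(reply, ident, req_auth, secret)


if __name__ == "__main__":
    # Hypothetical values: server address, shared secret and test account.
    status = probe("127.0.0.1", 1812, b"testing123", b"monitor", b"monitor-password")
    print(status)
    sys.exit(0 if status == "accept" else 1)
```

Run from a scheduler, any status other than accept (non-zero exit) is the condition to notify on; give the test account no network access beyond authenticating.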
RE: RADIUS stops responding after a while
I'm using MySQL 4.1.7 and it is located on remote server (not even on the same subnet as the radius)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stefan Winter
Sent: Friday, April 07, 2006 5:22 AM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while

Hi!

I've just went to my radius server and found out that it doesn't want to handle requests.. I restarted it in debug and it told me that SQL module is unknown. (was working fine for 1 month) I restarted again in debug and now it went OK and works fine, but this thing is not acceptable in the field.

Are you using mySQL? It would be great if you could tell us the *exact* version number.

Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
RE: RADIUS stops responding after a while
Yeah, got one firewall in between... but if it is a timeout I assume it should just drop like a couple of requests and then work fine, but in my case it just stops responding for everything.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Nixon
Sent: Friday, April 07, 2006 2:46 PM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while

On Fri 07 Apr 2006 20:57, Alex M wrote:

I'm using MySQL 4.1.7 and it is located on remote server (not even on the same subnet as the radius)

Do you have a stateful firewall (Checkpoint etc) between radius and the sql server? That can cause timeout problems accessing the database, although not problems finding a module..

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
RADIUS stops responding after a while
I've got strange behavior on my FR, need to find the way to prevent it, and find out what caused it.

I've just went to my radius server and found out that it doesn't want to handle requests. I restarted it in debug and it told me that SQL module is unknown (was working fine for 1 month). I restarted again in debug and now it went OK and works fine, but this thing is not acceptable in the field.

So does any one knows what could cause such a behavior (not accepting requests, due to module malfunction) and more importantly is there any way to monitor the server functionality? Let's say something like send testing request each 30min or something and if server doesn't reply send email notification?

Thanks!
RE: RedHat Security updates for FR
Do you know if the bugs that this update fixes apply to any installs on RedHat or only to RPMs?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Skinner
Sent: Tuesday, April 04, 2006 9:13 AM
To: FreeRadius users mailing list
Subject: RedHat Security updates for FR

RedHat Enterprise (and CentOS) has finally released security updates for their FreeRADIUS rpms:

https://rhn.redhat.com/errata/RHSA-2006-0271.html

In case anyone is interested

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
RE: Couldn't stop freeradius server!!
I had the same problem on RedHat (well, the name was the way it's supposed to be). It was caused by some conflict between FR and something with the OS... still investigating the problem, but in my case the kill, reboot and halt commands were blocked. I think that was caused because the SSH connection was lost during execution of the command.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of debik
Sent: Wednesday, April 05, 2006 2:26 PM
To: FreeRadius users mailing list
Subject: Re: Couldn't stop freeradius server!!

Try killall radiusd or killall freeradius. I have debian and those commands are all right.

----- Original Message -----
From: lmyho [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 04, 2006 6:19 PM
Subject: Re: Couldn't stop freeradius server!!

--- monish ar [EMAIL PROTECTED] wrote:

Instead of using the command to stop the radius daemon, herez another simple way. At the console type ps -ax | grep radiusd , this will give u the list of radius servers currently along with its process IDs. The next thing u do is type kill pid# , PID# refers to the process id number of ur currently running radius daemon. Hope it helps... Dunno bout the NAS list though...

Hi Monish,

Thank you for the idea! I checked, and found the process. But on this debian system, the process is actually named freeradius, instead of the traditional radiusd. :( So there are indeed some changes on how the freeradius is run on debian. Do you have more idea about it?

Can anyone tell me more on how the debian is running the freeradius and how I can stop the server from command line in debian system? (pls see problem detail below)

Thanks a lot!!
leo

On 4/4/06, lmyho [EMAIL PROTECTED] wrote:

Hi All,

Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686). The radius server started automatically well each time when the system booting. But I wanted to stop it to do some testing using my modified configuration files. I tried to stop the server using command: 'freeradius stop' ('radiusd' doesn't work on this debian - anyone knows why??) But so weird, no matter what command I gave, with parameter stop|start|restart, the server ALWAYS goes to START again!! even from the /etc/init.d/freeradius I can read that the 'stop' param should stop the server! Can anyone tell me why the command couldn't stop the server?? and how should I stop it??

The log file shows entries like this for each of my trying, even the command given was to stop:

    Tue Apr 4 01:14:13 2006 : Info: Using deprecated naslist file. Support for this will go away soon.
    Tue Apr 4 01:14:13 2006 : Error: There appears to be another RADIUS server running on the authenticat

What is happening here? (I couldn't stop the running daemon, so is the 2nd line above)

Also, from the log file I noticed: even when the system automatically started the freeradius server daemon, it was Using deprecated naslist file. Log entries show like this:

    Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file. Support for this will go away soon.
    Fri Mar 31 13:51:54 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Fri Mar 31 13:51:55 2006 : Info: Ready to process requests.

Can anyone tell me what is happening here?? Why it's using the deprecating naslist file? The installed radiusd.conf file doesn't show the server will use the naslist file at all! From where I can stop the server to use this deprecating file? Also what does the 2nd line of the above log entries mean?

Any help would be greatly appreciated! Thank you so much for help in advance!!

Best regards,
leo
RE: How Getting accounting informations ?
If I'm not mistaken DWLs should send accounting info. I have to check though.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vincent MARGUERIE
Sent: Sunday, March 26, 2006 7:10 PM
To: freeradius
Subject: How Getting accounting informations ?

Hi guys,

I would like to know how I can get accounting information from my client? I use a dlink DWL-2000ap+ as NAS (is it compatible?) and my client is connecting from a windows XP computer.

Could you confirm that only the NAS can send accounting information and not the client... am I right? If it is, do you know if this dlink is compatible with accounting request? Do you know another Access Point that sure makes this task, or is there a software that can be behind my access point to do this right (a sort of NAS in fact)?

Thanks for your help,
Vincent
RE: Table radacct is empty
I dunno, maybe it is some error in 1.1.1? I'm still running 1.1.0 and didn't have any problems like this yet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vincent MARGUERIE
Sent: Thursday, March 23, 2006 12:29 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Table radacct is empty

[EMAIL PROTECTED] wrote:

Message: 1
Date: Thu, 23 Mar 2006 01:57:27 +0100
From: Vincent MARGUERIE [EMAIL PROTECTED]
Subject: RE: Table radacct is empty
To: freeradius freeradius-users@lists.freeradius.org

Hi,

Yes, SQL is ok to query in accounting section. Here is a part of my radiusd.conf:

    # The rlm_sql_log module appends the SQL queries in a log
    # file which is read later by the radsqlrelay program.
    #
    # This module only performs the dynamic expansion of the
    # variables found in the SQL statements. No operation is
    # executed on the database server. (this could be done
    # later by an external program) That means the module is
    # useful only with non-SELECT statements.
    #
    # See rlm_sql_log(5) manpage.
    #
    sql_log {
        path = ${radacctdir}/sql-relay
        acct_table = "radacct"
        postauth_table = "radpostauth"

        Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '%S', '0', '0', '');"
        Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
         '%{Acct-Terminate-Cause}');"
        Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
        Post-Auth = "INSERT INTO ${postauth_table} \
         (user, pass, reply, date) VALUES \
         ('%{User-Name}', '%{User-Password:-Chap-Password}', \
         '%{reply:Packet-Type}', '%S');"
    }
    ..
    ..
    $INCLUDE ${confdir}/sql.conf
    ..
    ..
    authorize {
        sql
        ...
    ...
    accounting {
        sql
        sql_log
    session
        sql
    post-auth {
        sql
        sql_log

Moreover, the information is written in a file (sql-relay) which (if I have understood correctly) is used by the radsqlrelay binary to put the information in the database. The fact is that for the post-auth part, it works because I get all the information of the post authorisation in the radpostauth table. But in this sql-relay file, there's only information about post-auth... nothing about accounting!! The strange thing is that there's some information about accounting in other files, auth-detail and reply-detail, but not in sql format.

Some lines of the files:

sql-relay

    INSERT INTO radpostauth (user, pass, reply, date) VALUES('joseph', 'Chap-Password', 'Access-Accept', '2006-03-21 15:28:48');

reply-detail

    Packet-Type = Access-Accept
    Wed Mar 22 18:04:18 2006
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.0
        Framed-MTU = 1
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Login-User
        Session-Timeout = 1000
        Idle-Timeout = 500
        Port-Limit = 10
        Reply-Message = Bye Mr Joseph !
        MS-MPPE-Recv-Key
RE: Clear text passwords
Yes u can hide or crypt passwords in freeradius. This question was raised in the freeradius users mailing list, and if you search the archives, the answer is there.

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Corey Burks
Sent: Thursday, March 23, 2006 2:55 PM
To: freeradius-users@lists.freeradius.org
Subject: Clear text passwords

I have recently built up a freeradius server V1.1.0. I am new to freeradius, since we were using an old version of Navisradius. In Navisradius it would compare the crypt password strings and log the crypt string versus the clear text password.

Is it possible to have freeradius not log the clear text passwords, while still logging the auth request? Or have it log the crypt password strings instead?

My radius server is binding to a Netscape LDAP server which is storing the passwords using UNIX crypt. Yet the radius server is logging the clear text password.

Thank you for your help.
Corey

Detail log shows:

Packet-Type = Access-Request
Thu Mar 23 11:23:30 2006
    User-Name = cburks
    User-Password = abc123
    Vendor-3076-Attr-32 = 0x0004
    NAS-IP-Address = 172.16.15.251
    NAS-Port-Type = Virtual
    Client-IP-Address = 172.16.15.251

Debug output shows:

rad_recv: Access-Request packet from host 172.16.15.251:2264, id=1, length=70
    User-Name = cburks
    User-Password = abc123
    Vendor-3076-Attr-32 = 0x0004
    NAS-IP-Address = 172.16.15.251
    NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/172.16.15.251/detail'
rlm_detail: %A/%{Client-IP-Address}/detail expands to /usr/local/freeradius/var/log/radius/radacct/172.16.15.251/detail
modcall[authorize]: module auth_log returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = cburks, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 234
modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for cburks
radius_xlat: '(uid=cburks)'
radius_xlat: 'ou=people,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap-master.oak.zhone.com:389, authentication 0
rlm_ldap: bind as cn=Directory Manager/secret to ldap-master.oak.zhone.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=zhone.com, with filter (uid=cburks)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user cburks authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by cburks with password abc123
rlm_ldap: user DN: uid=CBurks,ou=People, o=zhone.com
rlm_ldap: (re)connect to ldap-master.oak.zhone.com:389, authentication 1
rlm_ldap: bind as uid=CBurks,ou=People, o=zhone.com/abc123 to ldap-master.oak.zhone.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user cburks authenticated succesfully
modcall[authenticate]: module ldap returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat: '/usr/local/freeradius/var/log/radius/radacct/172.16.15.251/reply-detail-20060323'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/172.16.15.251/reply-detail-20060323
modcall[post-auth]: module reply_log returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 1 to 172.16.15.251 port 2264
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 1
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
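The output quoted in the message above carries the cleartext password in three places: the User-Password attribute, the rlm_ldap "login attempt" line, and the rlm_ldap "bind as DN/password" line. The filter below is an added example, not FreeRADIUS code and not from any poster in this thread; it scrubs those three patterns from log text that has already been written or is about to be archived. The line formats are taken from the quoted output, and it is an assumption that other versions word them the same way.

```python
import re
import sys

REDACTED = "<redacted>"

# Attribute names whose values must not be kept in logs.
# Assumption: only User-Password appears in the quoted output; extend as needed.
SENSITIVE_ATTRS = ("User-Password",)

# "    User-Password = abc123"  (value may or may not be quoted)
_ATTR_RE = re.compile(
    r"^(\s*(?:%s)\s*=\s*)(.*)$" % "|".join(re.escape(a) for a in SENSITIVE_ATTRS)
)
# "rlm_ldap: login attempt by cburks with password abc123"
_LOGIN_RE = re.compile(r"^(rlm_ldap: login attempt by .*? with password )(.*)$")
# "rlm_ldap: bind as <DN>/<password> to host:port"
# The DN match is non-greedy, so everything after the FIRST "/" is treated as
# secret. A password containing "/" is fully covered; a DN containing "/" is
# over-redacted, which is the safe direction to fail.
_BIND_RE = re.compile(r"^(rlm_ldap: bind as .*?/)(.*)( to \S+)$")


def redact_line(line):
    """Return (clean_line, changed) for one log line without its newline."""
    m = _ATTR_RE.match(line)
    if m:
        return m.group(1) + REDACTED, True
    m = _LOGIN_RE.match(line)
    if m:
        return m.group(1) + REDACTED, True
    m = _BIND_RE.match(line)
    if m:
        return m.group(1) + REDACTED + m.group(3), True
    return line, False


def scrub(text):
    """Redact every sensitive line in text; return (clean_text, hit_count)."""
    out, hits = [], 0
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        clean, changed = redact_line(body)
        hits += changed
        out.append(clean + raw[len(body):])  # keep the original line ending
    return "".join(out), hits


# Sample input: lines copied from the detail log and debug output quoted above.
SAMPLE = """\
Packet-Type = Access-Request
Thu Mar 23 11:23:30 2006
\tUser-Name = cburks
\tUser-Password = abc123
\tNAS-IP-Address = 172.16.15.251
rlm_ldap: bind as cn=Directory Manager/secret to ldap-master.oak.zhone.com:389
rlm_ldap: login attempt by cburks with password abc123
rlm_ldap: bind as uid=CBurks,ou=People, o=zhone.com/abc123 to ldap-master.oak.zhone.com:389
rlm_ldap: Bind was successful
"""

if __name__ == "__main__":
    # Use as a filter: radiusd -X 2>&1 | python3 scrub.py > debug.log
    total = 0
    for raw_line in sys.stdin:
        cleaned, n = scrub(raw_line)
        total += n
        sys.stdout.write(cleaned)
    sys.stderr.write("redacted %d line(s)\n" % total)
```

The hit count is worth alerting on: a non-zero count from a production log means some component is still writing credentials to disk.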
RE: Table radacct is empty
Did u authorize SQL in accounting section?

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Vincent MARGUERIE
Sent: Wednesday, March 22, 2006 4:14 AM
To: freeradius
Subject: Table radacct is empty

Hi,

I've installed freeradius 1.1.1 on a Debian Sarge distribution, and the connection works fine with my wireless Windows XP client, but I have a problem getting information into the radacct table in my mysql database. Does anyone have a solution for this?

Rq: I use a Dlink-DWL-2000AP+ as Access Point

Regards,
Vincent
RE: Failed Compilation of Freeradius with Mysql since 1.1.0 (Works on1.0.5)
I've installed Generic Static Developer RPMs and then compiled FreeRadius, and it works fine...

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Philippe JOYEZ
Sent: Wednesday, March 22, 2006 9:09 AM
To: freeradius-users@lists.freeradius.org
Subject: Failed Compilation of Freeradius with Mysql since 1.1.0 (Works on1.0.5)

Hello All,

I've seen many topics about that problem but none of them has solved my problem. I'm trying to upgrade my 1.0.5 Freeradius server to 1.1.1 on my Solaris 8 system but it fails to find mysql libs. On the same server, I use the same configure script options:

./configure --localstatedir=/var \
    --with-logdir=/var/log/radius/log \
    --with-radacctdir=/var/log/radius/radacct \
    --with-mysql-lib-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/lib \
    --with-mysql-include-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/include \
    --with-mysql-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc

It works for 1.0.5 but not for 1.1.1 (and also KO for 1.1.0):

configuring in ./drivers/rlm_sql_mysql
running /bin/sh ./configure --localstatedir=/var --with-logdir=/var/log/radius/log --with-radacctdir=/var/log/radius/radacct --with-mysql-lib-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/lib --with-mysql-include-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/include --with-mysql-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG ) works... yes
checking whether the C compiler (gcc -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for mysql_config... (cached) no
checking for pthread_create in -lpthread... (cached) yes
checking for mysql_init in -lmysqlclient_r... no
configure: warning: mysql libraries not found. Use --with-mysql-lib-dir=path.
checking for mysql/mysql.h... yes
configure: warning: sql submodule 'mysql' disabled
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged

Best regards
RE: Authentication problem if CHAP is not used
Hi,

I found the solution for my problem, but... I want to know what is going on and why. When I add Auth-Type := Local to the usernames then they are working OK without CHAP. Why do I need to have that for non-CHAP methods? And is there anything else I should know about this?

Thanks!

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, March 16, 2006 1:58 AM
To: FreeRadius users mailing list
Subject: Re: Authentication problem if CHAP is not used

Alex M [EMAIL PROTECTED] wrote:
> Ok, I here is full debug info...
> ...
> [EMAIL PROTECTED] root]# radiusd -x

Uh, no. Try reading the FAQ, README, INSTALL, and half of the messages to this list.

Alan DeKok.
Associating username to a specific NAS only
Is it possible to set directives for some users so that they only can login to the specific NAS (by the NAS Called Station Id [NAS MAC Address])? Thanks!
RE: Different source NAS for Different privilege Level
I think you can use radreply directive with your variable, if your NAS supports that.

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Jeff Stout
Sent: Thursday, March 16, 2006 11:44 AM
To: FreeRadius users mailing list
Subject: Different source NAS for Different privilege Level

I am using freeradius rev 1.1.0. I have everything running great. I am using AAA authorization on different Network Devices: Cisco Routers, Cisco Switches, Foundry Switches, Juniper FW's. I have set up VSA's to respond to the user to set their privilege level upon successful authentication, then the authorization portion actually sets the privilege level.

I need to have different privilege levels based upon which NAS they are coming from, e.g. connecting while on the Corporate Network, privilege level = 8; same user connecting thru IPass out of the office, privilege level = 5.

Any assistance with this would be greatly appreciated. Thank you in advance for your help.

Jeff Stout
CCT
RE: Authentication problem if CHAP is not used
User-Name = homepc
User-Password = homepc
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'homepc' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'homepc' ORDER BY id
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 2
Sending Access-Reject of id 1 to 192.168.0.107 port 2849

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, March 15, 2006 12:51 AM
To: FreeRadius users mailing list
Subject: Re: Authentication problem if CHAP is not used

Alex M [EMAIL PROTECTED] wrote:
> I'm using default configuration except I enabled My SQL support. The error I'm getting in debug mode is this:
> rlm_unix: [alexus]: invalid password

Well, if you're going to look at small pieces of the debug log, I would presume you will only be able to solve small pieces of the problem.

> or no error whatsoever for any other user, it just quits (terminates the process) on
> rlm_sql (sql): Released sql socket id: 2
> I don't know what is wrong? Maybe PAP module was compiled wrong?

Maybe try reading the rest of the debug log? It's not like the text is randomly generated. It's there to help you solve your problems. But you *do* have to read it.

Alan DeKok.
RE: Problems configuring Free Radius
Your MySQL config is in your sql.conf file; at the beginning you enter all info about username, DB etc. Also you have to authorize SQL use in radiusd.conf.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Atkins, Dwane P
Sent: Wednesday, March 15, 2006 11:39 AM
To: freeradius-users@lists.freeradius.org
Subject: Problems configuring Free Radius

Is there a free radius for Dummies book out there? I know that most of the instructions probably make sense to everyone but me. I am trying to configure Freeradius 1.1 on a mysql database using fedora 4. I can get to a point where I do the radiusd -X and it starts the radius server.

Is there something I need to do with the sql.conf file to tie all of this together?
How do I enter my users in mysql?
Is there a web interface for the users?
Can I put in a start date for a user and a stop date for a user?
Is there a web site that I can go to for answers to these questions? I have been to the archives.

Thank you, and if this all cannot be done, please let me know so I can scrap this project and move on to something different.

Dwane

Dwane Atkins
TN 210-567-0158
Authentication problem if CHAP is not used
Hi, I have a problem; I always get Access Reject saying that password is invalid. But when I'm using NTRadPing Test Utility, the same username and password works fine if I check to use CHAP, but when the CHAP check box is not selected then I'm getting the same problem as I have with my NAS. So can someone tell me how to make FreeRadius work so that if I'm using NTRadPing without CHAP it would still work! Thanks!!!
PAP Question
Hi, I want to use PAP protocol; do I have to set it in Authorization section? Because there is no commented line for PAP while there is every other module included. Thanks!
RE: Ignoring request from unknown client 1.2.3.4.:****
This is because you did not allow your radius to accept requests from your client with IP 202.117.49.26. If you are using regular config files you need to edit the Clients config. If u are using MySQL you need to set radiusd.config to read the NAS table in MySQL (look at the end of the config file, I think it's the last line) and then add your NAS clients to the NAS table in the db.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of yao guoxian
Sent: Sunday, March 12, 2006 8:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Ignoring request from unknown client 1.2.3.4.:

Having installed Mysql4.0, I recompiled Freeradius 1.0.5. It seems Freeradius and Mysql work well when I enter: radiusd -X. However, when I use the 'UserName' and 'Password' in the 'radcheck' table to test, I get the following output from the Radius Server:

rad_recv: Access-Request packet from host 202.117.49.26:3978, id=12, length=47
Ignoring request from unknown client 202.117.49.26:3978
--- Walking the entire request list ---

Any suggestions?
NAS MAC Address Attribute
Hi, is the attribute for NAS MAC address NAS-Identifier? Thanks!
password rejected when CHAP is not used
When I do not use CHAP my password gets rejected, and when I do use it everything goes OK; but not all my NAS support CHAP! So what should I do to configure radius to support NAS that doesn't send CHAP passwords? THANKS!
accounting of MAC of the NAS
Hi, I've noticed while running in debug mode, I can see the MAC of the NAS, but when I go to the Accounting logs (that are stored in MySQL) I don't see any place for MAC of the NAS, it only has the space for NAS IP. So is it possible to make freeradius log the MAC address of the NAS too? Thanks!
NAS MAC Variable
What is the variable for NAS MAC address, so that I can set up the rule for mysql to log the MAC address of the NAS when the client sends a request?
RE: accounting of MAC of the NAS
I don't know what attribute and what packet, I have a regular install for MySql ... I do see the queries in SQL.config but I don't know what variable is used for NAS MAC address? That's why I asked.

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, March 08, 2006 5:26 PM
To: FreeRadius users mailing list
Subject: Re: accounting of MAC of the NAS

Alex M [EMAIL PROTECTED] wrote:
> I've noticed while running in debug mode, I can see the MAC of the NAS,

In what attribute, in what kind of packet?

> but when I go to the Accounting logs (that are stored in MySQL) I don't see any place for MAC of the NAS, it only has the space for NAS IP. So is it possible to make freeradius to log the MAC address of the nas too?

Sure. Update the SQL schema and the queries. That's why they're editable.

Alan DeKok.
RE: accounting of MAC of the NAS
Hm yea interesting idea! Thanks! I will try that

-Original Message-
From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, March 08, 2006 6:18 PM
To: FreeRadius users mailing list
Subject: Re: accounting of MAC of the NAS

Alex M [EMAIL PROTECTED] wrote:
> I don't know what attribute and what packet,

You have to be joking. You already said you see the MAC address in debug mode. How hard is it to read that to find out the attribute name, and packet? Debug mode prints all that information!

> I do see the queries in SQL.config but I don't know what variable is used for NAS MAC address? That's why I asked.

Read debugging mode. The attribute name that you see next to the MAC address is the name of the attribute to use.

Alan DeKok.
RE: 802.1x
Now I'm totally lost... Can u give me an example what 802.1x does?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

Alex M [EMAIL PROTECTED] wrote:
> So then such features as bandwidth and port blocking could be controlled via 802.1x?

No.

Alan DeKok.
RE: 802.1x
Ok I got it. By the way what is AV pair? And how do you get NAS related attributes to control bandwidth from vendors? Like if I'm using D-Link how could I get attributes from them?

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,

Features such as 'bandwidth and port blocking' (if any) are allocated/configured on the _NAS_ (in this case a NAS port) via AV pair/s provided by RADIUS... the 802.1x Supplicant (Client/Endpoint), in simple terms, provides a secure/standard conduit which facilitates the communication of credentials (from the Supplicant to the Authenticator). The 802.1x Authenticator (or NAS) _MAY_ provision/enforce Authorization for the specific endpoint in the context of a user or group...

The management granularity of this functionality varies greatly by switch vendor; as a result, providing this functionality across a multi-vendor environment... in a large scale deployment... is often too complex to seriously consider.

jmr

Original Message
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org

Now I'm totally lost... Can u give me an example what 802.1x does?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

Alex M [EMAIL PROTECTED] wrote:
> So then such features as bandwidth and port blocking could be controlled via 802.1x?

No.

Alan DeKok.
RE: 802.1x
Ok, thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Davies
Sent: Wednesday, November 02, 2005 12:38 PM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Which Vendor Specific Attributes are implemented by a Vendor are, as the name suggests, specific to the vendor and totally up to them to choose. I would not be surprised if DLink implement *NO* VSAs. Given the market into which they're pitching their kit, I doubt very much that their kit will do bandwidth control.

Authenticating access to the port is the basic function of 802.1x, so if DLink claim 802.1x support, then you can configure your NAS so that you don't get any access without authenticating first.

Rgds,
Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: 02 November 2005 17:04
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Ok I got it. By the way what is AV pair? And how do you get NAS related attributes to control bandwidth from vendors? Like if I'm using D-Link how could I get attributes from them?

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,

Features such as 'bandwidth and port blocking' (if any) are allocated/configured on the _NAS_ (in this case a NAS port) via AV pair/s provided by RADIUS... the 802.1x Supplicant (Client/Endpoint), in simple terms, provides a secure/standard conduit which facilitates the communication of credentials (from the Supplicant to the Authenticator). The 802.1x Authenticator (or NAS) _MAY_ provision/enforce Authorization for the specific endpoint in the context of a user or group...

The management granularity of this functionality varies greatly by switch vendor; as a result, providing this functionality across a multi-vendor environment... in a large scale deployment... is often too complex to seriously consider.

jmr

Original Message
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org

Now I'm totally lost... Can u give me an example what 802.1x does?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

Alex M [EMAIL PROTECTED] wrote:
> So then such features as bandwidth and port blocking could be controlled via 802.1x?

No.

Alan DeKok.
RE: 802.1x
Ok, will call Dlink to see if they have something (the hotspot itself has that functionality internally though). Also do you know if open source projects such as NoCAT and ChillBox support such features?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 1:08 PM
To: FreeRadius users mailing list
Subject: RE: 802.1x

AV = ATTRIBUTE VALUE

D-Link what? D-Link makes lots of stuff... generally great price... but not the most feature rich products. To get the features you desire you'll likely need a higher-end box. I'm not a big proponent of pitching specific products in this forum. Suffice it to say there are vendors that will (or attempt to) provide CoS / filtering on Wireless...

jmr

Original Message
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 10:04 am
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org

Ok I got it. By the way what is AV pair? And how do you get NAS related attributes to control bandwidth from vendors? Like if I'm using D-Link how could I get attributes from them?

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,

Features such as 'bandwidth and port blocking' (if any) are allocated/configured on the _NAS_ (in this case a NAS port) via AV pair/s provided by RADIUS... the 802.1x Supplicant (Client/Endpoint), in simple terms, provides a secure/standard conduit which facilitates the communication of credentials (from the Supplicant to the Authenticator). The 802.1x Authenticator (or NAS) _MAY_ provision/enforce Authorization for the specific endpoint in the context of a user or group...

The management granularity of this functionality varies greatly by switch vendor; as a result, providing this functionality across a multi-vendor environment... in a large scale deployment... is often too complex to seriously consider.

jmr

Original Message
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org

Now I'm totally lost... Can u give me an example what 802.1x does?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

Alex M [EMAIL PROTECTED] wrote:
> So then such features as bandwidth and port blocking could be controlled via 802.1x?

No.

Alan DeKok.
RE: 802.1x
Wikipedia... well, can it show me how to block ports like port 88 on user side? Yea I should learn how to use google he he

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seferovic Edvin
Sent: Wednesday, November 02, 2005 4:42 PM
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Maybe you should learn how to do research with google ;) or just use an encyclopedia... http://en.wikipedia.org/wiki/802.1x have fun!

Regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Wednesday, 02 November 2005 22:34
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

That's what I started with... but it returns me all very very expensive enterprise equipment, and other junk... well maybe I'm using the wrong keyword but google doesn't give me anything I'm looking for

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Graf
Sent: Wednesday, November 02, 2005 4:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x

On Wed, Nov 02, 2005 at 11:10:20AM -0500, Alex M wrote:
> Now I'm totally lost... Can u give me an example what 802.1x does?

Can u use google?

Oliver.
802.1x
What is the difference between plain Radius identification compared to 802.1x? What additional functionality does 802.1x give to radius? Thanks!
Bandwidth control
I'm a newbie here, please tell me where I can find info on controlling user bandwidth and allowed TCP/IP ports!! Appreciate your help!!!
RE: Bandwidth control
Is there any general variable? Because I'm using different NASes, although mostly D-Link DSA-3100.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, October 31, 2005 4:15 PM
To: FreeRadius users mailing list
Subject: Re: Bandwidth control

Alex M [EMAIL PROTECTED] wrote:
> I'm a newbie here, please tell me where I can find info on controlling user bandwidth and allowed TCP/IP ports!!

Read your NAS documentation. Then, configure FreeRADIUS to send the attributes the NAS expects.

Alan DeKok.
Post authentication Bandwidth control
How can I use Post authentication to control the users bandwidth??? Thanks!
RE: Problem using Calling-Station-Id-Attribute in radcheck
I'm about to try to do the same but to log the MAC addresses. I'm a newbie to freerad, but sometimes, depending on the switches and routers that you have on your network, your MAC address gets hashed along the way (I saw that on MS IAS). So check in the logs if you can see the MAC of the user first, although how to do that is my question?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of kdr akm
Sent: Friday, October 28, 2005 10:16 AM
To: freeradius-users@lists.freeradius.org
Subject: Problem using Calling-Station-Id-Attribute in radcheck

Hello,

I'm using freeradius-1.0.1-0.FC2.i386.rpm and freeradius-mysql-1.0.1-0.FC2.i386.rpm with Mysql for Authentication for my lan client. Now, I want also to check the MAC-Address of this Lan Client. Therefore I added the Calling-Station-Id-Attribute to the radcheck table.

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  1 | tala     | User-Password      | == | 123123       |
|  2 | tala     | Calling-Station-Id | == | 000d88522f1f |
+----+----------+--------------------+----+--------------+
2 rows in set (0.00 sec)

Unfortunately, freeradius cannot validate this user anymore. Are there any config files I have to change? Or am I using this attribute wrong? I am a beginner in radius, and thanks in advance.
controlling bandwidth
Hi, How can I control bandwidth for specific users? And how can I block all ports except one, for their connection? Thanks!
cheking mysql requests
Hi, I'm having a problem in that freeradius doesn't recognize the clients (NAS) in the NAS table of MySQL. It keeps throwing me: Unknown client nothing to do

So, I have set up sql.conf to trace mysql queries in -X debug mode to YES, but I still don't see any queries shown to the NAS table to see if the client is authorized.

So how can I check if freeradius sends the query to the NAS table of the DB to SELECT * NAS where NASNAME = xxx.xxx.xxx.xxx and SECRET=testing123 ???

I MUST make this work!!! Please help!
RE: cheking mysql requests
Ok, that information is a good thing to know, which creates another two questions:

1. How can I find out if the server obtained the records from the table?
2. If you add, let's say, a new user (user as user, not a NAS) to the DB, do I then have to restart the server in order for the settings to take effect?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 26, 2005 2:06 PM
To: FreeRadius users mailing list
Subject: Re: cheking mysql requests

Alex M [EMAIL PROTECTED] wrote:
So, I have set up sql.conf to trace mysql queries in -X debug mode to YES, but I still don't see any queries shown to the NAS table to see if the client is authorized.

The queries are NOT done live. They are done once when the server starts.

Alan DeKok.
RE: cheking mysql requests
1. How can I find out if the server obtained the records from the table?

Read the debug output on startup.

I can read that, but the question is whether I can understand what it is saying, because it's not the usual SQL reply output there.

Or, send it a packet from a client configured in SQL.

That's where I'm getting the reply that the client is unknown.

Or, read the sqltrace file

Can you suggest where to look for it? I can't find it... :-(

Thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 26, 2005 2:27 PM
To: FreeRadius users mailing list
Subject: Re: cheking mysql requests

Alex M [EMAIL PROTECTED] wrote:
1. How can I find out if the server obtained the records from the table?

Read the debug output on startup. Or, send it a packet from a client configured in SQL. Or, read the sqltrace file, I *think* the queries are in there.

2. If you add, let's say, a new user (user as user, not a NAS) to the DB, do I then have to restart the server in order for the settings to take effect?

No.

Alan DeKok.
RE: cheking mysql requests
Ok, here are the answers to my own questions:

1. In order to read the NAS table you have to unquote readclients=yes in sql.conf (at the end of the file) to allow it to connect to the NAS table.
2. My table was modified as was suggested by another post, but freeradius queries the table in TABULAR format, so the results obtained were messed up.
3. Despite the fact that the short name in the table is set to allow null, the server will not allow the record to be used without a short name, so you have to have the nasname, shortname, and secret fields filled in.

Hope it will help people who have the same questions that I did.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 26, 2005 2:27 PM
To: FreeRadius users mailing list
Subject: Re: cheking mysql requests

Alex M [EMAIL PROTECTED] wrote:
1. How can I find out if the server obtained the records from the table?

Read the debug output on startup. Or, send it a packet from a client configured in SQL. Or, read the sqltrace file, I *think* the queries are in there.

2. If you add, let's say, a new user (user as user, not a NAS) to the DB, do I then have to restart the server in order for the settings to take effect?

No.

Alan DeKok.
SQL NAS table
Can someone point me to the documentation on use of the SQL NAS table? So that I can add NAS devices to the DB and not a text file? Thanks!
RE: SQL NAS table
Ok, I have this table:

    id SERIAL PRIMARY KEY,
    nasname VARCHAR(128),
    shortname VARCHAR(32) NOT NULL,
    type VARCHAR(30),
    ports int4,
    secret VARCHAR(60) NOT NULL,
    community VARCHAR(50),
    description TEXT

So assuming I will add these fields that have the IP address too:

    ipaddr INET PRIMARY KEY,
    snmp VARCHAR(10),
    naslocation VARCHAR(32)

Now if I enter the secret and IP address, it is supposed to work, I assume? If it is not hard, can you tell me what the other fields normally stand for? Thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Fraser
Sent: Tuesday, October 25, 2005 1:06 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: SQL NAS table

On Tue, 2005-25-10 at 12:52 -0400, Alex M wrote:
Can someone point me to the documentation on use of the SQL NAS table? So that I can add NAS devices to the DB and not a text file?
...snip...

There has been discussion on this in the past, here is a message I sent as a response to this list, that might point you in the right direction.

---Copied message from archive---

On Thu, 2005-15-09 at 15:08 -0400, Alan DeKok wrote:
Am I to take it that it is not possible to use SQL for the clients.conf file? And if that is the case could someone please explain what the nas table is for in the database schema?

It's possible. You do need at least one entry in clients.conf, though. I suggest 127.0.0.1

Then, read sql.conf, and set readclients=yes

Alan DeKok.

Cool. I am working with FreeBSD and the updates for 1.0.5 are not in the cvsup repository yet, so my comment is in regards to 1.0.4, but may apply to 1.0.5.

I took a look at the postgresql stuff and it appears as though the schema will need a little tweak in order to be compatible with rlm_sql.c's requirements. A SERIAL column named Id will need to be added.

This will make it compatible:

    -- SQL clients table
    CREATE TABLE nas (
        id SERIAL PRIMARY KEY,
        nasname VARCHAR(128),
        shortname VARCHAR(32) NOT NULL,
        type VARCHAR(30),
        ports int4,
        secret VARCHAR(60) NOT NULL,
        community VARCHAR(50),
        description TEXT
    );

This is not required, but this info used to be in the nas table in the postgresql schema.

    -- additional nas info table included in previous nas table
    CREATE TABLE nas (
        id int4 NOT NULL,
        ipaddr INET PRIMARY KEY,
        snmp VARCHAR(10),
        naslocation VARCHAR(32)
    );

---End of message---
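Added example (not part of any message in this thread, and not FreeRADIUS code): a pre-flight audit of the nas table that flags rows missing any of the three fields the "cheking mysql requests" follow-up reported as required (nasname, shortname, secret), plus rows still carrying the secret quoted in that thread. Assumptions: SQLite stands in for PostgreSQL/MySQL so the check runs offline, NOT NULL is dropped from shortname to mirror the modified table described there, the rows are constructed, and the names audit_nas and build_sample are hypothetical.

```python
import sqlite3

# Assumption: the secret quoted earlier in the thread is treated as a default.
DEFAULT_SECRETS = {"testing123"}

# nas table from the thread; PostgreSQL types mapped to SQLite, and NOT NULL
# dropped from shortname to mirror the modified table described in the thread.
SCHEMA = """
CREATE TABLE nas (
    id INTEGER PRIMARY KEY, nasname VARCHAR(128), shortname VARCHAR(32),
    type VARCHAR(30), ports INTEGER, secret VARCHAR(60) NOT NULL,
    community VARCHAR(50), description TEXT
);
"""

# Constructed sample rows (documentation addresses, made-up secrets).
SAMPLE_ROWS = [
    (1, "192.0.2.10", "hotspot1", "other", "Vq2-7hLm9xR4tZ0c"),
    (2, "192.0.2.11", None, "other", "p8Wd-3nKs6Yb1Qe5"),
    (3, "192.0.2.12", "lab", "other", "testing123"),
    (4, "", "branch", "other", "Jt5-0uGc2Hs8Mf7a"),
]


def build_sample():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO nas (id, nasname, shortname, type, secret) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def audit_nas(conn):
    """Return {row id: [problems]} for rows with empty required fields or a default secret."""
    findings = {}
    query = "SELECT id, nasname, shortname, secret FROM nas ORDER BY id"
    for row_id, nasname, shortname, secret in conn.execute(query):
        fields = (("nasname", nasname), ("shortname", shortname), ("secret", secret))
        problems = [f"{name} is empty" for name, value in fields if not (value or "").strip()]
        if secret in DEFAULT_SECRETS:
            problems.append("secret is a known default")
        if problems:
            findings[row_id] = problems
    return findings


if __name__ == "__main__":
    for row_id, problems in audit_nas(build_sample()).items():
        print(f"nas id {row_id}: {'; '.join(problems)}")
```

Because the thread notes that client rows are read once when the server starts, a check like this is most useful before a restart.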