Re: Default reply for username incorrect-s

2010-01-04 Thread Alex M
Ok I think i got the idea, will now go and try it out! thank you!
as to 2nd reply, yes my NAS supports Reply-Messages


2010/1/4 Charles (KOL-Goma) char...@goma.kivu-online.com

  Does your NAS support the option?

 - Original Message -
 *From:* EasyHorpak.com i...@easyhorpak.com
 *To:* FreeRadius users mailing list freeradius-users@lists.freeradius.org
 *Sent:* Monday, January 04, 2010 6:27 AM
 *Subject:* Re: Default reply for username incorrect-s

 Alex M wrote:

 Happy New Year to you all!
 I have quick question: How can I send default reply to all users that have
 incorrect username / password combination, right now FR just rejects them
 w/o any message.
 I use MySQL i tried to add DEFAULT as user name in rad reply but that did
 not help :(
 Hope some one can help me?

 TNX

 --

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 try this man http://www.easyzonecorp.net/network/view.php?ID=1038
 it's only accept not found username.

 for wrong password you must use unlang

 try this

 http://www.easyzonecorp.net/network/view.php?ID=1042





Default reply for username incorrect-s

2010-01-03 Thread Alex M
Happy New Year to you all!
I have quick question: How can I send default reply to all users that have
incorrect username / password combination, right now FR just rejects them
w/o any message.
I use MySQL i tried to add DEFAULT as user name in rad reply but that did
not help :(
Hope some one can help me?

TNX

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-27 Thread Alex M
Yes that helped =)
Thank you!

2009/12/27 zhongwei feng feng...@gmail.com

 hi ,

try to exchange sequence?


 
 if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
     # set the message first, then reject
     update reply {
         Reply-Message := "Hello Hello Hello"
     }

     reject
 }
 


Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-26 Thread Alex M
Ok, I'm still having trouble with this. Here is my code:


if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
    reject

    update reply {
        Reply-Message = "Hello Hello Hello"
    }
}


The problem is that I don't see the Reply Message... I see other one that i
got from the Usergroup. My user is the member of default user group that
sends reply message to every one saying that Username is incorrect that is
my way to output the message where Username  Password (Probably there
should be a better way to do that and maybe that is a problem) but that what
i have now.
So that message is getting outputted even though the mac address is
banned

Here is copy of my output..

Hope you can help me out?
TNX

===

rad_recv: Access-Request packet from host x4.xxx.74.xxx port 62760, id=111,
length=139
NAS-IP-Address = 192.168.0.104
NAS-Identifier = xxx.com
User-Name = alexus7
User-Password = open
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 5
Framed-IP-Address = 192.168.1.199
Called-Station-Id = 00:0d:b9:06:xx:xx
Calling-Station-Id = 00:0b:6a:29:xx:xx
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = alexus7, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} - alexus7
[sql] sql_set_user escaped user -- 'alexus7'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
- SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'alexus7'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'alexus7'   ORDER BY id
WARNING: Found User-Password == 
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
- SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = 'alexus7'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'alexus7'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username =
'alexus7'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM
radusergroup   WHERE username = 'alexus7'   ORDER BY
priority
[sql]   expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'Ban'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname = 'Ban'
ORDER BY id
[sql]   expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'All'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname = 'All'
ORDER BY id
[sql] User found in group All
[sql]   expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id - SELECT id, groupname,
attribute,   value, op   FROM radgroupreply   WHERE
groupname = 'All'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname = 'All'
ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++? if (Calling-Station-Id == %{sql: SELECT mac FROM `lrc_banlist` WHERE
mac='%{Calling-Station-Id}'})
sql_xlat
expand: %{User-Name} - alexus7
sql_set_user escaped user -- 'alexus7'
expand:  SELECT mac FROM `lrc_banlist` WHERE

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-26 Thread Alex M
As suggested I just tried to replace  operator = with := and even with ==
but reply message is not getting outputted :(
Maybe I'm missing something?

if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
    reject

    update reply {
        Reply-Message := "Hello Hello Hello"
    }
}

On Sat, Dec 26, 2009 at 12:08 PM, Alex M freerad...@lrcommunications.net wrote:

 lol true! I always use that one for reply messages... i guess i was too
 sleepy last night :(
 Thank you!


 On Sat, Dec 26, 2009 at 11:19 AM, Arran Cudbard-Bell 
 a.cudbard-b...@sussex.ac.uk wrote:

 On 26/12/2009 08:05, Alex M wrote:
  Ok I still having trouble with this. Here is  my code:
 
 
 
  if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` WHERE mac='%{Calling-Station-Id}'}") {
      reject

      update reply {
          Reply-Message = "Hello Hello Hello"
      }
  }

 Wrong operator.

 You want := to overwrite the attribute value that already exists...

 update reply {
     Reply-Message := "Hello Hello Hello"
 }




Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-26 Thread Alex M
that worked well!
thank you
I guess once reject is sent there is no further processing of the code.


On Sat, Dec 26, 2009 at 1:16 PM, Arran Cudbard-Bell 
a.cudbard-b...@sussex.ac.uk wrote:

  On 26/12/2009 10:11, Alex M wrote:

 As suggested I just tried to replace  operator = with := and even with ==
 but reply message is not getting outputted :(
 Maybe I'm missing something?

 Try moving the reject to after the update stanza. I think a return code of
 reject stops the server processing the current section.

 -Arran

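
The two problems worked through in this thread (the `=` versus `:=` operator, and `reject` placed before the `update` stanza) can be seen side by side in a small Python model. This is an added illustration, not FreeRADIUS code and not something posted by the list members; the in-memory sqlite table, the sample MAC, the group Reply-Message text and all function names are constructed for the example.

```python
import sqlite3

BAN_MSG = "Hello Hello Hello"                             # text used in the thread
GROUP_REPLY = {"Reply-Message": "Username is incorrect"}  # constructed group reply
BANNED_MAC = "00:0b:6a:29:00:01"                          # constructed sample MAC


def make_db():
    """In-memory stand-in for the MySQL ban table (one column, mac)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lrc_banlist (mac TEXT PRIMARY KEY)")
    db.execute("INSERT INTO lrc_banlist VALUES (?)", (BANNED_MAC,))
    return db


def xlat_sql(db, mac):
    """Model of %{sql: SELECT mac ... WHERE mac='...'}: the first column of
    the first row, or an empty string when no row matches."""
    row = db.execute("SELECT mac FROM lrc_banlist WHERE mac = ?", (mac,)).fetchone()
    return row[0] if row else ""


def update(attrs, name, op, value):
    """The two unlang update operators that appear in the thread."""
    if op == "=":        # add only if no attribute of that name exists yet
        attrs.setdefault(name, value)
    elif op == ":=":     # add, replacing any existing value
        attrs[name] = value
    else:
        raise ValueError("operator not modelled: " + op)


def run_block(steps, reply):
    """Run the statements inside the if-block in order. 'reject' returns
    immediately, so nothing written after it is executed."""
    for step in steps:
        if step[0] == "reject":
            return "reject"
        _, name, op, value = step
        update(reply, name, op, value)
    return "noop"


def authorize(request, db, steps):
    """Return (outcome, Reply-Message) for one request."""
    reply = dict(GROUP_REPLY)   # the sql module has already filled the reply list
    mac = request.get("Calling-Station-Id")
    # Assumption of this model: a request without the attribute never matches.
    if mac is not None and mac == xlat_sql(db, mac):
        if run_block(steps, reply) == "reject":
            return "Access-Reject", reply.get("Reply-Message")
    return "continue", reply.get("Reply-Message")


# The orderings tried in the thread, plus "=" placed before reject for contrast.
VARIANTS = {
    "reject, then update =": [("reject",), ("update", "Reply-Message", "=", BAN_MSG)],
    "reject, then update :=": [("reject",), ("update", "Reply-Message", ":=", BAN_MSG)],
    "update =, then reject": [("update", "Reply-Message", "=", BAN_MSG), ("reject",)],
    "update :=, then reject": [("update", "Reply-Message", ":=", BAN_MSG), ("reject",)],
}


def compare(mac):
    """Evaluate every variant for one Calling-Station-Id."""
    db = make_db()
    request = {"Calling-Station-Id": mac}
    return {name: authorize(request, db, steps) for name, steps in VARIANTS.items()}


if __name__ == "__main__":
    for name, result in compare(BANNED_MAC).items():
        print(f"{name:24} -> {result}")
```

Only the last variant rejects the banned MAC with the ban text; in the other three the client is rejected but still receives the group message.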

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-25 Thread Alex M
I need to ask again for help.
So I added this code to Authorize section of Default config file it
blocks banned users well! But I need to tell them why they got banned so I
tried different ways to add Reply-Message in the logic
Nothing helped me so far...

So maybe some one can tell me how to add reply-message to this logic?

Thank you a lot and Merry Xmas



if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") {
    reject
    #reply := Your account has been disabled.
}











On Wed, Dec 16, 2009 at 4:07 PM, Alex M freerad...@lrcommunications.net wrote:

 ok fair enough =) will go dig config file...
 How can I send the reason for rejection? Just add reply command somewhere
 along the lines? Can I link reply message to the reply message associated
 with reply in groups?
 Tnx again!



 On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok al...@deployingradius.com wrote:

 Alex M wrote:
  Well i guess i'm back to my problem :(
  I tried group thing and i'm getting some strange un-constant results :(
 
  Can some one tell me how the logic works for groupcheck?

   Why?  You were given a simple solution.  I suggest trying that.
 Trying to figure out how to get groups to do what you want is a waste of
 time when you *already* have a solution.

  Alan DeKok.

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-25 Thread Alex M
o no wonder all my tries didn't work =)
Thanks a lot!

On Fri, Dec 25, 2009 at 7:10 PM, t...@kalik.net wrote:

  I need to ask again for help.
  So I added this code to Authorize section of Default config file it
  blocks banned users well! But I need to tell them why they got banned so I
  tried different ways to add Reply-Message in the logic
  Nothing helped me so far...
 
  So maybe some one can tell me how to add reply-message to this logic?
 
  Thank you a lot and Merry Xmas
 
 
 
  if (Calling-Station-Id == "%{sql: SELECT mac FROM `banlist` WHERE mac='%{Calling-Station-Id}'}") {
      reject

      update reply {
          Reply-Message = "Your account has been disabled."
      }

      #reply := Your account has been disabled.
  }


 Ivan Kalik


Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-16 Thread Alex M
ok fair enough =) will go dig config file...
How can I send the reason for rejection? Just add reply command somewhere
along the lines? Can I link reply message to the reply message associated
with reply in groups?
Tnx again!


On Wed, Dec 16, 2009 at 3:25 AM, Alan DeKok al...@deployingradius.com wrote:

 Alex M wrote:
  Well i guess i'm back to my problem :(
  I tried group thing and i'm getting some strange un-constant results :(
 
  Can some one tell me how the logic works for groupcheck?

   Why?  You were given a simple solution.  I suggest trying that.
 Trying to figure out how to get groups to do what you want is a waste of
 time when you *already* have a solution.

  Alan DeKok.

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-15 Thread Alex M
wow... i managed to make it work w/ groups but i like your way better =)
Thank you!

On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok al...@deployingradius.com wrote:

 Alex M wrote:
  Hey all, i'm coming back here w/ my old question of how to reject users
  based on their MAC address... but now im running FR 2.x.x
 
  So, we have trial access for free, and some people figured that they can
  re-register new accounts for trial all over again and have fun this way.
  Well thats not fun for us so we trying to figure out what we can do to
  reject request from their machines no matter what name they put in. So
  maybe some one can help me out here.

   Create a table called blocked MACs, and put the MAC addresses in
 there.  Then, in the authorize section, do:

  if (Calling-Station-Id == %{sql: SELECT }) {
  reject
  }

  Fix the SQL statement to SELECT the row containing the Calling-Station-Id.

  Alan DeKok.

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-15 Thread Alex M
Well i guess i'm back to my problem :(
I tried group thing and i'm getting some strange un-constant results :(

Can some one tell me how the logic works for groupcheck?

If I have Calling-Station-Id and reply reject specified for the same user
what should happen? what if i have 100 MAC addressed entered how do we check
for that?

I had 1 MAC address entered and getting rejected well. If 1 MAC is entered
but not my MAC then im not getting rejected, yet when 2 Mac addresses
entered im getting rejected regardless of my mac address. (My ban group has
priority of 1)

I would love to solve my problem w/ groups so I don't have to edit radius
config files,,, but if im getting this strange results or if its not possible
i'm more or less ok w. adding more settings to configs...


Thanks for helping me out!





On Tue, Dec 15, 2009 at 2:41 PM, Alex M freerad...@lrcommunications.net wrote:

 wow... i managed to make it work w/ groups but i like your way better =)
 Thank you!


 On Tue, Dec 15, 2009 at 2:36 AM, Alan DeKok al...@deployingradius.com wrote:

 Alex M wrote:
  Hey all, i'm coming back here w/ my old question of how to reject users
  based on their MAC address... but now im running FR 2.x.x
 
  So, we have trial access for free, and some people figured that they can
  re-register new accounts for trial all over again and have fun this way.
  Well thats not fun for us so we trying to figure out what we can do to
  reject request from their machines no matter what name they put in. So
  maybe some one can help me out here.

   Create a table called blocked MACs, and put the MAC addresses in
 there.  Then, in the authorize section, do:

  if (Calling-Station-Id == %{sql: SELECT }) {
  reject
  }

  Fix the SQL statement to SELECT the row containing the
 Calling-Station-Id.

  Alan DeKok.

Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-14 Thread Alex M
Hey all, i'm coming back here w/ my old question of how to reject users
based on their MAC address... but now im running FR 2.x.x

So, we have trial access for free, and some people figured that they can
re-register new accounts for trial all over again and have fun this way.
Well thats not fun for us so we trying to figure out what we can do to
reject request from their machines no matter what name they put in. So maybe
some one can help me out here.

Here is what I tried:

*radusergroup* (username, groupname, priority)
all user-names registered Ban 
Test_User Home 1

*radgroupcheck* (groupname, attribute, op, value)
Ban Calling-Station-Id == 00:0b:6a:xx:xx:xx
Ban Reply-Message == You have been banned
Ban Auth-Type := Reject

*radcheck* (username, attribute, op, value)
Test_User password == letmein


So far that didn't work at all... I tried changing priority but no matter what
I do the user still authorized to enter the network. I'm sure I did
something wrong but im not sure what?
So maybe some one can help me out?
Thanks a lot!

Re: Clear Text PAP passwords - how to enable

2009-10-20 Thread Alex M
user password i guess is same as System?

On Mon, Oct 19, 2009 at 11:49 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

  But I still got small problem, when i run in the debug mode i saw this
  warning. I'm not fully sure what it asks me to do? Any advice on this?

 its fairly clear isnt it? the error is written very clearly. follow
 the advice.

  !!! Please update your configuration so that the known good
  !!! clear text password is in Cleartext-Password, and not in
 User-Password.

 somewhere in your config you are matching against 'User-Password'.
 change that attribute to 'Cleartext-Password'

 alan

Re: Clear Text PAP passwords - how to enable

2009-10-19 Thread Alex M
ok now since i know where authorize and authenticate and accounting modules
went i feel much better =)

But I still got small problem, when i run in the debug mode i saw this
warning. I'm not fully sure what it asks me to do? Any advice on this?

++[pap] returns updated
Found Auth-Type = PAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password.
!!!
!!!
!!! Please update your configuration so that the known good
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!
+- entering group PAP {...}
[pap] login attempt with password 
[pap] Using clear text password 
[pap] User authenticated successfully
++[pap] returns ok



Thanks a lot for helping!





On Mon, Oct 19, 2009 at 7:03 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
  My SQL include and module authorization is enabled in instantiate section
  Im not 100% sure what virtual server do in new radius.
 
  I guess you are probably right about that fact that my radius is not
  accessing SQL to see the users there,.. so since my Include is enabled i
  guess i need to figure out what those virtual servers are and how to use
  them

 you need to ensure that 'sql' is listed in the correct section - eg
 in the authenticate section - see the files and comments in config files.

 alan

Re: Clear Text PAP passwords - how to enable

2009-10-18 Thread Alex M
Password is in SQL table radcheck
Also will take a look at that FAQ

I know i had  the same problem w. FR 1.5 and there I just had to take out
DEFAULT Auth-Type: system so that we don't look for system password but I
didnt find anything like that on FR 2




On Sun, Oct 18, 2009 at 10:43 AM, Ivan Kalik t...@kalik.net wrote:

  hey all
  we keep upgrading FR servers and i got stuck with problem where I need
 PAP
  (I think) well i need clear text password and its not working for my
 user.
  When i send request through NTRAdping w/ CHAP all works well but when I'm
  using device as NAS nothing works :(
 
  I hope some one can point me out in right direction. Here is my output:

 Where is password supposed to be? It wasn't found in users (files) or
 system (unix) file.


Re: Clear Text PAP passwords - how to enable

2009-10-18 Thread Alex M
My SQL include and module authorization is enabled in instantiate section
Im not 100% sure what virtual server do in new radius.

I guess you are probably right about that fact that my radius is not
accessing SQL to see the users there,.. so since my Include is enabled i
guess i need to figure out what those virtual servers are and how to use
them

tnx for helping!

On Sun, Oct 18, 2009 at 5:04 PM, Ivan Kalik t...@kalik.net wrote:

 Sql is not enabled in 2.x by default. Enable INCLUDE in radiusd.conf and
 sql entries you need in default virtual server
 (raddb/sites-enabled/default).

 Ivan Kalik
 Kalik Informatika ISP

  Password is in SQL table radcheck
  Also will take a look at that FAQ
 
  I know i had  the same problem w. FR 1.5 and there I just had to take out
  DEFAULT Auth-Type: system so that we don't look for system password but I
  didnt find anything like that on FR 2
 
 
 
 
  On Sun, Oct 18, 2009 at 10:43 AM, Ivan Kalik t...@kalik.net wrote:
 
   hey all
   we keep upgrading FR servers and i got stuck with problem where I need
  PAP
   (I think) well i need clear text password and its not working for my
  user.
   When i send request through NTRAdping w/ CHAP all works well but when
  I'm
   using device as NAS nothing works :(
  
   I hope some one can point me out in right direction. Here is my
  output:
 
  Where is password supposed to be? It wasn't found in users (files) or
  system (unix) file.
 

Clear Text PAP passwords - how to enable

2009-10-17 Thread Alex M
hey all
we keep upgrading FR servers and i got stuck with problem where I need PAP
(I think) well i need clear text password and its not working for my user.
When i send request through NTRAdping w/ CHAP all works well but when I'm
using device as NAS nothing works :(

I hope some one can point me out in right direction. Here is my output:





rad_recv: Access-Request packet from host XXX.XXX.XXX.11 port 64094, id=152,
length=136
NAS-IP-Address = 192.168.0.112
NAS-Identifier = XXX.XXX.com
User-Name = alex
User-Password = mypass
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 0
Framed-IP-Address = 192.168.2.254
Called-Station-Id = 00:0d:b9:XX:XX:XX
Calling-Station-Id = 00:0e:35:XX:XX:XX
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = alex, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - alex
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 152 to XXX.XXX.XXX.11 port 64094
Waking up in 4.9 seconds.
Cleaning up request 1 ID 152 with timestamp +827
Ready to process requests.
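
A `radiusd -X` trace like the one in this post can be read mechanically: which modules ran in `authorize`, what each returned, and what the server finally sent. The Python below is an added example, not code from the thread or from FreeRADIUS; the sample trace is constructed in the format of the output above, and the function names and the default of `sql` as the expected user store are assumptions.

```python
import re

# Constructed sample: a shortened trace in the format of the post above.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.11 port 64094, id=152, length=136
\tUser-Name = "alex"
\tUser-Password = "mypass"
\tCalling-Station-Id = "00:0e:35:00:00:01"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[unix] returns notfound
++[files] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 152 to 192.0.2.11 port 64094
"""

SECTION_RE = re.compile(r"^\+- entering group (\S+)")
RCODE_RE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)")
SEND_RE = re.compile(r"^Sending (Access-\w+)")
# Attribute lines of the request; values may or may not be quoted.
ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*) = "?(.*?)"?\s*$')


def parse_trace(text):
    """Split one request's debug output into attributes, per-section
    module return codes, warnings and the packet finally sent."""
    trace = {"attrs": {}, "sections": {}, "warnings": [], "result": None}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            trace["sections"].setdefault(section, [])
            continue
        m = RCODE_RE.match(line)
        if m and section:
            trace["sections"][section].append((m.group(1), m.group(2)))
            continue
        m = SEND_RE.match(line)
        if m:
            trace["result"] = m.group(1)
            continue
        if "WARNING" in line:
            trace["warnings"].append(line.strip())
            continue
        m = ATTR_RE.match(line)
        if m and section is None:      # request attributes come before any section
            trace["attrs"][m.group(1)] = m.group(2)
    return trace


def diagnose(trace, expected_store="sql"):
    """Return human-readable findings for a parsed trace."""
    findings = []
    called = [mod for mod, _ in trace["sections"].get("authorize", [])]
    if expected_store not in called:
        findings.append(f"{expected_store} was never called in authorize "
                        f"(modules run: {', '.join(called)})")
    if any("No known good password" in w for w in trace["warnings"]):
        findings.append("pap had no known good password to compare against")
    if "User-Password" in trace["attrs"]:
        findings.append("trace contains a cleartext User-Password; redact before sharing")
    return findings


def redact(text):
    """Mask password values so the trace can be posted to a public list."""
    text = re.sub(r"(User-Password = ).*", r'\1"<redacted>"', text)
    return re.sub(r"(\[pap\] .*password ).*", r"\1<redacted>", text)


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_DEBUG)
    print(parsed["result"], parsed["sections"]["authorize"])
    for finding in diagnose(parsed):
        print("-", finding)
```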

Re: New install does not respond to requests

2009-09-29 Thread Alex M
ok so I added sql in instantiate section and it start loading NAS table as
i even saw my NAS ip.
Now im getting error on startup that crashes the server:

=
Failed binding to authentication address * port 1812: Address already in use
/usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0
port 1812
=

what could this be?




On Tue, Sep 29, 2009 at 4:33 AM, Ivan Kalik t...@kalik.net wrote:

  So i dont even see any access to my database at all, i see that SQL
 config
  is loaded but no request
  Do i have to add any parameters when compiling the code so that we have
  support of network functionality?

 No, but you need to list sql *somewhere* in order for it to be used. If
 you don't want to use it in AAA (ie. you don't want to use it in virtual
 servers) list it in instantiate section of radiusd.conf.

 Ivan Kalik
 Kalik Informatika ISP


Re: New install does not respond to requests

2009-09-29 Thread Alex M
dude why cant it just say that like all other programs do that Instance of
the server is already running?

On Tue, Sep 29, 2009 at 12:47 PM, John Dennis jden...@redhat.com wrote:

 On 09/29/2009 12:26 PM, Alex M wrote:

 ok so I added sql in instantiate section and it start loading NAS
 table as i even saw my NAS ip.
 Now im getting error on startup that crashes the server:

 =
 Failed binding to authentication address * port 1812: Address already in
 use
 /usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for
 0.0.0.0 port 1812
 =

 what could this be?


 You should be able to diagnose this yourself.

 Do you know what port 1812 is for? Go look it up and then ask yourself
 under what circumstances might port 1812 already be in use. Then fix that
 problem.

 --
 John Dennis jden...@redhat.com


New install does not respond to requests

2009-09-28 Thread Alex M
hey all
we just upgraded from 1.x.x to latest version of FreeRadius
unfortunately its aint working :( well i see config files have changed
dramatically so maybe i did something wrong.

What we did we installed everything, unquoted SQL module in radiusd.conf
add proper MySQL info

When i start in -X mode i don't see any errors but the half of the log is
cut off (i guess output is too long)
When I send request i'm getting response that client is unknown. (I did add
nas info in the nas table)

I figure that SQL statements are not executed but how can i debug that?

In sql config i enabled detailed output but it still does not show anything.
I  guess i'm doing something wrong and I hope i can get some help here?
Thanks a lot!

Re: New install does not respond to requests

2009-09-28 Thread Alex M
Ok readclients was not enabled :(
Still enabling that did not help. (I did restart the server after enabling
it ;-)

How do I output screen to file? I tried radiusd -X radius_log.txt but that
just didn't execute anything :(



tnx for helping

On Mon, Sep 28, 2009 at 6:03 PM, Ivan Kalik t...@kalik.net wrote:

  When i start in -X mode i don't see any errors but the half of the log is
  cut off (i guess output is too long)

 So send the output to a file.

  When I send request i'm getting response that client is unknown. (I did
  add
  nas info in the nas table)

 Did you enable readclients in sql.conf?

  I figure that SQL statements are not executed but how can i debug that?

 radiusd -X. It will show which clients are read from the nas table.

 Ivan Kalik
 Kalik Informatika ISP


Re: New install does not respond to requests

2009-09-28 Thread Alex M
So i dont even see any access to my database at all, i see that SQL config
is loaded but no request
Do i have to add any parameters when compiling the code so that we have
support of network functionality?

TNX a lot!

On Mon, Sep 28, 2009 at 7:26 PM, Alex M freerad...@lrcommunications.net wrote:

 tee worked =) tnx
 still no luck, not even errors, i mean i got output dump, but there is no
 trace of requesting MySQL or having an error loading my sql
 below is the output.

 PS: im not good in linux or freeradius but the only way to become better is
 try it and ask question otherwise i keep sucking =)
 



 FreeRADIUS Version 2.1.7, for host i686-pc-linux-gnu, built on Sep 26 2009
 at 17:24:15
 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the
 GNU General Public License v2.
 Starting - reading configuration files ...
 including configuration file /usr/local/etc/raddb/radiusd.conf
 including configuration file /usr/local/etc/raddb/proxy.conf
 including configuration file /usr/local/etc/raddb/clients.conf
 including files in directory /usr/local/etc/raddb/modules/
 including configuration file /usr/local/etc/raddb/modules/acct_unique
 including configuration file /usr/local/etc/raddb/modules/expiration
 including configuration file /usr/local/etc/raddb/modules/krb5
 including configuration file /usr/local/etc/raddb/modules/echo
 including configuration file /usr/local/etc/raddb/modules/otp
 including configuration file /usr/local/etc/raddb/modules/realm
 including configuration file /usr/local/etc/raddb/modules/sradutmp
 including configuration file /usr/local/etc/raddb/modules/digest
 including configuration file /usr/local/etc/raddb/modules/ldap
 including configuration file /usr/local/etc/raddb/modules/chap
 including configuration file /usr/local/etc/raddb/modules/always
 including configuration file /usr/local/etc/raddb/modules/mac2vlan
 including configuration file /usr/local/etc/raddb/modules/expr
 including configuration file /usr/local/etc/raddb/modules/preprocess
 including configuration file /usr/local/etc/raddb/modules/mschap
 including configuration file /usr/local/etc/raddb/modules/policy
 including configuration file /usr/local/etc/raddb/modules/
 detail.example.com
 including configuration file /usr/local/etc/raddb/modules/detail
 including configuration file /usr/local/etc/raddb/modules/inner-eap
 including configuration file /usr/local/etc/raddb/modules/exec
 including configuration file
 /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
 including configuration file /usr/local/etc/raddb/modules/mac2ip
 including configuration file /usr/local/etc/raddb/modules/radutmp
 including configuration file /usr/local/etc/raddb/modules/logintime
 including configuration file /usr/local/etc/raddb/modules/smbpasswd
 including configuration file /usr/local/etc/raddb/modules/files
 including configuration file /usr/local/etc/raddb/modules/passwd
 including configuration file /usr/local/etc/raddb/modules/wimax
 including configuration file /usr/local/etc/raddb/modules/sql_log
 including configuration file /usr/local/etc/raddb/modules/pam
 including configuration file /usr/local/etc/raddb/modules/smsotp
 including configuration file /usr/local/etc/raddb/modules/perl
 including configuration file /usr/local/etc/raddb/modules/ippool
 including configuration file /usr/local/etc/raddb/modules/counter
 including configuration file /usr/local/etc/raddb/modules/pap
 including configuration file /usr/local/etc/raddb/modules/unix
 including configuration file /usr/local/etc/raddb/modules/cui
 including configuration file /usr/local/etc/raddb/modules/linelog
 including configuration file /usr/local/etc/raddb/modules/attr_rewrite
 including configuration file /usr/local/etc/raddb/modules/detail.log
 including configuration file /usr/local/etc/raddb/modules/etc_group
 including configuration file /usr/local/etc/raddb/modules/attr_filter
 including configuration file /usr/local/etc/raddb/modules/checkval
 including configuration file /usr/local/etc/raddb/eap.conf
 including configuration file /usr/local/etc/raddb/sql.conf
 including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
 including configuration file /usr/local/etc/raddb/policy.conf
 including files in directory /usr/local/etc/raddb/sites-enabled/
 including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
 including configuration file /usr/local/etc/raddb/sites-enabled/default
 including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
 including dictionary file /usr/local/etc/raddb/dictionary
 main {
 prefix = /usr/local
 localstatedir = /usr/local/var
 logdir = /usr/local/var/log/radius
 libdir = /usr/local/lib
 radacctdir = /usr/local/var/log/radius/radacct

Re: Reject user by Calling-Station-Id

2009-02-07 Thread Alex M
will do
here is the thing... I did all that was suggested and tested on my comps and
got rejections if my username belongs to an SQL group that has a reject reply, or I
was able to block myself by MAC address. Well, I just looked at the log and
I see that 2 users that are blocked by both MAC and username managed to sneak onto
the network. I personally can't imagine how that happened... what's more, what
I can't imagine is how to debug that.

Any recommendations?

tnx!

On Sat, Feb 7, 2009 at 10:05 AM, t...@kalik.net wrote:

 ok well I guess I will do manual replies for each user :(
 
 So FreeRADIUS 2.x has taken care of my problem and I actually can use SQL
 to control everything?
 

 Read man unlang on freeradius site and you will see how much more you can
 do in 2.x.

 Ivan Kalik
 Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
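
One way to approach the "how to debug that" question in the message above, as an added example that is not part of the original thread: scan radius.log for accepted logins whose Calling-Station-Id is on the block list. It assumes auth logging is enabled and that accepts are logged as `Login OK: [user] (from client ... port ... cli ...)`, in the same bracketed form as the `No huntgroup access` line in the thread's debug output; the log lines, MAC addresses and function names are constructed for the example, and `==` in the block rule is assumed to be a literal string comparison.

```python
import re
from collections import namedtuple

# Constructed sample in radius.log style; the "(from client ... port ... cli ...)"
# suffix follows the "No huntgroup access" line shown in the thread's debug output.
SAMPLE_LOG = """\
Sat Feb  7 09:10:02 2009 : Auth: No huntgroup access: [alexus] (from client home_segment port 1 cli 00:0b:6a:aa:bb:01)
Sat Feb  7 09:14:40 2009 : Auth: Login OK: [trial77] (from client home_segment port 1 cli 00-0B-6A-AA-BB-01)
Sat Feb  7 09:15:11 2009 : Auth: Login OK: [homepc] (from client home_segment port 1 cli 00:0b:6a:aa:bb:02)
Sat Feb  7 09:20:05 2009 : Auth: Login OK: [guest9] (from client home_segment port 2 cli 000b.6aaa.bb03)
Sat Feb  7 09:21:30 2009 : Auth: Login incorrect: [guest9] (from client home_segment port 2 cli 000b.6aaa.bb03)
Sat Feb  7 09:25:00 2009 : Auth: Login OK: [walkin] (from client home_segment port 3)
Sat Feb  7 09:31:12 2009 : Auth: Login OK: [freerider] (from client home_segment port 1 cli 00:0b:6a:aa:bb:01)
"""

# Constructed block list, written exactly as it would appear in the block rule.
BLOCKED_MACS = ["00:0b:6a:aa:bb:01", "00:0b:6a:aa:bb:03"]

AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: (?P<result>Login OK|Login incorrect|No huntgroup access)"
    r"[^\[]*\[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^)\s]+))?\)"
)

Finding = namedtuple("Finding", "timestamp user client cli exact_match")


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for the common MAC notations, or None."""
    compact = re.sub(r"[:.\-]", "", value or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", compact):
        return None
    compact = compact.lower()
    return ":".join(compact[i:i + 2] for i in range(0, 12, 2))


def audit_accepts(log_text, blocked):
    """Return (findings, accepts_without_cli).

    findings: accepted logins whose Calling-Station-Id is on the block list
    once notation is normalized. exact_match tells the two failure modes apart:
      True  -> the NAS sent the same string as the rule, so the rule was not
               evaluated for this request (ordering, or module not reached)
      False -> the NAS sent another notation than the rule holds
    accepts_without_cli: users accepted with no Calling-Station-Id at all,
    which a MAC-based rule can never match.
    """
    blocked_exact = set(blocked)
    blocked_norm = {normalize_mac(mac) for mac in blocked} - {None}
    findings, no_cli = [], []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if m is None or m.group("result") != "Login OK":
            continue
        cli = m.group("cli")
        if cli is None:
            no_cli.append(m.group("user"))
            continue
        if normalize_mac(cli) in blocked_norm:
            findings.append(Finding(m.group("ts"), m.group("user"),
                                    m.group("client"), cli, cli in blocked_exact))
    return findings, no_cli


if __name__ == "__main__":
    found, without_cli = audit_accepts(SAMPLE_LOG, BLOCKED_MACS)
    for f in found:
        reason = ("rule was not evaluated for this request" if f.exact_match
                  else "NAS sent a different MAC notation than the rule")
        print(f"{f.timestamp}  {f.user:<10} {f.cli:<18} {reason}")
    for user in without_cli:
        print(f"accepted without Calling-Station-Id: {user}")
```

Each finding can then be matched against the `radiusd -X` output for the same request to see which module returned before the block rule was reached.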

Re: Reject user by Calling-Station-Id

2009-02-06 Thread Alex M
yey that seems to work, but still getting one problem.
So the comp gets blocked regardless of username, but the Reply-Message from
the blocked table is not being displayed. So I have the blocked huntgroup name
and I have SQL group: Deny_Trial that sends Reply-Message + Reject for all
its members (which works fine if I assign a user to that group)

Here is my debug:

rad_recv: Access-Request packet from host xxx.147.xxx.xxx:60365, id=125,
length=138
NAS-IP-Address = xxx.147.xxx.xxx
NAS-Identifier = domain.com
User-Name = alexus
User-Password = 
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 1
Framed-IP-Address = 192.168.1.244
Called-Station-Id = 00:0d:b9:xx:xx:xx
Calling-Station-Id = 00:0b:6a:xx:xx:xx
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_sql (sql): - sql_groupcmp
radius_xlat:  'alexus'
rlm_sql (sql): sql_set_user escaped user -- 'alexus'
radius_xlat:  'SELECT GroupName FROM usergroup WHERE UserName='alexus''
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE
UserName='alexus'
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): - sql_groupcmp finished: User does not belong in group
Deny_Trial
No huntgroup access: [alexus] (from client home_segment port 1 cli
00:0b:6a:xx:xx:xx)
  modcall[authorize]: module preprocess returns reject for request 2
modcall: leaving group authorize (returns reject) for request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 125 to xxx.147.xxx.xxx port 60365
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 125 with timestamp 498cd334
Nothing to do.  Sleeping until we see a request.



2009/1/31 t...@kalik.net

 Here is a trick from the old days:

 Create a huntgroup like:

 blocked   Calling-Station-Id == whatever
   SQL-Group == suspend

 Where suspend is the group with Auth-Type := Reject in it. That will block
 him if he is in suspend group or not (only the message in radius.log
 will be different). It means using huntgroups file and restart for each
 change to it but if it's only 3 users ...

 Ivan Kalik
 Kalik Informatika ISP



 On 31/1/2009, Alex M freerad...@lrcommunications.net wrote:

 damn, upgrade will be painful for me :(
 I guess I will try to use other means to block misbehaving users. At least
 we got only 3 people who try to free ride.
 
 thanks for help
 
 2009/1/31 t...@kalik.net
 
  Ah, sql groups don't work properly in 1.x. Upgrade.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 31/1/2009, Alex M freerad...@lrcommunications.net wrote:
 
  I guess it's different in newer version of radius but in my 1.5 the only
  table that has PRIO is radgroupreply
  
  and there is table radusergroup instead there is a group called usergroup.
  
  I'm getting frustrated. :(
  
  On Fri, Jan 30, 2009 at 7:32 PM, t...@kalik.net wrote:
  
   Tried that...
   now I'm getting all users rejected regardless of MAC address in the given
   group :(
  
   That shouldn't happen. Post the debug.
  
   How do I set priorities?
  
   You have priority field in radusergroup table.
  
   I thought priorities only apply to radreply.
  
   There are no priorities in radreply.
  
   
   Do I have to set fall through?
   
  
   No.
  
   Ivan Kalik
   Kalik Informatika ISP
  

Re: Reject user by Calling-Station-Id

2009-02-06 Thread Alex M
ok well I guess I will do manual replies for each user :(

So FreeRADIUS 2.x has taken care of my problem and I actually can use SQL
to control everything?

On Fri, Feb 6, 2009 at 8:07 PM, t...@kalik.net wrote:

 yey that seems to work, but still getting one problem.
 So the comp gets blocked regardless of username, but the Reply-Message from
 the blocked table is not being displayed. So I have the blocked huntgroup name
 and I have SQL group: Deny_Trial that sends Reply-Message + Reject for all
 its members (which works fine if I assign a user to that group)
 

 I am afraid that sql group is just a gimmick. As you have noticed user
 doesn't have to be a member of it to get rejected. It doesn't even
 have to exist. It's a trick to get something done, not a proper policy.

 You can send replies for individual macs:

 DEFAULT   Calling-Station-Id == whatever
 Reply-Message = Naughty boy

 Ivan Kalik
 Kalik Informatika ISP


Re: Reject user by Calling-Station-Id

2009-01-31 Thread Alex M
damn, upgrade will be painful for me :(
I guess I will try to use other means to block misbehaving users. At least
we got only 3 people who try to free ride.

thanks for help

2009/1/31 t...@kalik.net

 Ah, sql groups don't work properly in 1.x. Upgrade.

 Ivan Kalik
 Kalik Informatika ISP


 On 31/1/2009, Alex M freerad...@lrcommunications.net wrote:

 I guess it's different in newer version of radius but in my 1.5 the only
 table that has PRIO is radgroupreply
 
 and there is table radusergroup instead there is a group called usergroup.
 
 I'm getting frustrated. :(
 
 On Fri, Jan 30, 2009 at 7:32 PM, t...@kalik.net wrote:
 
  Tried that...
  now I'm getting all users rejected regardless of MAC address in the given
  group :(
 
  That shouldn't happen. Post the debug.
 
  How do I set priorities?
 
  You have priority field in radusergroup table.
 
  I thought priorities only apply to radreply.
 
  There are no priorities in radreply.
 
  
  Do I have to set fall through?
  
 
  No.
 
  Ivan Kalik
  Kalik Informatika ISP
 

Re: reply message to rejected users

2009-01-30 Thread Alex M
well I found that option in my config file but I can't find documentation in
man :(
How do I implement with MySQL?
Thanks for help!

On Fri, Jan 30, 2009 at 5:05 AM, Alan DeKok al...@deployingradius.com wrote:

 Alex M wrote:
  I'm trying to display a reply message to users whose passwords get rejected.
  So I set up the group and added my test user there. Then I went to the
  groupreply table and added the reply message there.
  Now when I do my testing, if the password is ok the message is displayed BUT
  if the password is incorrect the message is not displayed.

  Read raddb/sites-available/default.  Look in the post-auth section
 for the Post-Auth-Type Reject subsection.

  Alan DeKok.

Re: Reject user by Calling-Station-Id

2009-01-30 Thread Alex M
Hi, I just tried to add the following (as advised) into my radcheck table in
MySQL:

UserName: DEFAULT
Attribute: Calling-Station-Id
op: ==
Value: 00:0b:6a:xx:xx:xx, Auth-Type := Reject

And it did not work.
I guess I just cannot add a value with an operator in it, but still, how can I
reject users based on their MAC address with a MySQL-only setup? I would assume
if I do the same in the users table on the server then it should work? But I
prefer MySQL management

Please help me out

Thanks a lot!

On Tue, Jan 20, 2009 at 8:34 PM, t...@kalik.net wrote:

  I'm using MySQL to store all configs. I want to reject some computers by
 their MAC address (Calling-Station-Id). Ex: one user keeps creating new
 usernames to avoid administrative actions, so I got bored playing Tom and
 Jerry with him and I just want to ban his MAC address regardless of what
 username he/she would use. I hope that is doable. Could someone point me
 in the right direction here?

 DEFAULT   Calling-Station-Id == whatever, Auth-Type := Reject

 Ivan Kalik
 Kalik Informatika ISP


Re: Reject user by Calling-Station-Id

2009-01-30 Thread Alex M
Tried that...
now I'm getting all users rejected regardless of MAC address in the given
group :(
How do I set priorities? I thought priorities only apply to radreply.

Do I have to set fall through?

Or maybe i did something wrong?



On Fri, Jan 30, 2009 at 5:45 PM, t...@kalik.net wrote:

 Hi, I just tried to add the following (as advised) into my radcheck table in
 MySQL:
 
 UserName: DEFAULT
 Attribute: Calling-Station-Id
 op: ==
 Value: 00:0b:6a:xx:xx:xx, Auth-Type := Reject
 
 And it did not work.
 I guess I just cannot add a value with an operator in it, but still, how can I
 reject users based on their MAC address with a MySQL-only setup? I would
 assume if I do the same in the users table on the server then it should work?
 But I prefer MySQL management

 OK, use groups then. For group ban put:

 Calling-Station-Id == 00:0b:6a:xx:xx:xx and Auth-Type := Reject in
 radgroupcheck table

 you can also add Reply-Message = Oh, no, you won't! in radgroupreply (I
 see you are asking about reply message for rejected users as well)

 add all users to group ban with low priority.

 Ivan Kalik
 Kalik Informatika ISP


Re: Reject user by Calling-Station-Id

2009-01-30 Thread Alex M
I guess it's different in newer version of radius but in my 1.5 the only
table that has PRIO is radgroupreply

and there is table radusergroup instead there is a group called usergroup.

I'm getting frustrated. :(

On Fri, Jan 30, 2009 at 7:32 PM, t...@kalik.net wrote:

 Tried that...
 now I'm getting all users rejected regardless of MAC address in the given
 group :(

 That shouldn't happen. Post the debug.

 How do I set priorities?

 You have priority field in radusergroup table.

 I thought priorities only apply to radreply.

 There are no priorities in radreply.

 
 Do I have to set fall through?
 

 No.

 Ivan Kalik
 Kalik Informatika ISP


reply message to rejected users

2009-01-29 Thread Alex M
I'm trying to display a reply message to users whose passwords get rejected.
So I set up the group and added my test user there. Then I went to the groupreply
table and added the reply message there.
Now when I do my testing, if the password is ok the message is displayed BUT if
the password is incorrect the message is not displayed.

I'm sure I did something wrong. So the question is: how do I display a message
to the user if their username gets rejected for any reason?

thanks for help!

allow Clear Text passwords

2009-01-26 Thread Alex M
Hey all,
My NAS sends only clear text passwords and FreeRADIUS seems to expect CHAP
passwords instead...
How can I configure FR to accept clear text passwords?
Thanks a lot!

PS: My current default auth-type = system... I tried local but that did not
help :(

Re: allow Clear Text passwords

2009-01-26 Thread Alex M
ok here is the debug info. Note: there is an SQL error which is not a
problem... that's a bug in MySQL so it will only open a connection from the second
request. Also, when I use the same combination under radius ping with CHAP
all works good, but w/o CHAP nothing works

rad_recv: Access-Request packet from host xxx.147.xxx.xxx:61750, id=154,
length=138
NAS-IP-Address = xxx.147.xxx.xxx
NAS-Identifier = 51.wireless.com
User-Name = homepc
User-Password = test
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 1
Framed-IP-Address = 192.168.1.244
Called-Station-Id = 00:0d:b9:xx:xx:xx
Calling-Station-Id = 00:0b:6a:xx:xx:xx
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = homepc, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 153
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  'homepc'
rlm_sql (sql): sql_set_user escaped user -- 'homepc'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'homepc'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radcheck   WHERE Username = 'homepc'   ORDER BY id
rlm_sql_mysql: MYSQL check_error: 2013, returning SQL_DOWN
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radcheck   WHERE Username = 'homepc'   ORDER BY id
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'homepc' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'homepc' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'homepc'   ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radreply   WHERE Username = 'homepc'   ORDER BY id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'homepc' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'homepc' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 154 to 24.47.133.215 port 61750
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 154 with timestamp 497e16b5
Nothing to do.  Sleeping until we see a request.

Re: allow Clear Text passwords

2009-01-26 Thread Alex M
I'm using 1.5
(for some reason could not install 2.x)
Ok let me see if I can enable PAP



On Mon, Jan 26, 2009 at 3:20 PM, t...@kalik.net wrote:

 ok here is the debug info. Note: there is an SQL error which is not a
 problem... that's a bug in MySQL so it will only open a connection from the second
 request. Also, when I use the same combination under radius ping with CHAP
 all works good, but w/o CHAP nothing works
 

 What freeradius version is this? It looks old.

 ..
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 ..
   modcall[authorize]: module suffix returns noop for request 0
 ..
   modcall[authorize]: module eap returns noop for request 0
 users: Matched entry DEFAULT at line 153
   modcall[authorize]: module files returns ok for request 0

 You have been told to remove Auth-Type System.  It's still there.

 ..
   modcall[authorize]: module sql returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0

 pap is not listed in authorize (this *is* a pap request). List it last.

 Ivan Kalik
 Kalik Informatika iSP


Re: allow Clear Text passwords

2009-01-26 Thread Alex M
 secret is incorrect.)
Server rejecting request 2.
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 145 with timestamp 497e2a40
Nothing to do.  Sleeping until we see a request.




On Mon, Jan 26, 2009 at 3:59 PM, Alex M freerad...@lrcommunications.net wrote:

 I'm using 1.5
 (for some reason could not install 2.x)
 Ok let me see if I can enable PAP



 On Mon, Jan 26, 2009 at 3:20 PM, t...@kalik.net wrote:

 ok here is the debug info. Note: there is an SQL error which is not a
 problem... that's a bug in MySQL so it will only open a connection from the second
 request. Also, when I use the same combination under radius ping with CHAP
 all works good, but w/o CHAP nothing works
 

 What freeradius version is this? It looks old.

 ..
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 ..
   modcall[authorize]: module suffix returns noop for request 0
 ..
   modcall[authorize]: module eap returns noop for request 0
 users: Matched entry DEFAULT at line 153
   modcall[authorize]: module files returns ok for request 0

 You have been told to remove Auth-Type System.  It's still there.

 ..
   modcall[authorize]: module sql returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0

 pap is not listed in authorize (this *is* a pap request). List it last.

 Ivan Kalik
 Kalik Informatika iSP


Re: allow Clear Text passwords

2009-01-26 Thread Alex M
wow how's that possible? 8)
My NAS has support for 2 RADIUS servers, both fields are pointing to the same
location w/ same shared secret :(

I will try to reboot NAS and radius, maybe that would help

On Mon, Jan 26, 2009 at 6:39 PM, t...@kalik.net wrote:

 ok I removed the line from users stating that auth-type=system and that
 helped w/ authentication of the user... still have a small problem... under
 the same conditions I get a problem w/ accounting stating that my shared
 secret is incorrect so the accounting record is not accepted... I don't get it
 completely, especially after the user went through successfully.
 
 I double checked my shared secret and it is ok.
 

 It looks like your radius client has two shared secrets (probably two
 server settings as well) - one for authentication and one for
 accounting. One for authentication is OK, one for accounting - isn't.

 Ivan Kalik
 Kalik Informatika ISP


Reject user by Calling-Station-Id

2009-01-20 Thread Alex M
Hi,
I'm using MySQL to store all configs. I want to reject some computers by
their MAC address (Calling-Station-Id). Ex: one user keeps creating new
usernames to avoid administrative actions, so I got bored playing Tom and
Jerry with him and I just want to ban his MAC address regardless of what
username he/she would use. I hope that is doable. Could someone point me
in the right direction here?

Thanks a lot!

Prepaid Cards Setup

2008-03-28 Thread Alex M
Hey all, I think it was asked once but I can't find anything in archives. 

How can I set up a prepaid cards scenario? Basically I want to allow my users
to get access for, let's say, 30 min in total, and then I also want to have an
expiration date on the account. Can someone help me with setting this up?
Is there any module that I have to install? Tnx for help!


RE: Prepaid Cards Setup

2008-03-28 Thread Alex M
Ok thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Friday, March 28, 2008 5:50 PM
To: FreeRadius users mailing list
Subject: Re: Prepaid Cards Setup

expiration date - Expiration attribute

time limiting - counter or sqlcounter; examples in radiusd.conf and Wiki

Ivan Kalik
Kalik Informatika ISP


On 28/3/2008, Alex M [EMAIL PROTECTED] wrote:

Hey all, I think it was asked once but I can't find anything in archives.

How can I set up a prepaid cards scenario? Basically I want to allow my users
to get access for, let's say, 30 min in total, and then I also want to have an
expiration date on the account. Can someone help me with setting this up?
Is there any module that I have to install? Tnx for help!






RE: A good Open Source Billing Program For Freeradius?

2008-03-23 Thread Alex M
Ok fine will make it for free; just cover the cost of all our T1 lines for
us. 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Donny Jekels
Sent: Sunday, March 23, 2008 1:55 AM
To: FreeRadius users mailing list
Subject: Re: A good Open Source Billing Program For Freeradius?

Internet should be free



On 3/21/08, Lance Buttars [EMAIL PROTECTED] wrote:
 I need to setup a hotspot with billing capabilities and was wondering if
 anyone had some recommendations.




RE: Technical support

2007-04-18 Thread Alex M
Well, it's not a question of money, it's more a question of my time and
finding 2-3 unused machines that I can use for the test then.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
Sent: Wednesday, April 18, 2007 12:21 AM
To: FreeRadius users mailing list
Subject: Re: Technical support

step 1 for me is to get radius to auth against ADS via ldap (I got
ntlm working fine).
Unfortunately because this job is contracted by the govt it has to be
done their specific way every step which means freeradius HAS TO auth
against a 2003 ADS via LDAP.

Unfortunately I cannot give out access to my work test PCs due to
security restrictions out of my control (I could but then I'd be in
trouble).

What would your asking price be for a working FR 1.1.6 config that can
auth against 2003 ADS using LDAP.

Regarding VLANS, I need users with a GID of students to be put onto
vlan2 and users with GID staff to be put onto vlan3

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:
 Well we are in New York. So the only way we can help you is to do SSH.
 Technically LDAP should work straightforwardly, unless your DC does not want
 to accept connections from a remote PC and especially Linux. We don't use
 Windows in our company any more, but I can set up a DC and see if my radius can
 access it and then just send you the config file. As to VLANs, I'm not sure what
 you're looking for; if you wanna do something like separation of Ethernet channels
 for an Ethernet service provider then it should be done by your NAS if that is
 supported. I would assume your NAS should be listening for some custom
 attribute to assign a VLAN tag to a specific user group.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
 Sent: Tuesday, April 17, 2007 10:52 PM
 To: FreeRadius users mailing list
 Subject: Re: Technical support

 I am In Western Australia Perth.

 Currently having major issues with LDAP authentication (done correctly
 as far as I can tell but I don't get replies from forums / mailing
 groups) and once that is sorted I need to figure out VLAN assignment
 based on OU or group.

 On 4/18/07, Alex M [EMAIL PROTECTED] wrote:
  What's your location?
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
  Sent: Tuesday, April 17, 2007 10:25 PM
  To: FreeRadius users mailing list
  Subject: Technical support
 
  Hello, I'm looking for a company that can provide a professional level of
  technical support.
 
  If anyone here can recommend one I would appreciate it.
 
  I am after technical support, due to lack of good documentation on the
  freeradius project. Most of the stuff I need done has only incomplete
  docs.


RE: Technical support

2007-04-17 Thread Alex M
What's your location?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:25 PM
To: FreeRadius users mailing list
Subject: Technical support

Hello, I'm looking for a company that can provide a professional level of
technical support.

If anyone here can recommend one I would appreciate it.

I am after technical support, due to lack of good documentation on the
freeradius project. Most of the stuff I need done has only incomplete
docs.


RE: Technical support

2007-04-17 Thread Alex M
Well we are in New York. So the only way we can help you is to do SSH.
Technically LDAP should work straightforwardly, unless your DC does not want
to accept connections from a remote PC and especially Linux. We don't use
Windows in our company any more, but I can set up a DC and see if my radius can
access it and then just send you the config file. As to VLANs, I'm not sure what
you're looking for; if you wanna do something like separation of Ethernet channels
for an Ethernet service provider then it should be done by your NAS if that is
supported. I would assume your NAS should be listening for some custom
attribute to assign a VLAN tag to a specific user group.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
Sent: Tuesday, April 17, 2007 10:52 PM
To: FreeRadius users mailing list
Subject: Re: Technical support

I am In Western Australia Perth.

Currently having major issues with LDAP authentication (done correctly
as far as I can tell but I don't get replies from forums / mailing
groups) and once that is sorted I need to figure out VLAN assignment
based on OU or group.

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:
 What's your location?


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
 Sent: Tuesday, April 17, 2007 10:25 PM
 To: FreeRadius users mailing list
 Subject: Technical support

 Hello, I'm looking for a company that can provide a professional level of
 technical support.

 If anyone here can recommend one I would appreciate it.

 I am after technical support, due to lack of good documentation on the
 freeradius project. Most of the stuff I need done has only incomplete
 docs.


RE: O'Reillys Radius Book - Worth buying

2007-04-16 Thread Alex M
Yea, after reading that book I was barely able to install the FR.
I would say it tells you more about radius protocol than actual FR

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Thor Spruyt
Sent: Monday, April 16, 2007 5:06 PM
To: FreeRadius users mailing list
Subject: Re: O'Reillys Radius Book - Worth buying

Alan DeKok wrote:
  If you're familiar with RADIUS, it will contain little useful
 information.

I can confirm this.
I was pretty disappointed about the value of the book when I bought it 3 
years ago.
It doesn't go in depth into anything.

Thor.



RE: online users

2007-04-13 Thread Alex M
Be careful with just SQL Count (*)
Sometimes NASes terminate local session without radius session termination
(ex: nas was powered off) in this case you may have some users who are
technically logged in but that is not true! To avoid that you can select all
users in the interval between Current time and CurrentTime-X (where X is your
Idle logout time)

This one is still not 100% accurate but it will trim off all old garbage.


-Original Message-
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 13, 2007 2:28 PM
To: FreeRadius users mailing list
Subject: Re: online users

SELECT COUNT(*) FROM radacct WHERE AcctStopTime=0

That will give you the number of currently logged in users (according to
the database).

Ivan Kalik
Kalik Informatika ISP

On 13/4/2007, Mordor Networks [EMAIL PROTECTED] wrote:

i want to know how many users logged in mysql database/radius but it only
shows the number of users in my database for example it says 61 logged out
and 0 login
so here is the problem
//login users from//
$login_users = ;  what i have to write here ? which table i have to query?

how i can fix that ?
if i change the number from 0 to 1 it shows me one user online so there
must be a way to fix it?
here's the code :

<?php

include ("include/Artichow/class/jpgraph.php");
include ("include/Artichow/class/jpgraph_pie.php");
include ("include/Artichow/class/jpgraph_pie3d.php");
include_once ("class/Oreon.class.php");
include_once ("phpradmin.conf.php");

$oreon_db = new OreonDatabase($conf_pra["host"], $conf_pra["user"],
$conf_pra["password"], $conf_pra["db"]);
$table = "userinfo";

//this one is valid
$total_users_in_db = $oreon_db->getTotalRowsInTable($table);
//$total_users_in_db = 500;

//login users from DB (SELECT COUNT(*) FROM radacct??;)
//0 is a placeholder: this is the value the question above asks how to obtain
$login_users = 0;
//logoff users total_users_in_db - login_users
$logoff_users = ($total_users_in_db - $login_users);
//percent
$percent_login = ($login_users * 100 / $total_users_in_db);
$percent_logoff = ( 100 - $percent_login );
$data = array($percent_login,$percent_logoff);
//$data = array(12,88);

$graph = new PieGraph(350,170,"auto");
$graph->SetShadow();
//$graph->title->Set("$lang['pra_total_users_in_db']: $total_users_in_db");
$graph->title->Set("Total users in Data Base: $total_users_in_db");

$graph->title->SetFont(FF_FONT1,FS_BOLD);
$p1 = new PiePlot3D($data);
$p1->ExplodeSlice( 1);
$p1->SetLabelType( PIE_VALUE_ABS);
$p1->SetSize(0.40);
$p1->SetCenter(0.33);
$p1->SetSliceColors(array('green','blue'));
$p1->setLegends(array(
"LogIN Users: $login_users",
"LogOUT Users: $logoff_users",
));

$graph->Add($p1);
$graph->Stroke();

?>


RE: [m0n0wall] Captive Portal and Radius

2007-04-09 Thread Alex M
Are we talking about M0n0 as a NAS here? If yes, why not to mod the boxy to
do internal counting of the section and then talk to the radius with final
data?

-Original Message-
From: YvesDM [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 09, 2007 11:37 AM
To: Peter Boosten
Cc: m0n0wall@lists.m0n0.ch
Subject: Re: [m0n0wall] Captive Portal and Radius

On 4/9/07, Peter Boosten [EMAIL PROTECTED] wrote:

 YvesDM wrote:
  When you use radius you can specify max-daily-session through
 sqlcounter.

 Yves, thanks for your answer, although it doesn't answer my question.

 Again: I defined a max-daily-session. Works like charm. But I don't want
 him to use this max-daily-session in one run. I would like him to take
 some breaks (say every two hours), so I defined a Session-Timeout of
 7200 seconds. But nothing prevents him from logging in just after the
 Session-Timeout expired.

 So I would like to know if there's some parameter that defines the
 minimum time between two sessions.


I see, sorry I missed that part.
If I need to do this I usually use a linux firewall and change the iptables
rules through cron.
There are firewall distro's with ready to use examples for this, but of
course they are off-topic
on this list and I don't know if you actually want to use them at all.
If you want more info on this you can e-mail me off list, no problem.


 But I think setting up a radius server is a little overkill when it's only
  to control
  your son's internet use.
 

 Let the ethics be my worry. It has proven its use already (we're talking
 internet addiction here...).


Sounds familiar ;-)
Just thinking, can't you add/delete a check item to radcheck through some
script?
expiration Attribute or something? Let the script set/delete a (passed by)
expiration date in radcheck.
When the attribute is there he won't be able to login cause his account will
be expired, when the attribute
is not there, he can login :-)

Something like this:

mysql> select * from radcheck where `UserName` = 'hombrouckxeli';
+-----+---------------+---------------+----+---------------+
| id  | UserName      | Attribute     | op | Value         |
+-----+---------------+---------------+----+---------------+
| 359 | hombrouckxeli | User-Password | := | masked        |
| 360 | hombrouckxeli | Expiration    | := | 01 april 2007 |
+-----+---------------+---------------+----+---------------+
2 rows in set (0.00 sec)

mysql>

Kind regards
Yves



RE: PHP coding request - give me a price

2007-01-08 Thread Alex M
Easy project, really just an SQL, but damn $75, I spend more on Taxi each
day...

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Gaddis, Jeremy L.
Sent: Monday, January 08, 2007 2:03 AM
To: FreeRadius users mailing list
Subject: Re: PHP coding request - give me a price

Sorry, Cory, I just realized you were in .au.  I'm not able to make an
international call from my current location.  Please see inline
comments below, however, as I want to make sure I am understanding
things correctly.


On 1/8/07, Cory Robson [EMAIL PROTECTED] wrote:
 I have an mysql backend from my accounting program that contains all my
user
 details.

This is a home-grown system that is completely independent of the
FreeRADIUS database, correct?  I'm assuming that your users are added
to this database either manually by you (or others) or automatically
by your sign-up system.  This database should also contains all the
information that I would need to get the users added into FreeRADIUS
successfully (e.g. username/password details, etc.).


 I need a php script that I can run from cron that will

 Import all new users into freeradius that aren't already in its mysql db
 If the user is already in the freeradius db then see if any information is
 changed and update it.
 If the user is no longer in my mysql accounting system then also either
 remove it from freeradius or expire the user.

You want to keep the databases in synch in both directions, correct?

 I have the sql select statement for my mysql accounting system with the
 relevant information.

 Anyone able to do this at a reasonable price then drop me an email. thanks

This should be relatively straightforward and could be knocked out
pretty easily.  There are a few things I would need from you in order
to complete this project:  the schema of the database of your
accounting system; an example row from this database; and the schema
of the FreeRADIUS *if* you've modified it any from the default schema.

As for price, assuming the complete scope of the project is as
described above, I am offering to complete this project for you for
$75.00 USD and can commit to having it completed by the end of this
Friday -- it would likely be much sooner, but I prefer to allow myself
plenty of time as often times other things seem to magically come
up.

Please let me know if you're interested or would like to discuss further.

Thanks,
-j

-- 
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/


RE: DEFAULT access-reject Reply-Message

2006-12-04 Thread Alex M
Ok, I will try to play around with that although I'm feeling that I have no
idea what I'm doing

Thanks anyway!

 

 

From: [EMAIL PROTECTED] On Behalf Of Garber, Neal
Sent: Monday, December 04, 2006 3:23 PM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message

 

 In your code, $RAD_REQUEST{'Module-Failure-Message'} what that variable
mean?

 

It means look in the RAD_REQUEST hash for key named
'Module-Failure-Message'.  RAD_REQUEST, RAD_CHECK and RAD_REPLY are hashes
that rlm_perl creates that contain the request, check and reply attributes
respectively.  For single-value attributes, you can test the value by
referring to the hash name and key name (as above).  If the attribute has
multiple values, then value for the requested key is an array. 

 

 Is there any doc on how to write scripts for radius?

 

FR comes with example.pl which is a sample perl script that can be called by
the rlm_perl module.  You can also find documentation for rlm_perl at the
wiki: http://wiki.freeradius.org/Rlm_perl  (the doc. says RAD_CONFIG is a
hash that is created, but I believe the code to support that was only
recently added..)

 


RE: DEFAULT access-reject Reply-Message

2006-12-01 Thread Alex M
Ok I got the idea how to initiate the script on reject event, but what
should go in post_auth_reject.pl? I have absolutely no experience with Perl.
I probably would be able to figure out something but not sure how. I assume
I would listen to something like if username exist, if username exist and
password incorrect. Still I have no idea how to do this :-(

 

 

 

 

From: [EMAIL PROTECTED] On Behalf Of Garber, Neal
Sent: Friday, December 01, 2006 10:40 AM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message

 

 How can I add default Reply-Message to the situation where Access-Reject
was sent because of incorrect password?

 I looked at the user's file but it seems that I have no way to determine
if access-accept or reject was sent. it only has example how to send the
message to a reject  group. 

 

If you're using LDAP, it already creates a Module-Failure-Message request
attribute upon failure.  Also, I submitted bug 398 which Alan incorporated
into CVS head to provide the same functionality for MS-CHAP (I assume this
will be in FR 1.1.4).  You could execute a Perl script in a reject section
of post_auth that looks for this request attribute and, if found, set the
Reply-Message reply attribute.  If you're using a different authentication
method, it may be possible to change the code to accomplish what you want.
As someone else pointed out, it's not a good idea to tell someone they
entered the wrong password as it makes brute-force password attacks easier
(because you're telling them the userid is valid).  I believe ntlm_auth
gives a generic (invalid userid or password) response to a bad password.  If
the response you see is too specific, you may want to obfuscate it..

 

Here's an example of what you would put in radiusd.conf (this assumes you
have a sub in your perl script called post_auth_reject):

 

modules {
.
.
.
   perl set_reject_message {
      module = /usr/local/etc/raddb/set_reject_message.pl
      func_post_auth = post_auth_reject
   }
.
.
.
}
.
.
.
post-auth {
   Post-Auth-Type REJECT {
      set_reject_message
   }
}


RE: DEFAULT access-reject Reply-Message

2006-12-01 Thread Alex M
Well I know BASH, PHP, MS VB, Java, Pascal, and Assembler. I'm sure if I
look at brief docs on Perl I'll get it.

 

In your code, $RAD_REQUEST{'Module-Failure-Message'} what that variable
mean? Is there any doc on how to write scripts for radius?

 

As to Windows that doesn't read reply message, I don't care we will never
use windows, only Linux

 

  

 

From: [EMAIL PROTECTED] On Behalf Of Garber, Neal
Sent: Friday, December 01, 2006 2:30 PM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message

 

Ok I got the idea how to initiate the script on reject event, but what
should go in post_auth_reject.pl? I have absolutely no experience with Perl.
I probably would be able to figure out something but not sure how. I assume
I would listen to something like if username exist, if username exist and
password incorrect. Still I have no idea how to do this :-(

 

I don't have enough time or patience to teach you perl via E-mail.  Do you
know other scripting languages?  Have you ever done any script programming?
If not, I would suggest you find someone in your organization that has the
appropriate experience.  Here is an excerpt of perl code to check for the
existence of the Module-Failure-Message request attribute and if it exists
will set the Reply-Message reply attribute..

 

sub post_auth_reject {
    if (defined($RAD_REQUEST{'Module-Failure-Message'})) {
        $RAD_REPLY{'Reply-Message'} = $RAD_REQUEST{'Module-Failure-Message'};
    }
    return RLM_MODULE_OK;
}

 

Since I don't know exactly what you want to do this probably doesn't exactly
match your requirements.  Also, as someone else pointed out, many clients
ignore the Reply-Message attribute (e.g., windows supplicant) so this could
all be a waste of time.

 


Slow Access-Reject if password is INVALID

2006-11-30 Thread Alex M
Hi,

For some reason I'm getting slow response of access-reject when user uses
wrong passwords. I'm using MySQL and first I thought that the delay is due
to db, but if user password is ok I'm getting access-accept in 1.9ms. Where
if user pass is incorrect I'm getting access-reject only after 1 minute.  And
if I run radius in debug mode I'm getting system message that password is
invalid like in 2ms and only after 4000ms I'm getting the access-reject on
the screen

 

Any ideas how to fix that?

 

Thanks!


DEFAULT access-reject Reply-Message

2006-11-30 Thread Alex M
Hi,

How can I add default Reply-Message to the situation where Access-Reject was
sent because of incorrect password?

I looked at the user's file but it seems that I have no way to determine if
access-accept or reject was sent. it only has example how to send the
message to a reject group. 

 

Thanks!


RE: New PHP for interface

2006-04-28 Thread Alex M
What type of operations are u using? Local only w/ direct access to FR or
remote w/ only configs of BD?




-Original Message-
From: [EMAIL PROTECTED] On Behalf Of JasonN
Sent: Friday, April 28, 2006 3:01 PM
To: FreeRadius users mailing list
Subject: New PHP for interface

I have a set of new code for the PHP web-based interface to control
users, specifically in relation to the MySQL and FreeRADIUS combo.

These features are complete:
add user[s]
remove user[s]
disable user[s]
check user[s] password

It is however clean PHP with straightforward readable code and is
PHP4/5 compliant.  Anyone interested in working on this new approach,
please let me know.  It's simple, nothing fancy, no frames, etc. in
the HTML.  And, it already works for the basic necessary features.

I would like to see a few people code up some additional features.  It
works right now, as is, for most ISP needs.

--

Please address your interest directly to me: [EMAIL PROTECTED], so
you don't get filtered to my FreeRADIUS box.  You'll get quicker
attention, since I don't read this list every day.

--

Jason A. Nunnelley

http://www.jasonn.com/



Accounting Module does not recognize shared secret

2006-04-16 Thread Alex M

Hi

I just found out that I'm getting an error in the accounting module.
It says that the shared secret is incorrect, but it was working fine for more than a
week. Also I'm using DNS name in the NAS Name field instead of ip address. Why
am I getting this error?

Here is the error message:

rad_recv: Accounting-Request packet from host 192.168.0.10:61296, id=39, length=143
Received Accounting-Request packet from 192.168.0.10 with invalid signature! (Shared secret is incorrect.)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
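
The check behind the "invalid signature" message above, as an added example (not code from this thread or from FreeRADIUS): an Accounting-Request carries an authenticator that is an MD5 over the packet plus the shared secret (RFC 2866), and the receiver recomputes it with the secret it holds for the sender. The attribute values and both secrets are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # packet code, RFC 2866


def encode_attr(attr_type, value):
    """One attribute as Type, Length, Value (Length covers all three fields)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def acct_authenticator(ident, attrs, secret):
    """RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attrs, secret):
    """What the NAS sends: header, authenticator, attributes."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + acct_authenticator(ident, attrs, secret) + attrs


def check_accounting_request(packet, secret):
    """What the receiver does, using the secret it holds for the sender."""
    if len(packet) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return "malformed"
    attrs = packet[20:length]  # octets past Length are padding and ignored
    expected = acct_authenticator(ident, attrs, secret)
    if hmac.compare_digest(expected, packet[4:20]):
        return "ok"
    return "invalid signature"


# Constructed sample: a Start record from a NAS at 192.168.0.10.
SAMPLE_ATTRS = (
    encode_attr(1, b"alice")                      # User-Name
    + encode_attr(4, bytes([192, 168, 0, 10]))    # NAS-IP-Address
    + encode_attr(40, struct.pack("!I", 1))       # Acct-Status-Type = Start
    + encode_attr(44, b"0000002A")                # Acct-Session-Id
)
NAS_SECRET = b"constructed-secret-on-nas"        # constructed value
STALE_SECRET = b"constructed-secret-on-server"   # constructed value

if __name__ == "__main__":
    pkt = build_accounting_request(39, SAMPLE_ATTRS, NAS_SECRET)
    print("same secret on both sides:  ", check_accounting_request(pkt, NAS_SECRET))
    print("secrets differ:             ", check_accounting_request(pkt, STALE_SECRET))
    damaged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print("attribute altered in transit:", check_accounting_request(damaged, NAS_SECRET))
```

A differing secret and a packet altered in transit fail the same comparison, so the receiver cannot tell the two apart from the packet alone.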

RE: RADIUS stops responding after a while

2006-04-08 Thread Alex M
What do you mean by Have it do nothing more than log data? And how would I
do that?




-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, April 08, 2006 1:24 PM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while 

Alex M [EMAIL PROTECTED] wrote:
 I'm using MySQL 4.1.7 and it is located on remote server (not even on the
 same subnet as the radius)

  I have seen it before where a firewall drops state, and it looks
like the SQL server is down.  New connections go through fine, but old
connections are dead.

  One way to test this would be to edit rlm_sql so that it opens a new
connection to the SQL server for *every* request.  That would be
slower than what it does now, but it might work.

  I would also suggest putting a test SQL server on the same subnet as
the RADIUS server.  Have it do nothing more than log data, and if
connections to it are OK, the problem is most likely the firewall.

  Alan DeKok.


RE: RADIUS stops responding after a while

2006-04-08 Thread Alex M
Ok, will do that and post back with results

Thanks!

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, April 08, 2006 3:54 PM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while 

Alex M [EMAIL PROTECTED] wrote:
 What do you mean by Have it do nothing more than log data? And how would
I
 do that?

  You can configure the SQL module in either the authorize section,
where it will affect user authentication, or in the accounting
section, where it won't affect anything.

  Alan DEKok.



radaccounting, what does octets mean?

2006-04-08 Thread Alex M

In accounting, what does an octet mean?

Thanks!


RE: RADIUS stops responding after a while

2006-04-07 Thread Alex M


-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, April 07, 2006 1:53 AM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while 

Alex M [EMAIL PROTECTED] wrote:
 I've just went to my radius server and found out that it doesn't want to
 handle requests.. I restarted it in debug and it told me that SQL module
is
 unknown.

= Who edited the config file since the last time the server started?
I've edited the script long time ago, but haven't changed anything before the
freeze




 So does any one knows what could cause such a behavior (not accepting
 requests, due to module malfunction) and more importantly is there any way
 to monitor the server functionality? Let's say something like send testing
 request each 30min or something and if server doesn't reply send email
 notification?

  =It should be trivial to write a shell script to do that.
I think I will do that in php

  Alan DeKok.


RE: RADIUS stops responding after a while

2006-04-07 Thread Alex M
I'm using MySQL 4.1.7 and it is located on remote server (not even on the
same subnet as the radius)



-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Stefan Winter
Sent: Friday, April 07, 2006 5:22 AM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while

Hi!

 I've just went to my radius server and found out that it doesn't want to
 handle requests.. I restarted it in debug and it told me that SQL module
is
 unknown. (was working fine for 1 month) I restarted again in debug and now
 it went OK and works fine, but this thing is not acceptable in the field .

Are you using mySQL? It would be great if you could tell us the *exact* 
version number.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



RE: RADIUS stops responding after a while

2006-04-07 Thread Alex M
Yea got one firewall in between... but if it is time out I assume it should
just drop like couple requests and then work fine, but in my case it just
stop responding for everything 

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: Friday, April 07, 2006 2:46 PM
To: FreeRadius users mailing list
Subject: Re: RADIUS stops responding after a while

On Fri 07 Apr 2006 20:57, Alex M wrote:
 I'm using MySQL 4.1.7 and it is located on remote server (not even on the
 same subnet as the radius)

Do you have a stateful firewall (Checkpoint etc) between radius and the sql
server? That can cause timeout problems accessing the database, although not
problems finding a module..

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


RADIUS stops responding after a while

2006-04-06 Thread Alex M

I've got strange behavior on my FR, need to find the way to
prevent it, and find out what caused it.

I've just went to my radius server and found out that it doesn't
want to handle requests. I restarted it in debug and it told me that SQL
module is unknown (was working fine for 1 month). I restarted again in
debug and now it went OK and works fine, but this thing is not acceptable in
the field. So does any one know what could cause such a behavior (not
accepting requests, due to module malfunction) and more importantly is there
any way to monitor the server functionality? Let's say something like
send testing request each 30min or something and if server doesn't reply
send email notification?

Thanks!

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
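
The periodic test request asked about in this thread, as an added example (not code from the list or from FreeRADIUS): it sends one Access-Request for a dedicated test account and reports whether an authenticated reply came back. Host, port, secret and the account are placeholders; keeping the test account in the SQL backend is an assumption, made so that an Access-Accept also covers the SQL path.

```python
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """User-Password hiding, RFC 2865 section 5.2 (MD5 keystream, 16-octet blocks)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def build_access_request(ident, user, password, secret, request_auth):
    attrs = encode_attr(1, user) + encode_attr(2, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def classify_reply(reply, ident, request_auth, secret):
    """Name the reply, but only after checking it was produced with our secret.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)."""
    if len(reply) < 20:
        return "malformed reply"
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply) or reply_id != ident:
        return "malformed reply"
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad authenticator"
    return REPLY_NAMES.get(code, "unexpected code %d" % code)


def probe(host, port, secret, user, password, timeout=3.0, tries=3):
    """Send one test Access-Request, retransmitting up to `tries` times."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, user, password, secret, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(tries):
            try:
                sock.sendto(packet, (host, port))
                reply, _peer = sock.recvfrom(4096)
            except OSError:  # timeout, or ICMP port unreachable
                continue
            return classify_reply(reply, ident, request_auth, secret)
    return "no reply"


def is_healthy(status, expected="Access-Accept"):
    return status == expected


if __name__ == "__main__":
    # Placeholders (assumptions, not values from the thread).
    status = probe("127.0.0.1", 1812, b"placeholder-secret",
                   b"monitor-user", b"placeholder-password")
    if not is_healthy(status):
        print("RADIUS probe failed: %s" % status)
        sys.exit(1)
```

Run from cron every 30 minutes, the script prints only on failure, so cron's own mail of job output serves as the e-mail notification.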

RE: RedHat Security updates for FR

2006-04-04 Thread Alex M
Do you know if the bugs that this update fixes apply to any installs on redhat
or only to RPMs?




-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Dennis Skinner
Sent: Tuesday, April 04, 2006 9:13 AM
To: FreeRadius users mailing list
Subject: RedHat Security updates for FR

RedHat Enterprise (and CentOS) has finally released security updates for
their FreeRADIUS rpms:

https://rhn.redhat.com/errata/RHSA-2006-0271.html

In case anyone is interested

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


RE: Couldn't stop freeradius server!!

2006-04-04 Thread Alex M
I had the same problem on RedHat (well name was the way it supposed to be)
it was caused by some conflict between fr and something with os... still
investigating the problem, but in my case kill and reboot, halt commands
were blocked. I think that was caused because SSH connection was lost
during execution of the command.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of debik
Sent: Wednesday, April 05, 2006 2:26 PM
To: FreeRadius users mailing list
Subject: Re: Couldn't stop freeradius server!!

Try killall radiusd  or killall freeradius.
I have debian and those commands are all right.


- Original Message - 
From: lmyho [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, April 04, 2006 6:19 PM
Subject: Re: Couldn't stop freeradius server!!



 --- monish ar [EMAIL PROTECTED] wrote:
  Instead of using the command to stop the radius daemon, herez another
 simple way.
  At the console type  ps -ax | grep radiusd , this will give u the list

 of
 radius servers currently
  along with its process IDs. The next thing u do is type  kill pid#  ,
 PID# refers to the process
  id number of ur currently running radius daemon. Hope it helps...
  Dunno bout the NAS list though...

 Hi Monish,

 Thank you for the idea!  I checked, and found the process.  but on this 
 debian
 system, the process is actually named freeradius, instead of the 
 traditional
 radiusd.:(  So there are indeed some changes on how the freeradius is 
 run on
 debian.  Do you have more idea about it?
 Can anyone tell me more on how the debian is running the freeradius and 
 how I can
 stop the server from command line in debian system?  (pls see problem 
 detail below)

 Thanks a lot!!
 leo

 On 4/4/06, lmyho [EMAIL PROTECTED] wrote:
 
  Hi All,
 
  Installed freeradius 1.1.0-1 on debian system (2.6.15-1-686).  The 
  radius
  server started automatically well each time when the system booting. 
  But I
 wanted to stop it to do some testing using my modified configuration 
 files. I tried
 to stop the server using command: 'freeradius stop' ('radiusd' doesn't 
 work on this
 debian - anyone knows why??)
 
  But so werid, no matter what command I gave, with parameter
  stop|start|restart, the server ALWAYS goes to START again!! even from 
  the
 /etc/init.d/freeradius I can read that the 'stop' param should stop the 
 server!  Can
 anyone tell me why the command couldn't stop the server?? and how should I

 stop it??
 
  The log file shows entries like this for each of my trying, even the
  command given was to stop:
 
  Tue Apr  4 01:14:13 2006 : Info: Using deprecated naslist file. 
  Support
  for this will go away soon.
  Tue Apr  4 01:14:13 2006 : Error: There appears to be another RADIUS
  server running on the authenticat
 
  What is happenning here?  (I couldn't top the running deamon, so is the
  2nd line above)
 
  Also, from the log file I noticed: even when the system automatically
  started the freeradius server deamon, it was Using deprecated naslist 
  file.
 Log entries show like this:
 
  Fri Mar 31 13:51:54 2006 : Info: Using deprecated naslist file. 
  Support
  for this will go away soon.
  Fri Mar 31 13:51:54 2006 : Info: rlm_exec: Wait=yes but no output 
  defined.
  Did you mean output=none?
  Fri Mar 31 13:51:55 2006 : Info: Ready to process requests.
 
  Can anyone tell me what is happenning here?? Why it's using the
  deprecating naslist file? The installed radiusd.conf file doesn't show 
  the
 server will use the naslist
  file at all! from where I can stop the server to use this deprecating
  file?  Also what does the 2nd line of the above log entries mean?
 
  Any help would be greatly appreciated!  Thank you so much for help in
  advance!!
 
  Best regrads,
  leo







RE: How Getting accounting informations ?

2006-03-26 Thread Alex M
If I'm not mistaken DWLs should send accounting info. I have to check though.


-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Vincent MARGUERIE
Sent: Sunday, March 26, 2006 7:10 PM
To: freeradius
Subject: How Getting accounting informations ?

Hi guys,

I would like to know, how I can get accounting informations from my 
client ?

I use a dlink DWL-2000ap+ as NAS (is it compatible ?) and my client is 
connecting from a windows XP computer.

Could you confirm that only the NAS can send accounting informations and 
not the client...am I right ? If it is, do you know if this dlink is 
compatible with accounting request ?  Do you know another Acces point 
that sure make this task or is there a software that can be behind my 
acces point to do this right (a sort of NAS in fact) ?

Thanks for your help,
Vincent




RE: Table radacct is empty

2006-03-23 Thread Alex M
I dunno, maybe it is some error in 1.1.1? I'm still running 1.1.0 and didn't
have any problems like this yet

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Vincent MARGUERIE
Sent: Thursday, March 23, 2006 12:29 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Table radacct is empty

[EMAIL PROTECTED] wrote:


Message: 1
Date: Thu, 23 Mar 2006 01:57:27 +0100
From: Vincent MARGUERIE [EMAIL PROTECTED]
Subject: RE: Table radacct is empty
To: freeradius freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,

Yes, SQL is ok to query in accounting section. Here is a part of my
radiusd.conf :

#  The rlm_sql_log module appends the SQL queries in a log
#  file which is read later by the radsqlrelay program.
#
#  This module only performs the dynamic expansion of the
#  variables found in the SQL statements. No operation is
#  executed on the database server. (this could be done
#  later by an external program) That means the module is
#  useful only with non-SELECT statements.
#
#  See rlm_sql_log(5) manpage.
#
sql_log {
        path = ${radacctdir}/sql-relay
        acct_table = radacct
        postauth_table = radpostauth

        Start = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '%S', '0', '0', '');
        Stop = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
         '%{Acct-Terminate-Cause}');
        Alive = INSERT INTO ${acct_table} (AcctSessionId, UserName, \
         NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
         AcctSessionTime, AcctTerminateCause) VALUES \
         ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
         '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');

        Post-Auth = INSERT INTO ${postauth_table} \
         (user, pass, reply, date) VALUES \
         ('%{User-Name}', '%{User-Password:-Chap-Password}', \
         '%{reply:Packet-Type}', '%S');
}

..
..
$INCLUDE  ${confdir}/sql.conf
..
..
authorize {

   sql
...
...
accounting {
   sql
   sql_log


session
   sql


post-auth {
   sql
   sql_log




Moreover, the information is written to a file (sql-relay) which (if I
have understood correctly) is used by the radsqlrelay binary to put the
information in the database.

The fact is that for the post-auth part, it works because I get all the
information of the post authorisation in the radpostauth table. But in
this sql-relay file, there's only information about post-auth... nothing
about accounting!!

The strange thing is that there is some information about accounting in
other files, auth-detail and reply-detail, but not in SQL format.

some lines of the files :

sql-relay

INSERT INTO radpostauth  (user, pass, reply, date) VALUES('joseph', 'Chap-Password', 'Access-Accept', '2006-03-21 15:28:48');

-

reply-detail

Packet-Type = Access-Accept
Wed Mar 22 18:04:18 2006
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.0
Framed-MTU = 1
Framed-Compression = Van-Jacobson-TCP-IP
Service-Type = Login-User
Session-Timeout = 1000
Idle-Timeout = 500
Port-Limit = 10
Reply-Message = Bye Mr Joseph !
MS-MPPE-Recv-Key

RE: Clear text passwords

2006-03-23 Thread Alex M
Yes, you can hide or crypt passwords in freeradius. This question was raised
on the freeradius users mailing list, and if you search the archives, the
answer is there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Corey Burks
Sent: Thursday, March 23, 2006 2:55 PM
To: freeradius-users@lists.freeradius.org
Subject: Clear text passwords

I have recently built up a freeradius server V1.1.0. I am new to freeradius,
since we were using an old version of Navisradius.  In Navisradius it would
compare the crypt password strings and log the crypt string versus the clear
text password.

Is it possible to have freeradius not log the clear text passwords, while
still logging the auth request?  Or have it log the crypt password strings
instead?

My radius server is binding to a Netscape LDAP server which is storing the
passwords using UNIX crypt.  Yet the radius server is logging the clear text
password.

Thank you for your help.
Corey


Detail log shows:

Packet-Type = Access-Request
Thu Mar 23 11:23:30 2006
User-Name = cburks
User-Password = abc123
Vendor-3076-Attr-32 = 0x0004
NAS-IP-Address = 172.16.15.251
NAS-Port-Type = Virtual
Client-IP-Address = 172.16.15.251



Debug output shows
rad_recv: Access-Request packet from host 172.16.15.251:2264, id=1, length=70
User-Name = cburks
User-Password = abc123
Vendor-3076-Attr-32 = 0x0004
NAS-IP-Address = 172.16.15.251
NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/172.16.15.251/detail'
rlm_detail: %A/%{Client-IP-Address}/detail expands to /usr/local/freeradius/var/log/radius/radacct/172.16.15.251/detail
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = cburks, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 234
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for cburks
radius_xlat:  '(uid=cburks)'
radius_xlat:  'ou=people,o=zhone.com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap-master.oak.zhone.com:389, authentication 0
rlm_ldap: bind as cn=Directory Manager/secret to ldap-master.oak.zhone.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=zhone.com, with filter (uid=cburks)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user cburks authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by cburks with password abc123
rlm_ldap: user DN: uid=CBurks,ou=People, o=zhone.com
rlm_ldap: (re)connect to ldap-master.oak.zhone.com:389, authentication 1
rlm_ldap: bind as uid=CBurks,ou=People, o=zhone.com/abc123 to ldap-master.oak.zhone.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user cburks authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/172.16.15.251/reply-detail-20060323'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/172.16.15.251/reply-detail-20060323
  modcall[post-auth]: module reply_log returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 1 to 172.16.15.251 port 2264
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
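
Added example (not part of the thread and not FreeRADIUS code): the output quoted above exposes the cleartext password in three line shapes, the User-Password attribute dump and the rlm_ldap "login attempt" and "bind as" lines. The Python filter below scrubs those three shapes from logs that have already been written, optionally replacing each secret with a keyed HMAC tag so identical passwords can still be correlated; the rule names, the `tag_key` parameter and all sample values are constructed for illustration.

```python
"""Scrub cleartext passwords from FreeRADIUS detail/debug log lines."""
import hashlib
import hmac
import re

# Each rule splits a line into prefix / secret / suffix. The line shapes are
# the ones visible in the detail log and rlm_ldap debug output quoted above.
RULES = [
    # Detail file and debug attribute dump:  User-Password = "..."
    ("attr", re.compile(
        r'^(?P<pre>\s*User-Password\s*=\s*)(?P<secret>.*?)(?P<post>\s*)$')),
    # rlm_ldap: login attempt by <user> with password <secret>
    ("ldap-login", re.compile(
        r'^(?P<pre>\s*rlm_ldap: login attempt by .*? with password )'
        r'(?P<secret>.*?)(?P<post>\s*)$')),
    # rlm_ldap: bind as <dn>/<secret> to <host>:<port>
    # The secret is matched greedily up to the LAST " to host:port", so a
    # password containing "/" or " to " is still removed in full.
    ("ldap-bind", re.compile(
        r'^(?P<pre>\s*rlm_ldap: bind as [^/]*/)'
        r'(?P<secret>.*)(?P<post> to \S+:\d+\s*)$')),
]


def _replacement(secret, tag_key):
    """Return the placeholder written in place of the secret."""
    if tag_key is None:
        return "<redacted>"
    # Keyed tag: equal passwords give equal tags, but the tag is only as
    # safe as the key, which must be stored away from the logs.
    digest = hmac.new(tag_key, secret.encode("utf-8"), hashlib.sha256)
    return "<redacted:%s>" % digest.hexdigest()[:12]


def scrub_lines(lines, tag_key=None):
    """Return (clean_lines, findings); findings is [(line_number, rule)]."""
    clean, findings = [], []
    for number, line in enumerate(lines, start=1):
        for kind, rule in RULES:
            match = rule.match(line)
            if match is None:
                continue
            # Attribute dumps quote the value; strip quotes so the same
            # password gets the same tag in every line shape.
            secret = match.group("secret").strip('"')
            line = (match.group("pre") + _replacement(secret, tag_key)
                    + match.group("post"))
            findings.append((number, kind))
            break
        clean.append(line)
    return clean, findings


# Constructed sample input (hosts, names and passwords are made up).
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10:2264, id=1, length=70
\tUser-Name = "alice"
\tUser-Password = "s3cr3t/pw"
\tNAS-IP-Address = 192.0.2.10
rlm_ldap: bind as cn=Directory Manager/adm to pw to ldap.example.org:389
rlm_ldap: login attempt by alice with password s3cr3t/pw
rlm_ldap: bind as uid=alice,ou=People,o=example.org/s3cr3t/pw to ldap.example.org:389
rlm_ldap: Bind was successful
"""

if __name__ == "__main__":
    cleaned, found = scrub_lines(SAMPLE.splitlines())
    print("\n".join(cleaned))
    for number, kind in found:
        print("line %d: cleartext secret removed (%s)" % (number, kind))
```

The findings list doubles as an audit of which log lines carried a secret; the filter only cleans logs after the fact and does not change what the server writes.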



RE: Table radacct is empty

2006-03-22 Thread Alex M
Did you authorize SQL in the accounting section?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vincent MARGUERIE
Sent: Wednesday, March 22, 2006 4:14 AM
To: freeradius
Subject: Table radacct is empty

Hi,

I've installed freeradius 1.1.1 on a Debian Sarge distribution, and the
connection works fine with my wireless Windows XP client, but I have a
problem getting information into the radacct table in my MySQL database.

Does anyone have a solution for this?

Note: I use a Dlink-DWL-2000AP+ as Access Point

Regards,
Vincent

RE: Failed Compilation of Freeradius with Mysql since 1.1.0 (Works on1.0.5)

2006-03-22 Thread Alex M
I've installed the Generic Static Developer RPMs and then compiled FreeRadius,
and it works fine...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Philippe JOYEZ
Sent: Wednesday, March 22, 2006 9:09 AM
To: freeradius-users@lists.freeradius.org
Subject: Failed Compilation of Freeradius with Mysql since 1.1.0 (Works on1.0.5)

Hello All, 

I've seen many topics about this problem, but none of them has solved my
problem.

I'm trying to upgrade my 1.0.5 Freeradius server to 1.1.1 on my Solaris
8 system but it fails to find mysql libs. On the same server, I use the
same configure script options:

./configure --localstatedir=/var --with-logdir=/var/log/radius/log \
  --with-radacctdir=/var/log/radius/radacct \
  --with-mysql-lib-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/lib \
  --with-mysql-include-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/include \
  --with-mysql-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc

It works for 1.0.5 but not for 1.1.1 (and also KO for 1.1.0):

configuring in ./drivers/rlm_sql_mysql
running /bin/sh ./configure  --localstatedir=/var --with-logdir=/var/log/radius/log --with-radacctdir=/var/log/radius/radacct --with-mysql-lib-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/lib --with-mysql-include-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc/include --with-mysql-dir=/usr/local/mysql-standard-4.1.7-sun-solaris2.8-sparc --enable-ltdl-install --cache-file=../../../../.././config.cache --srcdir=.
loading cache ../../../../.././config.cache 
checking for gcc... (cached) gcc 
checking whether the C compiler (gcc  -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE 
-DNDEBUG ) works... yes 
checking whether the C compiler (gcc  -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE 
-DNDEBUG ) is a cross-compiler... no 
checking whether we are using GNU C... (cached) yes 
checking whether gcc accepts -g... (cached) yes 
checking for mysql_config... (cached) no 
checking for pthread_create in -lpthread... (cached) yes 
checking for mysql_init in -lmysqlclient_r... no 
configure: warning: mysql libraries not found. Use 
--with-mysql-lib-dir=path. 
checking for mysql/mysql.h... yes 
configure: warning: sql submodule 'mysql' disabled 
creating ./config.status 
creating Makefile 
creating config.h 
config.h is unchanged 

Best regards




RE: Authentication problem if CHAP is not used

2006-03-20 Thread Alex M
Hi,
I found the solution for my problem, but... I want to know what and why
that's going on?

When I add Auth-Type := Local to the usernames then they are working OK
without CHAP. Why do I need to have that for non Chap methods? And is there
anything else I should know about this?


Thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, March 16, 2006 1:58 AM
To: FreeRadius users mailing list
Subject: Re: Authentication problem if CHAP is not used

Alex M [EMAIL PROTECTED] wrote:
 Ok, I here is full debug info...
...
 [EMAIL PROTECTED] root]# radiusd -x

  Uh, no.  Try reading the FAQ, README, INSTALL, and half of the
messages to this list.

  Alan DeKok.


Associating username to a specific NAS only

2006-03-20 Thread Alex M
Is it possible to set directives for some users so that they
only can login to the specific NAS (by the NAS Called Station Id [NAS MAC Address])?

Thanks!

RE: Different source NAS for Different privilege Level

2006-03-16 Thread Alex M
I think you can use radreply directive with your variable, if your NAS
supports that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Stout
Sent: Thursday, March 16, 2006 11:44 AM
To: FreeRadius users mailing list
Subject: Different source NAS for Different privilege Level

I am using freeradius rev 1.1.0 I have everything running great
I am using AAA authorization on different Network Devices,
Cisco Routers, Cisco Switches, Foundry Switches, Juniper FW's.

I have setup VSA's to respond to the user to set their privilege level
upon successful authentication, then the authorization portion actually
sets the privilege level

I need to have different privilege levels based upon which NAS they
are coming from, eg... Connecting while on the Corporate Network
privilege level = 8, same user Connecting thru IPass out of the office
privilege level = 5.

Any assistance with this would be greatly appreciated.

Thank you in advance for your help

Jeff Stout
CCT

RE: Authentication problem if CHAP is not used

2006-03-15 Thread Alex M
User-Name = homepc
User-Password = homepc
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radcheck   WHERE Username = 'homepc'   ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op FROM radreply   WHERE Username = 'homepc'   ORDER BY id
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'homepc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 2
Sending Access-Reject of id 1 to 192.168.0.107 port 2849

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, March 15, 2006 12:51 AM
To: FreeRadius users mailing list
Subject: Re: Authentication problem if CHAP is not used

Alex M [EMAIL PROTECTED] wrote:
 I'm using default configuration except I enabled My SQL support.
 The error I'm getting in debug mode is this:
 
   rlm_unix: [alexus]: invalid password

  Well, if you're going to look at small pieces of the debug log, I
would presume you will only be able to solve small pieces of the
problem.

  or no error whatsoever for any other user, it just quits (terminates the
 process) on
 
   rlm_sql (sql): Released sql socket id: 2
 
 I don't know what is wrong? Maybe PAP module was compiled wrong?

  Maybe try reading the rest of the debug log?  It's not like the text
is randomly generated.  It's there to help you solve your problems.

  But you *do* have to read it.

  Alan DeKok.


RE: Problems configuring Free Radius

2006-03-15 Thread Alex M
Your MySQL config is in your sql.conf file; in the beginning you enter all
info about username, DB etc. Also, you have to authorize SQL use in
radiusd.conf.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Atkins, Dwane P
Sent: Wednesday, March 15, 2006 11:39 AM
To: freeradius-users@lists.freeradius.org
Subject: Problems configuring Free Radius

Is there a free radius for Dummies book out there? I know that
most of the instructions probably make sense to everyone but me.

I am trying to configure Freeradius 1.1 on a mysql database using
fedora 4.

I can get to a point where I do the radiusd -X and it starts the
radius server.

Is there something I need to do with the sql.conf file to tie all of this
together?

How do I enter my users in mysql?

Is there a web interface for the users?

Can I put in a start date for a user and a stop date for a user?

Is there a web site that I can go to for answers to these
questions? I have been to the archives.

Thank you and if this all cannot be done, please let me know so I can
scrap this project and move onto something different.

Dwane

Dwane Atkins
TN
210-567-0158


Authentication problem if CHAP is not used

2006-03-14 Thread Alex M
Hi, I have a problem; I always get Access Reject saying that the password is
invalid. But when I'm using the NTRadPing Test Utility, the same username and
password work fine if I check to use CHAP, but when the CHAP check box is not
selected then I'm getting the same problem as I have with my NAS.

So can someone tell me how to make FreeRadius work so that if I'm using
NTRadPing without CHAP it would still work!

Thanks!!!

PAP Question

2006-03-12 Thread Alex M
Hi

I want to use PAP protocol; do I have to set it in Authorization
section? Because there is no commented line for PAP while there is every other
module included.

Thanks!

RE: Ignoring request from unknown client 1.2.3.4.:****

2006-03-12 Thread Alex M
This is because you did not allow your radius to accept requests from your
client with IP 202.117.49.26. If you are using regular config files you need
to edit the Clients config. If you are using MySQL you need to set
radiusd.config to read the NAS table in MySQL (look at the end of the config
file, I think it's the last line) and then add your NAS clients to the NAS
table in the DB.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of yao guoxian
Sent: Sunday, March 12, 2006 8:49 PM
To: freeradius-users@lists.freeradius.org
Subject: Ignoring request from unknown client 1.2.3.4.:

Having installed Mysql4.0, I recompiled Freeradius 1.0.5. It seems Freeradius
and Mysql work well when I enter: radiusd -X.

However, when I use the 'UserName' and 'Password' in the 'radcheck' table to
test, I get the following output from the Radius Server:

 rad_recv: Access-Request packet from host 202.117.49.26:3978, id=12, length=47
 Ignoring request from unknown client 202.117.49.26:3978
 --- Walking the entire request list ---

Any suggestions?

NAS MAC Address Attribute

2006-03-10 Thread Alex M
Hi

Is the attribute for the NAS MAC address NAS-Identifier?

Thanks!

password rejected when CHAP is not used

2006-03-10 Thread Alex M
When I do not use CHAP my password gets rejected, and when I
do use it everything goes OK; but not all my NAS support CHAP!

So what should I do to configure radius to support a NAS that
doesn't send CHAP passwords?

THANKS!

accounting of MAC of the NAS

2006-03-08 Thread Alex M
Hi

I've noticed while running in debug mode, I can see the MAC of the NAS, but
when I go to the Accounting logs (that are stored in MySQL) I don't see any
place for MAC of the NAS, it only has the space for NAS IP. So is it possible
to make freeradius log the MAC address of the NAS too?

Thanks!

NAS MAC Variable

2006-03-08 Thread Alex M
What is the variable for the NAS MAC address, so that I can set up
the rule for mysql to log the MAC address of the NAS when the client sends a
request?

RE: accounting of MAC of the NAS

2006-03-08 Thread Alex M
I don't know what attribute and what packet, I regular install for MySql ...
I do see the queries in SQL.config but I don't know what variable is used for
NAS MAC address? That's why I asked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, March 08, 2006 5:26 PM
To: FreeRadius users mailing list
Subject: Re: accounting of MAC of the NAS

Alex M [EMAIL PROTECTED] wrote:
 I've noticed while running in debug mode, I can see the MAC of the NAS,

  In what attribute, in what kind of packet?

  but when I go to the Accounting logs (that are stored in MySQL) I
 don't see any place for MAC of the NAS, it only has the space for
 NAS IP. So is it possible to make freeradius to log the MAC address
 of the nas too?

  Sure.  Update the SQL schema and the queries.  That's why they're
editable.

  Alan DeKok.

RE: accounting of MAC of the NAS

2006-03-08 Thread Alex M
Hm yea interesting idea! Thanks!
I will try that

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, March 08, 2006 6:18 PM
To: FreeRadius users mailing list
Subject: Re: accounting of MAC of the NAS

Alex M [EMAIL PROTECTED] wrote:
 I don't know what attribute and what packet, 

  You have to be joking.  You already said you see the MAC address in
debug mode.  How hard is it to read that to find out the attribute
name, and packet?  Debug mode prints all that information!

 I do see the queries in SQL.config but I don't know what variable is used for
 NAS MAC address? That's why I asked.

  Read debugging mode.  The attribute name that you see next to the
MAC address is the name of the attribute to use.

  Alan DeKok.

RE: 802.1x

2005-11-02 Thread Alex M
Now I'm totally lost...
Can you give me an example of what 802.1x does?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

Alex M [EMAIL PROTECTED] wrote:
 So then such features as bandwidth and port blocking could be controlled via
 802.1x?

  No.

  Alan DeKok.
RE: 802.1x

2005-11-02 Thread Alex M
Ok I got it

By the way what is AV pair?

And how do you get NAS related attributes to control bandwidth from vendors?
Like if I'm using D-Link how could I get attributes from them?

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,

Features such as 'bandwidth and port blocking (if any) are
allocated/configured on the _NAS_ (in this case a NAS port) via AV pair/s
provided by RADIUS... the '802.1x Supplicant (Client/Endpoint) in simple
terms... provides a secure/standard conduit which facilitates the
communication of credentials (from the Supplicant to the Authenticator). The
'802.1x Authenticator (or NAS) _MAY_ provision/enforce Authorization for the
specific endpoint in the context of a user or group...

The management granularity of this functionality verifies greatly by switch
vendor as a result providing this functionality across a multi-vendor
environment... in a large scale deployment... is often too complex to
seriously consider.

jmr


RE: 802.1x

2005-11-02 Thread Alex M
Ok, thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guy Davies
Sent: Wednesday, November 02, 2005 12:38 PM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Which Vendor Specific Attributes are implemented by a Vendor are, as the name
suggests, specific to the vendor and totally up to them to choose. I would
not be surprised if DLink implement *NO* VSAs. Given the market into which
they're pitching their kit, I doubt very much that their kit will do
bandwidth control. Authenticating access to the port is the basic function of
802.1x so if DLink claim 802.1x support, then you can configure your NAS so
that you don't get any access without authenticating first.

Rgds,

Guy


RE: 802.1x

2005-11-02 Thread Alex M
Ok, will call D-Link to see if they have something
(the hotspot itself has that functionality internally though)

Also do you know if open source projects such as
NoCAT and ChillBox support such features?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 1:08 PM
To: FreeRadius users mailing list
Subject: RE: 802.1x

AV = ATTRIBUTE VALUE

D-Link what? D-Link makes lots of stuff... generally great
price... but not the most feature rich products.

To get the features you desire you'll likely need a higher-end
box. I'm not a big proponent of pitching specific
products in this forum. Suffice it to say there are vendors that
will (or attempt) to provide CoS / filtering on Wireless...

jmr

 Original Message 
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 10:04 am
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org

Ok I got it

By the way what is an AV pair?

And how do you get NAS related attributes
to control bandwidth from vendors? Like if I'm using D-Link how could I get
attributes from them?

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,

Features such as 'bandwidth and port blocking (if any) are
allocated/configured on the _NAS_
(in this case a NAS port) via AV pair/s provided by RADIUS...the '802.1x
Supplicant (Client/Endpoint) in simple terms... provides a
secure/standard conduit which facilitates the communication of credentials
(from the Supplicant to the Authenticator). The '802.1x
Authenticator (or NAS) _MAY_ provision/enforce Authorization for the
specific endpoint in the context of a user or group...

The management granularity of this functionality varies greatly
by switch vendor; as a result, providing this functionality across a multi-vendor
environment... in a large scale deployment... is often too complex to seriously
consider.

jmr

 Original Message 
Subject: RE: 802.1x
From: Alex M [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org

Now I'm totally lost...
Can you give me an example of what 802.1x does?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x 

Alex M [EMAIL PROTECTED] wrote:
 So then such features as bandwidth and port blocking could be controlled
via
 802.1x?

No.

Alan DeKok.
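
The AV pairs discussed in this thread, shown on the wire: an added Python example (not code from the thread or from FreeRADIUS) that encodes an Access-Accept carrying standard RFC 2865 attributes, verifies its Response Authenticator and parses the attribute list with length checks. The shared secret, filter name and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2865. Vendor-defined attributes (for example rate
# limits) travel in Vendor-Specific (26) and come from the NAS documentation.
FILTER_ID, REPLY_MESSAGE, SESSION_TIMEOUT = 11, 18, 27
ACCESS_ACCEPT = 2

def encode_avp(attr_type, value):
    """One AV pair on the wire: 1-byte type, 1-byte total length, then the value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def build_access_accept(ident, request_auth, secret, avps):
    """Access-Accept whose authenticator ties the reply to the request and the secret."""
    body = b"".join(encode_avp(t, v) for t, v in avps)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    digest = hashlib.md5(header + request_auth + body + secret).digest()
    return header + digest + body

def reply_is_authentic(packet, request_auth, secret):
    """Recompute the Response Authenticator as the NAS does before trusting any AV pair."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_avps(packet):
    """Walk the attribute list, rejecting lengths that run past the packet."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return avps

# Constructed sample values, not taken from the thread.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
PACKET = build_access_accept(7, REQ_AUTH, SECRET, [
    (REPLY_MESSAGE, b"Welcome"),
    (FILTER_ID, b"guest-acl"),                   # name of a filter defined on the NAS
    (SESSION_TIMEOUT, struct.pack("!I", 3600)),  # seconds
])

if __name__ == "__main__":
    print(reply_is_authentic(PACKET, REQ_AUTH, SECRET), parse_avps(PACKET))
```

The NAS, not the 802.1x supplicant, acts on these attributes, which is why the attributes a given device honours have to come from its own documentation.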

RE: 802.1x

2005-11-02 Thread Alex M
Wikipedia, well, can it show me how to block ports like port 88 on the user side?
Yeah, I should learn how to use Google, he he

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Seferovic Edvin
Sent: Wednesday, November 02, 2005 4:42 PM
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Maybe you should learn how to do a research with google ;) or just use an
encyclopedia...

http://en.wikipedia.org/wiki/802.1x

have fun !

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Wednesday, 02 November 2005 22:34
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

That's what I started with... but it returns me all very very expensive
enterprise equipment, and other junk... well, maybe I'm using the wrong keyword
but Google doesn't give me anything I'm looking for

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver
Graf
Sent: Wednesday, November 02, 2005 4:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x

On Wed, Nov 02, 2005 at 11:10:20AM -0500, Alex M wrote:
 Now im totally lost...
 Can u give me an example what 802.1x does?

Can u use google?

Oliver.



802.1x

2005-11-01 Thread Alex M
What is the difference between plain Radius identification
compared to 802.1x?

What additional functionality does 802.1x give to
radius?

Thanks!


Bandwith controll

2005-10-31 Thread Alex M
I'm a newbie here, please tell me where I can find
info on controlling user bandwidth and allowed TCP/IP ports!!

Appreciate your help!!!


RE: Bandwith controll

2005-10-31 Thread Alex M
Are there any general variables? Because I'm using different NASes, although
mostly D-Link DSA-3100

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, October 31, 2005 4:15 PM
To: FreeRadius users mailing list
Subject: Re: Bandwith controll 

Alex M [EMAIL PROTECTED] wrote:
 I'm a newbie here, please tell me where I can find info on controlling
user
 bandwidth and allowed TCP/IP ports!!

  Read your NAS documentation.

  Then, configure FreeRADIUS to send the attributes the NAS expects.

  Alan DeKok.


Post authentication Bandwidth control

2005-10-29 Thread Alex M
How can I use Post authentication to control the users'
bandwidth???

Thanks!


RE: Problem using Calling-Station-Id-Attribute in radcheck

2005-10-28 Thread Alex M
I'm about to try to do the same, but to log
the MAC addresses. I'm a newbie to freerad, but sometimes, depending on the
switches and routers that you have on your network, your MAC address gets hashed
along the way (I saw that on MS IAS). So check in the logs if you can see
the MAC of the user first, although how to do that is my question.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of kdr akm
Sent: Friday, October 28, 2005 10:16 AM
To: freeradius-users@lists.freeradius.org
Subject: Problem using Calling-Station-Id-Attribute in radcheck

Hello,

I'm using freeradius-1.0.1-0.FC2.i386.rpm and
freeradius-mysql-1.0.1-0.FC2.i386.rpm with MySQL for authentication
for my LAN client.

Now, I also want to check the MAC address of this LAN client.
Therefore I added the Calling-Station-Id-Attribute to the radcheck
table.

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | UserName | Attribute          | op | Value        |
+----+----------+--------------------+----+--------------+
|  1 | tala     | User-Password      | == | 123123       |
|  2 | tala     | Calling-Station-Id | == | 000d88522f1f |
+----+----------+--------------------+----+--------------+
2 rows in set (0.00 sec)

Unfortunately, freeradius cannot validate this user anymore. Are there
any config files I have to change? Or am I using this attribute wrong? I am a
beginner in RADIUS

and thanks in advance.


controling bandwidth

2005-10-28 Thread Alex M
Hi,

How can I control bandwidth for specific users? And how can
I block all ports except one, for their connection?

Thanks!


cheking mysql requests

2005-10-26 Thread Alex M
Hi

I'm having a problem in that freeradius doesn't recognize
the clients (NAS) in the NAS table of MySQL.

It keeps throwing me: Unknown client nothing to do

So, I have set up sql.conf to trace mysql queries in -X
debug mode to YES, but I still don't see any queries shown to the NAS
table to see if the client is authorized.

So how can I check if freeradius sends the query to the NAS
table of the DB to SELECT * NAS where NASNAME = xxx.xxx.xxx.xxx
and SECRET=testing123 ???

I MUST make this work!!!

Please help!


RE: cheking mysql requests

2005-10-26 Thread Alex M
OK, that information is a good thing to know, which creates another two
questions:

1. How can I find out if the server obtained the records from the table?
2. If you add, let's say, a new user (user as user, not a NAS) to the DB, then do I have
to restart the server in order for the settings to take effect?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Wednesday, October 26, 2005 2:06 PM
To: FreeRadius users mailing list
Subject: Re: cheking mysql requests 

Alex M [EMAIL PROTECTED] wrote:
 So, I have set up sql.conf to trace mysql qureys in -X debug mode to YES,
 but I still don't see any qureys shown to the NAS table to see is the
client
 is authorized. 

  The queries are NOT done live.  They are done once when the server
starts.

  Alan DeKok.



RE: cheking mysql requests

2005-10-26 Thread Alex M
 1. How can I find if server obtained the records from the table?

Read the debug output on startup.
  I can read that, but the question is whether I can understand what it is saying,
because it's not the usual SQL reply output there

Or, send it a packet from a client configured in SQL.
  That's where I'm getting the reply that the client is unknown

Or, read the sqltrace file
  Can you suggest where to look for it? I can't find it... :-(


Thanks!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Wednesday, October 26, 2005 2:27 PM
To: FreeRadius users mailing list
Subject: Re: cheking mysql requests 

Alex M [EMAIL PROTECTED] wrote:
 1. How can I find if server obtained the records from the table?

  Read the debug output on startup.  Or, send it a packet from a
client configured in SQL.  Or, read the sqltrace file, I *think* the
queries are in there.

 2. If you add lets say new user (user as user, not a NAS) to DB, when I
have
 to restart the server in order for settings to take affect?

  No.

  Alan DeKok.



RE: cheking mysql requests

2005-10-26 Thread Alex M
Ok, here are the answers to my own questions:
1. In order to read the NAS table you have to unquote readclients=yes to allow
the server to connect to the NAS table in sql.config (at the end of the file)

2. My table was modified as was suggested by another post, but freeradius
queries the table in TABULAR format, so the results obtained were messed up

3. Despite the short name in the table being set to allow null, the server
will not allow the record to be used without a short name, so you have to have
the nasname, shortname, and secret fields filled in


Hope it will help people who have the same questions that I did


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Wednesday, October 26, 2005 2:27 PM
To: FreeRadius users mailing list
Subject: Re: cheking mysql requests 

Alex M [EMAIL PROTECTED] wrote:
 1. How can I find if server obtained the records from the table?

  Read the debug output on startup.  Or, send it a packet from a
client configured in SQL.  Or, read the sqltrace file, I *think* the
queries are in there.

 2. If you add lets say new user (user as user, not a NAS) to DB, when I
have
 to restart the server in order for settings to take affect?

  No.

  Alan DeKok.



SQL NAS table

2005-10-25 Thread Alex M
Can some one point me to the documentation on use of SQL NAS
table?

So that I can add nas devices to the DB and not a text file?

Thanks!


RE: SQL NAS table

2005-10-25 Thread Alex M
Ok I have this table,

id          SERIAL PRIMARY KEY,
nasname     VARCHAR(128),
shortname   VARCHAR(32) NOT NULL,
type        VARCHAR(30),
ports       int4,
secret      VARCHAR(60) NOT NULL,
community   VARCHAR(50),
description TEXT

So assuming I'll add these fields that have the IP address too

ipaddr      INET PRIMARY KEY,
snmp        VARCHAR(10),
naslocation VARCHAR(32)

Now if I enter the secret and IP address, it is supposed to work, I assume?
If it is not hard, can you tell me what the other fields normally stand for?


Thanks!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy
Fraser
Sent: Tuesday, October 25, 2005 1:06 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: SQL NAS table

On Tue, 2005-25-10 at 12:52 -0400, Alex M wrote:
 Can some one point me to the documentation on use of SQL NAS table?
 
 So that I can add nas devices to the DB and not a text file?
 
...snip...

There has been discussion on this in the past, here is a 
message I sent as a response to this list, that might point 
you in the right direction.


---Copied message from archive---
On Thu, 2005-15-09 at 15:08 -0400, Alan DeKok wrote:
  Am I to take it that it is not possible to use SQL for the
clients.conf
  file? And if that it the case could someone please explain what the
nas
  table is for in the database schema?
 
   It's possible.  You do need at least one entry in clients.conf,
 though.  I suggest 127.0.0.1
 
   Then, read sql.conf, and set readclients=yes
 
   Alan DeKok.

Cool.

I am working with FreeBSD and the updates for 1.0.5 are not 
in the cvsup repository yet, so my comment is in regards to 
1.0.4, but may apply to 1.0.5.

I took a look at the postgresql stuff and it appears as though
the schema will need a little tweak in order to be compatible
with rlm_sql.c's requirements.

A SERIAL column named Id will need to be added.

This will make it compatible :

-- SQL clients table
CREATE TABLE nas (
    id          SERIAL PRIMARY KEY,
    nasname     VARCHAR(128),
    shortname   VARCHAR(32) NOT NULL,
    type        VARCHAR(30),
    ports       int4,
    secret      VARCHAR(60) NOT NULL,
    community   VARCHAR(50),
    description TEXT
);

This is not required, but this info used to be in the nas
table in the postgresql schema.

-- additional nas info table included in previous nas table
CREATE TABLE nas (
    id          int4 NOT NULL,
    ipaddr      INET PRIMARY KEY,
    snmp        VARCHAR(10),
    naslocation VARCHAR(32)
);

---End of message---


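
An added example (not from the thread or the FreeRADIUS project) that audits a nas table with the column names posted above for the conditions reported in these threads: rows missing nasname, shortname or secret, plus rows still using the sample secret testing123. Assumptions: SQLite stands in for the MySQL/PostgreSQL database, the NOT NULL constraints are dropped so that incomplete rows can exist, and all rows are constructed.

```python
import sqlite3

# Sample secret shipped in FreeRADIUS's default clients.conf; it also appears in this thread.
DEFAULT_SECRETS = {"testing123"}
REQUIRED = ("nasname", "shortname", "secret")

# Column names follow the schema posted in the thread; constraints relaxed (assumption).
SCHEMA = """
CREATE TABLE nas (
    id          INTEGER PRIMARY KEY,
    nasname     VARCHAR(128),
    shortname   VARCHAR(32),
    type        VARCHAR(30),
    ports       INTEGER,
    secret      VARCHAR(60),
    community   VARCHAR(50),
    description TEXT
)"""

def audit_nas_table(conn):
    """Return {nas id: [problems]} for incomplete rows and rows using a default secret."""
    conn.row_factory = sqlite3.Row
    findings = {}
    for row in conn.execute("SELECT id, nasname, shortname, secret FROM nas ORDER BY id"):
        problems = [f"{col} is empty" for col in REQUIRED
                    if row[col] is None or not str(row[col]).strip()]
        if row["secret"] in DEFAULT_SECRETS:
            problems.append("secret is a well-known default")
        if problems:
            findings[row["id"]] = problems
    return findings

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Constructed rows; 192.0.2.0/24 is a documentation address range.
    conn.executemany(
        "INSERT INTO nas (nasname, shortname, type, secret) VALUES (?, ?, ?, ?)",
        [("192.0.2.10", "hotspot-1", "other", "k3Yq-constructed-secret"),
         ("192.0.2.11", None, "other", "another-constructed-secret"),
         ("192.0.2.12", "hotspot-3", "other", "testing123"),
         ("192.0.2.13", "", "other", "")])
    return audit_nas_table(conn)

if __name__ == "__main__":
    for nas_id, problems in demo().items():
        print(nas_id, "; ".join(problems))
```

Because the client list is read once at server start, as stated in the thread, a check like this is most useful before a restart.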

