One session per username
Hi All,

I have pptpd running with freeradius 2.0. All is fine, but I want to limit each client to one session per username. Currently a user can log on using his username and password multiple times.

Regards

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Values for MySQL tables for pptpd ?
Hi

I did setup pptpd with freeradius + mysql http://poptop.sourceforge.net/dox/radius_mysql.html. pptpd poptop works fine without freeradius, with freeradius and mysql, all seems fine apart from me not knowing what values to enter into the mysql tables of freeradius.

With no entries in database I get

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:45194, id=198, length=67
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = test
    Calling-Station-Id = 193.227.186.146
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User test not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User test not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User not found ###
modcall[authorize]: module sql returns notfound for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 198 to 127.0.0.1 port 45194
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 198 with timestamp 4fbc8c9d

When I do add to radcheck -

INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (11, 'test', 'Chap-Password', '==', 'test');

I get

rad_recv: Access-Request packet from host 127.0.0.1:46882, id=199, length=67
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = test
    Calling-Station-Id = 193.227.186.146
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 1
radius_xlat: 'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): No matching entry in the database for request from user [test]
modcall[authorize]: module sql returns notfound for request 1
modcall[authorize]: module mschap returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user #
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
---
Re: Values for MySQL tables for pptpd ?
Thanks Alan,

I assumed Chap-Password because during testing I got

auth: No User-Password or CHAP-Password attribute in the request

Regards

On Wed, May 23, 2012 at 10:16 AM, Alan DeKok al...@deployingradius.com wrote:

> Ali Jawad wrote:
> > When I do add to radcheck -
> >
> > INSERT INTO `radcheck` (`id`, `UserName`, `Attribute`, `op`, `Value`) VALUES (11, 'test', 'Chap-Password', '==', 'test');
>
> That's wrong. See the FAQ. Use Cleartext-Password := test.
>
> Alan DeKok.

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: Values for MySQL tables for pptpd ?
Hi Alan

Sorry for the many mails. I did test with Cleartext-Password and got

rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
rlm_sql (sql): Error getting data from database

I have microsoft and merit dictionary loaded

Regards
Re: Values for MySQL tables for pptpd ?
Fair enough, what is the value that forces use of Cleartext-Password?

Thanks!

On Wed, May 23, 2012 at 11:15 AM, Alan DeKok al...@deployingradius.com wrote:

> Ali Jawad wrote:
> > I did test with Cleartext-Password and got
> >
> > rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
> > rlm_sql (sql): Error getting data from database
>
> Then you edited the default configuration and broke the server.
>
> > I have microsoft and merit dictionary loaded
>
> What does that mean? DON'T edit the dictionaries. The server WORKS.
>
> Alan DeKok.
Re: Values for MySQL tables for pptpd ?
Hi Alan

I did only add an include which I did remove now, the freeradius version is 1.1.3 + freeradius-mysql from CentOS 5 repos

thanks

On Wed, May 23, 2012 at 11:17 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 05/23/2012 08:46 AM, Ali Jawad wrote:
> > Hi Alan
> >
> > Sorry for the many mails I did test with Cleartext-Password and got
> >
> > rlm_sql: Failed to create the pair: Unknown attribute Cleartext-Password
> > rlm_sql (sql): Error getting data from database
>
> Which version of FreeRADIUS?
>
> > I have microsoft and merit dictionary loaded
>
> If you have fiddled with the dictionaries, you'll break everything. Don't do that. Leave the dictionaries alone. There's no problem loading them all.
Re: Values for MySQL tables for pptpd ?
Hi

I switched to freeradius2. I did edit only sql.conf to the correct MySQL values and I did import schema.sql from sql/mysql/. I did add a user to the new tables and that is about all. Now I get the below, I did NOT edit any other settings, is there something that needs to be done so FR checks in the database like adding sql entries to authorize{} and session{}

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 247 to 127.0.0.1 port 60798
Waking up in 4.9 seconds.
Cleaning up request 0 ID 247 with timestamp +18
Ready to process requests.

Regards

On Wed, May 23, 2012 at 11:49 AM, Alan DeKok al...@deployingradius.com wrote:

> Ali Jawad wrote:
> > Hi Alan I did only add an include which I did remove now, the freeradius version is 1.1.3 + freeradius-mysql from CentOS 5 repos
>
> sigh
>
> It would have helped to say that at the start.
>
> Delete the 1.1.3 version. Install freeradius2.
>
> Alan DeKok.
Re: Values for MySQL tables for pptpd ?
Thanks for your patience so far. I did edit include sql.conf and only edited authorize to uncomment sql line. Now I am getting the below.

[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!

I did try as LOCAL and it says set CHAP, I also tried mschap

##
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = test
    Calling-Station-Id =
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'normalusers' ORDER BY id
[sql] User found in group normalusers
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'normalusers' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 127.0.0.1 port 36343
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +8
Ready to process requests.

My DB entries are :

INSERT INTO `radcheck` (`id`, `username`, `attribute`, `op`, `value`) VALUES
(1, 'test', 'Cleartext-Password', '==', '123456');

INSERT INTO `radgroupcheck` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES
(1, 'normalusers', 'Auth-Type', '==', 'chap');

INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES
(1, 'normalusers', 'Framed-Compression', '=', 'Van-Jacobson-TCP-IP'),
(2, 'normalusers', 'Framed-Protocol', '=', 'PPP'),
(3, 'normalusers', 'Service-Type', '=', 'Framed-User');

INSERT INTO `radreply` (`id`, `username`, `attribute`, `op`, `value`) VALUES
(1, 'test', 'Framed-IP-Address', '=', '192.168.100.233');

INSERT INTO `radusergroup` (`username`, `groupname`, `priority`) VALUES
('test', 'normalusers', 1);

On Wed, May 23, 2012 at 12:17 PM, Fajar A. Nugraha l...@fajar.net wrote:

> On Wed, May 23, 2012 at 4:16 PM, Fajar A. Nugraha l...@fajar.net wrote:
> > On Wed, May 23, 2012 at 4:11 PM, Ali Jawad ali.ja...@splendor.net wrote:
> > > is there something that needs to be done so FR checks in the database like adding sql entries to authorize{}
> >
> > exactly. sites-available/default should be enough for pptpd since it doesn't use EAP. The comments on that file should be clear enough. Just uncomment sql on authorize section.
>
> ... and don't forget to read radiusd.conf as well. Read the comments there, and uncomment the line that includes sql.conf (since you didn't mention it, you probably didn't do that either).
>
> --
> Fajar
Re: Values for MySQL tables for pptpd ?
Hi

I did install freeradius2-mysql, configured /etc/raddb/sql.conf and included sql.conf in /etc/raddb/radius.conf and uncommented sql from authorize section of default. I did also import schema.sql from sql/mysql/. The queries show in the debug output but I am getting the error shown in the last email.

Thanks

Regards

On Wed, May 23, 2012 at 12:46 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:

> hi,
>
> sql support isn't turned on by default as you need to have SQL server,schema etc
>
> need to ensure sql.conf is read and sql is enabled in the relevant sections
>
> however, given that you are installing from package you probably also need to install freeradius2-mysql or freeradius2-sql package too...which might setup some things for you
>
> alan
Re: Values for MySQL tables for pptpd ?
Hi

Thanks again. I did remove Auth-Type entry from DB and error says now

rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

I am using a pptpd server, it has

plugin radius.so
plugin radattr.so

loaded. The radius client is :

rpm -qa | grep radiusclient
radiusclient-ng-utils-0.5.6-3.el5
radiusclient-ng-0.5.6-3.el5

Its radiusclient config is :

auth_order radius
login_tries 4
login_timeout 60
nologin /etc/nologin
issue /etc/radiusclient/issue
authserver localhost:1812
acctserver localhost:1813
servers /etc/radiusclient/servers
#dictionary /etc/raddb/dictionary
dictionary /usr/share/radiusclient-ng/dictionary
login_radius /usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout 10
radius_retries 3
login_local /bin/login

On Wed, May 23, 2012 at 12:54 PM, Alan DeKok al...@deployingradius.com wrote:

> Ali Jawad wrote:
> > Thanks for your patience so far. I did edit include sql.conf and only edited authorize to uncomment sql line. Now I am getting the below.
> >
> > [chap] ERROR: You set 'Auth-Type = CHAP' for a request that does not contain a CHAP-Password attribute!
>
> Because you forced Auth-Type := CHAP. Don't do that.
>
> > I did try as LOCAL and it says set CHAP, I also tried mschap
>
> It's MUCH better to *understand* what's going on. Trying random changes is terrible.
>
> > Listening on proxy address * port 1814
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 127.0.0.1 port 36343, id=0, length=67
> >     Service-Type = Framed-User
> >     Framed-Protocol = PPP
> >     User-Name = test
> >     Calling-Station-Id =
> >     NAS-IP-Address = 127.0.0.1
> >     NAS-Port = 0
>
> There's no password in this request. Use a RADIUS client that sends a password!
>
> Whatever RADIUS client you're using is broken. Don't use it.
>
> Alan DeKok.
Re: Values for MySQL tables for pptpd ?
Hi

I got it to work at least half way, I did change pptpd options from

-chap
-mschap
+mschap-v2
require-mppe

TO

+chap
+mschap
+mschap-v2
#require-mppe

And in MS Win 7 VPN settings I did set encryption to optional. This way I can connect, see

++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = 4FBCBB330F5000,User-Name = test'
[acct_unique] Acct-Unique-Session-ID = 6bbdd9f2f808f872.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20120523
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20120523
[detail] expand: %t -> Wed May 23 11:25:55 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> test
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 27 to 127.0.0.1 port 50177
Finished request 2.
Cleaning up request 2 ID 27 with timestamp +15
Going to the next request
Waking up in 4.7 seconds.

However when I do try to use MSCHAPV2 in VPN settings or if I do require encryption with appropriate settings in pptpd it fails.

Test example :

Set in VPN client in Win 7 to require encryption and MSCHAPV2 - default options

Set pptpd options to :

-chap
-mschap
+mschap-v2
require-mppe

I get the following in radius

++[sql] returns ok
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Al0800-1200'
rlm_logintime: timestr returned accept
rlm_logintime: Session-Timeout set to: 1200
++[logintime] returns ok
[pap] No clear-text password in the request. Not performing PAP.
++[pap] returns noop
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
No User-Password or CHAP-Password attribute in the request.
Cannot perform authentication.
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 45 to 127.0.0.1 port 60652
Waking up in 4.9 seconds.
Cleaning up request 12 ID 45 with timestamp +591
Ready to process requests.

In short it works for chap but not mschap, any input please?

Regards
Re: Values for MySQL tables for pptpd ?
In btw, I do not have any Auth-Type settings now.

Thanks
Re: Values for MySQL tables for pptpd ?
Hi again

I did do some more reading and finally got radius to authenticate mschap, I am using the users file to add users for the time being and no SQL. A user can authenticate properly. See

Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 100 with timestamp +136
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57868, id=101, length=132
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = test
    MS-CHAP-Challenge = 0x65c4689b30c27f604fcca7ba1370fdba
    MS-CHAP2-Response = 0x31004bfca25ae57e8617e1e2d3cebde28904c4cd490b424b34bfa53ad8b65fb786d994c6f647dbdd001a
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 101 to 127.0.0.1 port 57868
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 172.16.3.33
    Framed-IP-Netmask = 255.255.255.0
    Framed-Routing = Broadcast-Listen
    Framed-Filter-Id = std.ppp
    Framed-MTU = 1500
    Framed-Compression = Van-Jacobson-TCP-IP
    MS-CHAP2-Success = 0x31533d433030354632344435303132433435414432344634334344343931374636363944453733
    MS-MPPE-Recv-Key = 0x494fa970f9bb475a70b1b37179089b1d
    MS-MPPE-Send-Key = 0x546cdc52da0bf3818284fe5e6c48332d
    MS-MPPE-Encryption-Policy = 0x0002
    MS-MPPE-Encryption-Types = 0x0004
Finished request 4.

but I get the following error on the pptpd side

May 23 13:30:01 pptp-test-100-13 pppd[7512]: rc_check_reply: received invalid reply digest from RADIUS server

Any input please?

Regards

On Wed, May 23, 2012 at 3:17 PM, Matthew Newton m...@leicester.ac.uk wrote:

> On Wed, May 23, 2012 at 02:02:02PM +0200, Alan DeKok wrote:
> > Matthew Newton wrote:
> > > I'm not sure who looks after them now, or if they are maintained. I've just found radiusclient-ng, which looks more recent, but have no experience of it. But this is all mildly off-topic for FreeRADIUS...
> >
> > radiusclient-ng is no longer developed. It has become freeradius-client. :)
> >
> > See http://freeradius.org
>
> Ah - thanks. I had it on my list to hack at the radiusclient code to try and update it. 30 minutes ago, that list entry changed to radiusclient-ng. Looks like I'll be looking at the freeradius-client code instead now... if I ever get time!
>
> Cheers,
>
> Matthew
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Values for MySQL tables for pptpd ?
NM, posted too quickly, secrets were wrong. Fiddling around with Unsupported protocol 'IPv6 Control Protocol' (0x8057) received; after that it should work. Will definitely post it up in a howto.

Regards

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
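The "received invalid reply digest" error reported above turned out to be mismatched shared secrets. The following is an added example (not code from the posts, from FreeRADIUS or from radiusclient) of the RFC 2865 Response Authenticator check that a RADIUS client runs on every reply. The secrets, the request authenticator and all function names are constructed for illustration; the id 101 and the two Framed attributes mirror the log.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code for Access-Accept (RFC 2865)
HEADER_LEN = 20     # code(1) + id(1) + length(2) + authenticator(16)


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply signed with the server's secret."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return header + auth + attrs


def check_reply(packet, expected_id, request_auth, secret):
    """Client side: recompute the digest with the client's own secret."""
    if len(packet) < HEADER_LEN:
        return "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        return "bad length"
    if ident != expected_id:
        return "id mismatch"
    attrs = packet[HEADER_LEN:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    # Constant-time comparison of the received and recomputed digests.
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return "invalid reply digest"
    return "ok"


# Constructed sample values (not taken from the thread).
REQUEST_AUTH = bytes(range(16))        # authenticator the client sent
SERVER_SECRET = b"testing123"          # secret configured on the server
CLIENT_SECRET_TYPO = b"testing124"     # secret mistyped on the NAS side
ATTRS = (attr(6, struct.pack("!I", 2))      # Service-Type = Framed-User
         + attr(7, struct.pack("!I", 1)))   # Framed-Protocol = PPP
REPLY = build_reply(ACCESS_ACCEPT, 101, ATTRS, REQUEST_AUTH, SERVER_SECRET)


def demo():
    """Run the client check for three cases and return the verdicts."""
    tampered = REPLY[:-1] + bytes([REPLY[-1] ^ 1])  # flip one attribute bit
    return {
        "matching secret": check_reply(REPLY, 101, REQUEST_AUTH, SERVER_SECRET),
        "mismatched secret": check_reply(REPLY, 101, REQUEST_AUTH,
                                         CLIENT_SECRET_TYPO),
        "tampered attribute": check_reply(tampered, 101, REQUEST_AUTH,
                                          SERVER_SECRET),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The client cannot tell a mistyped secret from a modified packet, so it drops the Access-Accept even though the server's debug output shows a successful authentication.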
Re: which users are connected and when ?
Try dialup admin...

On 1/11/07, adreas Polyxronopoulos [EMAIL PROTECTED] wrote:
> Hello list,
>
> I have a wlan using freeradius for authentication. I want to create a user-management application which will help me in monitoring the wlan. The main information I would like to provide with my application is the following:
>
> 1) How many users are connected on my wlan and how many are not connected?
> 2) Which users are connected on my wlan and when did they connect?
>
> As I have studied freeradius until now, I can get this information from the detail-file. But I would like to know if I could export the detail-file in a MySQL format, or if I could have info like the detail-file provides in a MySQL format. I am interested in MySQL because my application will be in php and the manipulation of a MySQL database is much easier.
>
> Any ideas would be useful. Thanks
>
> Adreas Polyxronopoulos

--
With Regards
Ali Jawad
Re: Dialup admin help
Try setting sql_debug or debug_sql to on in the main config file of dialup admin and see if it yields any errors. To check if it is working, just create a user using dialup admin and then check the existence of the user in the mysql tables using phpmyadmin. The created user should be there...

On 1/6/07, Greg Hartung [EMAIL PROTECTED] wrote:
> I have had FreeRadius and Mysql authenticating users for months but now I am trying to get dialup admin working for the first time. The main page loads fine. Find User does load a search page but won't return any users and Show Groups loads a header with no groups. The rest of the menu items are either a blank white or blank green screen. I am using Mysql and I have configured user, pwd, dbname, etc. in admin.conf and I have run the 4 create table scripts.
>
> Does it log anywhere? How do I tell if it's hitting the db? Or what should I try next?
>
> Thanks!
> Greg

--
With Regards
Ali Jawad
Re: Limit access to internet by mac using freeradius
That would solve the problem of clients acquiring the IPs automatically, but what about users who would enter the IPs statically?

On 11/2/06, Zoltan Ori [EMAIL PROTECTED] wrote:
> On Thursday 02 November 2006 05:43, Ali Jawad wrote:
> > I need something like the mac address filtering used in squid ...where only registered mac address are allowed through the proxy..any hints suggestions and/or tutorials are welcome.
>
> Use your DHCP server for that.
>
> Zoltan Ori

--
With Regards
Ali Jawad
Re: Database query failed: Table 'radius.radcheck' doesn't exist
Please note that you have to use the .sql files provided for the freeradius server and for dialupadmin.

On 11/2/06, Dusan Djordjevic Liste [EMAIL PROTECTED] wrote:
> Hi all,
>
> I am trying to install dialup admin. I followed the HOWTO located in the doc/ directory. I created all tables in the radius database using the provided .sql files in the sql/ dir. Now I have 4 tables in the radius database: badusers, mtotacct, totacct, userinfo.
>
> When I connect to dialup admin and try to create a new user, it gives me the following error:
>
> Database query failed: Table 'radius.radcheck' doesn't exist
>
> (after a bunch of error messages that some queries and inserts are not valid).
>
> I am not good with databases, but AFAIK this means that there is no radcheck table in the radius database. Also, if I understand admin.conf properly, there is a part that says the following:
>
> sql_database: radius
> sql_accounting_table: radacct
> sql_badusers_table: badusers
> sql_check_table: radcheck
> sql_reply_table: radreply
> sql_user_info_table: userinfo
> sql_groupcheck_table: radgroupcheck
> sql_groupreply_table: radgroupreply
> sql_usergroup_table: usergroup
> sql_total_accounting_table: totacct
> sql_nas_table: nas
>
> Also a lot of the tables mentioned here do not exist.
>
> Did I miss something or?
>
> TIA
> Dusan
> http://dj-dule.blogspot.com

--
With Regards
Ali Jawad
Re: Database query failed: Table 'radius.radcheck' doesn't exist
Well, I've tried dialupadmin. Apart from the fact that it might be troublesome to set up, it worked just fine for me. I used it to authenticate ISP clients through pppoe. And to Dusan: as Vasea said, find the .sql file containing the tables for freeradius and import them using phpmyadmin or the mysql shell.

On 11/2/06, Vasea Marii [EMAIL PROTECTED] wrote:
> radcheck is one of the most important tables in freeradius if working with mysql! It is the table where users' usernames, passwords and other data are stored for authenticating users when they are connecting!
> In your freeradius distribution find the mysql.sql file and create the tables that are missing! By the way, dialup-admin has a lot of bugs! You'll have a lot of work :) Try phpmyprepaid!

--
With Regards
Ali Jawad
Limit access to internet by mac using freeradius
Hi,

I've got a micro ISP with 50 clients running on pppoe and freeradius for authentication; each client has a username and password. When a customer dials through his winbox to create a pppoe connection, the pppoe server on the server loads radius.so to do the authentication.

What I want to do now is the following: I want to authenticate based on mac address and I do not want to use pppoe anymore, so everybody plugging a network cable into my switch will have immediate internet access only if I have registered his mac address for him previously; otherwise everybody plugging his network cable into my switches will have access to my internet connection.

I mean I need something like the mac address filtering used in squid, where only registered mac addresses are allowed through the proxy. Any hints, suggestions and/or tutorials are welcome.

--
With Regards
Ali Jawad
Re: Database query failed: Table 'radius.radcheck' doesn't exist
Dear Dusan,

Please note before you proceed to phpmyprepaid that the error is most probably related to your freeradius installation, not your dialupadmin installation. Check John's response concerning that matter.

On 11/2/06, Dusan Djordjevic Liste [EMAIL PROTECTED] wrote:
> Vasea Marii wrote:
> > radcheck is one of the most important tables in freeradius if working with mysql! It is the table where users' usernames, passwords and other data are stored for authenticating users when they are connecting!
> > In your freeradius distribution find the mysql.sql file and create the tables that are missing! By the way, dialup-admin has a lot of bugs! You'll have a lot of work :) Try phpmyprepaid!
>
> Thank you very much for the response. I will check phpmyprepaid.
>
> btw. I am trying to sort out a solution for VoIP termination, that is why I need radius. Can someone recommend me good software for that? It should work on Red Hat Enterprise Linux and support freeradius.
>
> TIA
> Dusan
> http://dj-dule.blogspot.com

--
With Regards
Ali Jawad
Re: Limit access to internet by mac using freeradius
Dear Alan,

Thanks for your suggestion; however, the setup is rather small at 50 users and the switch is not manageable. I am a CCNA, nothing special about that, and I wish I had the means to apply the setup on a manageable switch using port security; however, I still care about the accounting features of radius even if the manageable switch was a feasible solution.

On 11/2/06, Alan DeKok [EMAIL PROTECTED] wrote:
> Ali Jawad [EMAIL PROTECTED] wrote:
> > I want to authenicate based on mac address and i do not want to use pppoe anymore..so everybody plugging in a network cable into my switch will have immediate internet access only if I have registered his mac address for him
>
> See the switch documentation for how to do port-based authentication using MAC addresses.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

--
With Regards
Ali Jawad
authenticate internet access through MACs
Hi,

I've got a debian router and a switch through which I provide internet access to some of the residents of my building. I want to implement a mechanism so that only the computers I specify can access the Internet. I could do it through squid, but if I do so it would allow me only to restrict traffic going through port 80; what about Internet applications that use other ports such as ftp, smtp, yahoo and msn? I want to use a mechanism that allows me to authenticate PCs based on mac address, and only those computers are allowed to access the internet.

One particular solution could be blocking all access to the router unless the request has the source mac from an authorised PC, but I would prefer another approach if available, since I am not going to operate the router, and the firewall script was written using VIM and the operator needs a web interface to operate the router.

I've got a freeradius server set up and running on the router with the dialup admin interface. I have done this setup previously with pppoe and freeradius. I can not use pppoe this time, so I would like to know if there is a mechanism that allows me to redirect all the requests coming to the router through radius, with access granted upon the authentication info found in the radius database. I used to do that by loading radius.so each time a request to the pppoe server is made, by including radius.so in the pppoe.options file, but I have no clue on how to do it this time.

Any suggestions are welcome.

--
With Regards
Ali Jawad
Re: Dialupadmin Problems
This happened to me once with another application because I had global_registers off in the php.ini file. You might wanna check that.

On 10/12/06, Andy Dixon [EMAIL PROTECTED] wrote:
> On 11 Oct 2006, at 19:11, Ali Jawad wrote:
> > Could be a permissions issue..you might wana investigate that
>
> I thought it may have been an issue with PHP and / or apache. I tailed the logs from Apache and got nothing, but PHP threw up lots of notices about un-initialized constants / variables / etc, a warning about a for loop being given something dodgy, and another error about a security risk.

--
With Regards
Ali Jawad
Re: Dialupadmin Problems
You might want to set sql_debug or something like it to on in the dialupadmin config file. This will run sql queries in debugging mode and might help you to reveal the problem.

On 10/12/06, Kostas Kalevras [EMAIL PROTECTED] wrote:
> Andy Dixon wrote:
> > On 11 Oct 2006, at 19:11, Ali Jawad wrote:
> > > Could be a permissions issue..you might wana investigate that
> >
> > I thought it may have been an issue with PHP and / or apache. I tailed the logs from Apache and got nothing, but PHP threw up lots of notices about un-initialized constants / variables / etc, a warning about a for loop being given something dodgy, and another error about a security risk.
>
> Usually when you get a blank page in dialupadmin the reason is that php is lacking mysql support. I would suggest to check that one.

--
With Regards
Ali Jawad
Re: Dialupadmin Problems
Could be a permissions issue. You might wanna investigate that.

On 10/11/06, Andy Dixon [EMAIL PROTECTED] wrote:
> On 10 Oct 2006, at 10:17, Ali Jawad wrote:
> > All the detailed info about setting up dialup admin is found in the howto file..it even explains how to import the sql files for your chosen database.
>
> That's what I did. Just in case I missed something out, someone else went through the howto and got the same results.
>
> Any ideas?
>
> Andy

--
With Regards
Ali Jawad
Re: Dialupadmin Problems
All the detailed info about setting up dialup admin is found in the howto file. It even explains how to import the sql files for your chosen database.

On 10/10/06, Andy Dixon [EMAIL PROTECTED] wrote:
> Hello,
>
> I am having problems getting dialupadmin to work on FreeBSD 6.1. If I go to any of the pages (eg add user) I just get a blank screen.
>
> Also, if anyone could point me in the direction of where I can find some information on what needs to go into the tables in a postgres database for RADIUS users, I would be grateful.
>
> Thanks

--
With Regards
Ali Jawad
Re: Maximum timed out Session
Yes, there is; you can set the maximum timeout for every session. I am actually using the dialup admin web interface to do that, so I can't really tell you in which configuration file the option is. But I hope this helps you anyway.

On 9/14/06, Elie Hani [EMAIL PROTECTED] wrote:
> Hi;
>
> Is there a way to disconnect a user after a certain time automatically using freeradius? I've tried the entry Max-All-Session in the database, but it didn't work.
>
> Thanks
> Elie Hani

--
With Regards
Ali Jawad
Mac authentication
Hi Guys,

I've got my pppoe server up and running and the authentication process is just fine. What I want to do now is to bind the username and password combination to a mac, so that the mentioned user/password combination can only be used on a per pc, i.e. per mac, basis. Can anyone help me on how to do this, please?

--
With Regards
Ali Jawad
Re: FreeRadius Dialupadmin page not loading
You clearly have not configured apache to work with php4; even if you click open instead of save it will open the file in an editor. You have to do that first before you can use php on apache. Search for something like php3 or php4 in the config file of apache and uncomment it. You also have to install the php4 module for apache. Apart from having mysql installed to make dialupadmin work. There are many howtos online which explain how to do that. If you are using debian I am willing to help you on that issue too.

On 9/13/06, Nico Gazzano [EMAIL PROTECTED] wrote:
> I've got php4 installed and for some reason when I try to load the admin page it asks if I want to open or save the buttons.html.php3 file. I wasn't thinking and clicked save and now it saves the file instead of opening the admin page. Can someone help? I'm doing this locally on the server.
>
> Nico Gazzano
> Network Systems Admin
> MIS Choice Inc.
> 1699 Wall ST Suite 602
> Mount Prospect, IL 60056
> Phone 847-690-1900 ext206
> Fax 847-690-1350
> [EMAIL PROTECTED]

--
With Regards
Ali Jawad
Probs with pppoe-server + radius
Hi Guys,

I am using freeradius on a debian sarge box. I use the following:

noccbox:~# freeradius -v
freeradius: FreeRADIUS Version 1.1.2, for host , built on Jul 2 2006 at 11:19:11
noccbox:~# uname -a
Linux noccbox 2.6.8-3-686 #1 Sat Jul 15 10:32:25 UTC 2006 i686 GNU/Linux

I have dialup-admin installed and configured sql.conf accordingly. I have downloaded NTRadping and added my windows machine to the /etc/raddb/clients file. Then I sent an authentication request using my root password WITH CHAP TURNED OFF. It was successful and I got the following reply.

Sending authenication request to server 192.168.1.1:1812
Transmitting packet, code=1 id=12 length=44
receied reponse from server in 16 milliseconds
reply packet code=2 id = 12 length=20
reponse: Access-Accept

Then I did the same test with CHAP TURNED ON; the test failed and returned the following:

Sending authenication request to server 192.168.1.1:1812
Transmitting packet, code=1 id=13 length=45
receied reponse from server in 2000 milliseconds
reply packet code=3 id = 13 length=20
reponse: Access-Reject

The info above is to help you guys in helping me pinpoint my problem. My real problem is that I can dial into my server using pppoe and simple chap and/or pap authentication. However, once I use radius to authenticate the pppoe-dialup requests into the server, I get the following output in pppd.log:

Using interface ppp0
Connect: ppp0 -- /dev/pts/1
rc_read_mapfile: can't read /etc/radiusclient/port-id-map: No such file or directory
RADIUS: Can't read map file /etc/radiusclient/port-id-map
Peer root failed CHAP authentication
Connection terminated.
pppoe: read (asyncReadFromPPP): Session 4: Input/output error
Terminating on signal 15
Using interface ppp0
Connect: ppp0 -- /dev/pts/1
Terminating on signal 15
Connection terminated.
Modem hangup
pppoe: read (asyncReadFromPPP): Session 5: Input/output error

Any help would be welcome.