Re: SQL Accounting
As I previously mentioned, the accounting section contains just 'sql'. I have no sql section in radiusd.conf though (perhaps this is my problem?) and no sql_accounting definitions in my sql.conf, but the sql accounting queries are defined there, and they are correct. The sql connection is working, and post auth data gets logged fine, just not the accounting stuff.

Cheers,
Ben

On Wed, 2005-09-28 at 09:11 -0300, Paolo Rotela wrote:
> Yep, but I need some more info. Your sql section in radiusd.conf and your sql_accounting* definitions in sql.conf. Also the accounting section in radiusd.conf, in which it must be a sql instance.
>
> Ing. Paolo Rotela
> Jefe Técnico
> Blue Telecom
>
> Eng. Paolo Rotela
> CTO
> Blue Telecom
>
> - Original Message -
> From: Ben Dowling [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Tuesday, September 27, 2005 6:00 PM
> Subject: SQL Accounting
>
> Hi,
>
> I'm still having problems getting FreeRadius-1.0.4 to log accounting data to sql. I know it is receiving the data, as I can log it to file. In my accounting section I have 'sql', and the SQL queries are there in sql.conf. However, when looking at the sqltrace log the only queries are inserts to radpostauth. Can anyone help?
>
> Thanks in advance,
> Ben

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SQL Accounting
That is exactly the setup I have, but it doesn't seem to be working. There are no errors reported in radius.log, and no accounting queries in sqltrace.sql. Any ideas?

Cheers,
Ben

On Wed, 2005-09-28 at 15:08 -0300, Paolo Rotela wrote:
> You should have something like this in your radiusd.conf
>
> $INCLUDE ${confdir}/sql.conf
>
> Then you should have this in sql.conf (or the file pointed to by the include, my example is with mysql, could be another engine)
>
> sql {
>     # Database type
>     # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
>     # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
>     driver = rlm_sql_mysql
>
>     # Connect info
>     server = localhost
>     login = user
>     password = user
>
>     # Database table configuration
>     radius_db = radius
>
>     # If you want both stop and start records logged to the
>     # same SQL table, leave this as is. If you want them in
>     # different tables, put the start table in acct_table1
>     # and stop table in acct_table2
>     acct_table1 = radacct
>     acct_table2 = radacct
>
> and then some accounting_*_query that inserts or updates the ${acct_table1} or ${acct_table2}.
>
> Then your accounting { section in radiusd.conf should have a line saying sql or the sql instance name (if you are using more than the default instance for sql module).
>
> And then you must have the radius database and the radacct table.
>
> If all this is ok, then I don't know for sure, you should check your radius.log for errors in the sql module.
>
> - Original Message -
> From: Ben Dowling [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Wednesday, September 28, 2005 2:30 PM
> Subject: Re: SQL Accounting
>
> As I previously mentioned, the accounting section contains just 'sql'. I have no sql section in radiusd.conf though (perhaps this is my problem?) and no sql_accounting definitions in my sql.conf, but the sql accounting queries are defined there, and they are correct. The sql connection is working, and post auth data gets logged fine, just not the accounting stuff.
>
> Cheers,
> Ben
>
> On Wed, 2005-09-28 at 09:11 -0300, Paolo Rotela wrote:
> > Yep, but I need some more info. Your sql section in radiusd.conf and your sql_accounting* definitions in sql.conf. Also the accounting section in radiusd.conf, in which it must be a sql instance.
> >
> > Ing. Paolo Rotela
> > Jefe Técnico
> > Blue Telecom
> >
> > Eng. Paolo Rotela
> > CTO
> > Blue Telecom
> >
> > - Original Message -
> > From: Ben Dowling [EMAIL PROTECTED]
> > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > Sent: Tuesday, September 27, 2005 6:00 PM
> > Subject: SQL Accounting
> >
> > Hi,
> >
> > I'm still having problems getting FreeRadius-1.0.4 to log accounting data to sql. I know it is receiving the data, as I can log it to file. In my accounting section I have 'sql', and the SQL queries are there in sql.conf. However, when looking at the sqltrace log the only queries are inserts to radpostauth. Can anyone help?
> >
> > Thanks in advance,
> > Ben

Re: SQL Accounting
I am running it with -X, and it all seems fine. It shows the sql module loading, and all the accounting queries. What could I be missing?

Ben

On Wed, 2005-09-28 at 16:42 -0300, Paolo Rotela wrote:
> > That is exactly the setup I have, but it doesn't seem to be working. There are no errors reported in radius.log, and no accounting queries in sqltrace.sql. Any ideas?
>
> Yep, reinstall it ;)
>
> No, really, you should try to shutdown the daemon and try running radiusd -X, then test it, and see if the debugging mode tells you something :)
>
> > Cheers,
> > Ben
> >
> > On Wed, 2005-09-28 at 15:08 -0300, Paolo Rotela wrote:
> > > You should have something like this in your radiusd.conf
> > >
> > > $INCLUDE ${confdir}/sql.conf
> > >
> > > Then you should have this in sql.conf (or the file pointed to by the include, my example is with mysql, could be another engine)
> > >
> > > sql {
> > >     # Database type
> > >     # Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
> > >     # rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
> > >     driver = rlm_sql_mysql
> > >
> > >     # Connect info
> > >     server = localhost
> > >     login = user
> > >     password = user
> > >
> > >     # Database table configuration
> > >     radius_db = radius
> > >
> > >     # If you want both stop and start records logged to the
> > >     # same SQL table, leave this as is. If you want them in
> > >     # different tables, put the start table in acct_table1
> > >     # and stop table in acct_table2
> > >     acct_table1 = radacct
> > >     acct_table2 = radacct
> > >
> > > and then some accounting_*_query that inserts or updates the ${acct_table1} or ${acct_table2}.
> > >
> > > Then your accounting { section in radiusd.conf should have a line saying sql or the sql instance name (if you are using more than the default instance for sql module).
> > >
> > > And then you must have the radius database and the radacct table.
> > >
> > > If all this is ok, then I don't know for sure, you should check your radius.log for errors in the sql module.
> > >
> > > - Original Message -
> > > From: Ben Dowling [EMAIL PROTECTED]
> > > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > > Sent: Wednesday, September 28, 2005 2:30 PM
> > > Subject: Re: SQL Accounting
> > >
> > > As I previously mentioned, the accounting section contains just 'sql'. I have no sql section in radiusd.conf though (perhaps this is my problem?) and no sql_accounting definitions in my sql.conf, but the sql accounting queries are defined there, and they are correct. The sql connection is working, and post auth data gets logged fine, just not the accounting stuff.
> > >
> > > Cheers,
> > > Ben
> > >
> > > On Wed, 2005-09-28 at 09:11 -0300, Paolo Rotela wrote:
> > > > Yep, but I need some more info. Your sql section in radiusd.conf and your sql_accounting* definitions in sql.conf. Also the accounting section in radiusd.conf, in which it must be a sql instance.
> > > >
> > > > Ing. Paolo Rotela
> > > > Jefe Técnico
> > > > Blue Telecom
> > > >
> > > > Eng. Paolo Rotela
> > > > CTO
> > > > Blue Telecom
> > > >
> > > > - Original Message -
> > > > From: Ben Dowling [EMAIL PROTECTED]
> > > > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > > > Sent: Tuesday, September 27, 2005 6:00 PM
> > > > Subject: SQL Accounting
> > > >
> > > > Hi,
> > > >
> > > > I'm still having problems getting FreeRadius-1.0.4 to log accounting data to sql. I know it is receiving the data, as I can log it to file. In my accounting section I have 'sql', and the SQL queries are there in sql.conf. However, when looking at the sqltrace log the only queries are inserts to radpostauth. Can anyone help?
> > > >
> > > > Thanks in advance,
> > > > Ben

Re: SQL Accounting
Yeah it is getting accounting packets, because I can log them to file with 'detail'. Just not to sql.

Ben

On Wed, 2005-09-28 at 16:32 -0400, Alan DeKok wrote:
> Ben Dowling [EMAIL PROTECTED] wrote:
> > As I previously mentioned, the accounting section contains just 'sql'. I have no sql section in radiusd.conf though (perhaps this is my problem?) and no sql_accounting definitions in my sql.conf, but the sql accounting queries are defined there, and they are correct.
>
> Is it getting accounting packets? Run it in debugging mode, and use radclient to send it accounting packets. See what happens.
>
> Alan DeKok.

Re: EAP-TLS reject if CN not in MySQL
Hi,

I still haven't figured this one out, and would really appreciate some help. I've tried playing around with the DEFAULT profile in the users file, giving it Auth-Type: Reject, but certificates with CN not in the database are still authenticated. How do I get freeradius to check for the username in mysql with EAP-TLS?

Cheers,
Ben

Ben Dowling wrote:
> Hi,
>
> I have freeradius-1.04 configured with MySQL using EAP-TLS and PEAP for authentication. I wish to reject users whose common name (CN) is not included in the MySQL database. I have read the thread regarding this exact problem at:
>
> http://lists.cistron.nl/pipermail/freeradius-users/2004-May/032110.html
>
> and it seems I need to set the DEFAULT profile to reject. I don't quite understand the thread though, is this the DEFAULT profile in the users file, or can I configure this in MySQL? Either way, could someone please provide me with an example of what the DEFAULT profile entry should look like in order to achieve this?
>
> Thanks for the help,
> Ben Dowling

Re: EAP-TLS reject if CN not in MySQL
Sorry I was referring to the username, the CN in the certificate gets sent as the username. My problem is how to reject users with valid certificates, but no entry in the database?

Cheers,
Ben

On Tue, 2005-09-27 at 14:01 -0400, Alan DeKok wrote:
> Ben Dowling [EMAIL PROTECTED] wrote:
> > I still haven't figured this one out, and would really appreciate some help. I've tried playing around with the DEFAULT profile in the users file, giving it Auth-Type: Reject, but certificates with CN not in the database are still authenticated. How do I get freeradius to check for the username in mysql with EAP-TLS?
>
> I don't recall if you can get at the CN from the certificate. Maybe try keying off of the User-Name?
>
> Alan DeKok.

EAP-TLS reject if CN not in MySQL
Hi,

I have freeradius-1.04 configured with MySQL using EAP-TLS and PEAP for authentication. I wish to reject users whose common name (CN) is not included in the MySQL database. I have read the thread regarding this exact problem at:

http://lists.cistron.nl/pipermail/freeradius-users/2004-May/032110.html

and it seems I need to set the DEFAULT profile to reject. I don't quite understand the thread though, is this the DEFAULT profile in the users file, or can I configure this in MySQL? Either way, could someone please provide me with an example of what the DEFAULT profile entry should look like in order to achieve this?

Thanks for the help,
Ben Dowling

Re: SQL replacement for clients.conf?
Hi,

Am I to take it that it is not possible to use SQL for the clients.conf file? And if that is the case could someone please explain what the nas table is for in the database schema?

Cheers,
Ben

On Wed, 2005-09-14 at 22:42 +0100, Ben Dowling wrote:
> Hi,
>
> Is it possible to replace clients.conf with an SQL table? I assume that is what the NAS table is for in the schema, but I have seen no mention of it being used, or any documentation, for it on the web. If it is possible could you please provide me with an example setup.
>
> Cheers,
> Ben

Re: SQL replacement for clients.conf?
On Wed, 2005-09-14 at 22:42 +0100, Ben Dowling wrote:
> Hi,
>
> Is it possible to replace clients.conf with an SQL table? I assume that is what the NAS table is for in the schema, but I have seen no mention of it being used, or any documentation, for it on the web. If it is possible could you please provide me with an example setup.
>
> Cheers,
> Ben

Logging accounting data to SQL
Hi,

I am using freeradius 1.0.4. I have enabled the 'sql' module in the accounting section of radiusd.conf but the accounting data is logged to /var/log/radius/radacct and not to mysql. How do I configure this?

Cheers,
Ben

Re: CRL rejects all certificates
Fixed the problem, didn't realise the CRL has to be appended to the CA certificate.

Cheers

On Wed, 2005-09-14 at 08:31 +1000, Ben Walding wrote:
> We need to see the log from FreeRADIUS (radiusd -X)
>
> There are a couple of reasons that all certs will be rejected
>
> * CA is not designated a CRL issuer
> * CRL is out of date (CRLs have limited validity period)
> * something else
>
> On 9/14/05, Ben Dowling [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I have managed to get EAP-TLS authentication working with freeradius 1.04 and a windows XP supplicant. However, when I enable CRL all certificates seem to be rejected not just those in the CRL. Could anyone help me with this issue? Let me know if you require any more information.
> >
> > Cheers,
> > Ben

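The fix reported in the message above, reproduced outside FreeRADIUS as an added example that is not part of the original thread: a throwaway CA built with the openssl command line, checked with `openssl verify -crl_check` first against the CA certificate alone and then against the CA certificate with the CRL appended. The CA name, user names and file names are constructed, and using `openssl verify` as a stand-in for the server's own certificate check is an assumption.

```sh
#!/bin/sh
# Added example. CA name, user names and file names are constructed.

build_demo_pki() {    # $1 = empty working directory
    (
        cd "$1" || exit 1
        mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
        # Self-signed CA that is allowed to sign both certificates and CRLs.
        openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem || exit 1
        for cn in good-user revoked-user; do
            openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
                -subj "/CN=$cn" -keyout "$cn.key" -out "$cn.csr" || exit 1
            openssl ca -config ca.cnf -batch -notext \
                -in "$cn.csr" -out "$cn.pem" || exit 1
        done
        openssl ca -config ca.cnf -revoke revoked-user.pem || exit 1
        openssl ca -config ca.cnf -gencrl -out crl.pem || exit 1
        # The step from the thread: CA certificate and CRL in one file.
        cat ca.pem crl.pem > ca_and_crl.pem
    ) >/dev/null 2>&1
}

# Exit status 0 only if the certificate verifies with CRL checking enabled.
crl_verify() {    # $1 = file given as -CAfile, $2 = certificate
    openssl verify -crl_check -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

report() {    # $1 = PKI directory; prints a verdict per CA file and certificate
    for bundle in ca.pem ca_and_crl.pem; do
        for cert in good-user.pem revoked-user.pem; do
            if crl_verify "$1/$bundle" "$1/$cert"; then verdict=accepted
            else verdict=rejected; fi
            printf '%-15s %-17s %s\n' "$bundle" "$cert" "$verdict"
        done
    done
}

demo_dir=$(mktemp -d) || exit 1
build_demo_pki "$demo_dir" || { echo "openssl setup failed" >&2; exit 1; }
report "$demo_dir"
rm -rf "$demo_dir"
```

With only `ca.pem`, CRL checking has no CRL to consult and the valid certificate is rejected along with the revoked one, which is the symptom described in the thread; with `ca_and_crl.pem` only the revoked certificate is rejected.
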
SQL replacement for clients.conf?
Hi,

Is it possible to replace clients.conf with an SQL table? I assume that is what the NAS table is for in the schema, but I have seen no mention of it being used, or any documentation, for it on the web. If it is possible could you please provide me with an example setup.

Cheers,
Ben

CRL rejects all certificates
Hi,

I have managed to get EAP-TLS authentication working with freeradius 1.04 and a windows XP supplicant. However, when I enable CRL all certificates seem to be rejected not just those in the CRL. Could anyone help me with this issue? Let me know if you require any more information.

Cheers,
Ben

freeradius and mysqld.sock location problem
Hi,

I am having problems with freeradius connecting to a mysql database. Freeradius reports the error:

rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

The mysqld.sock file is actually located at /home/system/var/run/mysqld/mysqld.sock, so I created a symlink to that file in /var/run/mysqld, and now freeradius reports the same error, but with a (13) at the end instead of a (2).

Is there any way to configure freeradius to look in the correct location, or is there another workaround?

Thanks in advance,
Ben

Re: freeradius server not responding to radtest
It is in clients.conf with the secret 'test'. Scanning it with -P0 shows that port 1812 is open|filtered, but scanning without -P0 shows host is down.

Cheers,
Ben

Benedikt Panzer wrote:
> Hello,
>
> do you have localhost with that shared secret in your clients.conf file? Is there a firewall blocking the requests? (nmap -sU -p 1812 localhost)
>
> Regards,
> Benedikt
>
> > bratislava:/usr/local/etc/raddb# radtest test test localhost 0 test

FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Hi,

I am having problems with freeradius 1.04 on debian. I previously installed the deb package, but later found out it doesn't support EAP-TLS, so had to build from source. I built it with the following command:

./configure --with-rlm_eap_tls --disable-shared
make
make install

I have set up eap.conf and installed the required certificates. When starting radiusd it seems to get past loading the config and then seg faults. The output is below.

Can anyone let me know what is causing the crash and how to get round it?

Thanks in advance,
Ben

bratislava:/usr/local/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/freeradius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/freeradius/freeradius.pid
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = TLS
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
Segmentation fault

Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
I've loaded up radiusd into gdb and the bug looks the same as http://bugs.freeradius.org/show_bug.cgi?id=98. That page says the solution is to pass configure the --disable-shared flag, which I have done, yet the bug remains.

Any help would be greatly appreciated,
Ben

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 22174)]
0x402a3e3a in lt_dlsym (handle=0x814ba78, symbol=0xbfffe6f8 rlm_eap_tls) at ltdl.c:3330
3330 lensym = LT_STRLEN (symbol) + LT_STRLEN (handle-loader-sym_prefix)
(gdb)
(gdb) where
#0 0x402a3e3a in lt_dlsym (handle=0x814ba78, symbol=0xbfffe6f8 rlm_eap_tls) at ltdl.c:3330
#1 0x08061404 in eaptype_load ()
#2 0x40489ad7 in eap_instantiate (cs=0x809f8d8, instance=0x814b0b8) at rlm_eap.c:134
#3 0x080575ff in find_module_instance ()
#4 0x0805874a in modcall ()
#5 0x080587b3 in compile_modsingle ()
#6 0x080579f4 in find_module_instance ()
#7 0x08057e75 in setup_modules ()
#8 0x0804ff76 in main ()
#9 0x40337e36 in __libc_start_main () from /lib/libc.so.6

Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Is this the freeradius libs it cannot find? And if so will adding the fr lib directory to /etc/ld.so.conf fix the problem?

Thanks in advance,
Ben

Alan DeKok wrote:
> Ben Dowling [EMAIL PROTECTED] wrote:
> > I've loaded up radiusd into gdb and the bug looks the same as http://bugs.freeradius.org/show_bug.cgi?id=98. That page says the solution is to pass configure the --disable-shared flag, which I have done, yet the bug remains.
>
> Then put the libraries some place where the run-time dynamic linker can find them. The root cause of this problem is that your linker cannot find libraries on your system.
>
> Alan DeKok.

Re: FreeRadius-1.04 install seg faults after install (using EAP-TLS)
Ahh I've solved it - the library directory wasn't set correctly in the radius conf file, I updated and it worked fine.

Thanks for the help,
Ben

Alan DeKok wrote:
> Ben Dowling [EMAIL PROTECTED] wrote:
> > Is this the freeradius libs it cannot find? And if so will adding the fr lib directory to /etc/ld.so.conf fix the problem?
>
> No, it's probably the SSL libraries. And, because libltdl is garbage, it can't handle this case. sigh
>
> Alan DeKok.

build problem - mysql header files not found
Hi,

I am having a problem building freeradius-1.04 on linux. I have installed mysql 4.1.10 but when running make it bails out complaining that mysql.h and errmsg.h cannot be found. The files can be located in /usr/local/mysql/include. As a hack I copied these files into the corresponding build directory and I also added /usr/local/mysql/lib to /etc/ld.so.conf but the build bails out saying a mysql library cannot be found.

Searching on the net it seems that these problems are a result of mysql-devel not being installed, but I don't believe this package exists for mysql 4.1.10, as the header files and libraries are included in the standard package. Do I need to set some environment variables to get this to work, or am I using an incompatible version of mysql?

Thanks in advance,
Ben