Re: Help with 802.1x Certificate
You have three possible issues.

1). You need to chain all of the certs into one file.
2). MS requires that the cert have a "special purpose". This is documented and needs to be included in the CSR. BS, but that's MS for you.
3). MS might not like wild cards. Not sure about this but it may be an issue. Easy enough to test. If 1 and 2 don't work, try with a non-wildcard cert +1 and 2.

Post your results so we can all learn from it.

Carl Peterson

On Sep 14, 2012, at 10:44 AM, Tyller D wrote:

On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok wrote:
> Tyller D wrote:
> > I have everything configured and working when I disabled "validate
> > server Certificate" on windows.
> > I have a wildcard certificate purchased from godaddy.com.
>
> I'm not sure that will work.
>
Is there a reason for that? Godaddy is in the list of servers to validate against?

> > I had a problem when using it with apache as I had to add the
> > intermediate chain in the config but can't find a place to do that in
> > FreeRadius.
>
> You should have the CA cert, and all of the certs leading to the
> server certificate.
>
Correct, I do. But which one do I add as "certificate_file" in eap.conf?

> > When Auth fails because of validation then I get this in Freeradius debug
>
> So... did you read eap.conf, and configure the certificates as
> documented there?
>
Are you referring to this? - Windows requires the root certificates to be on the client PC. If it doesn't have them, you will see the same issue as above. I'm just guessing but it seems like that would be the cause.

> > Is there something that I can do to get this to work?
>
> Read the documentation?
>
My question is, all the certificates leading to the server certificate - where do I add them?

> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: Set expiry timeout after first login
I'm sure there are other ways to do this but I do it with a post auth query matching a specific max all session value. If it matches, it updates the attribute to expiration and sets the value 24hr from now. When I wrote it, freeradius only supported one post auth query so I use cases to match an hour, day, week, etc with an else for a non-match.

On Aug 8, 2012, at 6:50 AM, Andrei Petru Mura wrote:

> I have a user that has Session-Timeout set to 2 hours (7200sec). I want that
> user to have time for using its connection one day after first login. So, if
> after one day after he logged in first time, he didn't use his full amount of
> time, his account will be expired. Is there an attribute that can set expiry
> timeout after first login?

Re: Different versions of sql.conf
Thanks Alan,

I've been working with a modified version of sql.conf for years and just copying it over to new servers and must have missed the move of config options to dialup.conf assuming that dialup had something to do with dialup modems. I purged freeradius-mysql and reinstalled it and now have the config files in /sql/mysql/.

Thanks again,
Carl

On Apr 23, 2012, at 5:54 PM, alan buxey wrote:

> Hi,
>
>> The version of sql.conf found in
>> ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
>> seems to be quite different from the version found at
>> http://freeradius.org/radiusd/raddb/sql.conf
>>
>> I was expecting the latter file on a new build but was wondering what
>> happened to all the other options. I can't find them in any other config
>> file. Is something amiss?
>
> you didn't look at the sql.conf properly.
>
> sql.conf contains all the details for driving the SQL engine... but the
> operational stuff lives in the sql/${database}/dialup.conf file - and has
> done for some time now, so if you look there, you will see all the queries.
>
> the latter file you mentioned http://freeradius.org/radiusd/raddb/sql.conf is
> old, old old old.
> (freeradius v1 old)
>
> alan

Different versions of sql.conf
The version of sql.conf found in
ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
seems to be quite different from the version found at
http://freeradius.org/radiusd/raddb/sql.conf

I was expecting the latter file on a new build but was wondering what happened to all the other options. I can't find them in any other config file. Is something amiss?

Thanks,
Carl Peterson

Re: expiration
Thanks,

It works well.

Carl

On Sunday 07 August 2005 22:26, Alan DeKok wrote:
> "Carl Peterson" <[EMAIL PROTECTED]> wrote:
> > I understand that it is not in 1.0.4. The version I got from CVS
> > was 1.0.4. How do I get 1.0.5 from CVS?
>
> 1) rlm_expiration is not in 1.0.5, either.
>
> 2) 1.0.5 has NOT been released yet.
>
> 3) the command I told you to use WILL get a server with a working
> Expiration attribute.
>
> Alan DeKok.

Re: expiration
I understand that it is not in 1.0.4. The version I got from CVS was 1.0.4. How do I get 1.0.5 from CVS?

Thanks,
Carl

Alan DeKok wrote ..
> "Carl Peterson" <[EMAIL PROTECTED]> wrote:
> > radiusd.conf[1383] Failed to link to module 'rlm_expiration':
> > rlm_expiration.so:
> cannot open shared object file: No such file or directory
>
> That's because, as I said, there's no expiration module in 1.0.4.
> So trying to configure it is a waste of time.
>
> I said to use the Expiration attribute. Try using Expiration := "date"
>
> Alan DeKok.

Re: expiration
I compiled the CVS version but got the same error:

Module: Instantiated sqlcounter (noresetcounter)
radiusd.conf[1383] Failed to link to module 'rlm_expiration': rlm_expiration.so: cannot open shared object file: No such file or directory

It would seem that I got the same version from CVS. Is there a way to change this or am I doing something wrong?

foxtrot raddb # /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 1.0.4, for host , built on Aug 6 2005 at 16:55:22

Thanks,
Carl Peterson

> The fix is in CVS:
>
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd
>
> Use the "Expiration" attribute.
>
> Alan DeKok.

Re: expiration
Does it exist in an earlier version or nightly? If not, any idea when 1.0.5 will come out?

Thanks,
Carl Peterson

On Friday 05 August 2005 17:13, Alan DeKok wrote:
> The expiration module does not exist in 1.0.4.
>
> The Expiration feature doesn't work in 1.0.4. We will be releasing
> 1.0.5 to correct this, and other issues.
>
> Alan DeKok.

expiration
I am trying to set an expiration date for daily cards where the expiration date is inserted into the database with a postauth query. I am not sure how to add this to my radiusd.conf file (1.0.4). I am guessing that I need a key, counter-name and check-name. Right now I have:

expiration {
	reply-message = "Your account has expired, %{User-Name}\r\n"
}

Also, do I need to add "expiration" to instantiate?

Thanks for any input,
Carl Peterson

Re: How to restrict total usage time.
I use this setup:

In radiusd.conf I write a counter:

$INCLUDE ${confdir}/sql.conf

sqlcounter noresetcounter {
	counter-name = Max-All-Session-Time
	check-name = Max-All-Session
	sqlmod-inst = sql
	key = User-Name
	reset = never
	query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

When a user logs in, radius checks the counter:

rlm_sql (sql): sql_set_user escaped user --> 'tagric15'
radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='tagric15''
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 0
radius_xlat: '125168'
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user tagric15, check_item=, counter=125168
rlm_sqlcounter: Sent Reply-Item for user tagric15, Type=Session-Timeout, value=99874831
modcall[authorize]: module "noresetcounter" returns ok for request 31

Of course the Max-All-Session attribute needs to be set for the user. My full radiusd.conf file is available at jabali.net/~carl under the phpMyPrepaid section. There are also notes in notes.txt

Carl Peterson
Jabali Networks

On Wednesday 06 April 2005 21:53, Graeme Lee wrote:
> Shahidul Islam wrote:
> >Hello,
> >
> > I'd like to implement following scenario with freeradius:
> >
> > User has some specific time (say 3600 seconds) one can use. After the
> > time is exceeded, radiusd return zero seconds as access-time for the
> > user when one logs in.
> >
> > NAS requests allowed access-time when user logs in and returns used
> > time to radiusd when user logs off.
> >
> > I'd like to store this information in sql-database (mysql).
> >
> >Babu
>
> stored procedures and triggers are wonderful things. I have no
> familiarity with mysql's abilities in this regard though.
>
> G

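A small model of the accounting described in this message and in the "Set expiry timeout after first login" reply, added here as an illustration; it is not FreeRADIUS code or the poster's configuration. The table layout, the function names, the rejection of accounts with no limit, and the policy of setting Expiration 24 hours after the first accepted login are assumptions; the limit and usage figures are constructed to reproduce the Session-Timeout in the debug output above.

```python
import sqlite3

DAY = 24 * 3600  # seconds

def open_db():
    """In-memory stand-in for radcheck/radacct (constructed, simplified schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, Value INTEGER);
        CREATE TABLE radacct  (UserName TEXT, AcctSessionTime INTEGER);
    """)
    return db

def check_value(db, user, attribute):
    row = db.execute(
        "SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = ?",
        (user, attribute)).fetchone()
    return None if row is None else row[0]

def used_seconds(db, user):
    # Same aggregate as the counter query, with the user name bound as a
    # parameter instead of being pasted into the SQL string.
    row = db.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
        (user,)).fetchone()
    return row[0]

def authorize(db, user, now):
    """Return ("accept", session_timeout) or ("reject", reason)."""
    limit = check_value(db, user, "Max-All-Session")
    if limit is None:
        return ("reject", "no Max-All-Session set")   # assumption of this model
    remaining = limit - used_seconds(db, user)        # check item minus counter
    if remaining <= 0:
        return ("reject", "time used up")
    expiry = check_value(db, user, "Expiration")
    if expiry is not None:
        if now >= expiry:
            return ("reject", "account expired")
        remaining = min(remaining, expiry - now)      # never outlive the card
    return ("accept", remaining)

def post_auth(db, user, now, window=DAY):
    """Set Expiration once, at the first accepted login (assumed policy)."""
    if check_value(db, user, "Expiration") is None:
        db.execute("INSERT INTO radcheck VALUES (?, 'Expiration', ?)",
                   (user, now + window))

def login(db, user, now):
    result = authorize(db, user, now)
    if result[0] == "accept":
        post_auth(db, user, now)
    return result

def demo():
    db = open_db()
    # Constructed data: 99999999 - (100000 + 25168) = 99874831
    db.execute("INSERT INTO radcheck VALUES ('tagric15', 'Max-All-Session', 99999999)")
    db.executemany("INSERT INTO radacct VALUES ('tagric15', ?)", [(100000,), (25168,)])
    db.execute("INSERT INTO radcheck VALUES ('hour1', 'Max-All-Session', 3600)")
    db.execute("INSERT INTO radacct VALUES ('hour1', 3600)")
    t0 = 1_000_000
    return [login(db, "tagric15", t0), login(db, "tagric15", t0 + 3600),
            login(db, "tagric15", t0 + DAY), login(db, "hour1", t0)]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the first login is authorized before Expiration exists, only the Max-All-Session value bounds that first session, so a day card needs a limit no larger than the window.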
Re: Prepaid card module/software
You need to add the sql counter for it like:

$INCLUDE ${confdir}/sql.conf

sqlcounter noresetcounter {
	counter-name = Max-All-Session-Time
	check-name = Max-All-Session
	sqlmod-inst = sql
	key = User-Name
	reset = never
	query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

I am adding my radiusd.conf file to: http://jabali.net/~carl/?link=2 as there are other entries that you need to add. You may have to compile --with-experimental-modules so that you get the sql counters. Others on this list might be able to enlighten us on that. I tried it with the rlm-sql counters but they caused a segfault on authentication.

Carl Peterson

On Tuesday 28 December 2004 09:26, Bruno Machado wrote:
> Hi
>
> I tried to use these files but it didn't work. The
> parameter "Max-All-Session" isn't known by the radius.
> What dictionary I need to use? I didn't find this
> keyword at any dictionaries...
> Thanks for any help.
>
> Bruno
>
> --- Carl Peterson <[EMAIL PROTECTED]> wrote:
> > How would I implement this?
> > What I need is to add something like
> > WISPr-Session-Terminate-Time with a Value
> > of 24 hours from first use after their first use.
> > Of course it needs to be
> > added as soon as they log in the first time, or
> > actually before, perhaps in
> > pre-auth so that their first session isn't
> > indefinite. Any ideas?
> >
> > Carl
> >
> > On Monday 27 December 2004 17:46, Thor Spruyt wrote:
> > > Carl Peterson wrote:
> > > > I am working on writing it as we speak. Current release is
> > > > phpMyPrepaid-0.1.2. It actually works with a MySQL database and
> > > > inserts the users into the radcheck table. Hourly cards work but I
> > > > haven't figured out the post-auth stuff in Freeradius for daily cards
> > > > yet. You can grab the current release off of my development server
> > > > at: http://cpete.com/prepaidAdmin/ I am moving things over to
> > > > http://jabali.net/~carl this week. All new releases, changelogs, etc
> > > > will be hosted there.
> > >
> > > I read something about using Post-Auth for setting expiration date/time.
> > > In my opinion, the Accounting-Start should be used for this purpose, since
> > > an authentication doesn't necessarily mean a session!

Re: Prepaid card module/software
How would I implement this?

What I need is to add something like WISPr-Session-Terminate-Time with a Value of 24 hours from first use after their first use. Of course it needs to be added as soon as they log in the first time, or actually before, perhaps in pre-auth so that their first session isn't indefinite. Any ideas?

Carl

On Monday 27 December 2004 17:46, Thor Spruyt wrote:
> Carl Peterson wrote:
> > I am working on writing it as we speak. Current release is
> > phpMyPrepaid-0.1.2. It actually works with a MySQL database and
> > inserts the users into the radcheck table. Hourly cards work but I
> > haven't figured out the post-auth stuff in Freeradius for daily cards
> > yet. You can grab the current release off of my development server
> > at: http://cpete.com/prepaidAdmin/ I am moving things over to
> > http://jabali.net/~carl this week. All new releases, changelogs, etc
> > will be hosted there.
>
> I read something about using Post-Auth for setting expiration date/time.
> In my opinion, the Accounting-Start should be used for this purpose, since
> an authentication doesn't necessarily mean a session!

Re: Prepaid card module/software
I am working on writing it as we speak. Current release is phpMyPrepaid-0.1.2. It actually works with a MySQL database and inserts the users into the radcheck table. Hourly cards work but I haven't figured out the post-auth stuff in Freeradius for daily cards yet. You can grab the current release off of my development server at: http://cpete.com/prepaidAdmin/ I am moving things over to http://jabali.net/~carl this week. All new releases, changelogs, etc will be hosted there.

Carl Peterson

On Monday 27 December 2004 03:27, rashad wrote:
> Dear people. Is there any prepaid card processing software that works with
> freeradius?

one day accounts
I am currently using freeradius as the authentication method for a chilli hotspot. I use a Max-All-Session attribute to give prepaid users X amount of discontinuous time. One of the users of some software I wrote to create and monitor prepaid cards would like a daily card feature that will give a user 24 hours of continuous access from first use. Is there already an attribute for this or an easy way to enable this feature?

Carl Peterson

Re: Redirect users to a web page
NocatSplash http://nocat.net/moin/NoCatSplash

> i don`t want to "force" my users to authorise, i just want them to see
> the "news" page every time they login, then everything goes normally.
> Cheers,
> Florin

Re: Redirect users to a web page
Not quite sure what you are looking for here but it sounds like you want something like NoCat Splash, NocatAuth or Chilli.

Carl Peterson

On Saturday 18 December 2004 07:16, Florin Samareanu wrote:
> anyone has any idea how i can redirect my users the first time they
> browse a web page to something www.mydomain.com/news/ ?
> example: a vpn user connects to my box (freeradius, mysql, poptop),
> then he opens www.google.com and gets redirected to
> www.mydomain.com/news/.
> the second time he opens a web page, he goes to the web page that he
> wished to access.
> Thanks.

Re: krb5 errors when compiling on Fedora Core 3
I had a similar problem with krb5 on FC2 so I compiled without krb5 which worked fine.

CP

On Wednesday 15 December 2004 09:28, E. Dean Sahutske wrote:
> Is there no one who's seen this or had this happen to them? Is Fedora
> not an appropriate platform for Freeradius?
>
> dean
>
> [EMAIL PROTECTED] wrote:
> > Has anyone seen this when trying to compile on Fedora Core 3?
> >
> > Thanks,
> > dean
> >
> > rlm_krb5.c:40:21: com_err.h: No such file or directory
> > rlm_krb5.c: In function `verify_krb5_tgt':
> > rlm_krb5.c:105: warning: passing arg 2 of `krb5_kt_read_service_key'
> > discards qu
> > alifiers from pointer target type
> > rlm_krb5.c: In function `krb5_auth':
> > rlm_krb5.c:219: warning: initialization discards qualifiers from
> > pointer target
> > type
> > rlm_krb5.c:305: warning: implicit declaration of function
> > `krb5_get_in_tkt_with_
> > password'
> > rlm_krb5.c:305: warning: nested extern declaration of
> > `krb5_get_in_tkt_with_pass
> > word'
> > gmake[6]: *** [rlm_krb5.o] Error 1
> > gmake[6]: Leaving directory
> > `/usr/src/freeradius-1.0.1/src/modules/rlm_krb5'
> > gmake[5]: *** [common] Error 1
> > gmake[5]: Leaving directory `/usr/src/freeradius-1.0.1/src/modules'
> > gmake[4]: *** [all] Error 2
> > gmake[4]: Leaving directory `/usr/src/freeradius-1.0.1/src/modules'
> > gmake[3]: *** [common] Error 1
> > gmake[3]: Leaving directory `/usr/src/freeradius-1.0.1/src'
> > gmake[2]: *** [all] Error 2
> > gmake[2]: Leaving directory `/usr/src/freeradius-1.0.1/src'
> > gmake[1]: *** [common] Error 1
> > gmake[1]: Leaving directory `/usr/src/freeradius-1.0.1'
> > make: *** [all] Error 2

Re: installation problem
./configure --with-experimental-modules --without-rlm_krb5
make
make install

The experimental modules bit was because I needed the sql counters. All you should need is the without bit.

CP

On Wednesday 08 December 2004 12:31, Spades wrote:
> How did you compile it?
>
> I did ./configure && make && make install
>
> - Original Message -
> From: "Carl Peterson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 09, 2004 1:52 AM
> Subject: Re: installation problem
>
> >I had a similar error with 1.01 on FC 2. I didn't need krb5 so I just
> > configured it without krb5 and it compiled fine.
> >
> > CP
> >
> > On Wednesday 08 December 2004 00:01, Paul Hampson wrote:
> >> On Wed, Dec 08, 2004 at 12:53:48PM +0800, Spades wrote:
> >> > While installing Freeradius 1.0.1, i managed to run ./configure,
> >> > however.. I'm unable to run 'make' in my Fedora Core 2. gives me error
> >> > Any idea what went wrong?
> >> > --
> >> >
> >> > Making static dynamic in rlm_krb5...
> >> > gmake[6]: Entering directory
> >> > `/home/software/freeradius-1.0.1/src/modules/rlm_krb5'
> >> > gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> >> > -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual
> >> > -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
> >> > -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
> >> > -I../../include -c rlm_krb5.c -o rlm_krb5.o
> >> > rlm_krb5.c:40:21: com_err.h: No such file or directory
> >>
> >> Fedora Core 2 appears to have put com_err.h somewhere surprising,
> >> or you don't have the kerberos5 development packages installed. Both
> >> of these should have solutions findable in the mailing list archives.

Re: installation problem
On Wednesday 08 December 2004 13:08, L.C. (Laurentiu C. Badea) wrote:
> I'm afraid to point the obvious, but I believe there is no need to compile
> freeradius on Fedora 2, seeing as it comes with it. Am I missing something
> ?

SQL counters?

CP

Re: Freeradius installation problem
I am doing the same thing using chilli, freeradius, and mysql. I use Max-All-Sessions and wrote a counter for it. Of course my cards are good for x seconds. Using Session-Timeout would mean that a session could be x seconds long but as soon as you log back in you can have another x seconds.

CP

On Wednesday 08 December 2004 09:59, Neil Craig wrote:
> Hi all
>
> I'm looking to implement a prepaid card type service - I plan on using
> Session-Timeout to disconnect the users. How does freeradius keep
> track of the time elapsed while connected? I am holding all the info
> in SQL - I guess when a user connects it counts down until 0 then
> sends the signal to the NAS to disconnect - if the user reconnects it
> is back to the original value.
> How can I have a counter that doesn't expire - say the user 'topped
> up' by 30 days worth on the 9th of the month - it wouldn't expire
> until 30 days from then (so couldn't use monthly counters?)
>
> Regards

Re: installation problem
I had a similar error with 1.01 on FC 2. I didn't need krb5 so I just configured it without krb5 and it compiled fine.

CP

On Wednesday 08 December 2004 00:01, Paul Hampson wrote:
> On Wed, Dec 08, 2004 at 12:53:48PM +0800, Spades wrote:
> > While installing Freeradius 1.0.1, i managed to run ./configure,
> > however.. I'm unable to run 'make' in my Fedora Core 2. gives me error
> > Any idea what went wrong?
> > --
> >
> > Making static dynamic in rlm_krb5...
> > gmake[6]: Entering directory
> > `/home/software/freeradius-1.0.1/src/modules/rlm_krb5'
> > gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> > -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
> > -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
> > -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
> > -I../../include -c rlm_krb5.c -o rlm_krb5.o
> > rlm_krb5.c:40:21: com_err.h: No such file or directory
>
> Fedora Core 2 appears to have put com_err.h somewhere surprising,
> or you don't have the kerberos5 development packages installed. Both
> of these should have solutions findable in the mailing list archives.