assign vlan per group or per user

2013-10-03 Thread Jean Carlos Coelho
Hi,

My first post!

I need to configure one RADIUS server with LDAP integration and dynamic VLAN
assignment per user or group. I didn't find any documentation about this procedure;
does someone know of any URL about this?

Thank You!

[]s
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

MS-CHAPv2 change password not working in master

2012-11-16 Thread Carlos Velasco
 WINBINDD_PRIV_PIPE_DIR
[2012/11/16 10:39:06.811002,  3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 9918]: request location of privileged pipe
[2012/11/16 10:39:06.811068, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9918:WINBINDD_PRIV_PIPE_DIR]:
delivered response to client
[2012/11/16 10:39:06.87,  6]
winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
[2012/11/16 10:39:06.811171,  6] winbindd/winbindd.c:794(new_connection)
  accepted socket 25
[2012/11/16 10:39:06.811227, 10] winbindd/winbindd.c:617(process_request)
  process_request: Handling async request 9918:PAM_AUTH_CRAP
[2012/11/16 10:39:06.811266,  3]
winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send)
  [ 9918]: pam auth crap domain: [NIMASTELECOM] user: testpw
[2012/11/16 10:39:07.071142, 10] winbindd/winbindd.c:679(wb_request_done)
  wb_request_done[9918:PAM_AUTH_CRAP]: NT_STATUS_PASSWORD_MUST_CHANGE
[2012/11/16 10:39:07.071243, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9918:PAM_AUTH_CRAP]: delivered
response to client
[2012/11/16 10:39:07.071320,  6]
winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
[2012/11/16 10:39:20.825567,  6] winbindd/winbindd.c:794(new_connection)
  accepted socket 25
[2012/11/16 10:39:20.825731, 10] winbindd/winbindd.c:644(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/11/16 10:39:20.825780,  3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 9957]: request interface version
[2012/11/16 10:39:20.825851, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:INTERFACE_VERSION]: delivered
response to client
[2012/11/16 10:39:20.825916, 10] winbindd/winbindd.c:644(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/11/16 10:39:20.825960,  3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 9957]: request location of privileged pipe
[2012/11/16 10:39:20.826035, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:WINBINDD_PRIV_PIPE_DIR]:
delivered response to client
[2012/11/16 10:39:20.826106,  6]
winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
[2012/11/16 10:39:20.826169,  6] winbindd/winbindd.c:794(new_connection)
  accepted socket 25
[2012/11/16 10:39:20.826235, 10] winbindd/winbindd.c:644(process_request)
  process_request: request fn DOMAIN_NAME
[2012/11/16 10:39:20.826279,  3]
winbindd/winbindd_misc.c:394(winbindd_domain_name)
  [ 9957]: request domain name
[2012/11/16 10:39:20.826341, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:DOMAIN_NAME]: delivered response
to client
[2012/11/16 10:39:20.826497, 10] winbindd/winbindd.c:617(process_request)
  process_request: Handling async request 9957:PAM_CHNG_PSWD_AUTH_CRAP
[2012/11/16 10:39:20.826544,  3]
winbindd/winbindd_pam_chng_pswd_auth_crap.c:57(winbindd_pam_chng_pswd_auth_crap_send)
  [ 9957]: pam change pswd auth crap domain: NIMASTELECOM user: testpw
[2012/11/16 10:39:20.856407, 10] winbindd/winbindd.c:679(wb_request_done)
  wb_request_done[9957:PAM_CHNG_PSWD_AUTH_CRAP]: NT_STATUS_WRONG_PASSWORD
[2012/11/16 10:39:20.856498, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:PAM_CHNG_PSWD_AUTH_CRAP]:
delivered response to client
[2012/11/16 10:39:20.856674,  6]
winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
===

Regards,
Carlos Velasco



Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Carlos Velasco
 Looking into code I suppose the problem is something with the old NT
 hash, but not an expert here. Any help would be appreciated.

Adding some debug to code, this seems really wrong:

(1) mschap-vpn_nimas_tk : old_nt_hash: 3497295200 || Write buf:
old-nt-hash-blob: 


len = sprintf(buf, "old-nt-hash-blob: ");
fr_bin2hex(old_nt_hash, buf+len, 16);
buf[len+32] = '\n';
buf[len+33] = '\0';
len = strlen(buf);
++ RDEBUG2("old_nt_hash: %u || Write buf: %s", old_nt_hash, buf);
if (write_all(to_child, buf, len) != len) {
	RDEBUG2("failed to write old hash blob to child");
	goto ntlm_auth_err;
}


Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Carlos Velasco
 On 11/16/2012 10:00 AM, Carlos Velasco wrote:
 
 windows popup in Cisco VPN client, but the change password process fails:
 ntlm_auth said: Password-Change: No Password-Change-Error: Wrong
 Password . .
 Looking into code I suppose the problem is something with the old NT
 hash, but not an expert here. Any help would be appreciated.

 In these logs the user is NIMASTELECOM\testpw.
 The current password is y58R41ut8W (expired).
 And the new password used was H6eEWu7r65tw38ert1.
 
 There *might* be a bug in the CPW code, but I can't really see how; it 
 tested fine when I wrote it, and the crypto/hash/blob stuff doesn't 
 really leave room for only if CONDITION X do something invalid.
 
 I'll take a look a little bit later but in the meantime can you confirm 
 that if you clear the must change password, auth works fine with the 
 old/current password?

Yes, auth works fine without Must change.

I think I have found the problem.

MS-CHAP2-CPW =
0x07014194697300c611e68e661957a30d001541eb18eb29a0ebb20ff232620f708e68e27f251767ccd306

According to RFC2548, after 0x0701 should be the Encrypted-Hash 16
octets, but they are all 00.

I am trying to find out why; it seems to be a bug on Cisco's part. But I think this
works fine with Cisco ACS radius. :S


Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Carlos Velasco
 On 11/16/2012 11:27 AM, Carlos Velasco wrote:
 
  According to RFC2548, after 0x0701 should be the Encrypted-Hash
 16 octets, but they are all 00.

 I am trying to find out why, seems a bug in Cisco part. But I think
 this works fine with Cisco ACS radius. :S
 
 The CPW packet lets you send the NT and/or LM hashes.
 
 The ntlm_auth code supports (and sends) both, but it's very likely 
 that support for LM hashes has been disabled on your domain; they're 
 horribly insecure and deprecated.
 
 My guess is the Cisco has old code. LM hashes were easy so older code 
 tends to support them.
 

Mmm well, the Encrypted-Hash should be an NT hash.

===
   Encrypted-Hash
  The Encrypted-Hash field is 16 octets in length.  It contains  the
  old  Windows  NT  password  hash encrypted with the new Windows NT
  password hash.
===

I don't see LM hashes allowed in the RADIUS attributes for password
change. Cisco doesn't seem to be using them.

I am trying to make some findings. Maybe installing ACS and testing to
see any difference.


Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Carlos Velasco
 On 16/11/12 11:43, Carlos Velasco wrote:
 
 I don't see LM hashes allowed in the RADIUS attributes for password
 change. Cisco doesn't seem to be using them.
 
 Sorry yes ignore me; I'm being dumb.
 

Ok. After further findings... it is a bug in Cisco IOS router version
15.1M. Downgrading to 15.0M works fine.

I have seen that after Password change successful, the module tries to
authenticate the user again but with wrong password, I suppose. Logon
failure.


Radius logs:
===
rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=13,
length=755
User-Name = NIMASTELECOM\\testpw
MS-CHAP-Challenge = 0x3145a0bc1fc2c0e4e69b8ff555861037
MS-CHAP2-CPW =
0x07024dbbd90bfd0760d77899ba7604a84c21b220a1fc49be375f9bad552ab92ee06bbb63180ea5a0e43f62c0abd2b8b1d6f0795780b2074dec69
MS-CHAP-NT-Enc-PW =
0x0602000176116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb52114017
MS-CHAP-NT-Enc-PW =
0x060200025ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d582
MS-CHAP-NT-Enc-PW =
0x060200030c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bdd1e8aa3c0856e6e9bc3a8c25d7efd28ba6525d78f01bf43ca6997dd2e48d6897ced164b539a76fb6
NAS-Port-Type = Virtual
Cisco-NAS-Port = 85.112.6.36
NAS-Port = 0
NAS-Port-Id = 85.112.6.36
Service-Type = Login-User
NAS-IP-Address = 10.112.14.2
Event-Timestamp = Nov 16 2012 14:19:36 CET
(17) # Executing section authorize from file
/etc/raddb/sites-enabled/vpn_nimas_tk
(17)   group authorize {
(17)  - entering group authorize {...}
(17) mschap-vpn_nimas_tk : Found MS-CHAP attributes.  Setting 'Auth-Type
 = mschap-vpn_nimas_tk'
(17)   [mschap-vpn_nimas_tk] = ok
(17)   ? if (!control:Auth-Type)
(17) ? Evaluating !(control:Auth-Type) - FALSE
(17)   ? if (!control:Auth-Type) - FALSE
(17) detail-vpn_nimas_tk-auth : expand:
/var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d -
/var/log/radius/radacct/vpn_nimas_tk-auth-20121116
(17) detail-vpn_nimas_tk-auth :
/var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to
/var/log/radius/radacct/vpn_nimas_tk-auth-20121116
(17) detail-vpn_nimas_tk-auth : expand: %t - Fri Nov 16
14:19:36 2012
(17)   [detail-vpn_nimas_tk-auth] = ok
(17) Found Auth-Type = MSCHAP
(17) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk
(17)   group MS-CHAP {
(17)  - entering group MS-CHAP {...}
(17) mschap-vpn_nimas_tk : MS-CHAPv2 password change request received
(17) mschap-vpn_nimas_tk : Password change payload valid
(17) mschap-vpn_nimas_tk : Doing MS-CHAPv2 password change via ntlm_auth
helper
(17) mschap-vpn_nimas_tk :  expand: username:
%{mschap-vpn_nimas_tk:User-Name} - username: testpw
(17) mschap-vpn_nimas_tk :  expand: nt-domain:
%{mschap-vpn_nimas_tk:NT-Domain} - nt-domain: NIMASTELECOM
(17) mschap-vpn_nimas_tk : new_nt_password: 118, Write buf:
new-nt-password-blob:
76116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb521140175ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d5820c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bdd1e8aa3c0856e6e9bc3a8c25d7efd28ba6525!
 d78f01bf
43ca6997dd2e48d6897ced164b539a76fb6

(17) mschap-vpn_nimas_tk : old_nt_hash: 77 || Write buf:
old-nt-hash-blob: 4dbbd90bfd0760d77899ba7604a84c21
(17) mschap-vpn_nimas_tk : Write buf: new-lm-password-blob
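
The attribute layout discussed in this thread, as an added example that is not part of the original posts or of the FreeRADIUS source: a Python decoder for MS-CHAP2-CPW and MS-CHAP-NT-Enc-PW as laid out in RFC 2548, which joins the encrypted-password fragments by Sequence-Number and flags the all-zero Encrypted-Hash reported above. Function names and all sample values are constructed for illustration.

```python
"""Decode the MS-CHAPv2 change-password attributes of a RADIUS Access-Request.

Added example; field layout per RFC 2548. All sample values are constructed.
"""
from dataclasses import dataclass, field

CPW_CODE = 7          # Code octet of MS-CHAP2-CPW
ENC_PW_CODE = 6       # Code octet of MS-CHAP-NT-Enc-PW
CPW_VALUE_LEN = 68    # Vendor-Length 70 minus the type and length octets
ENC_PW_TOTAL = 516    # size of the reassembled encrypted-password block


@dataclass
class ChangeRequest:
    ident: int
    encrypted_hash: bytes        # old NT hash encrypted with the new NT hash
    encrypted_password: bytes    # joined MS-CHAP-NT-Enc-PW fragments
    findings: list = field(default_factory=list)


def from_log_hex(text):
    """Turn a '0x...' value, as printed in the debug log, into bytes."""
    text = text.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def parse_cpw(value):
    """Return (ident, encrypted_hash) from an MS-CHAP2-CPW value."""
    if len(value) != CPW_VALUE_LEN:
        raise ValueError(f"MS-CHAP2-CPW is {len(value)} octets, expected {CPW_VALUE_LEN}")
    if value[0] != CPW_CODE:
        raise ValueError(f"MS-CHAP2-CPW Code is {value[0]}, expected {CPW_CODE}")
    # Octets 2..17 carry the Encrypted-Hash; the remaining fields are not decoded.
    return value[1], value[2:18]


def reassemble_enc_pw(fragments, ident):
    """Join MS-CHAP-NT-Enc-PW fragments in Sequence-Number order."""
    parts = {}
    for frag in fragments:
        if len(frag) < 5 or frag[0] != ENC_PW_CODE:
            raise ValueError("malformed MS-CHAP-NT-Enc-PW fragment")
        if frag[1] != ident:
            raise ValueError("fragment Ident differs from the MS-CHAP2-CPW Ident")
        seq = int.from_bytes(frag[2:4], "big")
        if seq in parts:
            raise ValueError(f"duplicate Sequence-Number {seq}")
        parts[seq] = frag[4:]
    order = sorted(parts)
    if order != list(range(1, len(parts) + 1)):
        raise ValueError(f"Sequence-Numbers are not 1..n: {order}")
    blob = b"".join(parts[seq] for seq in order)
    if len(blob) != ENC_PW_TOTAL:
        raise ValueError(f"encrypted password is {len(blob)} octets, expected {ENC_PW_TOTAL}")
    return blob


def inspect_change_request(cpw_value, fragments):
    """Validate both attributes together and report anomalies."""
    ident, enc_hash = parse_cpw(cpw_value)
    blob = reassemble_enc_pw(fragments, ident)
    result = ChangeRequest(ident, enc_hash, blob)
    if enc_hash == bytes(16):
        # The symptom from the thread: nothing usable in the Encrypted-Hash field.
        result.findings.append("Encrypted-Hash is all zero: old NT hash was not sent")
    return result


def build_sample(ident, encrypted_hash):
    """Constructed test input: one CPW value plus three Enc-PW fragments."""
    cpw = bytes([CPW_CODE, ident]) + encrypted_hash + bytes(range(50))
    blob = bytes(i % 251 for i in range(ENC_PW_TOTAL))
    chunks = (blob[:243], blob[243:486], blob[486:])
    frags = [bytes([ENC_PW_CODE, ident]) + seq.to_bytes(2, "big") + chunk
             for seq, chunk in enumerate(chunks, start=1)]
    return cpw, frags, blob


if __name__ == "__main__":
    for label, enc_hash in (("healthy", bytes(range(1, 17))), ("zeroed", bytes(16))):
        cpw, frags, _ = build_sample(2, enc_hash)
        result = inspect_change_request(cpw, frags)
        print(label, result.encrypted_hash.hex(), result.findings or "no findings")
```
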

rlm_sql don't re-connect after mysql failure

2011-07-27 Thread Jean Carlos Oliveira Guandalini
Hi, I'm using freeradius-2.1.11 and I have a problem with the MySQL
connection. If the MySQL server goes down, FreeRADIUS doesn't reconnect
until it is restarted.

The logfile looks like this, but the MySQL server is UP again:
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql: Connected new DB handle, #0
rlm_sql : failed after re-connect
*** this error repeats until I go restart freeradius

Thanks

Jean


View attributes of an connection

2011-07-25 Thread Jean Carlos Oliveira Guandalini
I need to find the value of an attribute created by a module; is it
possible? radiusd -X or radiusd -xxx does not show these values.

Thanks

Jean


Re: View attributes of an connection

2011-07-25 Thread Jean Carlos Oliveira Guandalini
Thanks Arran, it works for me.

The reason I need this is because a module is not setting an attribute,
see the log:

Mon Jul 25 18:04:03 2011 : Debug: rlm_backcounter/time-limit:
(rlm_backcounter.c#780) backcounter_authorize(): user prepago is over
limit - adding 'Monthly-Time-Exceeded' attribute
Mon Jul 25 18:04:03 2011 : Debug: rlm_sql (sql): Released sql socket id: 3
Mon Jul 25 18:04:03 2011 : Info: ++[time-limit] returns ok
Mon Jul 25 18:04:03 2011 : Info:expand: %{Monthly-Time-Exceeded} -

In the source of the module there is this:
vp = radius_paircreate(request, &request->reply->vps, data->overvap_attr,
                       PW_TYPE_INTEGER);
vp->vp_integer = 1;

Any help?


On 25-07-2011 17:44, Arran Cudbard-Bell wrote:
 Make that:
 
 update request {
   Tmp-String-0 := "%{variable I want to expand}"
 }
 
 
 On 25 Jul 2011, at 22:34, Arran Cudbard-Bell wrote:
 

 On 25 Jul 2011, at 22:24, Jean Carlos Oliveira Guandalini wrote:

 I need to find the value of an attribute created by a module; is it
 possible? radiusd -X or radiusd -xxx does not show these values.

 Sure you just need to expand it somewhere.

 update request {
  Tmp-String-0 := "%{variable I want to expand}"
 }

 -Arran

 Arran Cudbard-Bell
 a.cudba...@freeradius.org

 RADIUS - Half the complexity of Diameter


 
 Arran Cudbard-Bell
 a.cudba...@freeradius.org
 
 RADIUS - Half the complexity of Diameter
 
 


Problem with module and users file

2011-07-20 Thread Jean Carlos Oliveira Guandalini
Hello, I'm using the backcounter (rlm_backcounter) module. This module sets an
attribute and this attribute is compared in the USERS file. FreeRADIUS
version 2.1.11.

users file:
DEFAULT Monthly-Time-Exceeded == 1
        Framed-Pool = exceeded,
        Fall-Through = Yes

The problem is that FreeRADIUS never matches this entry in the users
file.

In the source code of rlm_backcounter these lines are used to create an
attribute:
vp = radius_paircreate(request, &request->reply->vps,
   data->overvap_attr, PW_TYPE_INTEGER);
vp->vp_integer = 1;

The module is running, see the logs:
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit:
(rlm_backcounter.c#615) backcounter_authorize(): resetting user
'prepago' counter
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit:
(rlm_backcounter.c#653) backcounter_authorize(): using resetval defined
in radreply: 0
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit:
(rlm_backcounter.c#780) backcounter_authorize(): user prepago is over
limit - adding 'Monthly-Time-Exceeded' attribute
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit:
(rlm_backcounter.c#788) backcounter_authorize(): data-overvap_attr = 3102
Wed Jul 20 11:06:26 2011 : Debug: rlm_sql (sql): Released sql socket id: 1
Wed Jul 20 11:06:26 2011 : Info: ++[time-limit] returns ok
Wed Jul 20 11:06:26 2011 : Info: [files] users: Matched entry DEFAULT at
line 144
Wed Jul 20 11:06:26 2011 : Info: ++[files] returns ok


Is there some setting that needs to be made to accept this attribute?


*** I used this module with freeradius-1.1.8 without problems, but we
need it running in freeradius-2.x


Thanks


Jean

Re: Help debugging unstable server

2011-07-04 Thread Carlos Eduardo Tavares Terra
Thanks... I was trying not to use the FreeRADIUS version distributed in
CentOS. But if there is no other way

On Sun, Jul 3, 2011 at 1:32 PM, Fajar A. Nugraha l...@fajar.net wrote:

 On Sun, Jul 3, 2011 at 7:40 PM, Carlos Eduardo Tavares Terra
 eduardo.te...@gmail.com wrote:
 
  Today I have 2 freeradius servers running... Both of them in a CentOS
 5.6.
  The first is stable, without problems running freeradius 1.1.3.
  The second is running freeradius 2.1.7 and in the last 3 months became
 very
  unstable.
  After some time running the threads just shutdown...
  Reading the /var/log/radius/radius.log, the only message in the moment of
  the problem is:
  Sun Jul  3 06:53:41 2011 : Info: Exiting normally.
  When I check the running processes, the radiusd is running... the
 'service
  radiusd status' command displays the pid of the running daemon... but
  radiusd is not listening on the network ports anymore.
  I tried to keep the radius in debug mode (radiusd -) for a week, but
 in
  this case the problem didn't happen.
  Is there some way to force the radiusd print why it is exiting 'normally'
 ??
  Thanks

 If you look at 2.1.x changelog (from
 http://freeradius.org/press/index.html for example), there were lots
 of fixes after 2.1.7 was released, including stability fixes. Without
 any additional data, my best advice right now is try rebuilding
 Centos's freeradius2 SRPM, but update the source to 2.1.10.

 Try 2.1.10 first instead of 2.1.11, as 2.1.11 requires some additional
 fix (available in git).

 --
 Fajar





-- 
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
IT Infrastructure Consultant
GNU/Linux #413291 [http://counter.li.org]

Help debugging unstable server

2011-07-03 Thread Carlos Eduardo Tavares Terra
Today I have 2 freeradius servers running... Both of them in a CentOS 5.6.
The first is stable, without problems running freeradius 1.1.3.

The second is running freeradius 2.1.7 and in the last 3 months became very
unstable.
After some time running the threads just shutdown...
Reading the /var/log/radius/radius.log, the only message in the moment of
the problem is:
Sun Jul  3 06:53:41 2011 : Info: Exiting normally.

When I check the running processes, the radiusd is running... the 'service
radiusd status' command displays the pid of the running daemon... but
radiusd is not listening on the network ports anymore.

I tried to keep the radius in debug mode (radiusd -) for a week, but in
this case the problem didn't happen.

Is there some way to force the radiusd print why it is exiting 'normally' ??

Thanks

-- 
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
IT Infrastructure Consultant
GNU/Linux #413291 [http://counter.li.org]

Error with Thread

2011-06-29 Thread Jean Carlos Oliveira Guandalini
Hello, I'm using version 1.1.8; my OS is Linux (Gentoo).

My server stops and logs this:
Error: FATAL: Thread create failed: Resource temporarily unavailable

Before this log entry, there is:
Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
client client1:41250 - ID: 195 due to unfinished request 155365
Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
client client2:59253 - ID: 235 due to unfinished request 155374

My config for start server is:

start_servers = 200
max_servers = 200
min_spare_servers = 10
max_spare_servers = 200
max_requests_per_server = 0

The server only returns if I restart the service

Thanks

Jean


Re: Error with Thread

2011-06-29 Thread Jean Carlos Oliveira Guandalini
Unfortunately I have not updated the version because one module that we use
did not run correctly in newer versions.

If I use MySQL (InnoDB) instead of MyISAM, would that maybe help with table
locking and consequently give better performance?

Thanks

Jean


On 29-06-2011 10:10, Fajar A. Nugraha wrote:
 On Wed, Jun 29, 2011 at 6:32 PM, Jean Carlos Oliveira Guandalini
 jean.guandal...@corp.visaonet.com.br wrote:
 Hello, I'm using version 1.1.8; my OS is Linux (Gentoo).
 
 The usual response would be upgrade. 1.x is not supported anymore.
 

 My server stops and logs this:
 Error: FATAL: Thread create failed: Resource temporarily unavailable

 Before this log entry, there is:
 Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
 client client1:41250 - ID: 195 due to unfinished request 155365
 Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
 client client2:59253 - ID: 235 due to unfinished request 155374
 
 my guess is freeradius is busy handling requests that took a long
 time. Usually this happens when your backend (e.g. db) takes a long
 time to process the request, which is quite common if (for example)
 you record accounting packets in database, and never clean it up so it
 has millions of rows. Or your db is not properly designed (e.g. not
 indexed in the right columns). Or you're using custom queries which
 cause high load to the db.
 
 In any case, I'd start by fixing whatever backend you use first, make
 sure it can respond in a timely manner.
 


Re: Error with Thread

2011-06-29 Thread Jean Carlos Oliveira Guandalini
Thanks for your advice. I really think there is a problem with the DB,
because the problem only happens when there are many simultaneous
authentication requests.

Thanks again.

Jean

On 29-06-2011 10:46, Fajar A. Nugraha wrote:
 On Wed, Jun 29, 2011 at 8:29 PM, Jean Carlos Oliveira Guandalini
 jean.guandal...@corp.visaonet.com.br wrote:
 Unfortunately I have not updated the version because one module that we use
 did not run correctly in newer versions.

 
 That sucks :P
 
 If I were you I'd start investing in reimplementing that module so
 it's compatible with newer 2.x. Possibly even rewriting it in perl so
 it can be run with rlm_perl.
 
 If I use MySQL (InnoDB) instead of MyISAM, would that maybe help with table
 locking and consequently give better performance?
 
 When someone asks me that question, usually it's a sign that they know
 very little about databases. And my best advice would be to get a DBA.
 
 The reason is that:
 - Note that I said GUESS previously. You need to determine whether it
 IS in fact the database that's slow. That would require some knowledge
 about the database being used, including how to find out what is
 causing the most load. This is a skill that a dba will have.
 - Innodb and MyISAM have their own strength/weakness, but I've never
 had a case where JUST changing the storage engine would automagically
 solve all problem. Storage engine selection and tuning is usually part
 of the solution, but it's not the ONLY one. In fact, I'd say when it
 comes to performance, index matters more than storage engine type.
 Again, this is a skill that a dba will have.
 - The default queries used by freeradius is fairly simple and
 straightforward. Thus, the effort/skill required to make it faster
 is pretty much the normal things that a dba would do for a common
 database. These might include (but not limited to) optimizing index,
 table definitions, queries, partitioning, clustering, and so on.
 Again, this is a skill that a dba will have.
 
 So my best advice right now is find out if the db is the cause of the
 slow response (running top on the db server would be a good start).
 If it is, get help from a dba or ask in the db's respective
 forum/list.
 
 If it's not, well, I'd start with running radiusd -X, simulate with
 a test auth/acct packet, and see where it's taking the most time.
 


Re: ..::Huntgroup Issues::..

2010-09-03 Thread Carlos Eduardo Tavares Terra
Maybe the problem is here:

rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139,
length=58
User-Name = steve2
User-Password = testing
*NAS-IP-Address = 192.168.2.251*
NAS-Port = 10



2010/9/1 Alfonso Alejandro Reyes Jiménez con...@gmail.com

  Thanks for the advice to everyone.

 As per your recommendation we changed the users file with the following
 line:

 steve2  Cleartext-Password := testing, Huntgroup-Name == arcsight

 but we got the same result access-reject.

 And we got the following output:

 rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139,
 length=58
 User-Name = steve2
 User-Password = testing
 NAS-IP-Address = 192.168.2.251
 NAS-Port = 10
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = steve2, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop

 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication
 may fail because of this.
 ++[pap] returns noop
 *No authenticate method (Auth-Type) configuration found for the request:
 Rejecting the user*
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - steve2
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds

 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 139 to 127.0.0.1 port 6729
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 139 with timestamp +5

 I have a question: we remove the authentication value and the debug shows
 that it is looking for it; why is that?

 Maybe someone that has the huntgroups running can send the examples of the
 users and huntgroups files; that may help a lot.

 Thanks in advance.

 Regards

 Alfonso.

 On 24/08/2010 04:46 a.m., Alan DeKok wrote:

 Alfonso Alejandro Reyes Jiménez wrote:

  Hi, I'm trying to use the huntgroup feature on the freeradius software
 without luck. I think I'm missing something that's why I'm sending this
 email maybe you can help me.

You should read the debug output of the server.  The answer is in there.


  users file at the end:

 alfonso  Auth-Type := Local, User-Password == testing, Huntgroup-Name
 == squid

sigh  Don't set Auth-Type.  Use Cleartext-Password := ..., and not
 User-Password == ...


  Here's the output of the debug, it seems that it doesn't find the config
 file.

No.  It finds the DEFAULT entry earlier in the file.

   Why?  This is documented.  Read the comments at the top of the users
 file.  Read the man users page.  Read the FAQ for an example of how to
 configure a test user.

   Alan DeKok.






-- 
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
Linux Network Administration Consultant
GNU/Linux #413291 [http://counter.li.org]

sqlcounter and ldap backend

2010-05-04 Thread Carlos Antonio Gómez Brizulela
Hello

I have installed freeradius + LDAP backend. I need to limit the
connection time per user. I found sqlcounter as a solution but I have
two problems:

1 - I need to take the values: Max-Daily-Session and
Max-Monthly-Session from LDAP and not from mysql DB.

2 - I need to terminate the connection when it meets the maximum
connection time.

Best regards,

Carlos A.

Sorry for my English, I speak Spanish.


Re: SQL Huntgroup only work with user check, not group check

2009-09-03 Thread Carlos Eduardo Tavares Terra
On Thu, Sep 3, 2009 at 6:30 AM, George Koulyabinju...@vinf.ru wrote:

 +----+----------+--------------------+----+----------+
 | id | username | attribute          | op | value    |
 +----+----------+--------------------+----+----------+
 |  5 | jack     | Huntgroup-Name     | == | wireless |
 |  4 | jack     | Cleartext-Password | := | foo      |
 +----+----------+--------------------+----+----------+
 You wrote rules for authorization/authentication of jack: Jack grants access 
 from hardware of 'wireless' huntgroup with 'foo' password.

I wrote the rules for huntgroup here because the rules in groupcheck
didn't work. If I take this out, just keeping the groupcheck, 'jack'
will connect from any hardware. The groupcheck is ignoring the
huntgroups.


 mysql> select * from radgroupcheck;
 +----+-----------+----------------+----+----------+
 | id | groupname | attribute      | op | value    |
 +----+-----------+----------------+----+----------+
 |  8 | wireless  | Huntgroup-Name | == | wireless |
 +----+-----------+----------------+----+----------+

 But there is You wrote that You want to authorize the 'wireless' membership 
 for jack.


-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]



Re: SQL Huntgroup only work with user check, not group check

2009-09-02 Thread Carlos Eduardo Tavares Terra
On Wed, Sep 2, 2009 at 5:13 AM, Ivan Kalik t...@kalik.net wrote:
 I am having trouble while trying to work with huntgroups. Maybe I
 misunderstand how huntgroups work.

 When I use 'Huntgroup-Name' in radcheck, everything works fine. But
 when I put the 'Huntgroup-Name' into radgroupcheck, the radius is just
 ignoring it.

 Nothing wrong with huntgroups. That's how sql groups work. If they don't
 match they are ignored - user doesn't get rejected.

 Ivan Kalik
 Kalik Informatika ISP



Is there any way to reject if groupcheck fails?

Thanks

-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]


SQL Huntgroup only work with user check, not group check

2009-09-01 Thread Carlos Eduardo Tavares Terra
Hello,

I am having trouble while trying to work with huntgroups. Maybe I
misunderstand how huntgroups work.

I read another post about this issue, but I don't really understand
why force the huntgroup name in confs.

I have inserted two NAS' into radhuntgroup, as follows:
mysql> select * from radhuntgroup;
+----+-----------+--------------+-----------+
| id | groupname | nasipaddress | nasportid |
+----+-----------+--------------+-----------+
|  5 | wireless  | 192.168.2.5  | NULL      |
|  4 | adsl      | 192.168.2.6  | NULL      |
+----+-----------+--------------+-----------+

And associated the user 'jack' with group wireless:
mysql> select * from radusergroup;
+----------+-----------+----------+----+
| username | groupname | priority | id |
+----------+-----------+----------+----+
| jack     | wireless  |        1 |  1 |
+----------+-----------+----------+----+

And created the rules for the user 'jack':
mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  5 | jack     | Huntgroup-Name     | == | wireless |
|  4 | jack     | Cleartext-Password | := | foo      |
+----+----------+--------------------+----+----------+

When I use 'Huntgroup-Name' in radcheck, everything works fine. But
when I put the 'Huntgroup-Name' into radgroupcheck, the radius is just
ignoring it.

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+----------+
| id | groupname | attribute      | op | value    |
+----+-----------+----------------+----+----------+
|  8 | wireless  | Huntgroup-Name | == | wireless |
+----+-----------+----------------+----+----------+

Does it only work this way? Am I doing something wrong?

Thanks

-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
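
The behaviour Ivan Kalik describes in the reply quoted above (a group check that does not match is skipped, it does not reject) can be seen in a simplified model. This is an added example, not FreeRADIUS code and not code from the thread: the helper names and the Session-Timeout group reply item are assumptions, and the table rows are the ones shown in the post.

```python
"""Simplified model of how SQL check items gate a request (added example)."""

# Rows taken from the radhuntgroup and radusergroup tables in the post.
RADHUNTGROUP = {"192.168.2.5": "wireless", "192.168.2.6": "adsl"}
RADUSERGROUP = {"jack": ["wireless"]}


def matches(check_rows, request):
    """True when every '==' row equals the request value; ':=' rows never fail."""
    return all(request.get(attr) == value
               for attr, op, value in check_rows if op == "==")


def authorize(user, nas_ip, radcheck, radgroupcheck, radgroupreply):
    """Return (control_items, reply_items) contributed by the SQL lookup."""
    request = {"User-Name": user, "Huntgroup-Name": RADHUNTGROUP.get(nas_ip)}
    control, reply = {}, {}

    # User level: if a comparison fails, none of the user's rows apply,
    # so no Cleartext-Password reaches the authentication step.
    user_rows = radcheck.get(user, [])
    if matches(user_rows, request):
        control.update({a: v for a, op, v in user_rows if op == ":="})

    # Group level: a failed comparison only skips that group's reply items.
    for group in RADUSERGROUP.get(user, []):
        if matches(radgroupcheck.get(group, []), request):
            reply.update(radgroupreply.get(group, {}))
    return control, reply


def can_authenticate(control, supplied_password):
    """Without a known-good password in the control items, the login fails."""
    known = control.get("Cleartext-Password")
    return known is not None and known == supplied_password


# Layout 1: Huntgroup-Name sits in radcheck, as in the working setup.
USER_LEVEL = dict(
    radcheck={"jack": [("Huntgroup-Name", "==", "wireless"),
                       ("Cleartext-Password", ":=", "foo")]},
    radgroupcheck={},
    radgroupreply={})

# Layout 2: Huntgroup-Name moved to radgroupcheck, as in the failing setup.
GROUP_LEVEL = dict(
    radcheck={"jack": [("Cleartext-Password", ":=", "foo")]},
    radgroupcheck={"wireless": [("Huntgroup-Name", "==", "wireless")]},
    radgroupreply={"wireless": {"Session-Timeout": "3600"}})  # constructed item


def login(layout, nas_ip):
    """Return (accepted, reply_items) for jack logging in through nas_ip."""
    control, reply = authorize("jack", nas_ip, **layout)
    return can_authenticate(control, "foo"), reply


if __name__ == "__main__":
    for name, layout in (("radcheck", USER_LEVEL), ("radgroupcheck", GROUP_LEVEL)):
        for nas in ("192.168.2.5", "192.168.2.6"):
            print(name, nas, login(layout, nas))
```

With the check in radgroupcheck, a login through the adsl NAS is still accepted and only loses the group's reply items, so a group check on its own does not restrict where a user may log in.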


New FR server: CentOS 5 or Ubuntu 8

2009-03-02 Thread Toledo, Luis Carlos
Hi all,

Please accept my apologies for this complicated question.

I need to make a new FR server from sources with mysql support, and I have only
two OS options: CentOS 5 or Ubuntu 8.

I used only FreeBSD, but now I have only these two options.

Any suggestions?

Thx




RES: Is it possible to use FreeRADIUS as AAA in a Cellular Network?

2008-12-14 Thread Toledo, Luis Carlos
 Yes, By focusing mainly on attributes such as
 MSISDN(Calling-Station-Id) and GGSN/NAS(Called-Station-Id) as 
 well as by deploying an IP assignment technique(using IPPOOL 
 or otherwise).
 
 If you have specific queries, would be happy to attempt to answer.
 

Do you know the GGSN session time limit attribute ?



RES: Is it possible to use FreeRADIUS as AAA in a Cellular Network?

2008-12-14 Thread Toledo, Luis Carlos

Does it use the session-timeout RADIUS attribute? Are there other VSAs to
determine the session time or traffic amount?

 
 No..but session-timeout RADIUS attribute
 


RES: Is it possible to use FreeRADIUS as AAA in a Cellular Network?

2008-12-14 Thread Toledo, Luis Carlos
 
The acct attributes are post auth... This I know.

I want to determine for the GGSN, at auth time, the session time and
traffic amount, and after this time limit and traffic limit the session
ends.

I believe there is a VSA to determine this for the ggsn (session time and
traffic amount on the session).

 
 Here are some Accounting Attributes;
 
 Acct-Session-Time
 Acct-Input-Octets
 Acct-Output-Octets
 Acct-Input-Packets
 Acct-Output-Packets
 
 In regard to data services capturing traffic amount(byte 
 count) is more pragmatic than relying on session time.
 
 
 


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-12 Thread Carlos Eduardo Tavares Terra
Many thanks... It is working now! :)

On Tue, Sep 9, 2008 at 5:11 AM, Alan DeKok [EMAIL PROTECTED] wrote:
 Carlos Eduardo Tavares Terra wrote:
 Sorry, but maybe I didn't understand how virtual servers really work.

  raddb/sites-available/README

  Each virtual server is a RADIUS server, just like in 1.x.  The only
 difference is that you don't need to run multiple processes to get
 multiple server configurations.
 I have separated into different virtual servers because each type of
 service have different modules implemented by me. In freeradius1 I was
 using the groupreply 'Exec-Program-Wait' and different radius servers
 for each service. In each server I have modified the sql querys

  i.e. in 1.x, you modified the SQL queries in the sql module
 configuration, for each server.  i.e. you were running TWO different
 instances of the SQL module.

  I think the problem is that you're trying to use only ONE instance of
 the SQL module in 2.x.  Instead, do this in the modules section:

   sql sql1 {
     ... content from 1.x server1, INCLUDING queries
   }

   sql sql2 {
     ... content from 1.x server2, INCLUDING queries
   }

  Then, use sql1 in the virtual server for server1, and sql2 in the
 virtual server for sql2.

  Alan DeKok.




-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux


Out of memory problem

2008-09-10 Thread Jean Carlos Oliveira Guandalini
Hello,
I am using the version 1.1.7 with authentication / accounting in mysql
(rlm_sql).
The problem is that memory use keeps increasing until it is exhausted:

dmesg messages:
Out of Memory: Killed process 28272 (radiusd).
Out of Memory: Killed process 1149 (radiusd).
Out of Memory: Killed process 1155 (radiusd).

The problem can only be solved restarting or reloading the radiusd.
After restarting, the use of memory back to normal.

Is it a bug in this version? A kernel problem? (kernel version is 2.6.15)

Thanks

Sorry for my english


Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-08 Thread Carlos Eduardo Tavares Terra
Sorry, but maybe I didn't understand how virtual servers really work.

I have one big users base. The users can be in one or more groups.

User:John - Group:dialup
User:John - Group:broadband

User:Jack - Group:dialup
User:Jack - Group: hotspot

John and Jack are in my radcheck and radusergroup tables.

Username:  John              Username:  Jack
Attribute: Password          Attribute: Password
Op:        :=                Op:        :=
Value:     crypt('test')     Value:     crypt('test2')


My nas clients are in database too.

nasname:   192.168.2.2       nasname:   192.168.2.3
shortname: dialup-nas        shortname: broadband-nas
type:      cisco             type:      cisco
secret:    secret-password   secret:    secret-password
server:    dialup            server:    broadband


My problem is here:

expand: %{User-Name} -> John
rlm_sql (sql): sql_set_user escaped user --> 'John'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op
  FROM radcheck WHERE username = '%{SQL-User-Name}'
  ORDER BY id -> SELECT id, username, attribute, value, op
  FROM radcheck WHERE username = 'John' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op
  FROM radreply WHERE username = '%{SQL-User-Name}'
  ORDER BY id -> SELECT id, username, attribute, value, op
  FROM radreply WHERE username = 'John' ORDER BY id
expand: SELECT groupname FROM radusergroup
  WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
  SELECT groupname FROM radusergroup WHERE username
  = 'John' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
  FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
  ORDER BY id -> SELECT id, groupname, attribute,
  Value, op FROM radgroupcheck WHERE groupname =
  'dialup' ORDER BY id
rlm_sql (sql): User found in group dialup
expand: SELECT id, groupname, attribute, value, op
  FROM radgroupreply WHERE groupname = '%{Sql-Group}'
  ORDER BY id -> SELECT id, groupname, attribute,
  value, op FROM radgroupreply WHERE groupname =
  'dialup' ORDER BY id
rlm_sql (sql): Released sql socket id: 2


John is connecting through broadband-nas, but freeradius is getting
the dialup groupname and all its checks and replies.
Dialup and broadband have the same priority in the radusergroup table.

I wish to 'force' something like 'dialup-nas'-'dialup group',
'broadband-nas'-'broadband group'.

Maybe I'm going through the wrong way.

I have separated into different virtual servers because each type of
service has different modules implemented by me. In freeradius1 I was
using the groupreply 'Exec-Program-Wait' and different radius servers
for each service. In each server I have modified the sql queries to get
only replies and checks for the respective groups (services).

What is the 'right' way to implement this scenario with freeradius 2?

Thank you for the help.

2008/9/6  [EMAIL PROTECTED]:
 No. You define virtual home servers in proxy.conf.

 Ivan Kalik
 Kalik Informatika ISP



Re: FreeRadius2 + MySQL: NAS x Usergroup

2008-09-06 Thread Carlos Eduardo Tavares Terra
Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of service into different virtual servers,
because each one of them has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
 Radgroupcheck table.

 Ivan Kalik
 Kalik Informatika ISP





-- 
Carlos Eduardo Tavares Terra
Systems Analyst
Petróleo Brasileiro S/A
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux



FreeRadius2 + MySQL: NAS x Usergroup

2008-09-04 Thread Carlos Eduardo Tavares Terra
Dear freeradius users,

I have a special scenario. Today I have many freeradius servers,
each one responsible for different services.

   Now I want to group these freeradius servers into one master server,
but I have users in many different usergroups (one for each service).
   How can I associate a usergroup to a nas?
   Example:
   NAS (192.168.2.1) - Usergroup (Dialup)
   NAS (192.168.2.2) - Usergroup (Broadband)
   NAS (192.168.2.3) - Usergroup (Hotspot)

   I saw how to do this using huntgroups, but I want to use a mysql
database with all clients.

  Are there other ways to implement these different services in one
radius server, maybe the right way? If not, how can I associate the
usergroups and nas using mysql?

Thank you
-- 
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux


Simultaneous-Use in login for same mac-address

2008-06-06 Thread Jean Carlos Oliveira Guandalini

Hello,

we have a problem with MAC address cloning, and we use the Simultaneous-Use := 1
option to not allow double login, but in the case of a cloned MAC address
freeradius allows the connection.


Log of sql.trace:
INSERT into radpostauth (id, user, pass, reply, date) values ('', 
'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, 
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, 
AcctStartDelay, AcctStopDelay) values('81b00935', 'bcc93b20ea389f59', 
'userlogin', '', '10.0.6.10', '2447', 'Ethernet', '2008-06-06 11:08:45', 
'0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', 
'', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
UPDATE radacct SET AcctStopTime = '2008-06-06 11:08:46', AcctSessionTime 
= '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause 
= '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = 
'81b00935' AND UserName = 'userlogin' AND NASIPAddress = '10.0.6.10';
INSERT into radpostauth (id, user, pass, reply, date) values ('', 
'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, 
NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, 
AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, 
AcctStartDelay, AcctStopDelay) values('81b00936', '3f7c1d06dbd205d4', 
'userlogin', '', '10.0.6.10', '2448', 'Ethernet', '2008-06-06 11:08:49', 
'0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', 
'', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');



Queries in sql.conf:
simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE 
UserName='%{SQL-User-Name}' AND AcctStopTime = 0
simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, 
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, 
FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND 
AcctStopTime = 0



despite the mac-address to match are two different users, and the second 
to connect without first disconnecting was before.

Is there any possibility to block it?


Thanks

Sorry for my English (by Google Translate)

--
Jean Carlos Oliveira Guandalini
Network and Infrastructure Dept.
VisãoNet Tecnologia e Telecomunicações
0800-643-5025



Re: Simultaneous-Use in login for same mac-address

2008-06-06 Thread Jean Carlos Oliveira Guandalini

Ivan Kalik wrote:

No. There is no simultaneous login here:

session1:

start: 11:08:45
stop: 11:08:46

session2:

start: 11:08:49
  


but session1 had not ended; it was closed in freeradius when the second
session tried to connect. On my NAS (Mikrotik) there are two
connections, with different IP addresses.


Thanks


Ivan Kalik
Kalik Informatika ISP


--
Jean Carlos Oliveira Guandalini
Network and Infrastructure Dept.
VisãoNet Tecnologia e Telecomunicações
0800-643-5025



Re: Simultaneous-Use in login for same mac-address

2008-06-06 Thread Jean Carlos Oliveira Guandalini

Ivan Kalik wrote:

Your NAS is rubbish. It sent stop packet for the first session.
Freeradius didn't close this session - Mikrotik did.
  

Thank you, I will verify this mikrotik.

Ivan Kalik
Kalik Informatika ISP


--
Jean Carlos Oliveira Guandalini
Network and Infrastructure Dept.
VisãoNet Tecnologia e Telecomunicações
0800-643-5025

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
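
Ivan Kalik's point in the thread above, that the Stop record sent by the NAS is what let the second login through, can be replayed against the simul_count_query from the post. This is an added example, not code from the thread or from FreeRADIUS: it uses an in-memory SQLite table holding only the radacct columns it needs, and the helper names and the `quick_relogins` review query are assumptions.

```python
"""Replay of the accounting sequence from the sql.trace in the post (added example)."""
import sqlite3

# The post's simul_count_query with ${acct_table1} -> radacct and the user
# name bound as a parameter. An open session carries AcctStopTime '0',
# the value the trace inserts on Start.
SIMUL_COUNT = ("SELECT COUNT(*) FROM radacct "
               "WHERE UserName = ? AND AcctStopTime = '0'")


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT, NASPortId TEXT,
        AcctStartTime TEXT, AcctStopTime TEXT, CallingStationId TEXT)""")
    return db


def acct_start(db, session, user, nas, port, start, mac):
    """Accounting Start: insert an open session row."""
    db.execute("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, '0', ?)",
               (session, user, nas, port, start, mac))


def acct_stop(db, session, user, nas, stop):
    """Accounting Stop: close the row, keyed as in the trace's UPDATE."""
    db.execute("UPDATE radacct SET AcctStopTime = ? WHERE AcctSessionId = ? "
               "AND UserName = ? AND NASIPAddress = ?",
               (stop, session, user, nas))


def open_sessions(db, user):
    return db.execute(SIMUL_COUNT, (user,)).fetchone()[0]


def login_allowed(db, user, simultaneous_use=1):
    """A login is refused once the open-session count reaches the limit."""
    return open_sessions(db, user) < simultaneous_use


def quick_relogins(db, window_seconds=10):
    """Pairs (stopped, started) where a session for the same user and
    Calling-Station-Id began within window_seconds after a Stop. Worth
    comparing against the NAS's own list of active sessions."""
    return db.execute("""
        SELECT a.AcctSessionId, b.AcctSessionId
        FROM radacct a JOIN radacct b
          ON a.UserName = b.UserName
         AND a.CallingStationId = b.CallingStationId
        WHERE a.AcctStopTime != '0'
          AND (strftime('%s', b.AcctStartTime)
               - strftime('%s', a.AcctStopTime)) BETWEEN 0 AND ?
        ORDER BY b.AcctStartTime""", (window_seconds,)).fetchall()


def replay_trace(nas_sends_stop):
    """Replay the two logins from the trace.

    Returns (second_login_allowed, open_sessions_afterwards, quick_relogins).
    """
    db = new_db()
    user, nas, mac = "userlogin", "10.0.6.10", "00:4F:62:0A:1F:BF"
    acct_start(db, "81b00935", user, nas, "2447", "2008-06-06 11:08:45", mac)
    if nas_sends_stop:
        # What the Mikrotik did: Stop for session 1 one second after Start.
        acct_stop(db, "81b00935", user, nas, "2008-06-06 11:08:46")
    allowed = login_allowed(db, user)
    if allowed:
        acct_start(db, "81b00936", user, nas, "2448", "2008-06-06 11:08:49", mac)
    return allowed, open_sessions(db, user), quick_relogins(db)


if __name__ == "__main__":
    print("NAS sends Stop:   ", replay_trace(True))
    print("NAS sends no Stop:", replay_trace(False))
```

The check only sees what accounting reports: once the Stop arrives the count is 0 and the second Access-Request passes, whatever the NAS still has connected.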


RES: FreeRadius with SQL and Asterisk - FreeRadius inserts acct data to SQL database, but the data seems useless

2008-01-07 Thread Toledo, Luis Carlos
Why not use Asterisk itself to put accounts (CDR) into mysql? It's very
simple.

 
 Hi!
 First of all, I apologize if I sent this to non-appropriate 
 mailing list, but nevertheless I hope  that you can help me.
 I installed FreeRadius because I wanted to see how it works 
 in conjunction with Asterisk, only for accounting purposes. 
 In my case, I managed to configure Asterisk to send RADIUS 
 packets to FreeRadius server, as we can see from file
 /var/log/radius/radacct/127.0.0.1/detail-20080107:
 




RES: Looking for feedback

2007-12-23 Thread Toledo, Luis Carlos
 Firstly, please do not top post.
 
 Secondly, your reply doesn't actually explain anything new 
 nor ask any additional questions. Maybe you should be clearer :-)
 
 Cheers

Sorry for my top post.
My reply was very short and not clearer because I believe it's not
directly a freeradius subject.




RES: Looking for feedback

2007-12-22 Thread Toledo, Luis Carlos
routerOS with routerboard (Mikrotik) or x86 platform. Centralized or mixed
environment.

 
 On Fri 21 Dec 2007, Geoffroy ARNOUD wrote:
  Hi all,
 
  First I apologize, because the question I am about to ask is not 
  directly linked to FreeRADIUS.
 
  Any feedback would be appreciated.
 
 Daniel
 
 A centralised NAS for multiple hotspots implies that you are 
 not going to NAT each hotspot, but rather that you will route 
 a subnet to each. If that is the case I think a combination 
 of a centralised coova, plus a DHCP relay agent on each 
 access point should work. If it doesn't work out of the box 
 (I haven't tested coova in that config) then I am sure it 
 would be possible with pretty minor patches. Why don't you 
 re-ask the question on the coova list (which I am also on). I 
 am sure David will be able to help :-)
 



LDAP Authentication: filter problem

2007-11-30 Thread Carlos Parada

Hi all,

I'm using an LDAP-based authentication.
I'd have a simple (typical filter) like this

filter = uid=%{User-Name}

Now, in addition, I'd need to authenticate based on a
Service-Info attribute. So I need something like

filter = (&(uid=%{User-Name})(radiusServiceInfo=%{Service-Info}))

The problem is that when Service-Info doesn't come in the Radius 
packet (because it is not mandatory for me), it doesn't work, and I
see on LDAP the following

filter=(&(uid=test1)(?=undefined))

If Service-Info is not present, I would expect something like

filter=(&(uid=test1)(radiusServiceInfo=))

Worse, in fact, what I need is a slightly different filter like

filter = (&(uid=%{User-Name})(!(radiusServiceInfo=%{Service-Info})))

In that case (using the !), the query sent is the following

filter=(&(uid=test1)(?=error))


I've already searched about that on the freeradius mailing-lists
and I didn't see any report about this problem.

Is that any kind of bug? Or am I doing something wrong?
I appreciate some help.


Best Regards,
Carlos Parada




rlm_sqlcounter and user realms

2007-10-25 Thread Carlos A. Carnero Delgado
Hello,

I'm trying to set rlm_sqlcounter up so that I can check for a monthly
use quota. Everything works, except the checks. The NAS present the
user names with a realm, which I'm processing (thus, [EMAIL PROTECTED]
becomes user.) Using SQL for accounting and such is working marvelous.

Now, when I configured/activated rlm_sqlcounter as per the
instructions at http://wiki.freeradius.org/Rlm_sqlcounter it will not
work because the SQL checks are using the pre-processed user name:

  SELECT SUM(AcctSessionTime)
    FROM radacct
    WHERE UserName='%{%k}'

will use '[EMAIL PROTECTED]' instead of just 'user'.

My question is, how can I modify this query definition (and the others
from sqlcounter.conf) so that they really check against the stripped
user name.

Thanks a lot,
Carlos.
-- 
nick grah windows just crashed again, unstable crap.
yukito Windows isn't unstable, it's just spontaneous.


Re: Retrieving the clients (NASes) from SQL (FreeRADIUS 1.1.0)

2007-10-12 Thread Carlos A. Carnero Delgado
Hi,

 Yes. But you will still need to restart the server for changes to take
 effect.

Yes, I noticed it. It turns out that I had the INCLUDE sql.conf
somewhere else. It's working now!

Thanks a lot,
Carlos.
-- 
nick grah windows just crashed again, unstable crap.
yukito Windows isn't unstable, it's just spontaneous.


Retrieving the clients (NASes) from SQL (FreeRADIUS 1.1.0)

2007-10-12 Thread Carlos A. Carnero Delgado
Hello,

does FreeRADIUS 1.1.0 support reading the NAS list from SQL?

I'm using this rather old version because it's the one supplied by my
Ubuntu version, and, if possible, I wouldn't like to use another. Of
course, if I must, I will.

Thanks a lot,
Carlos.
-- 
nick grah windows just crashed again, unstable crap.
yukito Windows isn't unstable, it's just spontaneous.


force the user to use a unique NAS

2007-08-15 Thread Toledo, Luis Carlos
I have two load-balanced NASes on different networks; the users can use the
first or second NAS to gain network access with dynamic IPs via the rlm_ippool
(two different IP pools) radius module.

But now, I need to use a unique fixed IP for some users.

How can I force the user to use a unique NAS? If I don't do this, the fixed
IP can be out of network. Does that make sense?

Thx
Toledo





RES: Non valid NAS-Port and NAS-Port-Id (SOLVED)

2007-08-10 Thread Toledo, Luis Carlos
Thank you very much! Great job Peter !

This problem was solved using the rlm_sqlippool with an sql postgres instance.

All other radius database transactions were made with another sql mysql
instance.

Thanks for everything
Toledo

 
 On Wed 08 Aug 2007, Toledo, Luis Carlos wrote:
    Hey all,

    I have a serious problem with non valid Nas-port received from NASes,
    because a need to provide a dynamic IP (rlm_ippool).

    Have anyone any suggestion?

   http://wiki.freeradius.org/Rlm_sqlippool

  I am use mysql for all radius operations and data storage, is it 
  sqlippool 100% mysql compatible ?

 I use/develop it on Postgresql myself, but other users report 
 success on MySQL. Make sure you are using 1.1.7 or cvs head 
 though. Older versions will not work properly with MySQL...

 Cheers



RES: Stripping domain from username

2007-08-08 Thread Toledo, Luis Carlos
 
   See man unlang for details.

Is this feature available in the stable 1.1.7 version?



Non valid NAS-Port and NAS-Port-Id

2007-08-08 Thread Toledo, Luis Carlos
Hey all,

I have a serious problem with non valid Nas-port received from NASes, because
I need to provide a dynamic IP (rlm_ippool).

Does anyone have any suggestion?

Thx
Toledo, Luis Carlos



RES: Non valid NAS-Port and NAS-Port-Id

2007-08-08 Thread Toledo, Luis Carlos
  Hey all,

  I have a serious problem with non valid Nas-port received from NASes,
  because I need to provide a dynamic IP (rlm_ippool).

  Does anyone have any suggestion?

 http://wiki.freeradius.org/Rlm_sqlippool

I use mysql for all radius operations and data storage, is sqlippool
100% mysql compatible?



Using Calling-Station-Id or AcctSessionId as NAS-Port

2007-08-06 Thread Toledo, Luis Carlos
I need to use Calling-Station-Id (or AcctSessionId) as NAS-Port and provide
dynamic IPs using rlm_ippool.

Using attr_rewrite it's possible to make this change (Calling-Station-Id =
NAS-Port), but the freeradius/modules C code defines port as int. My
Calling-Station-Id is 15 numeric chars long.

Does anyone have any idea?

Thanks
Toledo




RE: Authentication failed

2007-07-13 Thread Carlos Jimenez Barranco

***
Message scanned by the perimeter antivirus of Impala Network Solutions
***-***


Good morning:

Enterasys is the AP and the wireless card. Otherwise, we have also tried with
an integrated Intel Centrino card with the same result.
About the supplicant, we tried with Windows Client and with one provided by
Enterasys. In both of them we cannot connect correctly.

Unfortunately, this point was part of a project that should have been finished
yesterday (I'd like to have found this mailing list several days before) and we
had to configure the system with preshared keys in order to leave the system
running. Authentication with domain was finally not implemented. Today, we do
not have access to that system and cannot do anything more. The project's world!  :(

Otherwise, we really appreciate all your help and advice.


Thank you.

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 16:24
To: FreeRadius users mailing list
Subject: RE: Authentication failed


Let's get a few things straight:

Enterasys is your AP, not your wireless card?

What supplicant are you using on your PC to connect: Windows XP
supplicant, supplicant provided by the manufacturer of PC's wireless
card or something else? Supplicant is the program you are using to make
the wireless connection.

What EAP type are you trying to use? You started with PEAP but in the
last output your supplicant was trying to do TTLS of some sort.

Ivan Kalik
Kalik Informatika ISP


On 12/7/2007, Carlos Jimenez Barranco [EMAIL PROTECTED] wrote:


Hi:

We have found that on the PC, the wireless card needs a username and password
to be entered manually; it doesn't take the domain credentials automatically.
We have tried, just for testing, with a non valid user, in this case root and
the password for the freeradius server. This is why it appears as anonymous.
But we have not made more changes.
After this attempt, we restarted the service and we found that the PC didn't
connect correctly with domain user credentials.
Could it be due to a malfunction or an issue of the Enterasys wireless card
and/or AP?

Thanks.

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 14:41
To: FreeRadius users mailing list
CC: Cristina Martin Molin
Subject: Re: Authentication failed


Hi,


you are CHANGING more than ONE thing at a time. look at this:

   rlm_eap: Request found, released from the list
   rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: No such EAP type ttls
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 7
 modcall: group authenticate returns invalid for request 7
 auth: Failed to validate the user.
 Login incorrect: [anonymous/no User-Password attribute] (from client 
 17224.230.15 port 1 cli 00118865b6e5)

why is it now attempting TTLS authentication? why have you taken such
auth method out of the loop?  ntlm_auth isn't being called AT ALL now.

one change at a time!

alan



___


This message is intended exclusively for its addressee and may contain
information that is CONFIDENTIAL and protected by professional privilege.
If you are not the intended recipient you are hereby notified that any
dissemination, copy or disclosure of this communication is strictly
prohibited by law. If this message has been received in error, please
immediately notify us via e-mail and delete it.
___


Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco
: UserIdentity Unknown 
Wed Jul 11 14:44:13 2007 : Error: rlm_eap: Identity Unknown, authentication 
failed
Wed Jul 11 14:44:40 2007 : Error: rlm_eap: UserIdentity Unknown 
Wed Jul 11 14:44:40 2007 : Error: rlm_eap: Identity Unknown, authentication 
failed




Is it necessary to attach the system message log?
Tell me if you need more info.

Thanks in advance.



Carlos Jimenez




RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Good morning:

Thank you for your quick answer Stefan. Just one more question: Who is the 
supplicant? The AP or the PC client?
On the PC Client (WinXP) we have always entered a login and password.


With kind regards,

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 9:52
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hello,

 rad_recv: Access-Request packet from host 172.24.230.15:3324, id=10, length=113
     NAS-IP-Address = 172.24.230.15
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Framed-MTU = 1400
     User-Name = 
     Calling-Station-Id = 00118865b6e5
     Called-Station-Id = 0011885ae5b0
     NAS-Identifier = RoamAbout AP
     EAP-Message = 0x0201000501
     Message-Authenticator = 0xf6e4825749e3bc4b04a99bc11c37fbba
[...]
 modcall: entering group authenticate for request 4
 rlm_eap: UserIdentity Unknown
 rlm_eap: Identity Unknown, authentication failed
   rlm_eap: Failed in handler
   modcall[authenticate]: module eap returns invalid for request 4
 modcall: group authenticate returns invalid for request 4
 auth: Failed to validate the user.

Your NAS is sending an empty User-Name. That's fatal, because then the 
FreeRADIUS server has no clue which user it should authenticate. Check the 
settings on your supplicant - enter a user name.

 Is it necessarily to attach the system message log?
 Tell me if you need more info.

Most of the times, radiusd -X is sufficient.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


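Decoding the EAP-Message in the Access-Request quoted above shows what the identity response itself contained, alongside the empty User-Name. This is an added example, not part of the thread or of FreeRADIUS; the function names are hypothetical and it assumes the EAP packet arrives in a single EAP-Message attribute.

```python
import re
import struct

# Attribute dump copied from the radiusd -X output quoted in the thread.
SAMPLE_DUMP = """\
rad_recv: Access-Request packet from host 172.24.230.15:3324, id=10, length=113
    NAS-IP-Address = 172.24.230.15
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    Framed-MTU = 1400
    User-Name =
    Calling-Station-Id = 00118865b6e5
    Called-Station-Id = 0011885ae5b0
    NAS-Identifier = RoamAbout AP
    EAP-Message = 0x0201000501
    Message-Authenticator = 0xf6e4825749e3bc4b04a99bc11c37fbba
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_attributes(dump):
    """Turn 'Name = value' lines of a debug dump into a dict."""
    attrs = {}
    for line in dump.splitlines():
        if line.lstrip().startswith("rad_recv:"):
            continue  # packet header line, not an attribute
        match = ATTR_RE.match(line)
        if match:
            attrs[match.group(1)] = match.group(2).strip('"')
    return attrs


def decode_eap(hex_value):
    """Decode the EAP header (code, id, length) and, if present, type and data."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not fit the data")
    packet = {"code": EAP_CODES.get(code, str(code)), "id": ident,
              "length": length, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a type
        packet["type"] = EAP_TYPES.get(raw[4], str(raw[4]))
        packet["data"] = raw[5:length]
    return packet


def triage(attrs):
    """Return findings about the identity the server was given."""
    findings = []
    user_name = attrs.get("User-Name")
    if user_name is None:
        findings.append("User-Name attribute missing")
    elif user_name == "":
        findings.append("User-Name is empty")
    eap_hex = attrs.get("EAP-Message")
    if eap_hex:
        eap = decode_eap(eap_hex)
        if eap["code"] == "Response" and eap["type"] == "Identity":
            identity = eap["data"].decode("utf-8", "replace")
            if identity == "":
                findings.append(
                    "EAP-Response/Identity carries a zero-length identity")
            elif user_name is not None and identity != user_name:
                findings.append("EAP identity differs from User-Name")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_attributes(SAMPLE_DUMP)):
        print(finding)
```

For the packet in the thread, the five bytes 02 01 00 05 01 are a complete EAP-Response/Identity with no identity bytes after the type field.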


RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello, Stefan:

About the supplicant, we are using just Windows XP. We have tried with several
wireless cards (Enterasys one, integrated Intel Centrino 2200b/g...). I may not
have understood the meaning of supplicant; tell me then, please.
I thought it could be a problem related to the way freeradius deals with
credentials (i.e. MSCHAP, with_ntdomain_hack value...).

Thank you,

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:15
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

 Thank you for your quick answer Stefan. Just one more question: Who is the
 supplicant? The AP or the PC client? On the PC Client (WinXP) we have
 always entered a login and password.

The supplicant is the PC client. That's odd. If you really have entered a 
username on the supplicant, the NAS *MUST* put that into the RADIUS packet. 
So there's two possibilities:

- the supplicant software on the PC has a bug and doesn't actually send it 
even though you have entered it (which supplicant are you using?)
- the NAS (AP) is flawed. Unfortunately I have no experience with Enterasys.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473




RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hi:

Thank you, Stefan. We are going to revise the client configuration.

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:51
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

 About the supplicant, we are using just Windows XP. We have tried with
 several wireless card (enterasys one, integrated Intel Centrino
 2200b/g...). I have may not understood the supplicant meaning, tell me
 then, please. I thought it could be a problem related to the way the
 freeradius deals credentials (i. e. MSCHAP, with_ntdomain_hack value...).

FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
NAS is sending an *empty* username. As far as I can tell, your problem does 
not lie on the server side, but on the client side.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473




RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello, Stefan:

As you told us, the supplicant was sending an empty username. We had to
enter the username and password manually because the wireless card was not
taking the domain login values correctly and was using an empty value.
The most recent log is:

Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/no User-Password attribute] (from client localhost port 0)
Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/no User-Password attribute] (from client 172.24.230.15 port 1 cli 00118865b6e5)


Thank you,

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:51
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

 About the supplicant, we are using just Windows XP. We have tried with
 several wireless card (enterasys one, integrated Intel Centrino
 2200b/g...). I have may not understood the supplicant meaning, tell me
 then, please. I thought it could be a problem related to the way the
 freeradius deals credentials (i. e. MSCHAP, with_ntdomain_hack value...).

FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your 
NAS is sending an *empty* username. As far as I can tell, your problem does 
not lie on the server side, but on the client side.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473




RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco
 120 with timestamp 4695fe85
Cleaning up request 7 ID 121 with timestamp 4695fe85
Cleaning up request 8 ID 122 with timestamp 4695fe85
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 123 with timestamp 4695fe86
Nothing to do.  Sleeping until we see a request.


Thank you, Ivan

Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 12:41
To: FreeRadius users mailing list
Subject: RE: Authentication failed


What EAP method are you using? PEAP? Can you post the radiusd -X output.

Ivan Kalik
Kalik Informatika ISP



RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello again:

We have found that when we configure the supplicant with the OPEN authentication
method, it works right, but not when we configure it as WPA (authenticating
against Active Directory with freeradius). In this second case, it seems that
the connection is established but it immediately disconnects.


Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 12:41
To: FreeRadius users mailing list
Subject: RE: Authentication failed


What EAP method are you using? PEAP? Can you post the radiusd -X output.

Ivan Kalik
Kalik Informatika ISP



RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello, Stefan:

We have entered this data in radiusd.conf:

# Be VERY careful when editing the following line!
#
#ntlm_auth = /path/to/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{mschap:NT-Domain}
 --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}


Maybe the line break after every line is not correct, so we have changed it to:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} 
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}


And the problem continues. 


Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 13:17
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

okay, now that the User-Name thing is fixed, another problem with your config 
shows up. The ntlm_auth line is way too short! Therefore, the key can't be 
retrieved.
Is there maybe a line wrap in radiusd.conf, line ntlm_auth = ... or 
something? The shipped ntlm_auth line works by default! Yours is only

'/usr/bin/ntlm_auth --request-nt-key '

i.e. it's missing all the important parts!

Stefan

 modcall: entering group Auth-Type for request 8
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for host/PC-BARCMM2.it.local with NT-Password
 radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key '
 Exec-Program: /usr/bin/ntlm_auth --request-nt-key
 username must be specified!

 Usage: [OPTION...]
   --helper-protocol=helper protocol to use   operate as a stdio-based helper
   --username=STRING                 username
   --domain=STRING                   domain name
   --workstation=STRING              workstation
   --challenge=STRING                challenge (HEX encoded)
   --lm-response=STRING              LM Response to the challenge (HEX encoded)
   --nt-response=STRING              NT or NTLMv2 Response to the challenge (HEX encoded)
   --password=STRING                 User's plaintext password
   --request-lm-key                  Retreive LM session key
   --request-nt-key                  Retreive User (NT) session key
   --diagnostics                     Perform diagnostics on the authentictaion chain
   --require-membership-of=STRING    Require that a user be a member of this group
                                     (either name or SID) for authentication to succeed

 Help options
   -?, --help                        Show this help message
   --usage                           Display brief usage message

 Common samba options:
   -d, --debuglevel=DEBUGLEVEL       Set debug level
   -s, --configfile=CONFIGFILE       Use alternative configuration file
   -l, --log-basename=LOGFILEBASE    Basename for log/debug files
   -V, --version                     Print version
 Exec-Program output:
 Exec-Program: returned: 1
   rlm_mschap: External script failed.


-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


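A check for the line-wrap problem raised above, run over the ntlm_auth setting as posted in this message. This is an added example, not part of the thread or of FreeRADIUS; the function names are hypothetical, and it assumes a value ends at the newline unless the line ends in a backslash, which matches the truncated radius_xlat value in the debug output.

```python
# Options taken from the shipped (commented) ntlm_auth line quoted in the message.
REQUIRED_OPTIONS = ("--request-nt-key", "--username=", "--challenge=",
                    "--nt-response=")

# The wrapped form as posted: every option on its own line, no continuation.
WRAPPED = """\
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{mschap:NT-Domain}
 --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}
"""

# Constructed variant: same options joined by trailing backslashes
# (assumed continuation syntax of the configuration reader).
CONTINUED = r"""ntlm_auth = /usr/bin/ntlm_auth --request-nt-key \
 --domain=%{mschap:NT-Domain} \
 --username=%{mschap:User-Name} \
 --challenge=%{mschap:Challenge:-00} \
 --nt-response=%{mschap:NT-Response:-00}
"""

# The single-line form from the message.
SINGLE_LINE = (
    "ntlm_auth = /usr/bin/ntlm_auth --request-nt-key "
    "--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} "
    "--challenge=%{mschap:Challenge:-00} "
    "--nt-response=%{mschap:NT-Response:-00}\n"
)


def logical_lines(text):
    """Yield (first_line_number, text), joining lines that end in a backslash."""
    parts, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = number
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        yield start, " ".join(p for p in parts if p)
        parts, start = [], None
    if parts:  # file ended in the middle of a continuation
        yield start, " ".join(p for p in parts if p)


def check_ntlm_auth(text):
    """Report the effective ntlm_auth value, missing options and stray option lines."""
    value, orphans = None, []
    for number, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition("=")
        if sep and key.strip() == "ntlm_auth":
            value = rest.strip()
        elif line.startswith("--"):
            # An option on a line of its own belongs to no assignment.
            orphans.append((number, line))
    missing = []
    if value is not None:
        missing = [opt for opt in REQUIRED_OPTIONS if opt not in value]
    return {"value": value, "missing": missing, "orphans": orphans}


if __name__ == "__main__":
    for name, sample in (("wrapped", WRAPPED), ("continued", CONTINUED),
                         ("single line", SINGLE_LINE)):
        result = check_ntlm_auth(sample)
        print(name, "->", result["value"])
        print("  missing:", result["missing"], "stray lines:", len(result["orphans"]))
```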

RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello:

We have restarted the radius service.
This is the output of the debug:


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = yes
 main: max_request_time = 60
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 

RE: Authentication failed

2007-07-12 Thread Carlos Jimenez Barranco



Hello, Stefan:

Thank you for your help.
You are right: I need a good book on Unix command-line tools. :)
For the moment, I have left it all on just one line.


Carlos Jimenez Barranco
- After-Sales Department
    Tel. +34 933034139

www.impala-net.com

Corporate Communications Systems

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 14:00
To: FreeRadius users mailing list
Subject: Re: Authentication failed

 We have entered this data in radiusd.conf:

 # Be VERY careful when editing the following line!
   #
   #ntlm_auth = /path/to/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
  --domain=%{mschap:NT-Domain}
  --username=%{mschap:User-Name}
  --challenge=%{mschap:Challenge:-00}
  --nt-response=%{mschap:NT-Response:-00}


 Maybe, the intro after every line is not correct, so we have changed it
 for:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}


 And the problem continues.

Well, this is UNIX 101: if you want a command to continue over multiple 
lines, you have to put a \ (Backslash) at the end of the lines. The spaces 
themselves are perfectly fine. Something like

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key \
  --domain=%{mschap:NT-Domain} \
  --username=%{mschap:User-Name} \
  --challenge=%{mschap:Challenge:-00} \
  --nt-response=%{mschap:NT-Response:-00}

should work a lot better. Go buy a book about UNIX command-line tools ;-)

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
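The difference between the two multi-line forms discussed in this message can be checked mechanically. The following is an added example, not code from the thread or from FreeRADIUS: a small Python audit that joins backslash-continued lines and flags option lines left stranded after an assignment. The sample configuration text is constructed from the snippets quoted above, and the joining rule is a simplified model of backslash continuation, not the server's own parser.

```python
import re

# Constructed samples based on the thread: the multi-line value without
# continuation characters, and the same value with trailing backslashes.
BROKEN = r"""mschap {
    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
      --domain=%{mschap:NT-Domain}
      --username=%{mschap:User-Name}
      --challenge=%{mschap:Challenge:-00}
      --nt-response=%{mschap:NT-Response:-00}
}
"""

FIXED = r"""mschap {
    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key \
      --domain=%{mschap:NT-Domain} \
      --username=%{mschap:User-Name} \
      --challenge=%{mschap:Challenge:-00} \
      --nt-response=%{mschap:NT-Response:-00}
}
"""

# "name = value" where the name starts with a letter, so "--domain=..." never matches.
ASSIGNMENT = re.compile(r"^([A-Za-z_][\w.-]*)\s*=\s*(.*)$")


def logical_lines(text):
    """Join physical lines that end in a backslash; yield (first_line_no, text)."""
    parts, first = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if first is None:
            first = number
        continued = line.endswith("\\")
        parts.append(line[:-1].strip() if continued else line.strip())
        if not continued:
            yield first, " ".join(p for p in parts if p)
            parts, first = [], None
    if parts:  # input ended on a dangling backslash
        yield first, " ".join(p for p in parts if p)


def audit(text):
    """Return ({key: value}, [(line_no, key, orphaned_option), ...])."""
    values, orphans, last_key = {}, [], None
    for number, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match:
            last_key = match.group(1)
            values[last_key] = match.group(2)
        elif line.startswith("--") and last_key is not None:
            # An option line that follows an assignment but was never joined to it.
            orphans.append((number, last_key, line))
        else:
            last_key = None
    return values, orphans


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        values, orphans = audit(sample)
        print(name, "ntlm_auth =", values["ntlm_auth"])
        for number, key, option in orphans:
            print(f"  line {number}: {option!r} is not part of {key}")
```

In the broken sample the value handed to `ntlm_auth` stops after `--request-nt-key`, so the helper would be run without the domain, username, challenge and response arguments.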


Re: new query verification in sql.conf

2007-03-15 Thread Jean Carlos Oliveira Guandalini
Thanks for all help,

this last tip is very good. I need exactly this

Jean

Alexander Serkin wrote:
 we did this that way:

 1. modified usergroup table to (it's oracle):
   Name       Null?     Type
   ---------  --------  -------------
   ID         NOT NULL  NUMBER(38)
   USERNAME             VARCHAR2(128)
   CLID                 VARCHAR2(15)
   GROUPNAME            VARCHAR2(30)
   PRIORITY   NOT NULL  NUMBER(38)

 2. modified auth sql queries:

  authorize_group_check_query = SELECT 
 ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op
  
   FROM ${groupcheck_table},${usergroup_table} WHERE 
 (${usergroup_table}.Username = '%{SQL-User-Name}' or 
 ${usergroup_table}.CLID = '%{Calling-Station-Id}') AND 
 ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY 
 ${usergroup_table}.PRIORITY,${groupcheck_table}.id
  authorize_group_reply_query = SELECT 
 ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op
  
   FROM ${groupreply_table},${usergroup_table} WHERE 
 (${usergroup_table}.Username = '%{SQL-User-Name}' OR 
 ${usergroup_table}.CLID = '%{Calling-Station-Id}') AND 
 ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY 
 ${groupreply_table}.id
  group_membership_query = SELECT GroupName FROM 
 ${usergroup_table} WHERE UserName='%{SQL-User-Name}' OR 
 CLID='%{Calling-Station-Id}' order by priority

 3. created group profile:
 insert into RADGROUPCHECK values('','blackholed','Auth-Type',':=','Reject');
 insert into RADGROUPCHECK values('','blackholed','Fall-Through','=','No');
 insert into RADGROUPREPLY 
 values('','blackholed','Reply-Message','=','Access denied due to 
 agreement violation');

 4. to blacklist client just add the MAC to blackholed group:
 insert into USERGROUP values('','','blaclisted MAC','blackholed','10');

 Jean Carlos Oliveira Guandalini wrote:
   
 I use freeradius for authentication of pppoe wifi.

 I need to make new sql query in a table with a list of mac-address, if
 the CallingStationId will be equal to the some mac-address of the table
 then will not have to be connected.
 A system of mac-address blacklist.
 I tried to make adding one query in sql.conf but it does not function.

 I find that it would have to add a new function in rlm_sql.c, but am not
 a skilled C programmer.

 Somebody can help me?

 Sorry for my English

 Thanks

 Jean
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 


   

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
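The four steps quoted in this message (a CLID column in the usergroup table, group queries that match on user name or Calling-Station-Id, a "blackholed" profile, one row per blocked MAC) can be tried end to end. This is an added example, not code from the thread: Python with an in-memory SQLite database standing in for the Oracle tables, bound parameters standing in for the `%{SQL-User-Name}` and `%{Calling-Station-Id}` expansions, and a MAC normalization step that is an assumption added here because NAS devices report the address in different notations. The user, the "pppoe" group and the MAC addresses are constructed sample data.

```python
import re
import sqlite3

SCHEMA = """
CREATE TABLE usergroup (id INTEGER PRIMARY KEY, username TEXT, clid TEXT,
                        groupname TEXT, priority INTEGER NOT NULL);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
"""

# Same shape as the thread's group check query: match on user name OR calling
# station, lowest priority number first so the blacklist group is seen first.
CHECK_QUERY = """
SELECT c.groupname, c.attribute, c.op, c.value
  FROM radgroupcheck c JOIN usergroup u ON u.groupname = c.groupname
 WHERE u.username = ? OR u.clid = ?
 ORDER BY u.priority, c.id
"""
REPLY_QUERY = "SELECT attribute, value FROM radgroupreply WHERE groupname = ? ORDER BY id"


def normalize_mac(value):
    """Reduce aa:bb.., AA-BB.. or aabb.ccdd.eeff to 12 lowercase hex digits, else None."""
    compact = re.sub(r"[-:.\s]", "", value or "").lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?,?,?,?)",
        [("blackholed", "Auth-Type", ":=", "Reject"),   # profile from step 3
         ("blackholed", "Fall-Through", "=", "No"),
         ("pppoe", "Simultaneous-Use", ":=", "1")])     # constructed normal group
    db.execute(
        "INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?,?,?,?)",
        ("blackholed", "Reply-Message", "=", "Access denied due to agreement violation"))
    return db


def add_member(db, username, group, priority):
    db.execute("INSERT INTO usergroup (username, clid, groupname, priority) "
               "VALUES (?, NULL, ?, ?)", (username, group, priority))


def blacklist_mac(db, mac, priority=10):
    clid = normalize_mac(mac)
    if clid is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    db.execute("INSERT INTO usergroup (username, clid, groupname, priority) "
               "VALUES (NULL, ?, 'blackholed', ?)", (clid, priority))


def authorize(db, username, calling_station_id):
    """Model of the group check: reject when any matched group sets Auth-Type Reject."""
    clid = normalize_mac(calling_station_id)  # None never equals a stored CLID
    for group, attribute, _op, value in db.execute(CHECK_QUERY, (username, clid)):
        if attribute == "Auth-Type" and value == "Reject":
            reply = dict(db.execute(REPLY_QUERY, (group,)).fetchall())
            return {"result": "reject", "group": group, "reply": reply}
    return {"result": "continue", "group": None, "reply": {}}


if __name__ == "__main__":
    db = build_db()
    add_member(db, "jean", "pppoe", 20)
    blacklist_mac(db, "02:00:5E:10:00:01")
    for mac in ("02-00-5e-10-00-01", "0200.5e10.0001", "02:00:5E:10:00:02"):
        print(mac, authorize(db, "jean", mac))
```

Without the normalization step a blacklist row stored as `02:00:5E:10:00:01` would not match a NAS that sends `0200.5e10.0001`, and the blocked device would be let through.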


new query verification in sql.conf

2007-03-14 Thread Jean Carlos Oliveira Guandalini
I use freeradius for authentication of pppoe wifi.

I need to make new sql query in a table with a list of mac-address, if
the CallingStationId will be equal to the some mac-address of the table
then will not have to be connected.
A system of mac-address blacklist.
I tried to make adding one query in sql.conf but it does not function.

I find that it would have to add a new function in rlm_sql.c, but am not
a skilled C programmer.

Somebody can help me?

Sorry for my English

Thanks

Jean
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: new query verification in sql.conf

2007-03-14 Thread Jean Carlos Oliveira Guandalini
I did not explain correctly.
I have a table in database with mac-address registered, when the user
connect, radius makes a verification in this table (on database)
comparing mac-address of the user with mac-address registered in the
database, if the mac-address of user contain in the table (on database),
user not be able to connect.

Sorry for my English. I use translator! lol

Thanks


Jean
 

 Subject:
 From: [EMAIL PROTECTED]
 Date: Wed, 14 Mar 2007 15:09:49 +0100
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org


 use huntgroups:

 ohnoyouwont  Calling-Station-ID == whatever
 SQL-Group == suspended

 where suspended is a group with Auth-Type reject.

 Ivan Kalik
 Kalik Informatika ISP


 On 14/3/2007, Jean Carlos Oliveira Guandalini
 [EMAIL PROTECTED] wrote:

   
 I use freeradius for authentication of pppoe wifi.

 I need to make new sql query in a table with a list of mac-address, if
 the CallingStationId will be equal to the some mac-address of the table
 then will not have to be connected.
 A system of mac-address blacklist.
 I tried to make adding one query in sql.conf but it does not function.

 I find that it would have to add a new function in rlm_sql.c, but am not
 a skilled C programmer.

 Somebody can help me?

 Sorry for my English

 Thanks

 Jean
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html


 


   

 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius with mysql and shadow encryption

2007-01-25 Thread carlos Alberto RR
Hello,

I have installed a freeradius with mysql and dialupadmin, but I need to
migrate the users of the system, and the passwords that are in /etc/shadow
are encrypted with DES while the crypt of dialupadmin uses MD5. How can I
migrate these users? Any idea? Or how do I make the crypt of
dialupadmin work with DES?

Thanks

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Report Generator

2006-08-24 Thread Carlos Rosero
I would like to have a copy too.

Carlos Rosero S.
Programmer / IT
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]
 

CONFIDENTIALITY NOTICE:

The information contained in this e-mail message, including any attachments,
is for the sole use of the intended recipient(s). It is covered by the
Electronic Communications Privacy Act, 18 U.S.C§2510-2521 and is legally
privileged.  Unauthorized review, use, disclosure or distribution is
strictly prohibited. If you are not the intended recipient and have received
this communication in error, please contact the sender by reply e-mail and
destroy all copies of the original message.

 THANK YOU

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 4:44 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Report Generator

Yes, Sean.

May I have a copy? Thanks a bunch.

Edward



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
g] On Behalf Of Sean
Sent: Wednesday, August 23, 2006 12:58 PM
To: freeradius-users@lists.freeradius.org
Subject: Report Generator

Hi,

I've written a report generator in PHP and HTML that will allow your
clients to generate usage reports from the FreeRadius log files. When
the user logs in he/she is asked for their IP address and the Month that
they want to display. If anyone wants a copy let me know. If there is
enough interest I'll make it available for public download.

Regards,

Sean Bracken

http://swarmhotspots.com
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Radius Authentication

2006-07-19 Thread Carlos Rosero
Why don't you try to use users file as your configuration method!

Carlos Rosero S.
Programmer / IT
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Thibault Le Meur
Sent: Wednesday, July 19, 2006 3:28 AM
To: 'FreeRadius users mailing list'
Subject: RE : Radius Authentication

 i'm facing a little problem.
 in some times my mysql DB server is down  the radius can't insert 
 records into it of-course, so the users can't login as the radius 
 doesn't authenticate them unless he can record them.
 Is there any solution to make the radius authenticate the 
 users without 
 insert records in the DB.

I suppose your mysql DB server isn't used to authenticate your users,
otherwise having your radius server work even if your DB is down would make
no sense (unless you have another module able to authenticate users?).

If your DB server is used only for logging purpose (accounting,
post-authenticate, ...). You may find interesting information in the
doc/configurable_failover file in order to make the DB module failure be
non-critical.

Regards,
Thibault


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: freeradius with mac address authentication

2006-07-12 Thread Carlos Rosero

Hi, Germán: please bring me your example,
and any other useful information.

Carlos Rosero S.
Programmer / IT
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DESETech - German P. Santillan
Sent: Wednesday, July 12, 2006 8:24 AM
To: 'FreeRadius users mailing list'
Subject: RE: freeradius with mac address authentication

I have an example with
users file (plain text)

Is it useful to you?

Germán P. Santillán
Network Administrator
Head of Technical Department
DESETech Argentina S.A.
San Martín 133 - CP: B8000FIC
Bahía Blanca - Argentina
Tel/Fax: +54 (291) 456-5642
[EMAIL PROTECTED]
http://www.desetech.com.ar

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Rosero
Sent: Tuesday, July 11, 2006 7:33 PM
To: freeradius-users@lists.freeradius.org
Subject: freeradius with mac address authentication

Hi, I am new in this, I am looking for a tutorial that let
me know how to configure freeradius with mac address authentication.

Thanks,

Carlos Rosero S.
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]

-- 
This message has been scanned for viruses and
dangerous content by
MailScanner, and is
believed to be clean.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeradius with mac address authentication

2006-07-11 Thread Carlos Rosero

Hi, I am new in this, I am looking for a tutorial that let
me know how to configure freeradius with mac address authentication.

Thanks,

Carlos Rosero S.
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]

-- 
This message has been scanned for viruses and
dangerous content by
MailScanner, and is
believed to be clean.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

working huntgroups

2006-05-16 Thread Carlos Mauricio Reyes Sanmiguel

Hi,

I need to separate the users in the
machines that they have access to. I read about the huntgroups file, but
it is not working; it seems that the radius is not checking the huntgroup
file to give the access.

I have a freeradius on a Redhat machine,
running with the MySQL database for the users and groups information. I
have the information on the radcheck, the radgroupcheck, and the
radgroupreply tables, all the connections and the authentication works
ok, the problem is that the users have access to all of the machines, even
the ones that they shouldn't.

This is what I have in my radgroupreply
table:

GroupName  Attribute       op  Value
test       Cisco-AVPair    =   shell:cmd*
test       Cisco-AVPair    =   shell:priv-lvl=15
test       Service-Type    =   Shell-User
test       Huntgroup-Name  =   name

The huntgroup is like this:

#name huntgroup
name    NAS-IP-Address == 10.0.2.244
name    NAS-IP-Address == 10.0.2.246
name    NAS-IP-Address == 10.0.2.248
        Group = test


The user with that huntgroup
name in their attribute is supposed to be able to connect only to those IP addresses...
or that's what I expect. ;)

Thank you.. in advance..


Carlos
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

accessing diferent devices

2006-05-15 Thread Carlos Mauricio Reyes Sanmiguel

Hi, I just installed the free radius
in a linux box. I got it working ok, but there is a couple of things that
I don't know how to do or if they can be done. The first one is I need
to create special kind of groups of people that can access some devices
but no others, like I have the admin group that has to access all of the
20 devices (switches, routers..) but I also have the operator group that
only has to access 2 of them, and on the same radius I need to enable some
VPN users that only need to register to the radius for the VPN account
that connects to the PX firewall and not to any of the devices...

Can that be done? How can I specify
which equipment the users have access to?

Thanks.

Carlos Reyes
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Re: Create and Send attributes

2006-04-26 Thread Carlos Peñafiel



Carlos Peñafiel wrote:
 Hello!!!

 I want to send from my radius server several attributes to the client,
 but I've been looking at the documentation. I can do that if my
 attribute-ID is between 1 and 100 (I guess, maybe is it 256), but also
 the documentation says that a new attribute has to have an ID greater
 than 3000.

 So, are not the attributes between 100 (256) and 3000 sent to the
 client radius? (I guess, they could be used for local management) If it
 is not, how can I create an attribute with id greater than 3000 and send
 to the radius client?

If you are creating your own attributes, get an IANA enterprise number
(either apply for one or re-use one if AND ONLY IF you're certain it
will only be used internally) and use a vendor-specific attribute space.
See the dictionary.$vendor files for examples.

Alternatively, have a dig in the dictionary files and/or RFCs for an
existing attribute that closely matches the purpose. What are you trying
to do?

Obviously you'll have to have control over the radius client to make it
actually use the new attribute. Most will only use attributes they
already know about.




Hello and thank you to answer so soon.

I am trying to do something like amount of quality of service that a user 
has.


I have the control over the radius client because I am using a HostAP, but 
looking at the documentation and on Google, I can't find a way to solve this. 
Can you help me a little bit more?


Thank you in advance.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Re: Use of Service type attribute

2006-04-26 Thread Carlos Peñafiel

Carlos Peñafiel [EMAIL PROTECTED] wrote:
 I am trying to do something like amount of quality of service that a user
 has.

  What does that mean?


I'm sorry for my English. I want to have a variable (attribute) saying that 
for each user who has authorization using the network, I want to offer a QoS 
going outside (to the internet) for him/her.


 I have the control over the radius client because I am using a HostAP, but
 looking at the documentation and on Google, I can't find a way to solve this.
 Can you help me a little bit more?

  Edit the source code to the client to look for, and interpret, the
new attribute.  Re-use an attribute of a similar name, or invent a new
one.  If the attribute is used only in your local deployment, it
doesn't really matter what number you pick.  It just has to be a
number that goes into a RADIUS packet.

  Alan DeKok.


Ok. Thank you for your time.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re:Send information to the Radius Client

2006-04-17 Thread Carlos Peñafiel

Hello again


why don't you use ldap for that? for the info.


Because I really have to add only one more attribute. My client is a hostAp 
(working like a router), so the new attribute should be amount of 
broadband (I am trying to use QoS), and for only one attribute, I think 
(maybe I am wrong) that a LDAP is too much for my purpose.




  Will the client understand those attributes, and do something with
them?  If the client doesn't already say send phone number in
attribute X, you'll have to modify its source code to add that
feature.



Not yet. I was thinking about at the same time when the client receives the 
confirmation (the authentication), the RADIUS could send 
my-other-new-attribute (amount of QoS), because I guess I only need this 
attribute.



  I am not sure if I have to create a module (I do not know if it is
 necessary). But I do not know what files I must change. Can you help
 me? can you give an idea?

  The server contains documentation on how to configure it, and how to
send any attribute with any value to a client.  Do you have a more
specific question?



Where can I get that information? I have been looking for it on the Internet 
and I did not find this information. Also, I was looking the man pages and I 
was thinking in the attributes in the dictionary, but it said that the 
radius server never sends it to the client, so I declined that way.


I will get any information or any idea which you all want to contribute.

Thank you again.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Send information to the Radius Client

2006-04-16 Thread Carlos Peñafiel

Hello,

I want to be able to send information (such a name, address, phone
number ...) from the Radius Server to the Radius Client( I want to do that 
to a Host AP) after the Radius client has been authenticated. I am not sure 
if I have to create a module (I do not know if it is necessary). But I do 
not know what files I must change. Can you help me? can you give an idea?


I am using freeradius-1.1.1 and the client is Hostap-0.4.8.

Thank you a lot in advance.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem with PEAP and LDAP

2005-08-24 Thread Carlos Martínez-Troncoso Cera

Hello.

We are trying to use FreeRadius with PEAP and LDAP.

Our access point is a 3Com 8750, is talking with a FreeRadius 1.0.4, 
Freeradius talks with LDAP

(Sun One Messaging Server 5.1) and our PEAP clients are Windows XP and 2000.
First we configured FreeRadius with LDAP, it works well, then we tried 
to use this with EAP, it works when
we use local users, but when we try to authenticate and authorize PEAP 
users in LDAP, it doesn't work.


The error is:

modcall: entering group authenticate for request 5
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/mschapv2
 rlm_eap: processing type mschapv2
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 5
 rlm_mschap: Told to do MS-CHAPv2 for cmartinez with NT-Password
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 modcall[authenticate]: module mschap returns reject for request 5
modcall: group Auth-Type returns reject for request 5

I was looking how Sun ONE stores the passwords, it uses SSHA (Salted 
Secure Hashing Algorithm),
I think this is the problem, because I suppose it looks for NT-LM 
Hashing passwords, what can I do and where can I find info about it?


Thank you in advance.

Carlos

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with PEAP and LDAP

2005-08-24 Thread Carlos Martínez-Troncoso Cera




Thanks for your answer Alan.
An option could be to use an MS Active Directory instead of iPlanet LDAP?

Carlos Martínez-Troncoso Cera
Internet/Intranet Services Coordinator
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Alan DeKok wrote:

  Carlos Martínez-Troncoso Cera [EMAIL PROTECTED] wrote:

I was looking how Sun ONE stores the passwords, it uses SSHA (Salted 
Secure Hashing Algorithm),
I think this is the problem, because I suppose it looks for NT-LM 
Hashing passwords, what can I do and where can I find info about it?

  
  
  If the passwords are stored as SSHA, then you can't use them to do
PEAP.  It's impossible.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with PEAP and LDAP

2005-08-24 Thread Carlos Martínez-Troncoso Cera




Thanks Thor, I will see that
option or to work with an Active Directory.
Best regards,

Carlos Martínez-Troncoso Cera
Internet/Intranet Services Coordinator
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367


Thor Spruyt wrote:

  Carlos Martínez-Troncoso Cera wrote:
  
  
Hello.

We are trying to use FreeRadius with PEAP and LDAP.

  
  
You might consider TTLS with PAP instead of PEAP with MS-CHAP-V2

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
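The two replies in this thread (SSHA-stored passwords cannot be used for PEAP, and TTLS with PAP as the alternative) come down to what the server is handed at verification time. The sketch below is an added example, not code from the thread or from FreeRADIUS: it builds and checks an LDAP-style `{SSHA}` value in Python and shows that the check needs the cleartext password, which PAP inside a TLS tunnel supplies and MS-CHAPv2 does not. The `verify` dispatcher, its request dictionaries and the sample passwords are hypothetical.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes of digest that precede the salt in an {SSHA} value


def make_ssha(password, salt=None):
    """Build an LDAP userPassword value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, cleartext):
    """True when the cleartext password reproduces the stored salted digest."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("SSHA value carries no salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def verify(stored, request):
    """Hypothetical dispatcher: what can be decided from an {SSHA} value per method."""
    method = request["method"]
    if method == "PAP":
        # PAP (for example inside a TTLS tunnel) delivers the password itself,
        # so the salted hash can be recomputed and compared.
        return "accept" if check_ssha(stored, request["password"]) else "reject"
    if method == "MS-CHAPv2":
        # The client sends only a response computed from a challenge and its NT
        # hash (MD4 of the UTF-16LE password). To compute the expected response
        # the server needs that NT hash or the cleartext password, and neither
        # can be derived from a salted SHA-1 digest.
        return "unverifiable"
    raise ValueError(f"unsupported method: {method}")


if __name__ == "__main__":
    stored = make_ssha("constructed-passphrase")  # constructed sample credential
    print(stored)
    print(verify(stored, {"method": "PAP", "password": "constructed-passphrase"}))
    print(verify(stored, {"method": "PAP", "password": "wrong"}))
    print(verify(stored, {"method": "MS-CHAPv2", "nt_response": b"\x00" * 24}))
```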

Re: rlm_sqlcounter + PostgreSQL problem

2005-07-05 Thread Carlos Martínez-Troncoso Cera




How are you testing? In the
radacct table see if AcctSessionTime has some value, this is the data
used for the counter, if this value is 0, the query is 0, you can test
with NTRadPing sending in AcctSessionTime some value.
Miguel you don't have to change the query, I had your same problem with
MySQL, AcctSessionTime was 0, when this value was different
everything was OK.
Good luck

Carlos Martínez-Troncoso Cera
Internet/Intranet Services Coordinator
Universidad del Norte
Barranquilla, Colombia


Miguel Cabrera wrote:

  Hi list!

I have a problem with the rlm_sqlcounter. It send the Session-Time-Out
correctly but when if check the time limit against the data base it
always return 0.  I've  added some debugging output and recompile.

This is the output:
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: Entering module authorize code
Tue Jul  5 14:46:51 2005 : Debug: sqlcounter_expand:  'SELECT
SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' AND
AcctStartTime  abstime(1120539600)'
Tue Jul  5 14:46:51 2005 : Debug: radius_xlat:  'SELECT
SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND
AcctStartTime  abstime(1120539600)'
Tue Jul  5 14:46:51 2005 : Debug: sqlcounter_expand: 
'%{sqlcca3:SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='ceruno' AND AcctStartTime  abstime(1120539600)}'
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: querystr:
%{%S:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno'
AND AcctStartTime  abstime(1120539600)}
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: responsestr:
%{sqlcca3:SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='ceruno' AND AcctStartTime  abstime(1120539600)}
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: Valor obtenido de la
consulta: 0
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: Valor a checkar: 90
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: (Check item -
counter) is greater than zero
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: Authorized user
ceruno, check_item=90, counter=0
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: Sent Reply-Item for
user ceruno, Type=Session-Timeout, value=90
Tue Jul  5 14:46:51 2005 : Debug:   modsingle[authorize]: returned
from dailycounter (rlm_sqlcounter) for request 9
Tue Jul  5 14:46:51 2005 : Debug:   modcall[authorize]: module
"dailycounter" returns ok for request 9
Tue Jul  5 14:46:51 2005 : Debug:   modsingle[authorize]: calling
monthlycounter (rlm_sqlcounter) for request 9
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: Entering module authorize code
Tue Jul  5 14:46:51 2005 : Debug: rlm_sqlcounter: Could not find Check
item value pair
Tue Jul  5 14:46:51 2005 : Debug:   modsingle[authorize]: returned
from monthlycounter (rlm_sqlcounter) for request 9
Tue Jul  5 14:46:51 2005 : Debug:   modcall[authorize]: module
"monthlycounter" returns noop for request 9
Tue Jul  5 14:46:51 2005 : Debug: modcall: group authorize returns ok
for request 9
Tue Jul  5 14:46:51 2005 : Debug:   rad_check_password:  Found Auth-Type System
Tue Jul  5 14:46:51 2005 : Debug: auth: type "System"
Tue Jul  5 14:46:51 2005 : Debug:   Processing the authenticate
section of radiusd.conf
Tue Jul  5 14:46:51 2005 : Debug: modcall: entering group authenticate
for request 9
Tue Jul  5 14:46:51 2005 : Debug:   modsingle[authenticate]: calling
unix (rlm_unix) for request 9
Tue Jul  5 14:46:51 2005 : Debug:   modsingle[authenticate]: returned
from unix (rlm_unix) for request 9
Tue Jul  5 14:46:51 2005 : Debug:   modcall[authenticate]: module
"unix" returns ok for request 9
Tue Jul  5 14:46:51 2005 : Debug: modcall: group authenticate returns
ok for request 9


Looking at the code in rlm_sqlcounter.c in the sqlcounter_authorize
function (the lines starting with * are what I've added).

/* third, wrap query with sql module  expand */
	sprintf(querystr, "%%{%%S:%s}", responsestr);
sqlcounter_expand(responsestr, MAX_QUERY_LEN, querystr, instance);

	/* Finally, xlat resulting SQL query */
	radius_xlat(querystr, MAX_QUERY_LEN, responsestr, request, NULL);

*	DEBUG2("rlm_sqlcounter: querystr: %s",querystr);
*	DEBUG2("rlm_sqlcounter: responsestr: %s",responsestr);
	counter = atoi(querystr);
	
*	DEBUG2("rlm_sqlcounter: Valor obtenido de la consulta: %d",counter);
*	DEBUG2("rlm_sqlcounter: Valor a checkar: %d",check_vp->lvalue);
	
If you compare the output above you will note that when 'counter =
atoi(querystr)' happens the value of querystr is: '%{%S:SELECT
SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND
AcctStartTime  abstime(1120539600)}'. So I think it is maybe a bug.

I also have a question: where does the SQL query really happen? I
couldn't figure it out :(

I'm running on FC3 with PostgreSQL 7.4.8 and the last stable release
of freeRadius (version 1.0.4).

I'll appreciate any help you can give me.

Miguel.


FreeRadius + Mysql + MAC address authentication + linksys WRT54GS

2005-06-29 Thread Carlos Sobrinho
Hi there, I'm sorry if this question was already answered, but I searched all 
day today and didn't come up with anything useful for this situation.

This is what I need.

There will be:

* 20 hotspots with a Linksys AP and a modified firmware (OpenWRT) and maybe 
chilispot.
* Freeradius server
* apache2 webserver
* free-HS (SSID)

The objective is to have some free hotspots on a certain area and the user, as 
soon as he chooses free-HS network, will be redirected to a register page. 
Maybe using a proxy trick or a php redirect.

This page will ask simple questions like age and how he found this, but never 
username and password.

The authentication will be made by MAC address but I could only find some 
examples regarding AP's MAC address in the users file.

My problem is to have this auth made by the mysql database.

If he disconnects and connects again his mac address will be in the data-base, 
and radius will find it and authorize and the internet will be normal, No 
proxy, no redirect. 

Maybe a 15m timeout of no activity...

So basically what we need is a way for radius to check for this MAC address in 
the mysql db.

I have a working freeradius+mysql server and I can do a radtest with a 
user's/password and the shared pass and all was ok.

rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=163, length=20

My problems:

* We don't have any certificate store to sign our certificate,
* We don't want people to install certificates

Another question: what type of protocols should we use?
EAP, PEAP, CHAP, MSCHAP, EAP/TLS, WEP?

The simplest one for Windows users to access.



Thank you in advance for the help
With best regards

Carlos Sobrinho

-- 
#
# These PRESERVES should be FORCE-FED to PENTAGON OFFICIALS!!   #
#



Re: Version 1.0.4 Upgrading

2005-06-22 Thread Carlos Martínez-Troncoso Cera
I just upgraded on Red Hat Enterprise 3.0 from 1.0.2 to 1.0.4 without 
problems; my conf files didn't change. I suggest you make a copy of 
/etc/raddb to avoid problems.

Regards,

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367



Abdul Lateef wrote:


Hello,

Currently I am using version 1.0.2, running on
my Linux box.

I made a plan to upgrade it to the latest version,
1.0.4.

I have a small question about the 1.0.2 configuration
files: how should I upgrade them? Will the configuration files
also be upgraded, or will they not be affected?

Thank you



Re: rlm_sqlcounter problem

2005-06-20 Thread Carlos Martínez-Troncoso Cera




Thanks Roberto for your answer, but
I did the changes in sqlcounter.conf and with my Cisco, sqlcounter
doesn't work; with NTRadping it works very well. I looked into the
source code in freeradius 1.0.4 but this module is the same as in version
1.0.2 (I have 1.0.2 working).
What can I do?
Do you know how I can debug this module?

This is the message with radiusd -X -A (with Cisco):

rlm_ldap: user cmartinez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
 modcall[authorize]: module "monthlycounter" returns noop for request 5
modcall: group authorize returns ok for request 5
 rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
 Processing the authenticate section of radiusd.conf

-

with NTRadping:

rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000
- UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1117602000''
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1117602000''
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime -
GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct
WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1117602000'}'
radius_xlat: Running registered xlat function of module sql for string
'SELECT SUM(AcctSessionTime - GREATEST((1117602000 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1117602000''
rlm_sql (sql): - sql_xlat
radius_xlat: 'cmartinez'
rlm_sql (sql): sql_set_user escaped user -- 'cmartinez'
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) +
AcctSessionTime  '1117602000''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
radius_xlat: '107853'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10,
counter=107853


Thanks for your help!

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367


Roberto Gonzalez Azevedo wrote:
sqlcounter noresetcounter {
## Look here
 driver = "rlm_sqlcounter"
 counter-name = Max-All-Session-Time
 check-name = Max-All-Session
## Look here
 check-item = Max-All-Session
 sqlmod-inst = sql
 key = User-Name
 reset = never
 query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{%k}'"
 }

sqlcounter dailycounter {
 driver = "rlm_sqlcounter"
 counter-name = Daily-Session-Time
 check-name = Max-Daily-Session
## Look here
 check-item = Max-Daily-Session
 sqlmod-inst = sql
 key = User-Name
 reset = daily
 query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
 }

sqlcounter monthlycounter {
## Look here
 driver = "rlm_sqlcounter"
 counter-name = Monthly-Session-Time
 check-name = Max-Monthly-Session
## Look here
 check-item = Max-Monthly-Session
 sqlmod-inst = sql
 key = User-Name
 reset = monthly
 query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
 }

  
thanks ...
  
-
  
Roberto Gonzalez Azevedo
  
  
Carlos Martínez-Troncoso Cera wrote:
  
  ok Roberto:

sqlcounter noresetcounter {

 counter-name = Max-All-Session-Time

 check-name = Max-All-Session

 sqlmod-inst = sql

 key = User-Name

 reset = never

 query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{%k}'"

 }


sqlcounter dailycounter {

 driver = "rlm_sqlcounter"

 counter-name = Daily-Session-Time

 check-name = Max-Daily-Session

 sqlmod-inst = sql

 key = User-Name

 reset = daily

 query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime  '%b'&qu

Re: rlm_sqlcounter problem

2005-06-20 Thread Carlos Martínez-Troncoso Cera

I modified the users file and now it works, user is now like:

DEFAULT Simultaneous-Use := 1
   Fall-Through = 1

cmartinez Max-Monthly-Session := 108000, Auth-Type := ldap
   Service-Type = Framed-User,
   Framed-Protocol = PPP

--

Thanks a lot to Roberto and Alan for their time and help.

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367



Carlos Martínez-Troncoso Cera wrote:

Thanks Roberto for your answer, but I did the changes in 
sqlcounter.conf and with my Cisco, sqlcounter doesn't work; with 
NTRadping it works very well. I looked into the source code in 
freeradius 1.0.4 but this module is the same as in version 1.0.2 (I have 
1.0.2 working).

What can I do?
Do you know how I can debug this module?

This is the message with radiusd -X -A (with Cisco):

rlm_ldap: user cmartinez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf

-

with NTRadping:

rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 
- UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime  '1117602000''
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime  '1117602000''
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime - 
GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM 
radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime  '1117602000'}'
radius_xlat: Running registered xlat function of module sql for string 
'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime  '1117602000''

rlm_sql (sql): - sql_xlat
radius_xlat:  'cmartinez'
rlm_sql (sql): sql_set_user escaped user -- 'cmartinez'
radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + 
AcctSessionTime  '1117602000''

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
radius_xlat:  '107853'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10, counter=107853
 


Thanks for your help!

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367



Roberto Gonzalez Azevedo wrote:


sqlcounter noresetcounter {
## Look here
driver = rlm_sqlcounter
   counter-name = Max-All-Session-Time
   check-name = Max-All-Session
## Look here
check-item = Max-All-Session
   sqlmod-inst = sql
   key = User-Name
   reset = never
   query = SELECT SUM(AcctSessionTime) FROM radacct 
WHERE UserName='%{%k}'

   }

sqlcounter dailycounter {
   driver = rlm_sqlcounter
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
## Look here
check-item = Max-Daily-Session
   sqlmod-inst = sql
   key = User-Name
   reset = daily
   query = SELECT SUM(AcctSessionTime - GREATEST((%b - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime 
 '%b'

   }

sqlcounter monthlycounter {
## Look here
driver = rlm_sqlcounter
   counter-name = Monthly-Session-Time
   check-name = Max-Monthly-Session
## Look here
check-item = Max-Monthly-Session
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
   query = SELECT SUM(AcctSessionTime - GREATEST((%b - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE 
UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime 
 '%b'

   }

thanks ...
-
Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:


ok Roberto:
sqlcounter noresetcounter {
   counter-name = Max-All-Session-Time
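
The symptom in this thread, `Could not find Check item value pair` followed by `returns noop`, means the counter was never compared for that request, so the time limit is silently not applied. As an added example (not part of the original posts and not FreeRADIUS code), the script below sorts `radiusd -X` output into enforced and unenforced rlm_sqlcounter calls; the sample trace is constructed from the lines quoted above and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the debug traces quoted in this thread.
# The "returns reject" line is an assumption: the quoted trace ends before it.
SAMPLE_DEBUG = """\
rlm_ldap: user cmartinez authorized to use remote access
 modcall[authorize]: module "ldap" returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
 modcall[authorize]: module "monthlycounter" returns noop for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10, counter=107853
 modcall[authorize]: module "monthlycounter" returns reject for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user cmartinez, check_item=108000, counter=106750
rlm_sqlcounter: Sent Reply-Item for user cmartinez, Type=Session-Timeout, value=1250
 modcall[authorize]: module "monthlycounter" returns ok for request 8
"""

ENTER = "rlm_sqlcounter: Entering module authorize code"
NO_CHECK = "rlm_sqlcounter: Could not find Check item value pair"
VERDICT = re.compile(r"rlm_sqlcounter: (Authorized|Rejected) user (\S+), "
                     r"check_item=(\d+), counter=(\d+)")
TIMEOUT = re.compile(r"Type=Session-Timeout, value=(\d+)")
# The module name is quoted in one copy of the trace and bare in the other.
MODCALL = re.compile(r'modcall\[authorize\]: module "?([\w-]+)"? '
                     r"returns (\w+) for request (\d+)")


def triage(debug_text):
    """Return one record per rlm_sqlcounter call found in the debug output."""
    records, current = [], None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line == ENTER:
            current = {"module": None, "request": None, "rcode": None,
                       "enforced": None, "verdict": None, "user": None,
                       "check_item": None, "counter": None,
                       "session_timeout": None}
            continue
        if current is None:
            continue  # output that belongs to some other module
        verdict = VERDICT.search(line)
        timeout = TIMEOUT.search(line)
        modcall = MODCALL.search(line)
        if line == NO_CHECK:
            # No check item on the request: the limit is not compared at all.
            current["enforced"] = False
        elif verdict:
            current.update(enforced=True, verdict=verdict.group(1),
                           user=verdict.group(2),
                           check_item=int(verdict.group(3)),
                           counter=int(verdict.group(4)))
        elif timeout:
            current["session_timeout"] = int(timeout.group(1))
        elif modcall:
            # The modcall line names the instance and closes the record.
            current.update(module=modcall.group(1), rcode=modcall.group(2),
                           request=int(modcall.group(3)))
            records.append(current)
            current = None
    return records


def unenforced(records):
    """(instance, request id) pairs where the counter limit was skipped."""
    return [(r["module"], r["request"]) for r in records
            if r["enforced"] is False]


def timeout_matches(record):
    """True when Session-Timeout equals check item minus counter."""
    return (record["session_timeout"]
            == record["check_item"] - record["counter"])


if __name__ == "__main__":
    for rec in triage(SAMPLE_DEBUG):
        state = "ENFORCED" if rec["enforced"] else "NOT ENFORCED"
        print(rec["module"], "request", rec["request"], rec["rcode"], state)
```
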

rlm_sqlcounter problem

2005-06-17 Thread Carlos Martínez-Troncoso Cera




Hello.

I have freeradius-1.0.2 with authorization and authentication in LDAP
and accounting in MySQL. I configured it to use rlm_sqlcounter to control
connection time; testing with NTRadping works well, but testing with my
Cisco NAS it doesn't work.

With my cisco NAS this is the message:

rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
 modcall[authorize]: module "noresetcounter" returns noop for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
 modcall[authorize]: module "monthlycounter" returns noop for request 3


With NTRadPing the message is:

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user cmartinez, check_item=108000,
counter=106750
rlm_sqlcounter: Sent Reply-Item for user cmartinez,
Type=Session-Timeout, value=1250
 modcall[authorize]: module "monthlycounter" returns ok for request 8


My relevant conf files:

clients.conf

#PC with NTRadping
client 172.16.31.43/32 {
 secret = x
 shortname = Carlos
 type = other
}
#Cisco NAS
client 200.106.138.14/32 {
 secret  = xx
 shortname = cisco
 type  = cisco
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/local/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
}

proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
}

modules {

 pap {
  encryption_scheme = crypt
 }

 chap {
  authtype = CHAP
 }

 pam {
  pam_auth = radiusd
 }

 $INCLUDE ${confdir}/sql.conf
 $INCLUDE ${confdir}/sqlcounter.conf  

 mschap {
  authtype = MS-CHAP
 }

 ldap {
  server = "200.xx.xx.xx"
  port = "390"
  identity = "cn=Directory Manager"
  password = xx
  basedn = "o=yy,o=yy"
  password_attribute = "userPassword"
  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  start_tls = no
  access_attr = "dialupAccess"
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
 }

 checkval {
  item-name = Max-Monthly-Session
  check-name = Max-Monthly-Session
  data-type = string
 }
 
 preprocess {
  huntgroups = ${confdir}/huntgroups
  hints = ${confdir}/hints
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
 }

 files {
  usersfile = ${confdir}/users
  acctusersfile = ${confdir}/acct_users
  compat = no
 }

 detail {
  detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  detailperm = 0600
 }

 detail auth_log {
  detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
  detailperm = 0600
 }

 detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
  detailperm = 0600

 acct_unique {
  key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
 }

 radutmp {
  filename = ${logdir}/radutmp
  username = %{User-Name}
  case_sensitive = yes
  check_with_nas = yes  
  perm = 0600
  callerid = "yes"
 }

 radutmp sradutmp {
  filename = ${logdir}/sradutmp
  perm = 0644
  callerid = "no"
 }

 attr_filter {
  attrsfile = ${confdir}/attrs
 }

 always fail {
  rcode = fail
 }
 always reject {
  rcode = reject
 }
 always ok {
  rcode = ok
  simulcount = 0
  mpp = no
 }

 expr {
 }

 digest {
 }

 exec {
  wait = yes
  input_pairs = request
 }

 exec echo {
  wait = yes
  program = "/bin/echo %{User-Name}"
  input_pairs = request
  output_pairs = reply
 }

 ippool main_pool {
  range-start = 192.168.1.1
  range-stop = 192.168.3.254
  netmask = 255.255.255.0
  cache-size = 800
  session-db = ${raddbdir}/db.ippool
  ip-index = ${raddbdir}/db.ipindex
  override = no
  maximum-timeout = 0
 }
}

instantiate {
 exec
 expr
 monthlycounter
}

authorize {
 preprocess
 auth_log
  chap
 mschap
 files
 ldap
 noresetcounter
 monthlycounter
}

authenticate {
 Auth-Type PAP {
  pap
 }
 Auth-Type

Re: rlm_sqlcounter problem

2005-06-17 Thread Carlos Martínez-Troncoso Cera




Ok Roberto, here is my
sqlcounter.conf

sqlcounter noresetcounter {
 counter-name = Max-All-Session-Time
 check-name = Max-All-Session
 sqlmod-inst = sql
 key = User-Name
 reset = never
 query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{%k}'"
 }

sqlcounter dailycounter {
 driver = "rlm_sqlcounter"
 counter-name = Daily-Session-Time
 check-name = Max-Daily-Session
 sqlmod-inst = sql
 key = User-Name
 reset = daily
 query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
 }

sqlcounter monthlycounter {
 counter-name = Monthly-Session-Time
 check-name = Max-Monthly-Session
 sqlmod-inst = sql
 key = User-Name
 reset = monthly
 query = "SELECT SUM(AcctSessionTime - GREATEST((%b -
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
 }



Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367


Roberto Gonzalez Azevedo wrote:
Show us your sqlcounter.conf ...
  
  
You should define 'check-item' in sqlcounter.conf ...
  
  
-----
  
Roberto Gonzalez Azevedo
  
Carlos Martínez-Troncoso Cera wrote:
  
  Hello.


I have freeradius-1.0.2 with authorization and authentication in LDAP
and accounting in MySQL. I configured it to use rlm_sqlcounter to control
connection time; testing with NTRadping works well, but testing with my
Cisco NAS it doesn't work.


With my cisco NAS this is the message:


rlm_sqlcounter: Entering module authorize code

rlm_sqlcounter: Could not find Check item value pair

 modcall[authorize]: module "noresetcounter" returns noop for request
3

rlm_sqlcounter: Entering module authorize code

rlm_sqlcounter: Could not find Check item value pair

 modcall[authorize]: module "monthlycounter" returns noop for request
3



With NTRadPing the message is:


rlm_sqlcounter: (Check item - counter) is greater than zero

rlm_sqlcounter: Authorized user cmartinez, check_item=108000,
counter=106750

rlm_sqlcounter: Sent Reply-Item for user cmartinez,
Type=Session-Timeout, value=1250

 modcall[authorize]: module "monthlycounter" returns ok for request 8



My relevant conf files:



clients.conf


#PC with NTRadping

client 172.16.31.43/32 {

 secret = x

 shortname = Carlos

 type = other

}

#Cisco NAS

client 200.106.138.14/32 {

 secret = xx

 shortname = cisco

 type = cisco

}



radiusd.conf


prefix = /usr

exec_prefix = /usr

sysconfdir = /etc

localstatedir = /var

sbindir = /usr/sbin

logdir = ${localstatedir}/log/radius

raddbdir = ${sysconfdir}/raddb

radacctdir = ${logdir}/radacct

confdir = ${raddbdir}

run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = /usr/local/lib

pidfile = ${run_dir}/radiusd.pid

user = radiusd

group = radiusd

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 1812

hostname_lookups = no

allow_core_dumps = no

regular_expressions = yes

extended_expressions = yes

log_stripped_names = yes

log_auth = yes

log_auth_badpass = no

log_auth_goodpass = no

usercollide = no

lower_user = no

lower_pass = no

nospace_user = no

nospace_pass = no

checkrad = ${sbindir}/checkrad


security {

 max_attributes = 200

 reject_delay = 1

 status_server = no

}


proxy_requests = no

$INCLUDE ${confdir}/clients.conf

snmp = no

$INCLUDE ${confdir}/snmp.conf


thread pool {

 start_servers = 5

 max_servers = 32

 min_spare_servers = 3

 max_spare_servers = 10

 max_requests_per_server = 0

}


modules {


 pap {

 encryption_scheme = crypt

 }


 chap {

 authtype = CHAP

 }


 pam {

 pam_auth = radiusd

 }


 $INCLUDE ${confdir}/sql.conf

 $INCLUDE ${confdir}/sqlcounter.conf 
 mschap {

 authtype = MS-CHAP

 }


 ldap {

 server = "200.xx.xx.xx"

 port = "390"

 identity = "cn=Directory Manager"

 password = xx

 basedn = "o=yy,o=yy"

 password_attribute = "userPassword"

 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

 start_tls = no

 access_attr = "dialupAccess"

 dictionary_mapping = ${raddbdir}/ldap.attrmap

 ldap_connections_number = 5

Re: rlm_sqlcounter problem

2005-06-17 Thread Carlos Martínez-Troncoso Cera

ok Roberto:
sqlcounter noresetcounter {
   counter-name = Max-All-Session-Time
   check-name = Max-All-Session
   sqlmod-inst = sql
   key = User-Name
   reset = never
   query = SELECT SUM(AcctSessionTime) FROM radacct WHERE 
UserName='%{%k}'

   }

sqlcounter dailycounter {
   driver = rlm_sqlcounter
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
   sqlmod-inst = sql
   key = User-Name
   reset = daily
   query = SELECT SUM(AcctSessionTime - GREATEST((%b - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' 
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime  '%b'

   }

sqlcounter monthlycounter {
   counter-name = Monthly-Session-Time
   check-name = Max-Monthly-Session
   sqlmod-inst = sql
   key = User-Name
   reset = monthly
   query = SELECT SUM(AcctSessionTime - GREATEST((%b - 
UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' 
AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime  '%b'

   }



Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367



Roberto Gonzalez Azevedo wrote:


Show us your sqlcounter.conf ...

You should define 'check-item' in sqlcounter.conf ...

-
Roberto Gonzalez Azevedo
Carlos Martínez-Troncoso Cera wrote:


Hello.

I have freeradius-1.0.2 with authorization and authentication in LDAP 
and accounting in MySQL. I configured it to use rlm_sqlcounter to 
control connection time; testing with NTRadping works well, but 
testing with my Cisco NAS it doesn't work.


With my cisco NAS this is the message:

rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module noresetcounter returns noop for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop for request 3


With NTRadPing the message is:

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user cmartinez, check_item=108000, 
counter=106750
rlm_sqlcounter: Sent Reply-Item for user cmartinez, 
Type=Session-Timeout, value=1250

  modcall[authorize]: module monthlycounter returns ok for request 8


My relevant conf files:

clients.conf

#PC with NTRadping
client 172.16.31.43/32 {
   secret  = x
   shortname   = Carlos
   type= other
}
#Cisco NAS
client 200.106.138.14/32 {
secret= xx
shortname= cisco
type= cisco
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/local/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions= yes
extended_expressions= yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
snmp= no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {

pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

pam {
pam_auth = radiusd
}

$INCLUDE  ${confdir}/sql.conf
$INCLUDE  ${confdir}/sqlcounter.conf  
mschap {

authtype = MS-CHAP
}

ldap {
server = 200.xx.xx.xx
port = 390
identity = cn=Directory Manager
password = xx
basedn = o=yy,o=yy
password_attribute = userPassword
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
access_attr = dialupAccess
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}

checkval {
item-name = Max-Monthly-Session
check-name = Max-Monthly-Session
data-type = string
}
   preprocess {
huntgroups = ${confdir}/huntgroups
hints

Re: Freeradius make install error

2005-06-15 Thread Carlos Martínez-Troncoso Cera




I had the same error installing
freeradius 1.0.3 on Linux and Solaris. I saw that this version has bugs
in its install, tried version 1.0.2, and now everything is
working. See the fixes for 1.0.3 and, if none is for you, you can try
1.0.2.
Regards,

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367


synackrst wrote:

  
  
  
  
  Hello,

  Any solution for this:

  #make install
  ...

  /usr/local/src/freeradius-1.0.3/install-sh -c -m 755 -s .libs/radiusd /usr/local/sbin/radiusd
  /usr/local/src/freeradius-1.0.3/install-sh -c -m 755 -s radwho /usr/local/bin
  strip: /usr/local/bin/#inst.420#: File format not recognized
  make[4]: *** [install] Error 1
  make[4]: Leaving directory `/usr/local/src/freeradius-1.0.3/src/main'
  make[3]: *** [common] Error 2
  make[3]: Leaving directory `/usr/local/src/freeradius-1.0.3/src'
  make[2]: *** [install] Error 2
  make[2]: Leaving directory `/usr/local/src/freeradius-1.0.3/src'
  make[1]: *** [common] Error 2
  make[1]: Leaving directory `/usr/local/src/freeradius-1.0.3'
  make: *** [install] Error 2
  #
  
  


Questions about working with LDAP

2005-05-26 Thread Carlos Martínez-Troncoso Cera

Hello people.

I am a newbie trying to activate freeradius 1.0.2 with users in Sun One 
Directory Server 5.1 (authentication and authorization)

and accounting in MySQL.

Well, I read the docs and my freeradius is talking with LDAP and MySQL 
and AAA is operating. This works well now.


I have 2 questions (there is a lot of old info and I am confused):

1-How can I control simultaneous logon using LDAP attributes?
2-How can I restrict the time limit in a month (I have my users in LDAP, 
not in MySQL; rlm_sqlcounter doesn't work for me)?


Thanks a lot for your time.

Regards.

Carlos.




TLS authentication

2005-05-25 Thread Juan Carlos Arévalo
Good morning!
The purpose of this e-mail is to ask for information about RADIUS, to
see if you can help me.
I have a RADIUS server set up on SuSE 9.2, which is running well, or so
it seems: when I set it to validate users by MAC address through a
Cisco AP1100, it does this wonderfully.

The other matter is that I have an LDAP server holding the database of
the whole company; when I run tests with NTRadping the server answers
perfectly.

But when I try to do it through the AP1100 it does not work as it
should. I have it configured to work with EAP/PEAP and it asks me for a
certificate, which I have already configured, but it gives me a very
strange error that I do not understand. I will post the error here to
see who can help me.
Wed May 25 13:26:38 2005 : Debug:   rlm_eap_tls:  TLS 1.0 Alert
[length 0002], fatal unknown_ca
Wed May 25 13:26:38 2005 : Error: TLS Alert read:fatal:unknown CA 
Wed May 25 13:26:38 2005 : Error: TLS_accept:failed in SSLv3 read
client certificate A
16174:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1052:SSL alert number 48
16174:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake
failure:s3_pkt.c:837:
Wed May 25 13:26:38 2005 : Error: rlm_eap_tls: SSL_read failed in a
system call (-1), TLS session fails.
Wed May 25 13:26:38 2005 : Debug: In SSL Handshake Phase 
Wed May 25 13:26:38 2005 : Debug: In SSL Accept mode  



de verdad que si me pueden ayudar seria muy bueno !!


-- 
Juan Carlos Arevalo
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Invalid Signature

2005-05-13 Thread Carlos Eduardo Terra
Dear users,
   I am having some trouble with FreeRadius 1.0.2 here.
   I have a Total Control HiperARC as my NAS, working today with a
server running Cistron for authentication and accounting.
   Today I tried to run FreeRadius with SQL support. The authentication
works fine, but the accounting is having trouble.

   I receive the following error during debug:
   Receive Accounting-Request packet from xxx.xxx.xxx.xxx with invalid
signature! (Shared secret is incorrect.)

   After some time testing, I set up my Cistron again and took my old
US Robotics NETServer V34 to do some tests.
   The NETServer had the same problem. The user authenticates but
accounting is off with the same message.

   What can be wrong?
   I was googling all night and I have found some people with the
same problem, but without a solution.

   Can somebody help me?
Thanks
--
Carlos Eduardo Terra



Re: EAP-TTLS with tunneled PAP Users files

2004-12-16 Thread Carlos Gabriel Drach
Hi, I need help configuring freeradius + asterisk (PBX).
Is there anybody on this list who can help me?
Thank you

Carlos.-


does anybody use freeradius with asterisk (pbx)?

2004-12-15 Thread Carlos Gabriel Drach
Hello,
I am trying to set up asterisk with freeradius, but I am totally lost.
At the time I write this mail, I have started to read the freeradius docs.
If anybody can help me, I will be very thankful.
Carlos.-



Re: Problem with Auth-Type

2004-11-16 Thread Carlos
Excuse me, just a mistake this morning in writing the files. I've read a lot of
the documentation and the files themselves.
Here are the contents of the files users, clients.conf and proxy.conf:

/raddb/users
demolocal Auth-Type := Local, Password == demolocal
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1500
carlos Auth-Type := Local, Password == radius
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1500

/raddb/clients.conf
client 127.0.0.1 {
        secret = demolocal
        shortname = localhost
        nastype = other
}
client 192.168.1.0/24 {
        secret = demolan
        shortname = Radius1
}

/raddb/proxy.conf
realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = demolocal
}
realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = demolan
}
realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        secret = demolan
}
From this, can you please tell me what is wrong and gives me the answer:
no Auth-Type for the request, (carlos/radius) incorrect
user rejected
Authorization was OK but not the authentication.



access-reject

2004-11-10 Thread carlos akitani

Hi, I am using freeradius-1.0.1 with redhat8, but I always get access-reject (I'm using NTRadping on Windows XP for the test). The user-name, password and secret I use for the test are those I've declared in the users and clients.conf files. The radius server always says "group authorize return ok" for the request but says after "auth" "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. Login incorrect". Please, how do I solve that problem? Carlos


RE: Cisco VoIP

2004-08-18 Thread Juan Carlos Ocasio

Greg,

I have been searching for the same information and have not found much. If I
could get pointed in the right direction or get it working, I don't have a
problem with documenting

Good Luck,

JC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory D. Burns
Sent: Wednesday, August 18, 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: Cisco VoIP

Group,

I have used freeradius to collect CDRs from Cisco before. But I want to learn
how much can really be done, and also wanted to allow my customers to do some
config changes (like adding new gateways) from a web interface. At this point
I'm doing a lot of reading and testing, but I notice a lot of what
I'm reading does not apply to using it for Cisco VoIP CDRs.

So my question is: does anyone know of a good web page, news group, IRC, or
whatever, that talks about using freeradius on VoIP gateways?

-Greg

Missing module freeradius-rlm_perl

2004-07-22 Thread Carlos Tinajero




I need module freeradius-rlm_perl.

Any ideas where to get it? I have a RH ES 3 machine.


Re: Can I config freeradius to separate IP address?

2004-07-22 Thread Carlos Gaule Pantoja
Hello Chanin!
One alternative is VLAN, but this requires a VLAN-capable AP, like the cisco
1100...

Another is to capture the MAC address in the login phase, and recompute
the firewall rules... but I am not sure if you have in freeradius the
MAC address of the user in the login phase... (I'm thinking... launch some
script via rlm_exec)

Talking to the dhcp server is a loss of time, because it doesn't support
scripted assignment of configurations...

CArlos.-

Chanin Luangingkasut wrote:
Hello All,
Now I am using eap_tls to authenticate users, and I want to
separate subnets for staff in the building and visitors.
If a client's authentication succeeds it gets an ip in subnet
192.168.1.xxx, but clients that don't have the client CA cannot
authenticate on the radius server, and are forwarded to dhcp server2 to
get an ip in subnet 192.168.2.xxx. I don't know about this feature!!
Can I do this? Please let me know.
See the picture at this URL:
http://www.buraphalinux.org/~chanin/activities/Wireless/Plan1.jpg
Thank you.
 




freeRadius on Red Hat ES 3

2004-07-21 Thread Carlos Tinajero




I am getting an error when I try to install freeRadius on a Red Hat ES 3
machine.  This is the error:

error: Failed dependencies:
ld.so.1 is needed by freeradius-0.9.3-2

Any ideas if freeRadius is supported on this version of RH?  If so, where
can I get this module?


Re: Cisco-AVPair attribute

2004-07-21 Thread Carlos Gaule Pantoja
ngl wrote:
Hello.
I have freeradius-0.9.3 with PostgreSQL.
How can i process multiple Cisco-AVPair attributes?
regards,
Nik

 

Try +=
CArlos.-


MAC address log in 802.1x

2004-07-19 Thread Carlos Gaule Pantoja
Hi!
I'm implementing 802.1x EAP-TLS and EAP-PEAP with postgresql. All works
fine, but I need to generate three groups of users: red, yellow and
green... the green group is for guests (who do not have any certificate) who
only have permission for web browsing on intranet servers, the yellow
group can browse the internet and intranet, but with a bandwidth limit and
time restriction, and the red group members have full internet and
intranet access.

I'm searching for alternatives for this kind of implementation, and VLAN
is the most accurate for this, but this is not supported by my AP :(
(cheap AP, Dlink 2000AP+).

One alternative is to capture the MAC address when the user is logged in
and then recompute the firewall rules for the kind of user group, yeah...
ok, this has a lot of weaknesses, but it is the best effort with this model
of APs.

Any ideas? Throwing the actual APs in the garbage is not an alternative... :D
CArlos.-


Need Help SQL realm

2004-06-09 Thread carlos collart
Hi

I'm using freeradius 0.9.3/suse 8.2/mysql 3.23.55-Max
It's working fine... but in my logs I have this error and I don't know how to
fix it.
10.6.6.10 is a Packeteer...
Any help plz  :(

Wed Jun  9 16:27:03 2004 : Error: rlm_sql (sql): Couldn't update SQL
accounting for Acct On/Off packet - You have an error in your SQL syntax
near 'WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress=
'10.6.6.10' AND Acc' at line 1



Atte
CC




Restrict User to a NAS/Colubris network

2004-04-14 Thread carlos collart
Hi,
I love Freeradius-MySQL-Dialupadmin ... It fixed my problem in a very
inexpensive way.
I have a SuSE 8.2 box running Freeradius 0.9.3, MySQL 3.23.55-Max, Apache2 and I
want:

-to validate a Username only with the NAS-IP-Address
For example, the username hotel can only access hotspot1 (NAS-IP)
with/without any password.
(I need the Username/NAS-IP for accounting purposes)

-miscellaneous question about the Colubris Networks CN3000 Wireless Access
Controller
I don't understand the AVPair--MySQL...
I have to put the attribute value Colubris-AVPair in the radreply (or
radgroupreply) table

INSERT INTO `radgroupreply`
(`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES
(112, 'colubris', 'Colubris-AVPair', ':=', 'default-user-smtp-redirect=smtp.hn', 0),
(113, 'colubris', 'Colubris-AVPair', ':=', 'access-list=all,ACCEPT,tcp,216.236.210.205,80', 0);

Or this way
INSERT INTO `radgroupreply`
(`id`, `GroupName`, `Attribute`, `op`, `Value`, `prio`) VALUES
(112, 'colubris', 'default-user-smtp-redirect', ':=', 'smtp.hn', 0),
(113, 'colubris', 'access-list', ':=', 'all,ACCEPT,tcp,216.236.210.205,80', 0);


Atte.
CC
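
How the reply operators treat a repeated attribute, which is what both the "Try +=" answer to the Cisco-AVPair question and the two Colubris-AVPair rows above hinge on: this is an added, simplified Python model of the documented `=`, `:=` and `+=` reply-item semantics, not FreeRADIUS or rlm_sql code, and the function name is hypothetical. The rows are constructed from the first INSERT in the post.

```python
def build_reply(rows):
    """Apply (attribute, op, value) reply rows in order and return the reply list.

    Simplified model of the documented reply-item operators:
      =   add only if no attribute of that name is already in the reply
      :=  replace every attribute of that name (add if there is none)
      +=  always append, so several values of one attribute survive
    """
    reply = []
    for attribute, op, value in rows:
        present = any(name == attribute for name, _ in reply)
        if op == "=":
            if not present:
                reply.append((attribute, value))
        elif op == ":=":
            reply = [(n, v) for n, v in reply if n != attribute]
            reply.append((attribute, value))
        elif op == "+=":
            reply.append((attribute, value))
        else:
            raise ValueError(f"unsupported reply operator: {op!r}")
    return reply


# Constructed rows modelled on the first INSERT in the post (both use ':=').
ROWS_REPLACE = [
    ("Colubris-AVPair", ":=", "default-user-smtp-redirect=smtp.hn"),
    ("Colubris-AVPair", ":=", "access-list=all,ACCEPT,tcp,216.236.210.205,80"),
]
# The same values with the second row appended instead of replacing.
ROWS_APPEND = [
    ("Colubris-AVPair", ":=", "default-user-smtp-redirect=smtp.hn"),
    ("Colubris-AVPair", "+=", "access-list=all,ACCEPT,tcp,216.236.210.205,80"),
]

if __name__ == "__main__":
    for label, rows in (("replace", ROWS_REPLACE), ("append", ROWS_APPEND)):
        print(label, build_reply(rows))
```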




RE: How do I make a user account expire after x minutes

2004-01-13 Thread carlos collart
Yeah, I want that too... Is there any Howto around?


 Atte.
 CC
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Krall
Sent: Tuesday, January 13, 2004 02:10 p.m.
To: [EMAIL PROTECTED]
Subject: How do I make a user account expire after x minutes

Is there a list some place of all attributes that can be assigned in the
users file?

I am trying to set up a wireless hotspot. I want to configure 100 user
accounts that expire after 30-120 minutes. All of the examples never expire.

Thanks,
SKrall
[EMAIL PROTECTED]
