assign vlan per group or per user
Hi, my first post! I need to configure one RADIUS server with LDAP integration and dynamic VLAN assignment per user or group. I didn't find any documentation about these procedures; does someone know any URL about this?

Thank you!
[]s

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAPv2 change password not working in master
> On 16/11/12 11:43, Carlos Velasco wrote:
>
>> I don't see LM hashes allowed in the Radius attributes for password
>> change. Cisco doesn't seem to be using them.
>
> Sorry yes ignore me; I'm being dumb.
>

Ok. After further findings... it is a bug in Cisco IOS router version 15.1M. Downgrading to 15.0M works fine.

I have seen that after "Password change successful", the module tries to authenticate the user again but with a wrong password, I suppose: "Logon failure".

Radius logs:
===
rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=13, length=755
	User-Name = "NIMASTELECOM\\testpw"
	MS-CHAP-Challenge = 0x3145a0bc1fc2c0e4e69b8ff555861037
	MS-CHAP2-CPW = 0x07024dbbd90bfd0760d77899ba7604a84c21b220a1fc49be375f9bad552ab92ee06bbb63180ea5a0e43f62c0abd2b8b1d6f0795780b2074dec69
	MS-CHAP-NT-Enc-PW = 0x0602000176116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb52114017
	MS-CHAP-NT-Enc-PW = 0x060200025ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d582
	MS-CHAP-NT-Enc-PW = 0x060200030c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bdd1e8aa3c0856e6e9bc3a8c25d7efd28ba6525d78f01bf43ca6997dd2e48d6897ced164b539a76fb6
	NAS-Port-Type = Virtual
	Cisco-NAS-Port = "85.112.6.36"
	NAS-Port = 0
	NAS-Port-Id = "85.112.6.36"
	Service-Type = Login-User
	NAS-IP-Address = 10.112.14.2
	Event-Timestamp = "Nov 16 2012 14:19:36 CET"
(17) # Executing section authorize from file /etc/raddb/sites-enabled/vpn_nimas_tk
(17) group authorize {
(17) - entering group authorize {...}
(17) mschap-vpn_nimas_tk : Found MS-CHAP attributes. Setting 'Auth-Type = mschap-vpn_nimas_tk'
(17) [mschap-vpn_nimas_tk] = ok
(17) ? if (!control:Auth-Type)
(17) ? Evaluating !(control:Auth-Type) -> FALSE
(17) ? if (!control:Auth-Type) -> FALSE
(17) detail-vpn_nimas_tk-auth : expand: /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d -> /var/log/radius/radacct/vpn_nimas_tk-auth-20121116
(17) detail-vpn_nimas_tk-auth : /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to /var/log/radius/radacct/vpn_nimas_tk-auth-20121116
(17) detail-vpn_nimas_tk-auth : expand: %t -> Fri Nov 16 14:19:36 2012
(17) [detail-vpn_nimas_tk-auth] = ok
(17) Found Auth-Type = MSCHAP
(17) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk
(17) group MS-CHAP {
(17) - entering group MS-CHAP {...}
(17) mschap-vpn_nimas_tk : MS-CHAPv2 password change request received
(17) mschap-vpn_nimas_tk : Password change payload valid
(17) mschap-vpn_nimas_tk : Doing MS-CHAPv2 password change via ntlm_auth helper
(17) mschap-vpn_nimas_tk : expand: username: %{mschap-vpn_nimas_tk:User-Name} -> username: testpw
(17) mschap-vpn_nimas_tk : expand: nt-domain: %{mschap-vpn_nimas_tk:NT-Domain} -> nt-domain: NIMASTELECOM
(17) mschap-vpn_nimas_tk : new_nt_password: 118, Write buf: new-nt-password-blob: [...]! d78f01bf 43ca6997dd2e48d6897ced164b539a76fb6
(17) mschap-vpn_nimas_tk : old_nt_ha
Re: MS-CHAPv2 change password not working in master
> On 11/16/2012 11:27 AM, Carlos Velasco wrote:
>
>> According to RFC2548, after 0x0701 should be the "Encrypted-Hash",
>> 16 octets, but they are all 00.
>>
>> I am trying to find out why; seems a bug in Cisco part. But I think
>> this works fine with Cisco ACS radius. :S
>
> The CPW packet lets you send the NT and/or LM hashes.
>
> The "ntlm_auth" code supports (and sends) both, but it's very likely
> that support for LM hashes has been disabled on your domain; they're
> horribly insecure and deprecated.
>
> My guess is the Cisco has old code. LM hashes were "easy" so older code
> tends to support them.
>

Mmm, well, the "Encrypted-Hash" should be an NT hash.

===
Encrypted-Hash
   The Encrypted-Hash field is 16 octets in length. It contains the old Windows NT password hash encrypted with the new Windows NT password hash.
===

I don't see LM hashes allowed in the Radius attributes for password change. Cisco doesn't seem to be using them.

I am trying to make some findings. Maybe installing ACS and testing to see any difference.
Re: MS-CHAPv2 change password not working in master
> On 11/16/2012 10:00 AM, Carlos Velasco wrote:
>
>> windows popup in Cisco VPN client, but the change password process fails:
>> ntlm_auth said: Password-Change: No Password-Change-Error: Wrong
>> Password . .
>> Looking into code I suppose the problem is something with the old NT
>> hash, but not an expert here. Any help would be appreciated.
>>
>> In these logs the user is "NIMASTELECOM\testpw".
>> The current password is "y58R41ut8W" (expired).
>> And the new password used was "H6eEWu7r65tw38ert1".
>
> There *might* be a bug in the CPW code, but I can't really see how; it
> tested fine when I wrote it, and the crypto/hash/blob stuff doesn't
> really leave room for "only if CONDITION X do something invalid".
>
> I'll take a look a little bit later but in the meantime can you confirm
> that if you clear the "must change password", auth works fine with the
> old/current password?

Yes, auth works fine without "Must change".

I think I have found the problem.

MS-CHAP2-CPW = 0x07014194697300c611e68e661957a30d001541eb18eb29a0ebb20ff232620f708e68e27f251767ccd306

According to RFC2548, after 0x0701 should be the "Encrypted-Hash", 16 octets, but they are all 00.

I am trying to find out why; seems a bug in Cisco part. But I think this works fine with Cisco ACS radius. :S
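The RFC 2548 layout that this message and the reply above both rely on, as an added example that is not code from the thread, FreeRADIUS or Cisco: a small Python checker that parses an MS-CHAP2-CPW value, flags the all-zero Encrypted-Hash condition reported here, and reassembles MS-CHAP-NT-Enc-PW fragments like the three seen in the capture in the other reply. All sample values are constructed; the field sizes follow RFC 2548, and the Sequence-Number is assumed to run from 1 as in that capture.

```python
# Added example (not FreeRADIUS or Cisco code): structural checks for the
# RFC 2548 MS-CHAPv2 password-change attributes discussed in this thread.
# MS-CHAP2-CPW value (section 2.3.4), after Vendor-Type/Vendor-Length:
#   Code(1)=7 | Ident(1) | Encrypted-Hash(16) | Peer-Challenge(16) |
#   Reserved(8) | NT-Response(24) | Flags(2)                 -> 68 octets
# MS-CHAP-NT-Enc-PW fragments (section 2.3.2):
#   Code(1)=6 | Ident(1) | Sequence-Number(2) | String(<=243)
# and the concatenated Strings form the 516-octet encrypted password blob.
import struct
from dataclasses import dataclass

CPW_CODE = 7
CPW_LEN = 68
CPW_FMT = "!BB16s16s8s24sH"

NT_ENC_PW_CODE = 6
ENC_PW_BLOB_LEN = 516
ENC_PW_FRAG = 243


@dataclass(frozen=True)
class MsChap2Cpw:
    ident: int
    encrypted_hash: bytes   # old NT hash encrypted with the new NT hash
    peer_challenge: bytes
    nt_response: bytes
    flags: int


def parse_cpw(value: bytes) -> MsChap2Cpw:
    """Split an MS-CHAP2-CPW value into its fields, rejecting malformed input."""
    if len(value) != CPW_LEN:
        raise ValueError(f"MS-CHAP2-CPW must be {CPW_LEN} octets, got {len(value)}")
    code, ident, enc_hash, peer, reserved, nt_resp, flags = struct.unpack(CPW_FMT, value)
    if code != CPW_CODE:
        raise ValueError(f"MS-CHAP2-CPW Code must be {CPW_CODE}, got {code}")
    if any(reserved):
        raise ValueError("MS-CHAP2-CPW Reserved field must be zero")
    return MsChap2Cpw(ident, enc_hash, peer, nt_resp, flags)


def cpw_problems(cpw: MsChap2Cpw) -> list[str]:
    """Problems a server should log before handing the request to ntlm_auth.

    An all-zero Encrypted-Hash is the symptom in this thread: the server
    cannot recover the old NT hash, so the DC answers NT_STATUS_WRONG_PASSWORD.
    """
    problems = []
    if not any(cpw.encrypted_hash):
        problems.append("Encrypted-Hash is all zeros; the old NT hash cannot be recovered")
    if cpw.flags != 0:
        problems.append("Flags must be zero (reserved by RFC 2548)")
    return problems


def reassemble_nt_enc_pw(fragments: list[bytes]) -> bytes:
    """Join MS-CHAP-NT-Enc-PW fragments (any order) into the 516-octet blob.

    Sequence-Numbers are assumed to run 1..n with no gaps, as in the capture.
    """
    chunks: dict[int, bytes] = {}
    idents = set()
    for frag in fragments:
        if len(frag) < 5:
            raise ValueError("MS-CHAP-NT-Enc-PW fragment too short")
        code, ident, seq = struct.unpack("!BBH", frag[:4])
        if code != NT_ENC_PW_CODE:
            raise ValueError(f"MS-CHAP-NT-Enc-PW Code must be {NT_ENC_PW_CODE}, got {code}")
        if seq in chunks:
            raise ValueError(f"duplicate Sequence-Number {seq}")
        idents.add(ident)
        chunks[seq] = frag[4:]
    if len(idents) != 1:
        raise ValueError("fragments do not share one Ident")
    if sorted(chunks) != list(range(1, len(chunks) + 1)):
        raise ValueError(f"Sequence-Numbers not contiguous from 1: {sorted(chunks)}")
    blob = b"".join(chunks[s] for s in sorted(chunks))
    if len(blob) != ENC_PW_BLOB_LEN:
        raise ValueError(f"encrypted blob must be {ENC_PW_BLOB_LEN} octets, got {len(blob)}")
    return blob


# --- constructed sample data (not taken from the capture on this page) -------
def build_cpw(ident: int, enc_hash: bytes, flags: int = 0) -> bytes:
    """Build a CPW value with deterministic filler for challenge and response."""
    return struct.pack(CPW_FMT, CPW_CODE, ident, enc_hash,
                       bytes(range(16)), bytes(8), bytes(range(24)), flags)


def build_nt_enc_pw(ident: int, blob: bytes) -> list[bytes]:
    """Fragment a 516-octet blob into 243-octet MS-CHAP-NT-Enc-PW values."""
    return [struct.pack("!BBH", NT_ENC_PW_CODE, ident, seq) + blob[off:off + ENC_PW_FRAG]
            for seq, off in enumerate(range(0, len(blob), ENC_PW_FRAG), start=1)]


GOOD_CPW = build_cpw(1, bytes(range(1, 17)))   # non-zero Encrypted-Hash
ZERO_HASH_CPW = build_cpw(1, bytes(16))        # the condition seen in the thread
SAMPLE_BLOB = bytes(i % 256 for i in range(ENC_PW_BLOB_LEN))

if __name__ == "__main__":
    for name, raw in (("good", GOOD_CPW), ("zero-hash", ZERO_HASH_CPW)):
        print(name, cpw_problems(parse_cpw(raw)) or "ok")
    frags = build_nt_enc_pw(1, SAMPLE_BLOB)
    print("fragment sizes:", [len(f) for f in frags],
          "reassembled:", reassemble_nt_enc_pw(frags[::-1]) == SAMPLE_BLOB)
```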
Re: MS-CHAPv2 change password not working in master
> Looking into code I suppose the problem is something with the old NT
> hash, but not an expert here. Any help would be appreciated.

Adding some debug to code, this seems really wrong:

(1) mschap-vpn_nimas_tk : old_nt_hash: 3497295200 || Write buf: old-nt-hash-blob:

	len = sprintf(buf, "old-nt-hash-blob: ");
	fr_bin2hex(old_nt_hash, buf+len, 16);
	buf[len+32] = '\n';
	buf[len+33] = '\0';
	len = strlen(buf);
++	RDEBUG2("old_nt_hash: %u || Write buf: %s", old_nt_hash, buf);
	if (write_all(to_child, buf, len) != len) {
		RDEBUG2("failed to write old hash blob to child");
		goto ntlm_auth_err;
	}
MS-CHAPv2 change password not working in master
  [ 9918]: request interface version
[2012/11/16 10:39:06.810906, 10] winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9918:INTERFACE_VERSION]: delivered response to client
[2012/11/16 10:39:06.810964, 10] winbindd/winbindd.c:644(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/11/16 10:39:06.811002, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 9918]: request location of privileged pipe
[2012/11/16 10:39:06.811068, 10] winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9918:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2012/11/16 10:39:06.87, 6] winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
[2012/11/16 10:39:06.811171, 6] winbindd/winbindd.c:794(new_connection)
  accepted socket 25
[2012/11/16 10:39:06.811227, 10] winbindd/winbindd.c:617(process_request)
  process_request: Handling async request 9918:PAM_AUTH_CRAP
[2012/11/16 10:39:06.811266, 3] winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send)
  [ 9918]: pam auth crap domain: [NIMASTELECOM] user: testpw
[2012/11/16 10:39:07.071142, 10] winbindd/winbindd.c:679(wb_request_done)
  wb_request_done[9918:PAM_AUTH_CRAP]: NT_STATUS_PASSWORD_MUST_CHANGE
[2012/11/16 10:39:07.071243, 10] winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9918:PAM_AUTH_CRAP]: delivered response to client
[2012/11/16 10:39:07.071320, 6] winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
[2012/11/16 10:39:20.825567, 6] winbindd/winbindd.c:794(new_connection)
  accepted socket 25
[2012/11/16 10:39:20.825731, 10] winbindd/winbindd.c:644(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/11/16 10:39:20.825780, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 9957]: request interface version
[2012/11/16 10:39:20.825851, 10] winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:INTERFACE_VERSION]: delivered response to client
[2012/11/16 10:39:20.825916, 10] winbindd/winbindd.c:644(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/11/16 10:39:20.825960, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 9957]: request location of privileged pipe
[2012/11/16 10:39:20.826035, 10] winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2012/11/16 10:39:20.826106, 6] winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
[2012/11/16 10:39:20.826169, 6] winbindd/winbindd.c:794(new_connection)
  accepted socket 25
[2012/11/16 10:39:20.826235, 10] winbindd/winbindd.c:644(process_request)
  process_request: request fn DOMAIN_NAME
[2012/11/16 10:39:20.826279, 3] winbindd/winbindd_misc.c:394(winbindd_domain_name)
  [ 9957]: request domain name
[2012/11/16 10:39:20.826341, 10] winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:DOMAIN_NAME]: delivered response to client
[2012/11/16 10:39:20.826497, 10] winbindd/winbindd.c:617(process_request)
  process_request: Handling async request 9957:PAM_CHNG_PSWD_AUTH_CRAP
[2012/11/16 10:39:20.826544, 3] winbindd/winbindd_pam_chng_pswd_auth_crap.c:57(winbindd_pam_chng_pswd_auth_crap_send)
  [ 9957]: pam change pswd auth crap domain: NIMASTELECOM user: testpw
[2012/11/16 10:39:20.856407, 10] winbindd/winbindd.c:679(wb_request_done)
  wb_request_done[9957:PAM_CHNG_PSWD_AUTH_CRAP]: NT_STATUS_WRONG_PASSWORD
[2012/11/16 10:39:20.856498, 10] winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[9957:PAM_CHNG_PSWD_AUTH_CRAP]: delivered response to client
[2012/11/16 10:39:20.856674, 6] winbindd/winbindd.c:842(winbind_client_request_read)
  closing socket 25, client exited
===

Regards,
Carlos Velasco
rlm_sql don't re-connect after mysql failure
Hi,

I'm using freeradius-2.1.11 and I have a problem with the MySQL connection. If the MySQL server goes down, freeradius doesn't reconnect until it is restarted.

The logfile looks like this, but the MySQL server is UP again:

rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql: Connected new DB handle, #0
rlm_sql : failed after re-connect

*** this error repeats until I go restart freeradius

Thanks
Jean
Re: View attributes of an connection
Thanks Arran, it works for me.

The reason I need this is because a module is not setting an attribute, see the log:

Mon Jul 25 18:04:03 2011 : Debug: rlm_backcounter/time-limit: (rlm_backcounter.c#780) backcounter_authorize(): user prepago is over limit - adding 'Monthly-Time-Exceeded' attribute
Mon Jul 25 18:04:03 2011 : Debug: rlm_sql (sql): Released sql socket id: 3
Mon Jul 25 18:04:03 2011 : Info: ++[time-limit] returns ok
Mon Jul 25 18:04:03 2011 : Info: expand: %{Monthly-Time-Exceeded} ->

In the source of the module I have this:

vp = radius_paircreate(request, &request->reply->vps, data->overvap_attr, PW_TYPE_INTEGER);
vp->vp_integer = 1;

Any help?

On 25-07-2011 17:44, Arran Cudbard-Bell wrote:
> Make that:
>
> update request {
>   Tmp-String-0 := "%{variable I want to expand}"
> }
>
>
> On 25 Jul 2011, at 22:34, Arran Cudbard-Bell wrote:
>
>>
>> On 25 Jul 2011, at 22:24, Jean Carlos Oliveira Guandalini wrote:
>>
>>> I need to find the value of an attribute created by a module; is it
>>> possible? radiusd -X or radiusd -xxx does not show these values.
>>
>> Sure, you just need to expand it somewhere.
>>
>> update request {
>>   Tmp-String-0 := "%{variable I want to expand}
>> }
>>
>> -Arran
>>
>> Arran Cudbard-Bell
>> a.cudba...@freeradius.org
>>
>> RADIUS - Half the complexity of Diameter
>>
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> RADIUS - Half the complexity of Diameter
>
View attributes of an connection
I need to find the value of an attribute created by a module; is it possible? radiusd -X or radiusd -xxx does not show these values.

Thanks
Jean
Problem with module and users file
Hello, I'm using the backcounter (rlm_backcounter) module. This module sets an attribute and this attribute is compared in the USERS file. Freeradius version 2.1.11.

users file:
DEFAULT Monthly-Time-Exceeded == 1
	Framed-Pool = "exceeded",
	Fall-Through = Yes

The problem is that freeradius never matches this entry in the users file.

In the source code of rlm_backcounter these lines are used to create the attribute:
vp = radius_paircreate(request, &request->reply->vps, data->overvap_attr, PW_TYPE_INTEGER);
vp->vp_integer = 1;

The module is running, see the logs:
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit: (rlm_backcounter.c#615) backcounter_authorize(): resetting user 'prepago' counter
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit: (rlm_backcounter.c#653) backcounter_authorize(): using resetval defined in radreply: 0
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit: (rlm_backcounter.c#780) backcounter_authorize(): user prepago is over limit - adding 'Monthly-Time-Exceeded' attribute
Wed Jul 20 11:06:26 2011 : Debug: rlm_backcounter/time-limit: (rlm_backcounter.c#788) backcounter_authorize(): data->overvap_attr = 3102
Wed Jul 20 11:06:26 2011 : Debug: rlm_sql (sql): Released sql socket id: 1
Wed Jul 20 11:06:26 2011 : Info: ++[time-limit] returns ok
Wed Jul 20 11:06:26 2011 : Info: [files] users: Matched entry DEFAULT at line 144
Wed Jul 20 11:06:26 2011 : Info: ++[files] returns ok

Is there some setting that needs to be made to accept this attribute?

*** I used this module with freeradius-1.1.8 without problems, but we need to run it on freeradius-2.x

Thanks
Jean
Re: Help debugging unstable server
Thanks... I was trying not to use the FreeRadius version distributed in CentOS. But if there is no other way...

On Sun, Jul 3, 2011 at 1:32 PM, Fajar A. Nugraha wrote:
> On Sun, Jul 3, 2011 at 7:40 PM, Carlos Eduardo Tavares Terra wrote:
> >
> > Today I have 2 freeradius servers running... Both of them in a CentOS 5.6.
> > The first is stable, without problems running freeradius 1.1.3.
> > The second is running freeradius 2.1.7 and in the last 3 months became very unstable.
> > After some time running the threads just shut down...
> > Reading the /var/log/radius/radius.log, the only message at the moment of the problem is:
> > Sun Jul 3 06:53:41 2011 : Info: Exiting normally.
> > When I check the running processes, the radiusd is running... the 'service radiusd status' command displays the pid of the running daemon... but radiusd is not listening on the network ports anymore.
> > I tried to keep the radius in debug mode (radiusd -) for a week, but in this case the problem didn't happen.
> > Is there some way to force the radiusd to print why it is exiting 'normally'??
> > Thanks
>
> If you look at the 2.1.x changelog (from http://freeradius.org/press/index.html for example), there were lots of fixes after 2.1.7 was released, including stability fixes. Without any additional data, my best advice right now is to try rebuilding Centos's freeradius2 SRPM, but update the source to 2.1.10.
>
> Try 2.1.10 first instead of 2.1.11, as 2.1.11 requires some additional fix (available in git).
>
> --
> Fajar
>

--
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
IT Infrastructure Consultant
GNU/Linux #413291 [http://counter.li.org]
Help debugging unstable server
Today I have 2 freeradius servers running... Both of them in a CentOS 5.6.
The first is stable, without problems running freeradius 1.1.3.
The second is running freeradius 2.1.7 and in the last 3 months became very unstable.

After some time running the threads just shut down...
Reading the /var/log/radius/radius.log, the only message at the moment of the problem is:

Sun Jul 3 06:53:41 2011 : Info: Exiting normally.

When I check the running processes, the radiusd is running... the 'service radiusd status' command displays the pid of the running daemon... but radiusd is not listening on the network ports anymore.

I tried to keep the radius in debug mode (radiusd -) for a week, but in this case the problem didn't happen.

Is there some way to force the radiusd to print why it is exiting 'normally'??

Thanks

--
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
IT Infrastructure Consultant
GNU/Linux #413291 [http://counter.li.org]
Re: Error with Thread
Thanks for your advice, I really think we have a problem with the DB, because the problem only happens when there are many authentication requests simultaneously.

Thanks again.
Jean

On 29-06-2011 10:46, Fajar A. Nugraha wrote:
> On Wed, Jun 29, 2011 at 8:29 PM, Jean Carlos Oliveira Guandalini wrote:
>> Unfortunately I cannot update the version because one module that we use
>> does not run correctly in newer versions
>>
>
> That sucks :P
>
> If I were you I'd start investing in reimplementing that module so
> it's compatible with newer 2.x. Possibly even rewriting it in perl so
> it can be run with rlm_perl.
>
>> If I use MySQL (InnoDB) instead of MyISAM, maybe it helps with table locks and
>> consequently better performance?
>
> When someone asks me that question, usually it's a sign that they know
> very little about databases. And my best advice would be "get a dba".
>
> The reason is that:
> - Note that I said GUESS previously. You need to determine whether it
> IS in fact the database that's slow. That would require some knowledge
> about the database being used, including how to find out what is
> causing the most load. This is a skill that a dba will have.
> - Innodb and MyISAM have their own strengths/weaknesses, but I've never
> had a case where JUST changing the storage engine would automagically
> solve all problems. Storage engine selection and tuning is usually part
> of the solution, but it's not the ONLY one. In fact, I'd say when it
> comes to performance, indexes matter more than storage engine type.
> Again, this is a skill that a dba will have.
> - The default queries used by freeradius are fairly simple and
> straightforward. Thus, the effort/skill required to make it "faster"
> is pretty much the normal things that a dba would do for a common
> database. These might include (but are not limited to) optimizing indexes,
> table definitions, queries, partitioning, clustering, and so on.
> Again, this is a skill that a dba will have.
>
> So my best advice right now is find out if the db is the cause of the
> slow response (running "top" on the db server would be a good start).
> If it is, get help from a dba or ask in the db's respective
> forum/list.
>
> If it's not, well, I'd start with running "radiusd -X", simulate with
> a test auth/acct packet, and see where it's taking the most time.
>
Re: Error with Thread
Unfortunately I cannot update the version because one module that we use does not run correctly in newer versions.

If I use MySQL (InnoDB) instead of MyISAM, maybe it helps with table locks and consequently better performance?

Thanks
Jean

On 29-06-2011 10:10, Fajar A. Nugraha wrote:
> On Wed, Jun 29, 2011 at 6:32 PM, Jean Carlos Oliveira Guandalini wrote:
>> Hello, I'm using version 1.1.8, my OS is Linux (Gentoo).
>
> The usual response would be "upgrade". 1.x is not supported anymore.
>
>>
>> My server stops and logs this:
>> Error: FATAL: Thread create failed: Resource temporarily unavailable
>>
>> Before this log, I have:
>> Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
>> client client1:41250 - ID: 195 due to unfinished request 155365
>> Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from
>> client client2:59253 - ID: 235 due to unfinished request 155374
>
> My guess is freeradius is busy handling requests that took a long
> time. Usually this happens when your backend (e.g. db) takes a long
> time to process the request, which is quite common if (for example)
> you record accounting packets in a database, and never clean it up so it
> has millions of rows. Or your db is not properly designed (e.g. not
> indexed on the right columns). Or you're using custom queries which
> cause high load on the db.
>
> In any case, I'd start by fixing whatever backend you use first, make
> sure it can respond in a timely manner.
>
Error with Thread
Hello, I'm using version 1.1.8, my OS is Linux (Gentoo).

My server stops and logs this:
Error: FATAL: Thread create failed: Resource temporarily unavailable

Before this log, I have:
Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from client client1:41250 - ID: 195 due to unfinished request 155365
Wed Jun 29 00:16:13 2011 : Error: Dropping conflicting packet from client client2:59253 - ID: 235 due to unfinished request 155374

My config for starting the server is:
start_servers = 200
max_servers = 200
min_spare_servers = 10
max_spare_servers = 200
max_requests_per_server = 0

The server only returns if I restart the service.

Thanks
Jean
Re: ..::Huntgroup Issues::..
Maybe the problem is here:

rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139, length=58
	User-Name = "steve2"
	User-Password = "testing"
	*NAS-IP-Address = 192.168.2.251*
	NAS-Port = 10

2010/9/1 Alfonso Alejandro Reyes Jiménez
> Thanks for the advice to everyone.
>
> As per your recommendation we changed the users file with the following line:
>
> steve2	Cleartext-Password := "testing", Huntgroup-Name == "arcsight"
>
> but we got the same result access-reject.
>
> And we got the following output:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139, length=58
> 	User-Name = "steve2"
> 	User-Password = "testing"
> 	NAS-IP-Address = 192.168.2.251
> 	NAS-Port = 10
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "steve2", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
>
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> *No authenticate method (Auth-Type) configuration found for the request: Rejecting the user*
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> steve2
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
>
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 139 to 127.0.0.1 port 6729
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 139 with timestamp +5
>
> I have a question: we removed the authentication value and the debug shows that it is looking for it, why is that?
>
> Maybe someone that has the huntgroups running can send examples of the users and huntgroups files, that may help a lot.
>
> Thanks in advance.
>
> Regards
>
> Alfonso.
>
> On 24/08/2010 04:46 a.m., Alan DeKok wrote:
>> Alfonso Alejandro Reyes Jiménez wrote:
>>> Hi, I'm trying to use the huntgroup feature on the freeradius software
>>> without luck. I think I'm missing something, that's why I'm sending this
>>> email; maybe you can help me.
>>
>> You should read the debug output of the server. The answer is in there.
>>
>>> users file at the end:
>>>
>>> alfonso Auth-Type := Local, User-Password == "testing", Huntgroup-Name == "squid"
>>
>> Don't set Auth-Type. Use "Cleartext-Password := ...", and not
>> "User-Password == ..."
>>
>>> Here's the output of the debug, it seems that it doesn't find the config file.
>>
>> No. It finds the DEFAULT entry earlier in the file.
>>
>> Why? This is documented. Read the comments at the top of the "users"
>> file. Read the "man users" page. Read the FAQ for an example of how to
>> configure a test user.
>>
>> Alan DeKok.
>

--
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
Linux Network Administration Consultant
GNU/Linux #413291 [http://counter.li.org]
sqlcounter and ldap backend
Hello,

I have installed freeradius + LDAP backend. I need to limit the connection time per user. I found sqlcounter as a solution but I have two problems:

1 - I need to take the values Max-Daily-Session and Max-Monthly-Session from LDAP and not from the MySQL DB.
2 - I need to terminate the connection when it reaches the maximum connection time.

Best regards,
Carlos A.

Sorry for my English, I speak Spanish.
Re: SQL Huntgroup only work with user check, not group check
On Thu, Sep 3, 2009 at 6:30 AM, George Koulyabin wrote:
>
>> +----+----------+--------------------+----+----------+
>> | id | username | attribute          | op | value    |
>> +----+----------+--------------------+----+----------+
>> |  5 | jack     | Huntgroup-Name     | == | wireless |
>> |  4 | jack     | Cleartext-Password | := | foo      |
>> +----+----------+--------------------+----+----------+
>
> You wrote rules for authorization/authentication of jack: Jack grants access
> from hardware of 'wireless' huntgroup with 'foo' password.

I wrote the rules for the huntgroup here because the rules in groupcheck didn't work. If I take this out, just keeping the groupcheck, 'jack' will connect from any hardware. The groupcheck is ignoring the huntgroups.

>
>> mysql> select * from radgroupcheck;
>> +----+-----------+----------------+----+----------+
>> | id | groupname | attribute      | op | value    |
>> +----+-----------+----------------+----+----------+
>> |  8 | wireless  | Huntgroup-Name | == | wireless |
>> +----+-----------+----------------+----+----------+
>
> But there You wrote that You want to authorize the 'wireless' membership
> for jack.

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Re: SQL Huntgroup only work with user check, not group check
On Wed, Sep 2, 2009 at 5:13 AM, Ivan Kalik wrote:
>> I am having trouble while trying to work with huntgroups. Maybe I
>> misunderstand the way huntgroups work.
>>
>> When I use 'Huntgroup-Name' into radcheck, everything works fine. But
>> when I put the 'Huntgroup-Name' into radgroupcheck, the radius is just
>> ignoring it.
>
> Nothing wrong with huntgroups. That's how sql groups work. If they don't
> match they are ignored - user doesn't get rejected.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Is there any way to reject if groupcheck fails?

Thanks

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
SQL Huntgroup only work with user check, not group check
Hello,

I am having trouble while trying to work with huntgroups. Maybe I misunderstand the way huntgroups work. I read another post about this issue, but I don't really understand why force the huntgroup name in confs.

I have inserted two NAS' into radhuntgroup, as follows:

mysql> select * from radhuntgroup;
+----+-----------+--------------+-----------+
| id | groupname | nasipaddress | nasportid |
+----+-----------+--------------+-----------+
|  5 | wireless  | 192.168.2.5  | NULL      |
|  4 | adsl      | 192.168.2.6  | NULL      |
+----+-----------+--------------+-----------+

And associated the user 'jack' with group wireless:

mysql> select * from radusergroup;
+----------+-----------+----------+----+
| username | groupname | priority | id |
+----------+-----------+----------+----+
| jack     | wireless  |        1 |  1 |
+----------+-----------+----------+----+

And created the rules for the user 'jack':

mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  5 | jack     | Huntgroup-Name     | == | wireless |
|  4 | jack     | Cleartext-Password | := | foo      |
+----+----------+--------------------+----+----------+

When I use 'Huntgroup-Name' into radcheck, everything works fine. But when I put the 'Huntgroup-Name' into radgroupcheck, the radius is just ignoring it.

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+----------+
| id | groupname | attribute      | op | value    |
+----+-----------+----------------+----+----------+
|  8 | wireless  | Huntgroup-Name | == | wireless |
+----+-----------+----------------+----+----------+

Does it only work this way? Am I doing something wrong?

Thanks

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
New FR server: CentOS 5 or Ubuntu 8
Hi all,

Please accept my apologies for this complicated question. I need to make a new FR server from sources with MySQL support, and I have only two OS options: CentOS 5 or Ubuntu 8. I used only FreeBSD before, but now I have only these two options.

Any suggestions?

Thx
RES: Is it possible to use FreeRADIUS as AAA in a Cellular Network?
The acct attributes are post auth... This I know.

I want to determine for the GGSN, at the auth moment, the "session time" and "traffic amount", so that after this time limit and traffic limit the session ends. I believe there is a VSA to determine this for the GGSN (session time and traffic amount for the session).

>
> Here are some Accounting Attributes;
>
> Acct-Session-Time
> Acct-Input-Octets
> Acct-Output-Octets
> Acct-Input-Packets
> Acct-Output-Packets
>
> In regard to data services, capturing "traffic amount (byte count)" is more pragmatic than relying on session time.
>
>
>
> On Sun, Dec 14, 2008 at 11:26 PM, Toledo, Luis Carlos wrote:
> >
> > Is it using the session-timeout RADIUS attribute? Are there some other
> > VSA to determine the session time or traffic amount?
> >
> >>
> >> No..but session-timeout RADIUS attribute
> >>
> >> On Sun, Dec 14, 2008 at 11:11 PM, Toledo, Luis Carlos wrote:
> >> >> Yes, By focusing mainly on attributes such as
> >> >> MSISDN(Calling-Station-Id) and GGSN/NAS(Called-Station-Id) as well as
> >> >> by deploying an IP assignment technique(using IPPOOL or otherwise).
> >> >>
> >> >> If you have specific queries, would be happy to attempt to answer.
> >> >>
> >> >
> >> > Do you know the GGSN "session time limit" attribute ?
> >> >
RES: Is it possible to use FreeRADIUS as AAA in a Cellular Network?
Is it to use the Session-Timeout RADIUS attribute? Are there some other VSAs to determine the session time or traffic amount?

> No..but session-timeout RADIUS attribute
>
> On Sun, Dec 14, 2008 at 11:11 PM, Toledo, Luis Carlos wrote:
> >> Yes, by focusing mainly on attributes such as MSISDN (Calling-Station-Id) and GGSN/NAS (Called-Station-Id) as well as by deploying an IP assignment technique (using IPPOOL or otherwise).
> >>
> >> If you have specific queries, would be happy to attempt to answer.
> >
> > Do you know the GGSN "session time limit" attribute?
RES: Is it possible to use FreeRADIUS as AAA in a Cellular Network?
> Yes, by focusing mainly on attributes such as MSISDN (Calling-Station-Id) and GGSN/NAS (Called-Station-Id) as well as by deploying an IP assignment technique (using IPPOOL or otherwise).
>
> If you have specific queries, would be happy to attempt to answer.

> Do you know the GGSN "session time limit" attribute?
Re: FreeRadius2 + MySQL: NAS x Usergroup
Many thanks... It is working now! :)

On Tue, Sep 9, 2008 at 5:11 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Carlos Eduardo Tavares Terra wrote:
>> Sorry, but maybe I didn't understand how virtual servers really work.
>
> raddb/sites-available/README
>
> Each virtual server is a RADIUS server, just like in 1.x. The only difference is that you don't need to run multiple processes to get multiple server configurations.
>
>> I have separated into different virtual servers because each type of service has different modules implemented by me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and different radius servers for each service. In each server I have modified the sql queries
>
> i.e. in 1.x, you modified the SQL queries in the sql module configuration, for each server. i.e. you were running TWO different instances of the SQL module.
>
> I think the problem is that you're trying to use only ONE instance of the SQL module in 2.x. Instead, do this in the "modules" section:
>
> sql sql1 {
>     ... content from 1.x server1, INCLUDING queries
> }
>
> sql sql2 {
>     ... content from 1.x server2, INCLUDING queries
> }
>
> Then, use "sql1" in the virtual server for server1, and "sql2" in the virtual server for sql2.
>
> Alan DeKok.

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
Out of memory problem
Hello,

I am using version 1.1.7 with authentication/accounting in MySQL (rlm_sql). The problem is that memory use increases until it is exhausted. dmesg messages:

Out of Memory: Killed process 28272 (radiusd).
Out of Memory: Killed process 1149 (radiusd).
Out of Memory: Killed process 1155 (radiusd).

The problem can only be solved by restarting or reloading radiusd. After restarting, memory use goes back to normal. Is it a bug in this version? A kernel problem? (kernel version is 2.6.15)

Thanks

Sorry for my English
Re: FreeRadius2 + MySQL: NAS x Usergroup
Sorry, but maybe I didn't understand how virtual servers really work.

I have one big user base. The users can be in one or more groups.

User: John - Group: dialup
User: John - Group: broadband
User: Jack - Group: dialup
User: Jack - Group: hotspot

John and Jack are in my radcheck and radusergroup tables.

radcheck:
  Username: John                Username: Jack
  Attribute: Password           Attribute: Password
  Op: :=                        Op: :=
  Value: crypt('test')          Value: crypt('test2')

My NAS clients are in the database too.

nas:
  nasname: 192.168.2.2          nasname: 192.168.2.3
  shortname: dialup-nas         shortname: broadband-nas
  type: cisco                   type: cisco
  secret: secret-password       secret: secret-password
  server: dialup                server: broadband

My problem is here:

  expand: %{User-Name} -> John
  rlm_sql (sql): sql_set_user escaped user --> 'John'
  rlm_sql (sql): Reserving sql socket id: 2
  expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John' ORDER BY id
  rlm_sql (sql): User found in radcheck table
  expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'John' ORDER BY id
  expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'John' ORDER BY priority
  expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
  rlm_sql (sql): User found in group dialup
  expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
  rlm_sql (sql): Released sql socket id: 2

John is connecting through broadband-nas, but freeradius is getting the dialup groupname and all its checks and replies. Dialup and broadband have the same priority in the radusergroup table. I wish to 'force' something like 'dialup-nas' -> 'dialup group', 'broadband-nas' -> 'broadband group'.

Maybe I'm going the wrong way. I have separated into different virtual servers because each type of service has different modules implemented by me. In freeradius1 I was using the groupreply 'Exec-Program-Wait' and different radius servers for each service. In each server I modified the sql queries to get only the replies and checks for the respective groups (services). What is the 'right' way to implement this scenario with freeradius 2?

Thank you for the help.

2008/9/6 <[EMAIL PROTECTED]>:
> No. You define virtual home servers in proxy.conf.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 6/9/2008, "Carlos Eduardo Tavares Terra" <[EMAIL PROTECTED]> writes:
>
>> Can I associate in groupcheck a groupname with a virtual server?
>>
>> I have separated each type of service into different virtual servers, because each one of them has different modules.
>>
>> Thanks
>>
>> On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>>> Radgroupcheck table.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
>>> Sent: 05 September 2008 02:42
>>> To: freeradius-users@lists.freeradius.org
>>> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>>>
>>> Dear freeradius users,
>>>
>>> I have a special scenario. Today I have many freeradius servers, each one responsible for different services.
>>>
>>> Now I want to group these freeradius servers into one master server, but I have users in many different usergroups (one for each service).
>>> How can I associate a usergroup with a NAS?
>>> Example:
>>> NAS (192.168.2.1) -> Usergroup (Dialup)
>>> NAS (192.168.2.2) -
Re: FreeRadius2 + MySQL: NAS x Usergroup
Can I associate in groupcheck a groupname with a virtual server?

I have separated each type of service into different virtual servers, because each one of them has different modules.

Thanks

On Fri, Sep 5, 2008 at 2:49 PM, Ivan Kalik <[EMAIL PROTECTED]> wrote:
> Radgroupcheck table.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Eduardo Tavares Terra
> Sent: 05 September 2008 02:42
> To: freeradius-users@lists.freeradius.org
> Subject: FreeRadius2 + MySQL: NAS x Usergroup
>
> Dear freeradius users,
>
> I have a special scenario. Today I have many freeradius servers, each one responsible for different services.
>
> Now I want to group these freeradius servers into one master server, but I have users in many different usergroups (one for each service).
> How can I associate a usergroup with a NAS?
> Example:
> NAS (192.168.2.1) -> Usergroup (Dialup)
> NAS (192.168.2.2) -> Usergroup (Broadband)
> NAS (192.168.2.3) -> Usergroup (Hotspot)
>
> I saw how to do this using huntgroups, but I want to use a MySQL database with all clients.
>
> Are there other ways to implement these different services in one radius server, maybe the right way? If not, how can I associate the usergroups and NASes using MySQL?
>
> Thank you
> --
> Carlos Eduardo Tavares Terra
> GNU/Linux #413291 [http://counter.li.org]
> Slackware Linux

--
Carlos Eduardo Tavares Terra
Systems Analyst
Petróleo Brasileiro S/A
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
FreeRadius2 + MySQL: NAS x Usergroup
Dear freeradius users,

I have a special scenario. Today I have many freeradius servers, each one responsible for different services.

Now I want to group these freeradius servers into one master server, but I have users in many different usergroups (one for each service). How can I associate a usergroup with a NAS?

Example:
NAS (192.168.2.1) -> Usergroup (Dialup)
NAS (192.168.2.2) -> Usergroup (Broadband)
NAS (192.168.2.3) -> Usergroup (Hotspot)

I saw how to do this using huntgroups, but I want to use a MySQL database with all clients.

Are there other ways to implement these different services in one radius server, maybe the right way? If not, how can I associate the usergroups and NASes using MySQL?

Thank you

--
Carlos Eduardo Tavares Terra
GNU/Linux #413291 [http://counter.li.org]
Slackware Linux
Re: Simultaneous-Use in login for same mac-address
Ivan Kalik wrote:
> Your NAS is rubbish. It sent a stop packet for the first session. FreeRADIUS didn't "close" this session - Mikrotik did.

Thank you, I will check this Mikrotik.

> Ivan Kalik
> Kalik Informatika ISP
>
> On 6/6/2008, "Jean Carlos Oliveira Guandalini" <[EMAIL PROTECTED]> writes:
>> Ivan Kalik wrote:
>>> No. There is no simultaneous login here:
>>>
>>> session1: start: 11:08:45 stop: 11:08:46
>>> session2: start: 11:08:49
>>
>> But session1 did not end; it was closed at freeradius when the second session tried to connect. In my "NAS (Mikrotik)" there are two connections, with different IP addresses.
>>
>> Thanks
>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> On 6/6/2008, "Jean Carlos Oliveira Guandalini" <[EMAIL PROTECTED]> writes:
>>>> Hello, we have a problem of MAC address cloning, and we use the Simultaneous-Use := 1 option to not allow double login, but in the case of the cloned MAC address freeradius allows the connection.
>>>>
>>>> Log of sql.trace:
>>>>
>>>> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
>>>> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00935', 'bcc93b20ea389f59', 'userlogin', '', '10.0.6.10', '2447', 'Ethernet', '2008-06-06 11:08:45', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
>>>> UPDATE radacct SET AcctStopTime = '2008-06-06 11:08:46', AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '81b00935' AND UserName = 'userlogin' AND NASIPAddress = '10.0.6.10';
>>>> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
>>>> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00936', '3f7c1d06dbd205d4', 'userlogin', '', '10.0.6.10', '2448', 'Ethernet', '2008-06-06 11:08:49', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
>>>>
>>>> Queries in sql.conf:
>>>>
>>>> simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>>>> simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>>>>
>>>> Despite the MAC address matching, they are two different users, and the second connected without the first disconnecting beforehand. Is there any possibility to block it?
>>>>
>>>> Thanks
>>>> Sorry for my English (by Google Translator)
>>>>
>>>> --
>>>> Jean Carlos Oliveira Guandalini
>>>> Networks and Infrastructure Dept.
>>>> VisãoNet Tecnologia e Telecomunicações
>>>> 0800-643-5025
>>
>> --
>> Jean Carlos Oliveira Guandalini
>> Networks and Infrastructure Dept.
>> VisãoNet Tecnologia e Telecomunicações
>> 0800-643-5025

--
Jean Carlos Oliveira Guandalini
Networks and Infrastructure Dept.
VisãoNet Tecnologia e Telecomunicações
0800-643-5025
Re: Simultaneous-Use in login for same mac-address
Ivan Kalik wrote:
> No. There is no simultaneous login here:
>
> session1: start: 11:08:45 stop: 11:08:46
> session2: start: 11:08:49

But session1 did not end; it was closed at freeradius when the second session tried to connect. In my "NAS (Mikrotik)" there are two connections, with different IP addresses.

Thanks

> Ivan Kalik
> Kalik Informatika ISP
>
> On 6/6/2008, "Jean Carlos Oliveira Guandalini" <[EMAIL PROTECTED]> writes:
>> Hello, we have a problem of MAC address cloning, and we use the Simultaneous-Use := 1 option to not allow double login, but in the case of the cloned MAC address freeradius allows the connection.
>>
>> Log of sql.trace:
>>
>> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
>> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00935', 'bcc93b20ea389f59', 'userlogin', '', '10.0.6.10', '2447', 'Ethernet', '2008-06-06 11:08:45', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
>> UPDATE radacct SET AcctStopTime = '2008-06-06 11:08:46', AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '81b00935' AND UserName = 'userlogin' AND NASIPAddress = '10.0.6.10';
>> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
>> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00936', '3f7c1d06dbd205d4', 'userlogin', '', '10.0.6.10', '2448', 'Ethernet', '2008-06-06 11:08:49', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
>>
>> Queries in sql.conf:
>>
>> simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>> simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>>
>> Despite the MAC address matching, they are two different users, and the second connected without the first disconnecting beforehand. Is there any possibility to block it?
>>
>> Thanks
>> Sorry for my English (by Google Translator)
>>
>> --
>> Jean Carlos Oliveira Guandalini
>> Networks and Infrastructure Dept.
>> VisãoNet Tecnologia e Telecomunicações
>> 0800-643-5025

--
Jean Carlos Oliveira Guandalini
Networks and Infrastructure Dept.
VisãoNet Tecnologia e Telecomunicações
0800-643-5025
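The thread above turns on what Simultaneous-Use can and cannot see. The following is an added example, not FreeRADIUS code and not posted by anyone in the thread: it redoes the simul_count_query logic in Python over rows constructed from the sql.trace, and adds a per-MAC count keyed on CallingStationId (this example's own extension, not a FreeRADIUS option). The AcctRow type, the function names and the sample rows are this example's assumptions.

```python
"""Replay the Simultaneous-Use check over accounting rows (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AcctRow:
    acct_session_id: str
    user_name: str
    nas_ip: str
    calling_station_id: str
    start_time: str
    stop_time: Optional[str]   # None models AcctStopTime = 0, i.e. still open


# Constructed from the two INSERTs and the UPDATE in the post's sql.trace
# (only the columns that matter for the check are kept).
RADACCT = [
    AcctRow("81b00935", "userlogin", "10.0.6.10", "00:4F:62:0A:1F:BF",
            "2008-06-06 11:08:45", "2008-06-06 11:08:46"),
    AcctRow("81b00936", "userlogin", "10.0.6.10", "00:4F:62:0A:1F:BF",
            "2008-06-06 11:08:49", None),
]


def open_sessions_for_user(rows, user_name):
    """What simul_count_query counts: open sessions with this UserName."""
    return sum(1 for r in rows if r.user_name == user_name and r.stop_time is None)


def open_sessions_for_mac(rows, calling_station_id):
    """Open sessions for this Calling-Station-Id, whatever the user name."""
    return sum(1 for r in rows
               if r.calling_station_id == calling_station_id and r.stop_time is None)


def simultaneous_use_allows(rows, user_name, calling_station_id,
                            max_sessions=1, per_mac=False):
    """Admit a new login the way Simultaneous-Use := max_sessions would.

    per_mac=True additionally caps open sessions per MAC; that is this
    example's extension, not something the stock queries do.
    """
    if open_sessions_for_user(rows, user_name) >= max_sessions:
        return False
    if per_mac and open_sessions_for_mac(rows, calling_station_id) >= max_sessions:
        return False
    return True


if __name__ == "__main__":
    # State of radacct when the second Access-Request arrived: only the first
    # row existed, and the NAS had already sent its Stop for it.
    print(simultaneous_use_allows(RADACCT[:1], "userlogin", "00:4F:62:0A:1F:BF"))
```

Run against the first row alone (the table as it stood when the second login arrived) the check admits the login, because the Stop at 11:08:46 had already closed the row; that is Ivan's point, and no RADIUS-side query can recover a session the NAS has reported as ended. The per-MAC variant only helps when the second session arrives while the first is still open under another user name. One more thing the trace shows: the radpostauth INSERT stores the cleartext password ('290476'); a production postauth query should not log it.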
Simultaneous-Use in login for same mac-address
Hello, we have a problem of MAC address cloning, and we use the Simultaneous-Use := 1 option to not allow double login, but in the case of the cloned MAC address freeradius allows the connection.

Log of sql.trace:

INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00935', 'bcc93b20ea389f59', 'userlogin', '', '10.0.6.10', '2447', 'Ethernet', '2008-06-06 11:08:45', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');
UPDATE radacct SET AcctStopTime = '2008-06-06 11:08:46', AcctSessionTime = '0', AcctInputOctets = '0', AcctOutputOctets = '0', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '81b00935' AND UserName = 'userlogin' AND NASIPAddress = '10.0.6.10';
INSERT into radpostauth (id, user, pass, reply, date) values ('', 'userlogin', '290476', 'Access-Accept', NOW());
INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('81b00936', '3f7c1d06dbd205d4', 'userlogin', '', '10.0.6.10', '2448', 'Ethernet', '2008-06-06 11:08:49', '0', '0', 'RADIUS', '', '', '0', '0', 'INTERNET', '00:4F:62:0A:1F:BF', '', 'Framed-User', 'PPP', '111.111.111.111', '0', '0');

Queries in sql.conf:

simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

Despite the MAC address matching, they are two different users, and the second connected without the first disconnecting beforehand. Is there any possibility to block it?

Thanks
Sorry for my English (by Google Translator)

--
Jean Carlos Oliveira Guandalini
Networks and Infrastructure Dept.
VisãoNet Tecnologia e Telecomunicações
0800-643-5025
RES: FreeRadius with SQL and Asterisk - FreeRadius inserts acct data to SQL database, but the data seems useless
Why not use Asterisk itself to put the call records (CDR) into MySQL? It's very simple.

> Hi!
> First of all, I apologize if I sent this to a non-appropriate mailing list, but nevertheless I hope that you can help me.
> I installed FreeRadius because I wanted to see how it works in conjunction with Asterisk, only for accounting purposes.
> In my case, I managed to configure Asterisk to send RADIUS packets to the FreeRadius server, as we can see from file /var/log/radius/radacct/127.0.0.1/detail-20080107:
RES: Looking for feedback
> Firstly, please do not "top post".
>
> Secondly, your reply doesn't actually explain anything new nor ask any additional questions. Maybe you should be clearer :-)
>
> Cheers

Sorry for my top posting. My reply was very short and not clearer because I believe it's not directly a freeradius subject.
RES: Looking for feedback
RouterOS with RouterBOARD (Mikrotik) or x86 platform. Centralized or mixed environment.

> On Fri 21 Dec 2007, Geoffroy ARNOUD wrote:
>> Hi all,
>>
>> First I apologize, because the question I am about to ask is not directly linked to FreeRADIUS.
>>
>> Any feedback would be appreciated.
>> Daniel
>
> A centralised NAS for multiple hotspots implies that you are not going to NAT each hotspot, but rather that you will route a subnet to each. If that is the case I think a combination of a centralised coova, plus a DHCP relay agent on each access point should work. If it doesn't work out of the box (I haven't tested coova in that config) then I am sure it would be possible with pretty minor patches. Why don't you re-ask the question on the coova list (which I am also on). I am sure David will be able to help :-)
LDAP Authentication: filter problem
Hi all,

I'm using LDAP-based authentication. I have a simple (typical) filter like this:

  filter = uid=%{User-Name}

Now, in addition, I need to authenticate based on a Service-Info attribute. So I need something like:

  filter = "(&(uid=%{User-Name})(radiusServiceInfo=%{Service-Info}))"

The problem is that when Service-Info doesn't come in the RADIUS packet (because it is not mandatory for me), it doesn't work, and I see on LDAP the following:

  filter="(&(uid=test1)(?=undefined))"

If Service-Info is not present, I would expect something like:

  filter="(&(uid=test1)(radiusServiceInfo=))"

Worse, in fact what I need is a slightly different filter like:

  filter = "(&(uid=%{User-Name})(!(radiusServiceInfo=%{Service-Info})))"

In that case (using the !), the query sent is the following:

  filter="(&(uid=test1)(?=error))"

I've already searched for that on the freeradius mailing lists and I didn't see any report about this problem. Is that some kind of bug? Or am I doing something wrong? I'd appreciate some help.

Best Regards,
Carlos Parada
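The post's two filters fail because an absent attribute is substituted into a fixed filter string. Below is an added example, not part of FreeRADIUS or of the post, of how a filter builder should treat that case: leave the clause out when the attribute was not sent, rather than expanding it to an empty or undefined value, and escape every substituted value per RFC 4515 so that a User-Name such as `*)(uid=*` cannot change what the filter matches. The attribute names uid and radiusServiceInfo come from the post; the function names and the sample inputs are this example's own.

```python
"""Build an LDAP filter with an optional clause and RFC 4515 escaping (added example)."""
from typing import Optional

# Characters RFC 4515 requires to be escaped inside an assertion value.
_RESERVED = "\\*()\x00"


def ldap_escape(value: str) -> str:
    """Replace each reserved character by a backslash and its two-digit hex code."""
    return "".join("\\%02x" % ord(ch) if ch in _RESERVED else ch for ch in value)


def build_filter(user_name: str, service_info: Optional[str] = None,
                 negate: bool = False) -> str:
    """Return the search filter for a user.

    The radiusServiceInfo clause is only added when the RADIUS request
    carried Service-Info; negate=True produces the (!(...)) form from the
    post. Values are escaped before substitution.
    """
    clauses = ["(uid=%s)" % ldap_escape(user_name)]
    if service_info is not None:
        svc = "(radiusServiceInfo=%s)" % ldap_escape(service_info)
        clauses.append("(!%s)" % svc if negate else svc)
    if len(clauses) == 1:
        return clauses[0]
    return "(&%s)" % "".join(clauses)


if __name__ == "__main__":
    # Constructed inputs: a normal request, one without Service-Info,
    # and a user name that would rewrite the filter if left unescaped.
    print(build_filter("test1", "dialup"))
    print(build_filter("test1"))
    print(build_filter("*)(uid=*"))
```

Inside the server itself the same idea means choosing the filter conditionally (on whether Service-Info is present) rather than relying on the expansion of a missing attribute; the escaping is what any code that assembles filters from request attributes must do, whatever the language.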
rlm_sqlcounter and user realms
Hello,

I'm trying to set rlm_sqlcounter up so that I can check a monthly use quota. Everything works except the checks. The NAS presents the user names with a realm, which I'm processing (thus, [EMAIL PROTECTED] becomes user). Using SQL for accounting and such is working marvellously.

Now, when I configured/activated rlm_sqlcounter as per the instructions at http://wiki.freeradius.org/Rlm_sqlcounter, it will not work because the SQL checks are using the pre-processed user name:

  SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'

will use '[EMAIL PROTECTED]' instead of just 'user'.

My question is, how can I modify this query definition (and the others from sqlcounter.conf) so that they really check against the stripped user name?

Thanks a lot,
Carlos.

--
grah windows just crashed again, unstable crap.
Windows isn't unstable, it's just spontaneous.
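Two questions on this page ask the same thing from different sides: the cellular-network thread wants a session limit decided at authentication time, and this post wants the sqlcounter quota keyed on the realm-stripped name. The following is an added example, not FreeRADIUS code and not the poster's configuration, that does in Python what the sqlcounter query does in SQL: sum AcctSessionTime for the user since the start of the month, normalise the lookup key so rows written as either `user@realm` or `user` are counted, and hand the remaining allowance back as a Session-Timeout so the NAS ends the session when the quota runs out. The rows, the quota table and the function names are this example's assumptions.

```python
"""Monthly usage quota keyed on the realm-stripped user name (added example)."""
from datetime import datetime

# Constructed sample quota: seconds allowed per calendar month.
MONTHLY_QUOTA = {"carlos": 3600 * 10}

# Constructed radacct rows: (UserName as the NAS sent it, AcctStartTime, AcctSessionTime).
RADACCT = [
    ("carlos@example.org", "2008-05-30 22:00:00", 7200),   # previous month, not counted
    ("carlos@example.org", "2008-06-02 09:00:00", 10800),
    ("carlos",             "2008-06-05 13:30:00", 7200),   # stored already stripped
    ("maria@example.org",  "2008-06-05 14:00:00", 600),
]


def strip_realm(user_name):
    """Normalise 'user@realm' to 'user'; names without a realm are unchanged."""
    return user_name.split("@", 1)[0]


def monthly_usage(rows, user_name, now):
    """Seconds used this month by user_name, matching rows stored with or without a realm.

    Sessions are attributed to the month they started in; a session that
    spans the month boundary is counted entirely in the earlier month, which
    is a simplification of what the real sqlcounter query does.
    """
    key = strip_realm(user_name)
    month_start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    used = 0
    for stored_name, start, seconds in rows:
        if strip_realm(stored_name) != key:
            continue
        if datetime.strptime(start, "%Y-%m-%d %H:%M:%S") < month_start:
            continue
        used += seconds
    return used


def authorize(rows, user_name, now):
    """Return ('reject', None) when the quota is exhausted, else ('accept', session_timeout).

    session_timeout is None when no quota is configured for the user, otherwise
    the remaining seconds to send back as Session-Timeout.
    """
    quota = MONTHLY_QUOTA.get(strip_realm(user_name))
    if quota is None:
        return ("accept", None)
    remaining = quota - monthly_usage(rows, user_name, now)
    if remaining <= 0:
        return ("reject", None)
    return ("accept", remaining)


if __name__ == "__main__":
    print(authorize(RADACCT, "carlos@example.org", datetime(2008, 6, 10, 12, 0, 0)))
```

The same normalisation is what the SQL side needs: whichever name form the accounting rows were written with, the counter query must use that form (or a stripped copy of the request's name) as its key, otherwise the SUM silently returns zero and the quota is never enforced. A traffic quota works identically with AcctInputOctets and AcctOutputOctets in place of AcctSessionTime, but there is no standard attribute that tells a NAS to stop at a byte count, so that decision has to be made by the next Access-Request or by a disconnect from the server side.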
Re: Retrieving the clients (NASes) from SQL (FreeRADIUS 1.1.0)
Hi,

> Yes. But you will still need to restart the server for changes to take effect.

Yes, I noticed it. It turns out that I had the INCLUDE sql.conf somewhere else. It's working now!

Thanks a lot,
Carlos.

--
grah windows just crashed again, unstable crap.
Windows isn't unstable, it's just spontaneous.
Retrieving the clients (NASes) from SQL (FreeRADIUS 1.1.0)
Hello,

does FreeRADIUS 1.1.0 support reading the NAS list from SQL? I'm using this rather old version because it's the one supplied by my Ubuntu version, and, if possible, I wouldn't like to use another. Of course, if I must, I will.

Thanks a lot,
Carlos.

--
grah windows just crashed again, unstable crap.
Windows isn't unstable, it's just spontaneous.
force the user to use a unique NAS
I have two load-balanced NASes with different networks; the users can use the first or second NAS to gain network access with dynamic IPs via the rlm_ippool radius module (two different IP pools). But now I need to use a single fixed IP for some users. How can I force the user to use a single NAS? If I don't do this, the fixed IP can be outside the network. Makes sense?

Thx
Toledo
RES: Non valid NAS-Port and NAS-Port-Id (SOLVED)
Thank you very much! Great job Peter!

This problem was solved using rlm_sqlippool with a PostgreSQL sql instance. All other radius database transactions are made with another MySQL sql instance.

Thanks for everything
Toledo

> On Wed 08 Aug 2007, Toledo, Luis Carlos wrote:
> > > Hey all,
> > >
> > > I have a serious problem with non-valid NAS-Port received from NASes, because I need to provide a dynamic IP (rlm_ippool).
> > >
> > > Have anyone any suggestion?
> >
> > http://wiki.freeradius.org/Rlm_sqlippool
> >
> > I use MySQL for all radius operations and data storage; is sqlippool 100% MySQL compatible?
>
> I use/develop it on Postgresql myself, but other users report success on MySQL. Make sure you are using 1.1.7 or cvs head though. Older versions will not work properly with MySQL...
>
> Cheers
RES: Non valid NAS-Port and NAS-Port-Id
> > Hey all,
> >
> > I have a serious problem with non-valid NAS-Port received from NASes, because I need to provide a dynamic IP (rlm_ippool).
> >
> > Have anyone any suggestion?
>
> http://wiki.freeradius.org/Rlm_sqlippool

I use MySQL for all radius operations and data storage; is sqlippool 100% MySQL compatible?
Non valid NAS-Port and NAS-Port-Id
Hey all,

I have a serious problem with non-valid NAS-Port received from NASes, because I need to provide a dynamic IP (rlm_ippool).

Have anyone any suggestion?

Thx
Toledo, Luis Carlos
RES: Stripping domain from username
> See "man unlang" for details.

Is this feature available in the stable 1.1.7 version?
Using Calling-Station-Id or AcctSessionId as NAS-Port
I need to use Calling-Station-Id (or AcctSessionId) as NAS-Port and provide dynamic IPs using rlm_ippool. Using attr_rewrite it's possible to make this change (Calling-Station-Id => NAS-Port), but the freeradius/modules C code defines port as int. My Calling-Station-Id has 15 numeric chars. Has anyone any idea?

Thanks
Toledo
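The obstacle in this post is a fixed width, not a configuration detail: NAS-Port is a RADIUS integer attribute, 32 bits wide, so a 15-digit Calling-Station-Id cannot be copied into it. The following is an added example, not FreeRADIUS code and not from the thread, of the two things worth checking before rewriting one into the other: whether a value fits at all, and, if a derived 32-bit key is used instead, that distinct identifiers do not collide (a collision would hand two subscribers the same pool slot if the pool keys on NAS-Port). The hash choice, the function names and the sample identifiers are this example's assumptions.

```python
"""Derive a 32-bit NAS-Port from a 15-digit Calling-Station-Id (added example)."""
import hashlib

NAS_PORT_MAX = 0xFFFFFFFF   # RADIUS integer attributes are unsigned 32-bit


def fits_nas_port(value: str) -> bool:
    """True if the decimal string can be carried in NAS-Port unchanged."""
    return value.isdigit() and int(value) <= NAS_PORT_MAX


def derive_nas_port(calling_station_id: str) -> int:
    """Deterministic 32-bit value: the first four bytes of SHA-256 of the id."""
    digest = hashlib.sha256(calling_station_id.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big")


def find_collisions(ids):
    """Return (earlier_id, later_id) pairs whose derived NAS-Port values coincide."""
    seen = {}
    collided = []
    for cid in ids:
        port = derive_nas_port(cid)
        if port in seen and seen[port] != cid:
            collided.append((seen[port], cid))
        seen.setdefault(port, cid)
    return collided


if __name__ == "__main__":
    # Constructed identifiers of the length the post describes.
    sample = ["123456789012345", "123456789012346", "987654321098765"]
    print(fits_nas_port(sample[0]))
    print([derive_nas_port(s) for s in sample])
    print(find_collisions(sample))
```

Hashing keeps the value within range but makes collisions possible in principle, so a pool keyed on the derived value needs the collision check run over the subscriber base, or a uniqueness constraint on the pool table. The cleaner route, which the same poster reports using in the "(SOLVED)" reply above, is an IP pool module that can key on a string attribute directly, so the identifier never has to be squeezed into NAS-Port.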
RE: Authentication failed
*** Message scanned by the Impala Network Solutions perimeter antivirus ***

Good morning:

Enterasys is the AP and the wireless card. We have also tried with an integrated Intel Centrino card, with the same result. About the supplicant, we tried with the Windows client and with one provided by Enterasys. With both of them we cannot connect correctly.

Unfortunately, this point was in a project that should have been finished yesterday (I'd like to have found this mailing list several days before) and we had to configure the system with preshared keys in order to leave the system running. Authentication with the domain was finally not implemented. Today we have no access to that system and cannot do anything more. The project's world! :(

Anyway, we really appreciate all your help and advice.

Thank you.

Carlos Jimenez Barranco - After-sales Area
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 16:24
To: FreeRadius users mailing list
Subject: RE: Authentication failed

Let's get a few things straight:

Enterasys is your AP, not your wireless card? What supplicant are you using on your PC to connect: Windows XP supplicant, supplicant provided by the manufacturer of the PC's wireless card or something else? Supplicant is the program you are using to make the wireless connection. What EAP type are you trying to use? You started with PEAP but in the last output your supplicant was trying to do TTLS of some sort.

Ivan Kalik
Kalik Informatika ISP

On 12/7/2007, "Carlos Jimenez Barranco" <[EMAIL PROTECTED]> writes:

>Hi:
>
>We have found that on the PC, the wireless card needs a username and password entered manually; it doesn't take the domain credentials automatically.
>We have tried, just for testing, with a non-valid user, in this case root and the password for the freeradius server. This is why "anonymous" appears.
>But we have not made more changes.
>After this try, we restarted the service and we found that with domain user credentials the PC didn't connect correctly.
>Could it be due to a malfunction or an issue of the Enterasys wireless card and/or AP?
>
>Thanks.
>
>Carlos Jimenez Barranco - After-sales Area
>Tel. +34 933034139
>www.impala-net.com
>Corporate Communications Systems
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
>Sent: Thursday, 12 July 2007 14:41
>To: FreeRadius users mailing list
>CC: Cristina Martin Molin
>Subject: Re: Authentication failed
>
>Hi,
>
>you are CHANGING more than ONE thing at a time. look at this:
>
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP NAK
>> rlm_eap: EAP-NAK asked for EAP-Type/ttls
>> rlm_eap: No such EAP type ttls
>> rlm_eap: Failed in EAP select
>> modcall[authenticate]: module "eap" returns invalid for request 7
>> modcall: group authenticate returns invalid for request 7
>> auth: Failed to validate the user.
>> Login incorrect: [anonymous/] (from client 172.24.230.15 port 1 cli 00118865b6e5)
>
>why is it now attempting TTLS authentication? why have you taken such auth method out of the loop? ntlm_auth isn't being called AT ALL now.
>
>one change at a time!
>
>alan

___

This message is addressed exclusively to its recipient and may contain privileged or confidential information of Impala Network Solutions S.L. If you are not the indicated recipient, you are hereby notified that its use, disclosure and/or copying without authorisation is prohibited under current legislation. If you have received this message by mistake, please notify us immediately by this same means and destroy it.
RE: Authentication failed
Hi:

We have found that on the PC, the wireless card needs a username and password to be introduced manually; it doesn't take the domain credentials automatically. We have tried, just for testing, with a non-valid user, in this case root and the password for the freeradius server. This is why "anonymous" appears. But we have not made any more changes.

After this try, we restarted the service and we found that with domain user credentials the PC didn't connect correctly.

Could it be due to a malfunction or an issue of the Enterasys wireless card and/or AP?

Thanks.

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 14:41
To: FreeRadius users mailing list
CC: Cristina Martin Molin
Subject: Re: Authentication failed

Hi,

you are CHANGING more than ONE thing at a time. look at this:

> rlm_eap: Request found, released from the list
> rlm_eap: EAP NAK
> rlm_eap: EAP-NAK asked for EAP-Type/ttls
> rlm_eap: No such EAP type ttls
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
> Login incorrect: [anonymous/] (from client
> 172.24.230.15 port 1 cli 00118865b6e5)

why is it now attempting TTLS authentication? why have you taken such auth method out of the loop? ntlm_auth isn't being called AT ALL now.

one change at a time!

alan
RE: Authentication failed
Hello, Stefan:

Thank you for your help. You are right: I need a good book on Unix command-line tools. :)

For the moment, I left it all on just one line.

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 14:00
To: FreeRadius users mailing list
Subject: Re: Authentication failed

> We have entered this data in radiusd.conf:
>
> # Be VERY careful when editing the following line!
> #
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain}
> --username=%{mschap:User-Name}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> Maybe the "intro" after every line is not correct, so we have changed it
> to:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> And the problem continues.

Well, this is "UNIX 101": if you want a command to continue over multiple lines, you have to put a \ (backslash) at the end of the lines. The spaces themselves are perfectly fine. Something like

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
    --domain=%{mschap:NT-Domain} \
    --username=%{mschap:User-Name} \
    --challenge=%{mschap:Challenge:-00} \
    --nt-response=%{mschap:NT-Response:-00}"

should work a lot better.

Go buy a book about UNIX command-line tools ;-)

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu   Fax: +352 422473
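The line-continuation point Stefan makes above, as an added example that is not part of the thread and not FreeRADIUS's own code: a small Python reader applies the rule he describes (a double-quoted value ends at the end of the physical line unless that line ends in a backslash; this is my simplified stand-in for the radiusd.conf parser, not the server's real implementation) to the two ntlm_auth variants posted in this thread, and then checks whether the resulting command still carries the --username, --challenge and --nt-response options the mschap module needs. The BROKEN and FIXED snippets are constructed from the lines quoted above.

```python
"""Why a wrapped ntlm_auth line in radiusd.conf collapses to
'/usr/bin/ntlm_auth --request-nt-key '.  Added example: not from the
thread and not FreeRADIUS's parser.  Assumption (my simplified model of
the rule Stefan describes): a double-quoted value ends at the end of the
physical line unless that line ends in a backslash."""
import shlex

# Options rlm_mschap's ntlm_auth command must carry to answer MS-CHAP.
REQUIRED_OPTS = ("--username=", "--challenge=", "--nt-response=")


def logical_lines(text):
    """Join physical lines where the previous one ends in a backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]  # drop the backslash, keep reading
            continue
        out.append(buf + raw)
        buf = ""
    if buf:
        out.append(buf)
    return out


def read_conf_value(text, key):
    """Return the quoted value assigned to `key`, or None if absent.
    Comment lines are skipped; an unterminated quote ends at end of line."""
    for line in logical_lines(text):
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        k, _, v = stripped.partition("=")
        if k.strip() != key:
            continue
        v = v.strip()
        if v.startswith('"'):
            end = v.find('"', 1)
            return v[1:end] if end != -1 else v[1:]
        return v
    return None


def missing_options(command):
    """Required ntlm_auth options that `command` does not contain."""
    args = shlex.split(command)
    return [opt for opt in REQUIRED_OPTS
            if not any(a.startswith(opt) for a in args)]


def check(conf_text):
    """(expanded command, missing options) for the ntlm_auth setting."""
    cmd = read_conf_value(conf_text, "ntlm_auth") or ""
    return cmd, missing_options(cmd)


# Constructed sample: the wrapped form from the thread, no backslashes.
BROKEN = '''\
# Be VERY careful when editing the following line!
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain}
--username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
'''

# Constructed sample: the same command with backslash continuations.
FIXED = '''\
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \\
    --domain=%{mschap:NT-Domain} \\
    --username=%{mschap:User-Name} \\
    --challenge=%{mschap:Challenge:-00} \\
    --nt-response=%{mschap:NT-Response:-00}"
'''

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        cmd, missing = check(conf)
        print(f"{label}: {cmd!r}\n  missing: {missing or 'none'}")
```

Run as a script it prints the command each variant expands to; the broken one stops after `--request-nt-key`, which is exactly the truncated command Stefan spotted in the debug output, and the missing-options list tells you which arguments ntlm_auth will then complain about.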
RE: Authentication failed
Hello:

We have restarted the radius service. This is the output of the debug:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = yes
main: max_request_time = 60
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files
RE: Authentication failed
Hello, Stefan:

We have entered this data in radiusd.conf:

# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain}
--username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

Maybe the "intro" after every line is not correct, so we have changed it to:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

And the problem continues.

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 13:17
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

okay, now that the User-Name thing is fixed, another problem with your config shows up. The ntlm_auth line is way too short! Therefore, the key can't be retrieved. Is there maybe a line wrap in radiusd.conf, line "ntlm_auth = ..." or something? The shipped ntlm_auth line works by default! Yours is only '/usr/bin/ntlm_auth --request-nt-key ' i.e. it's missing all the important parts!

Stefan

> modcall: entering group Auth-Type for request 8
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for host/PC-BARCMM2.it.local with NT-Password
> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key '
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key
> username must be specified!
>
> Usage: [OPTION...]
>   --helper-protocol=helper protocol to use   operate as a stdio-based helper
>   --username=STRING                           username
>   --domain=STRING                             domain name
>   --workstation=STRING                        workstation
>   --challenge=STRING                          challenge (HEX encoded)
>   --lm-response=STRING                        LM Response to the challenge (HEX encoded)
>   --nt-response=STRING                        NT or NTLMv2 Response to the challenge (HEX encoded)
>   --password=STRING                           User's plaintext password
>   --request-lm-key                            Retreive LM session key
>   --request-nt-key                            Retreive User (NT) session key
>   --diagnostics                               Perform diagnostics on the authentictaion chain
>   --require-membership-of=STRING              Require that a user be a member of this group (either name or SID) for authentication to succeed
>
> Help options
>   -?, --help                                  Show this help message
>   --usage                                     Display brief usage message
>
> Common samba options:
>   -d, --debuglevel=DEBUGLEVEL                 Set debug level
>   -s, --configfile=CONFIGFILE                 Use alternative configuration file
>   -l, --log-basename=LOGFILEBASE              Basename for log/debug files
>   -V, --version                               Print version
> Exec-Program output:
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
RE: Authentication failed
Hello again:

We have found that when we configure the supplicant with the OPEN authentication method, it works right, but not when we configure it as WPA (authenticating against Active Directory with freeradius). In this second case, it seems that the connection is established, but it immediately disconnects.

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 12:41
To: FreeRadius users mailing list
Subject: RE: Authentication failed

What EAP method are you using? PEAP? Can you post the radiusd -X output.

Ivan Kalik
Kalik Informatika ISP
RE: Authentication failed
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Login incorrect: [host/PC-BARCMM2.it.local/] (from client 172.24.230.15 port 1 cli 000e359071d6)
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 123 to 172.24.230.15:1279
EAP-Message = 0x04080004
Message-Authenticator = 0x0000
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 116 with timestamp 4695fe85
Cleaning up request 3 ID 117 with timestamp 4695fe85
Cleaning up request 4 ID 118 with timestamp 4695fe85
Cleaning up request 5 ID 119 with timestamp 4695fe85
Cleaning up request 6 ID 120 with timestamp 4695fe85
Cleaning up request 7 ID 121 with timestamp 4695fe85
Cleaning up request 8 ID 122 with timestamp 4695fe85
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 123 with timestamp 4695fe86
Nothing to do. Sleeping until we see a request.

Thank you, Ivan

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 12 July 2007 12:41
To: FreeRadius users mailing list
Subject: RE: Authentication failed

What EAP method are you using? PEAP? Can you post the radiusd -X output.

Ivan Kalik
Kalik Informatika ISP
RE: Authentication failed
Hello, Stefan:

As you told us, the supplicant was sending an empty username. We had to introduce the username and password manually, because the wireless card was not taking the domain login values correctly and was using an empty value.

The most recent log is:

Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/] (from client localhost port 0)
Thu Jul 12 11:03:38 2007 : Auth: Login incorrect: [barcmm2/] (from client 172.24.230.15 port 1 cli 00118865b6e5)

Thank you,

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:51
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

> About the supplicant, we are using just Windows XP. We have tried with
> several wireless cards (the Enterasys one, an integrated Intel Centrino
> 2200b/g...). I may not have understood the meaning of "supplicant";
> please tell me. I thought it could be a problem related to the way
> freeradius deals with credentials (i.e. MSCHAP, with_ntdomain_hack value...).

FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your NAS is sending an *empty* username. As far as I can tell, your problem does not lie on the server side, but on the client side.

Stefan
RE: Authentication failed
Hi:

Thank you, Stefan. We are going to revise the client configuration.

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:51
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

> About the supplicant, we are using just Windows XP. We have tried with
> several wireless cards (the Enterasys one, an integrated Intel Centrino
> 2200b/g...). I may not have understood the meaning of "supplicant";
> please tell me. I thought it could be a problem related to the way
> freeradius deals with credentials (i.e. MSCHAP, with_ntdomain_hack value...).

FreeRADIUS can't do *anything* if it doesn't know who to authenticate. Your NAS is sending an *empty* username. As far as I can tell, your problem does not lie on the server side, but on the client side.

Stefan
RE: Authentication failed
Hello, Stefan:

About the supplicant, we are using just Windows XP. We have tried with several wireless cards (the Enterasys one, an integrated Intel Centrino 2200b/g...). I may not have understood the meaning of "supplicant"; please tell me. I thought it could be a problem related to the way freeradius deals with credentials (i.e. MSCHAP, with_ntdomain_hack value...).

Thank you,

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Stefan Winter
Sent: Thursday, 12 July 2007 10:15
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hi,

> Thank you for your quick answer Stefan. Just one more question: Who is the
> supplicant? The AP or the PC client? On the PC client (WinXP) we have
> always entered a login and password.

The supplicant is the PC client. That's odd. If you really have entered a username on the supplicant, the NAS *MUST* put that into the RADIUS packet. So there's two possibilities:

- the supplicant software on the PC has a bug and doesn't actually send it even though you have entered it (which supplicant are you using?)
- the NAS (AP) is flawed.

Unfortunately I have no experience with Enterasys.

Stefan
RE: Authentication failed
Good morning:

Thank you for your quick answer Stefan. Just one more question: Who is the supplicant? The AP or the PC client? On the PC client (WinXP) we have always entered a login and password.

With kind regards,

Carlos Jimenez Barranco - After-Sales Department
Tel. +34 933034139
www.impala-net.com
Corporate Communications Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stefan Winter
Sent: Thursday, 12 July 2007 9:52
To: FreeRadius users mailing list
Subject: Re: Authentication failed

Hello,

> rad_recv: Access-Request packet from host 172.24.230.15:3324, id=10, length=113
>         NAS-IP-Address = 172.24.230.15
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 1
>         Framed-MTU = 1400
>         User-Name = ""
>         Calling-Station-Id = "00118865b6e5"
>         Called-Station-Id = "0011885ae5b0"
>         NAS-Identifier = "RoamAbout AP"
>         EAP-Message = 0x0201000501
>         Message-Authenticator = 0xf6e4825749e3bc4b04a99bc11c37fbba
[...]
> modcall: entering group authenticate for request 4
>   rlm_eap: UserIdentity Unknown
>   rlm_eap: Identity Unknown, authentication failed
>   rlm_eap: Failed in handler
> modcall[authenticate]: module "eap" returns invalid for request 4
> modcall: group authenticate returns invalid for request 4
> auth: Failed to validate the user.

Your NAS is sending an empty User-Name. That's fatal, because then the FreeRADIUS server has no clue which user it should authenticate. Check the settings on your supplicant - enter a user name.

> Is it necessary to attach the system message log?
> Tell me if you need more info.

Most of the time, radiusd -X is sufficient.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]    Tel.: +352 424409-1
http://www.restena.lu         Fax: +352 422473
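The EAP-Message in the debug output above, 0x0201000501, decodes to an EAP-Response/Identity that carries no identity octets; since a NAS copies the Identity response into User-Name (RFC 3579), an empty identity is exactly what produces the empty User-Name and the "Identity Unknown" result. The parser below is an added example, not code from this thread or from FreeRADIUS; the second sample packet is constructed here to show the non-empty case for contrast.

```python
import struct
from typing import Optional

# Constructed sample packets: the first is the EAP-Message value from the debug
# output in the thread, the second is made up here to show a non-empty identity.
EAP_EMPTY_IDENTITY = bytes.fromhex("0201000501")
EAP_NAMED_IDENTITY = bytes.fromhex("0201000a01") + b"alice"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet (RFC 3748: Code, Identifier, Length, then Type and
    Type-Data for Requests and Responses).  Raises ValueError when the header
    does not agree with the bytes actually present, so a truncated or padded
    EAP-Message is reported instead of silently mis-parsed."""
    if len(packet) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} does not match {len(packet)} bytes present")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": identifier, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type octet")
        result["type"] = packet[4]
        result["type_data"] = packet[5:]
        if packet[4] == EAP_TYPE_IDENTITY:
            # Identity Type-Data is a possibly empty octet string; decode as UTF-8 for display.
            result["identity"] = packet[5:].decode("utf-8", errors="replace")
    return result


def identity_or_none(packet: bytes) -> Optional[str]:
    """The identity a NAS would copy into User-Name, or None when the packet is
    not an Identity response or the identity is empty -- the case that produced
    'rlm_eap: Identity Unknown' above."""
    parsed = parse_eap(packet)
    if parsed["code"] != "Response" or parsed.get("type") != EAP_TYPE_IDENTITY:
        return None
    return parsed["identity"] or None


if __name__ == "__main__":
    for pkt in (EAP_EMPTY_IDENTITY, EAP_NAMED_IDENTITY):
        print(pkt.hex(), "->", parse_eap(pkt), "| User-Name would be:", identity_or_none(pkt))
```

Running it on the packet from the log prints an Identity response whose identity is the empty string, which is the server-side view of a supplicant that has no user name configured.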
Authentication failed
7 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:37:06 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:38:16 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:38:16 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:39:22 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:39:22 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:39:48 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:39:48 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:39:57 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:39:57 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:40:04 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:40:04 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:41:09 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:41:09 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:41:36 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:41:36 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:42:41 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:42:41 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:43:08 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:43:08 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:44:13 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:44:13 2007 : Error: rlm_eap: Identity Unknown, authentication failed
Wed Jul 11 14:44:40 2007 : Error: rlm_eap: UserIdentity Unknown
Wed Jul 11 14:44:40 2007 : Error: rlm_eap: Identity Unknown, authentication failed

Is it necessary to attach the system message log?
Tell me if you need more info.

Thanks in advance.

Carlos Jimenez
Re: new query verification in sql.conf
Thanks for all help, this last tip is very good. I need exactly this.

Jean

Alexander Serkin wrote:
> we did this that way:
>
> 1. modified usergroup table to (it's oracle):
>
>    Name       Null?     Type
>    ---------  --------  -------------
>    ID         NOT NULL  NUMBER(38)
>    USERNAME             VARCHAR2(128)
>    CLID                 VARCHAR2(15)
>    GROUPNAME            VARCHAR2(30)
>    PRIORITY   NOT NULL  NUMBER(38)
>
> 2. modified auth sql queries:
>
>    authorize_group_check_query = "SELECT ${groupcheck_table}.id, ${groupcheck_table}.GroupName, \
>        ${groupcheck_table}.Attribute, ${groupcheck_table}.Value, ${groupcheck_table}.op \
>      FROM ${groupcheck_table}, ${usergroup_table} \
>      WHERE (${usergroup_table}.Username = '%{SQL-User-Name}' OR \
>             ${usergroup_table}.CLID = '%{Calling-Station-Id}') \
>        AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName \
>      ORDER BY ${usergroup_table}.PRIORITY, ${groupcheck_table}.id"
>
>    authorize_group_reply_query = "SELECT ${groupreply_table}.id, ${groupreply_table}.GroupName, \
>        ${groupreply_table}.Attribute, ${groupreply_table}.Value, ${groupreply_table}.op \
>      FROM ${groupreply_table}, ${usergroup_table} \
>      WHERE (${usergroup_table}.Username = '%{SQL-User-Name}' OR \
>             ${usergroup_table}.CLID = '%{Calling-Station-Id}') \
>        AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName \
>      ORDER BY ${groupreply_table}.id"
>
>    group_membership_query = "SELECT GroupName FROM ${usergroup_table} \
>      WHERE UserName = '%{SQL-User-Name}' OR CLID = '%{Calling-Station-Id}' \
>      ORDER BY priority"
>
> 3. created group profile:
>
>    insert into RADGROUPCHECK values('','blackholed','Auth-Type',':=','Reject');
>    insert into RADGROUPCHECK values('','blackholed','Fall-Through','=','No');
>    insert into RADGROUPREPLY values('','blackholed','Reply-Message','=','Access denied due to agreement violation');
>
> 4. to blacklist client just add the MAC to "blackholed" group:
>
>    insert into USERGROUP values('','','','blackholed','10');
>
> Jean Carlos Oliveira Guandalini wrote:
>> I use freeradius for authentication of pppoe wifi.
>>
>> I need to make a new sql query in a table with a list of mac-addresses; if
>> the CallingStationId is equal to some mac-address of the table
>> then it will not be allowed to connect.
>> A system of mac-address blacklist.
>> I tried adding one query in sql.conf but it does not function.
>>
>> I find that it would have to add a new function in rlm_sql.c, but I am not
>> a skilled C programmer.
>>
>> Somebody can help me?
>>
>> Sorry for my english
>>
>> Thanks
>>
>> Jean
Re: new query verification in sql.conf
I did not explain correctly. I have a table in the database with MAC addresses registered. When the user connects, radius makes a verification in this table (on the database), comparing the MAC address of the user with the MAC addresses registered in the database; if the MAC address of the user is contained in the table (on the database), the user is not able to connect.

Sorry for my english. I use translator! lol

Thanks

Jean

> Subject:
> From: <[EMAIL PROTECTED]>
> Date: Wed, 14 Mar 2007 15:09:49 +0100
> To: "FreeRadius users mailing list"
>
> use huntgroups:
>
>    ohnoyouwont   Calling-Station-ID == whatever
>                  SQL-Group == suspended
>
> where suspended is a group with Auth-Type reject.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 14/3/2007, "Jean Carlos Oliveira Guandalini" <[EMAIL PROTECTED]> writes:
>
>> I use freeradius for authentication of pppoe wifi.
>>
>> I need to make a new sql query in a table with a list of mac-addresses; if
>> the CallingStationId is equal to some mac-address of the table
>> then it will not be allowed to connect.
>> A system of mac-address blacklist.
>> I tried adding one query in sql.conf but it does not function.
>>
>> I find that it would have to add a new function in rlm_sql.c, but I am not
>> a skilled C programmer.
>>
>> Somebody can help me?
>>
>> Sorry for my english
>>
>> Thanks
>>
>> Jean
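Both answers in this thread rest on the same mechanism: a Calling-Station-Id lookup that lands the station in a group whose check items set Auth-Type := Reject (Ivan's "group with Auth-Type reject" above, Alexander's CLID column in usergroup earlier on the page). The script below is an added example, not code from the thread or from FreeRADIUS, that models that walk end to end with sqlite standing in for Oracle. The rows are constructed, rlm_sql's group processing is simplified to "priority order, stop at the first group without Fall-Through = Yes", and it adds one check the thread does not spell out: a NAS may send the MAC as 00:11:88:65:b6:e5, 00-11-88-65-B6-E5, 0011.8865.b6e5 or bare hex, so the value is normalised before the lookup, because a plain string compare against the stored form would let a listed MAC straight through.

```python
import re
import sqlite3
from typing import Dict, Tuple

# Sample schema modelled on the usergroup / radgroupcheck / radgroupreply tables
# described in the thread; sqlite stands in for Oracle, and every row below is
# constructed for this example.
SCHEMA = """
CREATE TABLE usergroup (
    id        INTEGER PRIMARY KEY,
    username  TEXT,
    clid      TEXT,                 -- Calling-Station-Id, stored normalised
    groupname TEXT NOT NULL,
    priority  INTEGER NOT NULL      -- lower value is processed first
);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# The same three lookups the modified sql.conf queries perform, with sqlite
# placeholders instead of %{SQL-User-Name} / %{Calling-Station-Id} expansion.
GROUP_MEMBERSHIP_QUERY = "SELECT groupname FROM usergroup WHERE username = ? OR clid = ? ORDER BY priority"
GROUP_CHECK_QUERY = "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id"
GROUP_REPLY_QUERY = "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id"


def normalize_mac(calling_station_id: str) -> str:
    """Reduce any common MAC spelling to twelve lowercase hex digits so the
    stored CLID and the NAS value compare equal whatever separator is used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO usergroup (username, clid, groupname, priority) VALUES (?, ?, ?, ?)",
        [("alice", None, "pppoe", 10),
         (None, normalize_mac("00:11:88:65:b6:e5"), "blackholed", 1)])   # constructed MAC
    conn.executemany(
        "INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
        [("blackholed", "Auth-Type", ":=", "Reject"),
         ("blackholed", "Fall-Through", "=", "No")])
    conn.executemany(
        "INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
        [("blackholed", "Reply-Message", "=", "Access denied due to agreement violation"),
         ("pppoe", "Framed-Protocol", "=", "PPP")])
    conn.commit()
    return conn


def authorize(conn: sqlite3.Connection, username: str, calling_station_id: str) -> Tuple[str, Dict[str, str]]:
    """Simplified model of the group walk: groups are visited in priority order,
    each visited group's reply items are collected, a group whose check items
    set Auth-Type := Reject ends the walk with 'reject', and a group without
    Fall-Through = Yes ends it with 'ok' (authentication would follow)."""
    try:
        station = normalize_mac(calling_station_id)
    except ValueError:
        station = calling_station_id          # a non-MAC station id simply matches no CLID row
    reply: Dict[str, str] = {}
    for (group,) in conn.execute(GROUP_MEMBERSHIP_QUERY, (username, station)).fetchall():
        checks = {attr: (op, value) for attr, op, value in conn.execute(GROUP_CHECK_QUERY, (group,))}
        reply.update({attr: value for attr, _op, value in conn.execute(GROUP_REPLY_QUERY, (group,))})
        if checks.get("Auth-Type") == (":=", "Reject"):
            return "reject", reply
        if checks.get("Fall-Through", ("=", "No"))[1].lower() != "yes":
            break
    return "ok", reply


if __name__ == "__main__":
    db = build_sample_db()
    for user, mac in [("alice", "00-11-88-65-B6-E5"), ("alice", "aa:bb:cc:dd:ee:ff")]:
        print(user, mac, "->", authorize(db, user, mac))
```

The blacklisted group is given the lowest priority number so that it is visited before the user's ordinary group; with the numbers the other way round the user's group would be processed first and, lacking Fall-Through = Yes, end the walk before the reject was ever seen.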
new query verification in sql.conf
I use freeradius for authentication of pppoe wifi.

I need to make a new sql query in a table with a list of mac-addresses; if the CallingStationId is equal to some mac-address of the table then it will not be allowed to connect. A system of mac-address blacklist. I tried adding one query in sql.conf but it does not function.

I find that it would have to add a new function in rlm_sql.c, but I am not a skilled C programmer.

Somebody can help me?

Sorry for my english

Thanks

Jean
FreeRadius with mysql and shadow encryption
Hello,

I have installed a freeradius with mysql and dialupadmin, but I need to migrate the users of the system, and the passwords that are in /etc/shadow are encrypted with DES while the crypt of dialupadmin uses MD5. How can I migrate these users? Any idea? Or how do I make the crypt of dialupadmin work with DES?

Thanks
RE: Report Generator
I would like to have a copy too.

Carlos Rosero S.
Programmer / IT
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 23, 2006 4:44 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Report Generator

Yes, Sean. May I have a copy? Thanks a bunch.

Edward

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean
Sent: Wednesday, August 23, 2006 12:58 PM
To: freeradius-users@lists.freeradius.org
Subject: Report Generator

Hi,

I've written a report generator in PHP and HTML that will allow your clients to generate usage reports from the FreeRadius log files. When the user logs in he/she is asked for their IP address and the Month that they want to display.

If anyone wants a copy let me know. If there is enough interest I'll make it available for public download.

Regards,
Sean Bracken
http://swarmhotspots.com
RE: Radius Authentication
Why don't you try to use the users file as your configuration method!

Carlos Rosero S.
Programmer / IT
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thibault Le Meur
Sent: Wednesday, July 19, 2006 3:28 AM
To: 'FreeRadius users mailing list'
Subject: RE : Radius Authentication

> i'm facing a little problem.
> in some times my mysql DB server is down & the radius can't insert
> records into it of-course, so the users can't login as the radius
> doesn't authenticate them unless he can record them.
> Is there any solution to make the radius authenticate the
> users without insert records in the DB.

I suppose your mysql DB server isn't used to authenticate your users, otherwise having your radius server work even if your DB is down would make no sense (unless you have another module able to authenticate users?).

If your DB server is used only for logging purposes (accounting, post-authenticate, ...), you may find interesting information in the doc/configurable_failover file in order to make the DB module failure be non-critical.

Regards,
Thibault
RE: freeradius with mac address authentication
Hi, Germán: please bring me your example, and any other useful information.

Carlos Rosero S.
Programmer / IT
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DESETech - German P. Santillan
Sent: Wednesday, July 12, 2006 8:24 AM
To: 'FreeRadius users mailing list'
Subject: RE: freeradius with mac address authentication

I have an example with the "users" file (plain text). Does it serve you?

Germán P. Santillán
Network Administrator
Head of Technical Department
DESETech Argentina S.A.
San Martín 133 - CP: B8000FIC
Bahía Blanca - Argentina
Tel/Fax: +54 (291) 456-5642
[EMAIL PROTECTED]
http://www.desetech.com.ar

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Rosero
Sent: Tuesday, July 11, 2006 7:33 PM
To: freeradius-users@lists.freeradius.org
Subject: freeradius with mac address authentication

Hi, I am new in this. I am looking for a tutorial that lets me know how to configure freeradius with mac address authentication.

Thanks,

Carlos Rosero S.
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]
freeradius with mac address authentication
Hi, I am new in this. I am looking for a tutorial that lets me know how to configure freeradius with mac address authentication.

Thanks,

Carlos Rosero S.
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]
working huntgroups
Hi,

I need to separate the users by the machines that they have access to. I read about the huntgroups file, but it is not working; it seems that the radius is not checking the huntgroup file to give the access.

I have a freeradius on a Redhat machine, running with the MySQL database for the users and groups information. I have the information on the radcheck, the radgroupcheck, and the radgroupreply tables. All the connections and the authentication work ok; the problem is that the users have access to all of the machines, even the ones that they shouldn't.

This is what I have in my radgroupreply table:

    GroupName  Attribute       op  Value
    test       Cisco-AVPair    =   shell:cmd*
    test       Cisco-AVPair    =   shell:priv-lvl=15
    test       Service-Type    =   Shell-User
    test       Huntgroup-Name  =   name

The huntgroup is like this:

    #name   huntgroup
    name    NAS-IP-Address == 10.0.2.244
    name    NAS-IP-Address == 10.0.2.246
    name    NAS-IP-Address == 10.0.2.248
            Group = test

I suppose that the user with that huntgroup name in their attributes should only be able to connect to those IP addresses... or that's what I expect.. ;)

Thank you.. in advance..

Carlos
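To see where a huntgroup restriction actually takes effect, here is a small model, added as an example and not FreeRADIUS code: it parses a huntgroups file in the layout above, derives Huntgroup-Name for a request from its NAS-IP-Address, and then evaluates a group's check items against that request. Huntgroup-Name is placed among the check items because that is where FreeRADIUS compares it (the preprocess module sets it on the incoming request from the huntgroups file, and check items are matched against the request); a reply item of the same name does not restrict anything. The huntgroup name, the NAS addresses and the Cisco reply items are taken from the post; the check/reply semantics are simplified, and the indented "Group = test" continuation line is not modelled.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed huntgroups file in the same layout as the one in the post.
HUNTGROUPS_FILE = """\
#name   huntgroup
name    NAS-IP-Address == 10.0.2.244
name    NAS-IP-Address == 10.0.2.246
name    NAS-IP-Address == 10.0.2.248
"""

# The "test" group's items from the post, with Huntgroup-Name on the check
# side, where it is compared; the reply items are what the NAS receives.
TEST_GROUP_CHECK: List[Tuple[str, str, str]] = [("Huntgroup-Name", "==", "name")]
TEST_GROUP_REPLY: List[Tuple[str, str]] = [
    ("Cisco-AVPair", "shell:cmd*"),
    ("Cisco-AVPair", "shell:priv-lvl=15"),
    ("Service-Type", "Shell-User"),
]


def parse_huntgroups(text: str) -> List[Tuple[str, str, str]]:
    """Return (huntgroup, attribute, value) for every 'name  Attr == value' line.
    Comments and blank lines are skipped; addresses are validated so a typo in
    the file fails loudly instead of silently matching no NAS at all."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] != "==":
            raise ValueError(f"unsupported huntgroups line: {raw!r}")
        name, attribute, value = parts[0], parts[1], parts[3]
        if attribute == "NAS-IP-Address":
            ipaddress.ip_address(value)          # raises ValueError on a bad address
        entries.append((name, attribute, value))
    return entries


def huntgroups_for(request: Dict[str, str], entries) -> List[str]:
    """Every huntgroup whose condition the request satisfies (a NAS may be in several)."""
    return sorted({name for name, attribute, value in entries if request.get(attribute) == value})


def group_applies(check_items, request: Dict[str, object]) -> bool:
    """All check items must hold.  Huntgroup-Name is a list on the request, so
    '==' means 'is one of the matched huntgroups'."""
    for attribute, op, value in check_items:
        if op != "==":
            raise ValueError(f"operator {op!r} not modelled in this example")
        actual = request.get(attribute)
        if isinstance(actual, list):
            if value not in actual:
                return False
        elif actual != value:
            return False
    return True


def authorize(request: Dict[str, str], entries, group_check, group_reply) -> Tuple[str, List[Tuple[str, str]]]:
    """'ok' with the group's reply items when the request comes from a NAS in
    the required huntgroup, otherwise 'no-match' with nothing; a deployment
    would pair 'no-match' with a DEFAULT entry that rejects."""
    req: Dict[str, object] = dict(request)
    names = huntgroups_for(request, entries)
    if names:
        req["Huntgroup-Name"] = names
    if not group_applies(group_check, req):
        return "no-match", []
    return "ok", list(group_reply)


if __name__ == "__main__":
    entries = parse_huntgroups(HUNTGROUPS_FILE)
    for nas in ("10.0.2.244", "10.0.2.250"):
        print(nas, "->", authorize({"User-Name": "carlos", "NAS-IP-Address": nas},
                                   entries, TEST_GROUP_CHECK, TEST_GROUP_REPLY))
```

A request from 10.0.2.244 picks up Huntgroup-Name "name", satisfies the check and receives the shell attributes; a request from a NAS outside the huntgroup never gets Huntgroup-Name set, so the same check fails and the group's reply items are withheld.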
accessing different devices
Hi,

I just installed FreeRADIUS on a linux box. I got it working ok, but there are a couple of things that I don't know how to do, or if they can be done.

The first one is I need to create special kinds of groups of people that can access some devices but not others; like I have the admin group that has to access all of the 20 devices (switches, routers..) but I also have the operator group that only has to access 2 of them, and on the same radius I need to enable some VPN users that only need to register to the radius for the VPN account that connects to the PX firewall and not to any of the devices...

Can that be done? How can I specify which equipment the users have access to?

Thanks.

Carlos Reyes
RE: Re: Use of Service type attribute
Carlos Peñafiel <[EMAIL PROTECTED]> wrote:
> I am trying to do something like "amount of quality of service" that a user
> has.

What does that mean?

I'm sorry for my English. I want to have a variable (attribute) saying that for each user who has authorization to use the network, I want to offer a QoS going outside (to the internet) for him/her.

> I have control over the radius client because I am using a HostAP, but
> looking at the documentation and on Google, I can't find a way to solve this.
> Can you help me a little bit more?

Edit the source code of the client to look for, and interpret, the new attribute. Re-use an attribute of a similar name, or invent a new one. If the attribute is used only in your local deployment, it doesn't really matter what number you pick. It just has to be a number that goes into a RADIUS packet.

Alan DeKok.

Ok. Thank you for your time.
RE: Re: Create and Send attributes
Carlos Peñafiel wrote:
> Hello!!!
>
> I want to send from my radius server several attributes to the client,
> but I've been looking at the documentation. I can do that if my
> attribute-ID is between 1 and 100 (I guess, maybe it is 256), but also
> the documentation says that a new attribute has to have an ID greater
> than 3000.
>
> So, are not "the attributes between 100 (256) and 3000" sent to the
> client radius? (I guess, they could be used for local management) If it
> is not, how can I create an attribute with id greater than 3000 and send
> it to the radius client?

If you are creating your own attributes, get an IANA enterprise number (either apply for one or re-use one if AND ONLY IF you're certain it will only be used internally) and use a vendor-specific attribute space. See the dictionary.$vendor files for examples.

Alternatively, have a dig in the dictionary files and/or RFCs for an existing attribute that closely matches the purpose.

What are you trying to do? Obviously you'll have to have control over the radius client to make it actually use the new attribute. Most will only use attributes they already know about.

Hello and thank you for answering so soon.

I am trying to do something like "amount of quality of service" that a user has. I have control over the radius client because I am using a HostAP, but looking at the documentation and on Google, I can't find a way to solve this. Can you help me a little bit more?

Thank you in advance.
Create and Send attributes
Hello!!!

I want to send from my radius server several attributes to the client, but I've been looking at the documentation. I can do that if my attribute-ID is between 1 and 100 (I guess, maybe it is 256), but also the documentation says that a new attribute has to have an ID greater than 3000.

So, are not "the attributes between 100 (256) and 3000" sent to the client radius? (I guess, they could be used for local management) If it is not, how can I create an attribute with id greater than 3000 and send it to the radius client?

Thanks in advance.
Re: Re:Send information to the Radius Client
Hello again

why don't you use ldap for that? for the info.

Because I really have to add only one more attribute. My client is a hostAP (working like a router), so the "new attribute" should be "amount of broadband" (I am trying to use QoS), and for only one attribute, I think (maybe I am wrong) that an LDAP is too much for my purpose.

Will the client understand those attributes, and do something with them? If the client doesn't already say "send phone number in attribute X", you'll have to modify its source code to add that feature.

Not yet. I was thinking that at the same time the client receives the confirmation (the authentication), the RADIUS could send my-other-new-attribute ("amount of QoS"), because I guess I only need this attribute.

> I am not sure if I have to create a module (I do not know if it is
> necessary). But I do not know what files I must change. Can you help
> me? can you give an idea?

The server contains documentation on how to configure it, and how to send any attribute with any value to a client. Do you have a more specific question?

Where can I get that information? I have been looking for it on the Internet and I did not find this information. Also, I was looking at the man pages and I was thinking of the attributes in the dictionary, but it said that the radius server never sends them to the client, so I declined that way.

I will take any information or any idea which you all want to contribute.

Thank you again.
Send information to the Radius Client
Hello,

I want to be able to send information (such as a name, address, phone number ...) from the Radius Server to the Radius Client (I want to do that to a Host AP) after the Radius client has been authenticated.

I am not sure if I have to create a module (I do not know if it is necessary). But I do not know what files I must change. Can you help me? Can you give an idea?

I am using freeradius-1.1.1 and the client is Hostap-0.4.8.

Thank you a lot in advance.
Re: Problem with PEAP and LDAP
Thanks Thor, I will see that option or work with an Active Directory.

Best regards,

Carlos Martínez-Troncoso Cera
Internet/Intranet Services Coordinator
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Thor Spruyt wrote:
> Carlos Martínez-Troncoso Cera wrote:
>> Hello. We are trying to use FreeRadius with PEAP and LDAP.
>
> You might consider TTLS with PAP instead of PEAP with MS-CHAP-V2
>
> --
> Groeten, Regards, Salutations,
>
> Thor Spruyt
> M: +32 (0)475 67 22 65
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Problem with PEAP and LDAP
Thanks for your answer Alan. Could an option be to use an MS Active Directory instead of the Iplanet LDAP?

Carlos Martínez-Troncoso Cera
Internet/Intranet Services Coordinator
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Alan DeKok wrote:
> Carlos Martínez-Troncoso Cera <[EMAIL PROTECTED]> wrote:
>> I was looking at how Sun ONE stores the passwords. It uses SSHA (Salted
>> Secure Hashing Algorithm); I think this is the problem, because I suppose
>> it looks for NT-LM hashed passwords. What can I do and where can I find
>> info about it?
>
> If the passwords are stored as SSHA, then you can't use them to do PEAP. It's impossible.
>
> Alan DeKok.
Problem with PEAP and LDAP
Hello.

We are trying to use FreeRadius with PEAP and LDAP. Our access point is a 3Com 8750, which is talking with a FreeRadius 1.0.4; Freeradius talks with LDAP (Sun One Messaging Server 5.1) and our PEAP clients are Windows XP and 2000.

First we configured FreeRadius with LDAP; it works well. Then we tried to use this with EAP; it works when we use local users, but when we try to authenticate and authorize PEAP users in LDAP, it doesn't work. The error is:

    modcall: entering group authenticate for request 5
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/mschapv2
      rlm_eap: processing type mschapv2
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 5
      rlm_mschap: Told to do MS-CHAPv2 for cmartinez with NT-Password
      rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module "mschap" returns reject for request 5
    modcall: group Auth-Type returns reject for request 5

I was looking at how Sun ONE stores the passwords. It uses SSHA (Salted Secure Hashing Algorithm); I think this is the problem, because I suppose it looks for NT-LM hashed passwords. What can I do and where can I find info about it?

Thank you in advance.

Carlos
Re: rlm_sqlcounter + PostgreSQL problem
How are you testing? In the radacct table see if AcctSessionTime has some value; this is the data used for the counter. If this value is 0, the query is 0. You can test with NTRadPing sending some value in AcctSessionTime.

Miguel, you don't have to change the query. I had your same problem with MySQL: AcctSessionTime was 0; when this value was different everything was OK.

Good luck

Carlos Martínez-Troncoso Cera
Internet/Intranet Services Coordinator
Universidad del Norte
Barranquilla, Colombia

Miguel Cabrera wrote:
> Hi list!
>
> I have a problem with the rlm_sqlcounter. It sends the Session-Time-Out correctly, but when it checks the time limit against the data base it always returns 0. I've added some debugging output and recompiled. This is the output:
>
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Entering module authorize code
> Tue Jul 5 14:46:51 2005 : Debug: sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{User-Name}' AND AcctStartTime > abstime(1120539600)'
> Tue Jul 5 14:46:51 2005 : Debug: radius_xlat: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)'
> Tue Jul 5 14:46:51 2005 : Debug: sqlcounter_expand: '%{sqlcca3:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}'
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: querystr: %{%S:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: responsestr: %{sqlcca3:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Valor obtenido de la consulta: 0
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Valor a checkar: 90
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: (Check item - counter) is greater than zero
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Authorized user ceruno, check_item=90, counter=0
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Sent Reply-Item for user ceruno, Type=Session-Timeout, value=90
> Tue Jul 5 14:46:51 2005 : Debug: modsingle[authorize]: returned from dailycounter (rlm_sqlcounter) for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modcall[authorize]: module "dailycounter" returns ok for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modsingle[authorize]: calling monthlycounter (rlm_sqlcounter) for request 9
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Entering module authorize code
> Tue Jul 5 14:46:51 2005 : Debug: rlm_sqlcounter: Could not find Check item value pair
> Tue Jul 5 14:46:51 2005 : Debug: modsingle[authorize]: returned from monthlycounter (rlm_sqlcounter) for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modcall[authorize]: module "monthlycounter" returns noop for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modcall: group authorize returns ok for request 9
> Tue Jul 5 14:46:51 2005 : Debug: rad_check_password: Found Auth-Type System
> Tue Jul 5 14:46:51 2005 : Debug: auth: type "System"
> Tue Jul 5 14:46:51 2005 : Debug: Processing the authenticate section of radiusd.conf
> Tue Jul 5 14:46:51 2005 : Debug: modcall: entering group authenticate for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modcall[authenticate]: module "unix" returns ok for request 9
> Tue Jul 5 14:46:51 2005 : Debug: modcall: group authenticate returns ok for request 9
>
> Looking at the code in rlm_sqlcounter.c in the sqlcounter_authorize function (the lines starting with * are what I've added):
>
>         /* third, wrap query with sql module & expand */
>         sprintf(querystr, "%%{%%S:%s}", responsestr);
>         sqlcounter_expand(responsestr, MAX_QUERY_LEN, querystr, instance);
>
>         /* Finally, xlat resulting SQL query */
>         radius_xlat(querystr, MAX_QUERY_LEN, responsestr, request, NULL);
> *       DEBUG2("rlm_sqlcounter: querystr: %s",querystr);
> *       DEBUG2("rlm_sqlcounter: responsestr: %s",responsestr);
>
>         counter = atoi(querystr);
> *       DEBUG2("rlm_sqlcounter: Valor obtenido de la consulta: %d",counter);
> *       DEBUG2("rlm_sqlcounter: Valor a checkar: %d",check_vp->lvalue);
>
> If you compare the output above you will note that when 'counter = atoi(querystr)' happens the value of querystr is: '%{%S:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='ceruno' AND AcctStartTime > abstime(1120539600)}'. So I think it is maybe a bug.
>
> I also have a question: Where does the SQL query really happen? I couldn't figure it out :(
>
> I'm running on FC3 with PostgreSQL 7.4.8
FreeRadius + Mysql + MAC address authentication + linksys WRT54GS
Hi there,

I'm sorry if this question was already answered, but I searched all day today and didn't come up with anything useful for this situation.

This is what I need. There will be:

* 20 hotspots with a Linksys AP and a modified firmware (OpenWRT) and maybe ChilliSpot.
* Freeradius server
* apache2 webserver
* free-HS (SSID)

The objective is to have some free hotspots in a certain area, and the user, as soon as he chooses the free-HS network, will be redirected to a register page, maybe using a proxy trick or a php redirect. This page will ask simple questions like age, how did he find this, but never username and password.

The authentication will be made by MAC address, but I could only find some examples regarding the AP's MAC address in the users file. My problem is to have this auth made by the mysql database. If he disconnects and connects again, his MAC address will be in the database, radius will find it and authorize, and the internet will be normal: no proxy, no redirect. Maybe a 15m timeout of no activity...

So basically what we need is a way for radius to check for this MAC address in the mysql db.

I have a working freeradius+mysql server and I can do a radtest with a user/password and the shared secret and all was ok:

    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=163, length=20

My problems:

* We don't have any certificate store to sign our certificate,
* We don't want people to install certificates

Another question. What type of protocols should we use? EAP, PEAP, CHAP, MSCHAP, EAP/TLS, WEP? The most simple for the Windows users to access.

Thank you in advance for the help

With best regards

Carlos Sobrinho
Re: sql counter clarification and issues
In the source code see doc/rlm_sqlcounter

Regards,
Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Ross Tsolakidis wrote:
Thanks for responding.
Can you give me an example of how to set the counter to reset in SQL?
This is my config for the counter.

counter daily {
    filename = ${raddbdir}/db.daily
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = daily
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    allowed-servicetype = Framed-User
    cache-size = 5000
}

Thanks again.

Regards,
--
Ross

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, 29 June 2005 12:58 AM
To: FreeRadius users mailing list
Subject: Re: sql counter clarification and issues

"Ross Tsolakidis" <[EMAIL PROTECTED]> wrote:
> Looking at that debug, where exactly is it resetting the counter?

The "counter" module is resetting the counter.

> In the db.daily? Because it's not resetting in SQL.

Yes, the counter module doesn't say it's using SQL.

> Also what is the db.daily? How do you read that file?

You don't. It's used by the counter module to keep its count.

> What I'm trying to achieve here is to get mysql to reset the counters it's doing, and then start a new row if possible. Within the table radacct. AcctInputOctets AcctOutputOctets. Is it possible to do this? Does the counter actually do that?

You want sqlcounter.

Alan DeKok.
Re: Version 1.0.4 Upgrading
I just upgraded on Red Hat Enterprise 3.0 from 1.0.2 to 1.0.4 without problems; my conf files didn't change. I suggest you make a copy of /etc/raddb to avoid problems.

Regards,
Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Abdul Lateef wrote:
Hello,
Currently I have the 1.0.2 version running on my linux box. I made a plan to upgrade it to the latest version 1.0.4. I have a small question about the 1.0.2 configuration files. How should I upgrade them? Will the configuration files also be upgraded, or will they not be affected?
Thank You
Re: rlm_sqlcounter problem
I modified the users file and now it works; the user is now like:

DEFAULT Simultaneous-Use := 1
    Fall-Through = 1

cmartinez Max-Monthly-Session := 108000, Auth-Type := ldap
    Service-Type = Framed-User,
    Framed-Protocol = PPP

--
Thanks a lot to Roberto and Alan for their time and help.

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Carlos Martínez-Troncoso Cera wrote:
Thanks Roberto for your answer, but I did the changes in sqlcounter.conf and with my cisco, sqlcounter doesn't work; with NTRadping it works very well. I looked into the source code in freeradius 1.0.4 but this module is the same as in the 1.0.2 version (I have 1.0.2 working). What can I do? Do you know how I can debug this module?

This is the message with radiusd -X -A (with Cisco):

rlm_ldap: user cmartinez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf

- with NTRadping:

rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000'}'
radius_xlat: Running registered xlat function of module sql for string 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
rlm_sql (sql): - sql_xlat
radius_xlat: 'cmartinez'
rlm_sql (sql): sql_set_user escaped user --> 'cmartinez'
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
radius_xlat: '107853'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10, counter=107853

Thanks for your help!

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Roberto Gonzalez Azevedo wrote:
sqlcounter noresetcounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    ## Look here
    check-item = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
    driver = "rlm_sqlcounter"
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    ## Look here
    check-item = Max-Daily-Session
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    ## Look here
    check-item = Max-Monthly-Session
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime -
Re: rlm_sqlcounter problem
Thanks Roberto for your answer, but I did the changes in sqlcounter.conf and with my cisco, sqlcounter doesn't work; with NTRadping it works very well. I looked into the source code in freeradius 1.0.4 but this module is the same as in the 1.0.2 version (I have 1.0.2 working). What can I do? Do you know how I can debug this module?

This is the message with radiusd -X -A (with Cisco):

rlm_ldap: user cmartinez authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf

- with NTRadping:

rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000'}'
radius_xlat: Running registered xlat function of module sql for string 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
rlm_sql (sql): - sql_xlat
radius_xlat: 'cmartinez'
rlm_sql (sql): sql_set_user escaped user --> 'cmartinez'
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((1117602000 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='cmartinez' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '1117602000''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
radius_xlat: '107853'
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user cmartinez, check_item=10, counter=107853

Thanks for your help!

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Roberto Gonzalez Azevedo wrote:
sqlcounter noresetcounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    ## Look here
    check-item = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
    driver = "rlm_sqlcounter"
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    ## Look here
    check-item = Max-Daily-Session
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
    ## Look here
    driver = "rlm_sqlcounter"
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    ## Look here
    check-item = Max-Monthly-Session
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

thanks ...

- Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:
ok Roberto:

sqlcounter noresetcounter {
    counter-name = Max-All-Sess
Re: rlm_sqlcounter problem
ok Roberto:

sqlcounter noresetcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
    driver = "rlm_sqlcounter"
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Roberto Gonzalez Azevedo wrote:
Show us your sqlcounter.conf ...
You should define 'check-item' in sqlcounter.conf ...

- Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:
Hello.
I have freeradius-1.0.2 with authorization and authentication in LDAP and accounting in MySQL.
I configured it to use rlm_sqlcounter to control connection time; testing with NTRadping works well, but testing with my Cisco NAS it doesn't work.

With my cisco NAS this is the message:

rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "noresetcounter" returns noop for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop for request 3

With NTRadPing the message is:

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user cmartinez, check_item=108000, counter=106750
rlm_sqlcounter: Sent Reply-Item for user cmartinez, Type=Session-Timeout, value=1250
modcall[authorize]: module "monthlycounter" returns ok for request 8

My relevant conf files:

-------- clients.conf

#PC with NTRadping
client 172.16.31.43/32 {
    secret = x
    shortname = Carlos
    type = other
}

#Cisco NAS
client 200.106.138.14/32 {
    secret = xx
    shortname = cisco
    type = cisco
}

-------- radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/local/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    $INCLUDE ${confdir}/sql.conf
    $INCLUDE ${confdir}/sqlcounter.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "200.xx.xx.xx"
        port = "390"
        identity = "cn=Directory Manager"
        password = xx
        basedn = "o=yy,o=yy"
        password_attribute = "userPassword"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timeli
Re: rlm_sqlcounter problem
Ok Roberto, here is my sqlcounter.conf

sqlcounter noresetcounter {
    counter-name = Max-All-Session-Time
    check-name = Max-All-Session
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
    driver = "rlm_sqlcounter"
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    sqlmod-inst = sql
    key = User-Name
    reset = daily
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
    counter-name = Monthly-Session-Time
    check-name = Max-Monthly-Session
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

Roberto Gonzalez Azevedo wrote:
Show us your sqlcounter.conf ...
You should define 'check-item' in sqlcounter.conf ...

- Roberto Gonzalez Azevedo

Carlos Martínez-Troncoso Cera wrote:
Hello.
I have freeradius-1.0.2 with authorization and authentication in LDAP and accounting in MySQL.
I configured it to use rlm_sqlcounter to control connection time; testing with NTRadping works well, but testing with my Cisco NAS it doesn't work.

With my cisco NAS this is the message:

rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "noresetcounter" returns noop for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop for request 3

With NTRadPing the message is:

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user cmartinez, check_item=108000, counter=106750
rlm_sqlcounter: Sent Reply-Item for user cmartinez, Type=Session-Timeout, value=1250
modcall[authorize]: module "monthlycounter" returns ok for request 8

My relevant conf files:

clients.conf

#PC with NTRadping
client 172.16.31.43/32 {
    secret = x
    shortname = Carlos
    type = other
}

#Cisco NAS
client 200.106.138.14/32 {
    secret = xx
    shortname = cisco
    type = cisco
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/local/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    $INCLUDE ${confdir}/sql.conf
    $INCLUDE ${confdir}
rlm_sqlcounter problem
Hello.
I have freeradius-1.0.2 with authorization and authentication in LDAP and accounting in MySQL.
I configured it to use rlm_sqlcounter to control connection time; testing with NTRadping works well, but testing with my Cisco NAS it doesn't work.

With my cisco NAS this is the message:

rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "noresetcounter" returns noop for request 3
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "monthlycounter" returns noop for request 3

With NTRadPing the message is:

rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user cmartinez, check_item=108000, counter=106750
rlm_sqlcounter: Sent Reply-Item for user cmartinez, Type=Session-Timeout, value=1250
modcall[authorize]: module "monthlycounter" returns ok for request 8

My relevant conf files:

clients.conf

#PC with NTRadping
client 172.16.31.43/32 {
    secret = x
    shortname = Carlos
    type = other
}

#Cisco NAS
client 200.106.138.14/32 {
    secret = xx
    shortname = cisco
    type = cisco
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/local/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 1812
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    $INCLUDE ${confdir}/sql.conf
    $INCLUDE ${confdir}/sqlcounter.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "200.xx.xx.xx"
        port = "390"
        identity = "cn=Directory Manager"
        password = xx
        basedn = "o=yy,o=yy"
        password_attribute = "userPassword"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    checkval {
        item-name = Max-Monthly-Session
        check-name = Max-Monthly-Session
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
    }
    detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
    detailperm = 0600
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
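As an added example (not code from this thread or from FreeRADIUS itself), the following Python simulates what the sqlcounter instances posted above do in the authorize step: the %k/%b expansion, the posted queries run against constructed radacct rows in SQLite, and the three outcomes the logs show (noop when the user has no check item, Session-Timeout when time remains, reject when the counter exceeds the check item). Function names, the sample rows and the UTC clock are assumptions; the real module uses rlm_sql's escaping and the server's local time.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample radacct rows: (UserName, AcctStartTime, AcctSessionTime).
# AcctStartTime uses MySQL's 'YYYY-MM-DD HH:MM:SS' text form, read as UTC here.
RADACCT = [
    ("cmartinez", "2005-05-31 22:00:00", 10800),    # straddles the monthly reset
    ("cmartinez", "2005-06-02 08:00:00", 100000),
    ("cmartinez", "2005-06-10 09:00:00", 3600),
    ("someoneelse", "2005-06-03 10:00:00", 500),
]

# Assumed "now" for the simulation (mid-June 2005, UTC).
SAMPLE_NOW = datetime(2005, 6, 15, 12, 0, 0, tzinfo=timezone.utc)

# The sqlcounter instances from the thread's sqlcounter.conf (query text verbatim).
SQLCOUNTERS = {
    "noresetcounter": {
        "check-name": "Max-All-Session", "key": "User-Name", "reset": "never",
        "query": "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'",
    },
    "monthlycounter": {
        "check-name": "Max-Monthly-Session", "key": "User-Name", "reset": "monthly",
        "query": "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) "
                 "FROM radacct WHERE UserName='%{%k}' "
                 "AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'",
    },
}


def unix_timestamp(text):
    """Stand-in for MySQL UNIX_TIMESTAMP() on the AcctStartTime column."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def open_radacct():
    """In-memory SQLite radacct with the two MySQL functions the queries use."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("UNIX_TIMESTAMP", 1, unix_timestamp)
    conn.create_function("GREATEST", 2, max)
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime TEXT, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", RADACCT)
    return conn


def last_reset(now, reset):
    """%b: epoch seconds at which the current counting period started."""
    if reset == "never":
        return 0
    if reset == "daily":
        return int(now.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())
    if reset == "monthly":
        return int(now.replace(day=1, hour=0, minute=0, second=0, microsecond=0).timestamp())
    raise ValueError("unsupported reset: " + reset)


def expand_query(cfg, request, now):
    """sqlcounter_expand (%k, %b) folded together with the %{User-Name} xlat.

    Quote doubling stands in for rlm_sql's escape function. The quotes around
    '%b' are dropped because SQLite would otherwise compare a number with text;
    MySQL coerces the quoted literal and gives the same result."""
    key = request[cfg["key"]].replace("'", "''")
    b = str(last_reset(now, cfg["reset"]))
    return cfg["query"].replace("%{%k}", key).replace("'%b'", "%b").replace("%b", b)


def sqlcounter_authorize(name, request, check_items, conn, now):
    """Mimic the module's authorize step: returns (rcode, reply items, log line).

    check_items are the check attributes already collected for this user, e.g.
    from the users file entry shown at the top of the thread. Without the
    configured check-name among them the module returns noop, which is the
    'Could not find Check item value pair' line seen for the Cisco NAS."""
    cfg = SQLCOUNTERS[name]
    user = request["User-Name"]
    if cfg["check-name"] not in check_items:
        return "noop", {}, "Could not find Check item value pair"
    check_item = check_items[cfg["check-name"]]
    row = conn.execute(expand_query(cfg, request, now)).fetchone()
    counter = int(row[0] or 0)      # SUM() over no rows is NULL; atoi("") is 0
    remaining = check_item - counter
    if remaining > 0:
        log = "Authorized user %s, check_item=%d, counter=%d" % (user, check_item, counter)
        return "ok", {"Session-Timeout": remaining}, log
    log = "Rejected user %s, check_item=%d, counter=%d" % (user, check_item, counter)
    return "reject", {}, log


if __name__ == "__main__":
    conn = open_radacct()
    request = {"User-Name": "cmartinez"}
    for name, items in (("monthlycounter", {"Max-Monthly-Session": 108000}),
                        ("monthlycounter", {}),
                        ("noresetcounter", {"Max-All-Session": 100000})):
        rc, reply, log = sqlcounter_authorize(name, request, items, conn, SAMPLE_NOW)
        print(name, rc, reply, log)
```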
Re: Freeradius make install error
I had the same error installing freeradius 1.0.3 on Linux and Solaris. I saw that this version has bugs for install, and tried with the 1.0.2 version and now everything is working. See the fixes for 1.0.3 and if none is for you, you can try with 1.0.2.

Regards,
Carlos Martínez-Troncoso Cera
Coordinador de Servicios Internet/Intranet
Universidad del Norte
Barranquilla, Colombia
Tel: 57 5 3509367

synackrst wrote:
Hello,
Any solution for this:

#make install
...
/usr/local/src/freeradius-1.0.3/install-sh -c -m 755 -s .libs/radiusd /usr/local/sbin/radiusd
/usr/local/src/freeradius-1.0.3/install-sh -c -m 755 -s radwho /usr/local/bin
strip: /usr/local/bin/#inst.420#: File format not recognized
make[4]: *** [install] Error 1
make[4]: Leaving directory `/usr/local/src/freeradius-1.0.3/src/main'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/usr/local/src/freeradius-1.0.3/src'
make[2]: *** [install] Error 2
make[2]: Leaving directory `/usr/local/src/freeradius-1.0.3/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/usr/local/src/freeradius-1.0.3'
make: *** [install] Error 2
#
Questions about working with LDAP
Hello people.

I am a newbie trying to activate freeradius 1.0.2 with users in Sun One Directory Server 5.1 (authentication and authorization) and accounting in MySQL. Well, I read the docs and my freeradius is talking with LDAP and MySQL and AAA is operating. This works well now.

I have 2 questions (there is a lot of old info and I am confused):

1- How can I control simultaneous logon using LDAP attributes?
2- How can I restrict the time limit in a month (I have my users in LDAP, not in MySQL; rlm_sqlcounter doesn't work for me)?

Thanks a lot for your time.
Regards.
Carlos.
TLS authentication
Good morning!

The purpose of this mail is to ask for information about the radius server, to see if you can help me. Let me explain: I have a radius server set up on SuSE 9.2, which is running fine, or so it seems; when I have it validate users by MAC address through a Cisco AP1100 it does this wonderfully. The other issue is that I have an LDAP server holding the database of the whole company; when I run tests with NTRadping the server answers perfectly. But when I try to do it through the AP1100 it does not work as it should. I have it configured to work with EAP/PEAP and it asks me for a certificate, which I have already configured, but it gives me a very strange error that I don't understand. I'll paste the error to see who can help me:

Wed May 25 13:26:38 2005 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
Wed May 25 13:26:38 2005 : Error: TLS Alert read:fatal:unknown CA
Wed May 25 13:26:38 2005 : Error: TLS_accept:failed in SSLv3 read client certificate A
16174:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
16174:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
Wed May 25 13:26:38 2005 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed May 25 13:26:38 2005 : Debug: In SSL Handshake Phase
Wed May 25 13:26:38 2005 : Debug: In SSL Accept mode

It would really be great if you can help me!

--
Juan Carlos Arevalo
[EMAIL PROTECTED]
Invalid Signature
Dear users,

I am having some troubles with FreeRadius 1.0.2 here. I have a Total Control HiperARC as my NAS, working today with a server running Cistron for authentication and accounting. Today I tried to run FreeRadius with SQL support. The authentication works fine, but the accounting is having trouble. I receive the following error during debug:

Receive Accounting-Request packet from xxx.xxx.xxx.xxx with invalid signature! (Shared secret is incorrect.)

After some time testing, I set up my Cistron again and took my old US Robotics NETServer V34 to do some tests. The NETServer had the same problem. The user authenticates but accounting is off with the same message.

What can be wrong? I was googling all night and I have found some people with the same problem, but without a solution.

Can somebody help me?

Thanks
--
Carlos Eduardo Terra
Re: EAP-TTLS with tunneled PAP Users files
Hi,

I need help to configure freeradius + asterisk (PBX). Is there anybody on this list who can help me?

Thank you
Carlos.-
does anybody use freeradius with asterisk (pbx)?
Hello,

I am trying to set up asterisk with freeradius, but I am totally lost. At the time I write this mail, I have started to read the freeradius doc. If anybody can help me, I will be very thankful.

Carlos.-
Re: Problem with Auth-Type
Excuse me, just a mistake this morning in writing the files. I've read the documentation and the files themselves a lot. There are descriptions for the files users, clients.conf and proxy.conf:

/raddb/users

demolocal Auth-Type := Local, Password == "demolocal"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobsen-TCP-IP,
    Framed-MTU = 1500

carlos Auth-Type := Local, Password == "radius"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobsen-TCP-IP,
    Framed-MTU = 1500

/raddb/clients.conf

client 127.0.0.1 {
    secret = demolocal
    shortname = localhost
    nastype = other
}

client 192.168.1.0/24 {
    secret = demolan
    shortname = Radius1
}

/raddb/proxy.conf

realm LOCAL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    secret = demolocal
}

realm NULL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    secret = demolan
}

realm DEFAULT {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    secret = demolan
}

From this, please can you tell me where it is wrong and what gives me the answer "no Auth-Type for the request, (carlos/radius) incorrect": user rejected, but authorization was OK, just not the authentication.
Re: Problem with Auth-Type
Hi,

I've got the same problem but no solution. I've added the Auth-Type := Local in the users file but get the same answer:

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

and even (username/password) not valid (but I've declared them in the clients.conf). How to do?

>From: Kostas Zorbadelos <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Problem with Auth-Type
>Date: Mon, 15 Nov 2004 10:49:09 +0200
>
>On Wed, Nov 10, 2004 at 11:23:52AM -0300, German P. Santillan - DESETech wrote:
>
>You won't find that in radiusd.conf. You need to add
>    Auth-Type := Local
>to the users file. Man users to see anything else.
>
> > My system requires the Local Auth-Type method, but this method has not been defined in my radiusd.conf, and when I run radiusd with the -X param, this appears
> >
> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> >
> > Thanks
> >
> > Germán P. Santillán
> > Administrador de Redes
> > DESETech Argentina
> > http://www.desetech.com.ar
>
>--
> Kostas Zorbadelos
> Systems Developer, Otenet SA
> mailto: [EMAIL PROTECTED]
>
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter
> than a thousand suns.
access-reject
Hi,

I am using freeradius-1.0.1 with redhat8, but I always get access-reject (I'm using NTRadping on Windows XP for the test). The user-name, password and secret I use for the test are those I've declared in the users and clients.conf files. The radius server always says "group authorize returns ok" for the request, but then says:

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user.
Login incorrect

Please, how to solve that problem?

Carlos
RE: Cisco VoIP
Greg,

I have been searching for the same information and have not found much… If I could get pointed in the right direction or get it working, I don't have a problem with documenting…

Good Luck,
JC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory D. Burns
Sent: Wednesday, August 18, 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: Cisco VoIP

Group,

I have used freeradius to collect CDRs from Cisco before. But I want to learn how much can really be done, and also wanted to allow my customers to do some config changes (like adding new gateways) from a web interface. At this point I'm doing a lot of reading and testing, but I notice a lot of what I'm reading does not apply to using it for Cisco VoIP CDRs.

So my question is, does anyone know of a good web page, news group, IRC, or whatever, that talks about using freeradius on VoIP gateways?

-Greg
Re: Can I config freeradius to separate IP address?
Hello Chanin! One alternative is VLAN, but this requires a VLAN-capable AP, like the Cisco 1100... Another is to capture the MAC address in the login phase and recompute the firewall rules... but I am not sure if you have the MAC address of the user in freeradius in the login phase... (I'm thinking... launch some script via rlm_exec.) Talking to the dhcp server is a loss of time, because it doesn't support scripted assignment of configurations... CArlos.-

Chanin Luangingkasut wrote:
> Hello All, Now I am using eap_tls to authenticate users, and I want to separate subnets for staff in the building and visitors. If a client's authentication succeeds it gets an IP in subnet 192.168.1.xxx, but clients that don't have a client CA cannot authenticate on the radius server and are forwarded to dhcp server2 to get an IP in subnet 192.168.2.xxx. I don't know about this feature!! Can I do this? Please let me know. The picture at this URL shows it: http://www.buraphalinux.org/~chanin/activities/Wireless/Plan1.jpg Thank you.
Missing module freeradius-rlm_perl
I need the module freeradius-rlm_perl. Any ideas where to get it? I have a RH ES 3 machine.
How to configure freeRadius for LDAP authentication
Hello everyone, I'd like to set up freeRadius to talk to an LDAP server to authenticate VPN users. Can someone point me to a how-to LDAP configuration doc? I am not familiar with Radius, so I need an easy-to-follow doc.
Re: Cisco-AVPair attribute
ngl wrote:
> Hello. I have freeradius-0.9.3 with PostgreSQL. How can I process multiple Cisco-AVPair attributes? regards, Nik

Try +=

CArlos.-
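The users-file shape that the two Auth-Type threads above and this Cisco-AVPair thread point at, as an added example: it is constructed for illustration and is not taken from any poster's configuration. The user name, password and ACL strings are sample values. It shows Auth-Type := Local placed among the check items (the answer Kostas gives) and += used to stack several Cisco-AVPair reply items (the answer Carlos gives); with the SQL module the same reply items become one radreply row per value with the op column set to +=.

```text
# Added example users-file entries, not from the thread. Names, password and
# ACL strings are constructed. Syntax is FreeRADIUS 1.x: check items on the
# first line (operators := and ==), reply items on the indented lines.
#
# Auth-Type := Local forces the Local authentication method and compares the
# request against the plain-text User-Password held in this file.
#
# Two reply values for the same attribute: += appends a second instance of
# Cisco-AVPair instead of replacing the first, so both AV pairs reach the NAS.
carlos   Auth-Type := Local, User-Password == "s3cret"
         Service-Type = Framed-User,
         Cisco-AVPair += "ip:inacl#1=permit ip any 10.0.0.0 0.255.255.255",
         Cisco-AVPair += "ip:inacl#2=deny ip any any"
```

Run radiusd with -X after editing the file: the debug output lists each reply item as it is added, which is the quickest way to confirm that both Cisco-AVPair values are in the Access-Accept rather than only the last one.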
freeRadius on Red Hat ES 3
I am getting an error when I try to install freeRadius on a Red Hat ES 3 machine. This is the error:

error: Failed dependencies: ld.so.1 is needed by freeradius-0.9.3-2

Any ideas if freeRadius is supported on this version of RH? If so, where can I get this module?
MAC address log in 802.1x
Hi! I'm implementing 802.1x EAP-TLS and EAP-PEAP with postgresql. All works fine, but I need to generate three groups of users: red, yellow and green... The green group is for guests (who don't have any certificate) who only have permission to browse the web on intranet servers; the yellow group can browse the internet and intranet, but with a bandwidth limit and time restriction; and the red group members have full internet and intranet access. I'm searching for alternatives for this kind of implementation, and VLAN is the most accurate for this, but it is not supported by my AP :( (cheap AP, Dlink 2000AP+). One alternative is to capture the MAC address when the user is logged in and then recompute the firewall rules for the kind of user group. Yea... ok, this has a lot of weaknesses, but it is the best effort with this model of AP. Any ideas? Throwing the actual APs in the garbage is not an alternative... :D CArlos.-
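A sketch of the rlm_exec approach Carlos describes in this thread and in the reply to Chanin above (capture the MAC at login, recompute firewall rules per group), as an added example that is not code from the thread. It relies on one documented rlm_exec behaviour: request attributes are handed to the script as environment variables with the name uppercased and dashes replaced by underscores, so Calling-Station-Id arrives as CALLING_STATION_ID and User-Name as USER_NAME (an 802.1X NAS normally carries the supplicant MAC in Calling-Station-Id, which answers the doubt raised in the earlier reply). Everything else is an assumption chosen for the example: that the user's colour group has been placed in a Filter-Id reply attribute by the users file or SQL reply items, and that iptables chains named GUEST_WEB, LIMITED and FULL already exist. The script prints the iptables command instead of running it, so a wrapper can log or review the rule before piping it into sh.

```sh
#!/bin/sh
# Added example (not from the thread): post-auth helper meant to be run by
# rlm_exec. rlm_exec exports request attributes as environment variables
# (name uppercased, '-' replaced by '_'), so Calling-Station-Id is read from
# CALLING_STATION_ID and User-Name from USER_NAME.
# ASSUMPTION: the user's group (red/yellow/green) was put in Filter-Id by the
# users file or SQL reply items, and the iptables chains below already exist.

# Normalize the MAC formats different NAS models send (00-1a-2b-3c-4d-5e,
# 001a.2b3c.4d5e, 00:1A:2B:3C:4D:5E) to 00:1a:2b:3c:4d:5e. Returns 1 and
# prints nothing when the value is not exactly 12 hex digits.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[:.-]//g')
    case "$hex" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Chain for each group; an unknown or missing group is dropped, not allowed.
chain_for() {
    case "$1" in
        green)  echo GUEST_WEB ;;
        yellow) echo LIMITED ;;
        red)    echo FULL ;;
        *)      echo DROP ;;
    esac
}

# Print the iptables command that steers traffic from this MAC to its chain.
# Printing rather than executing keeps the helper testable and lets a wrapper
# log the rule first; a MAC-source match is the spoofable "best effort" the
# thread acknowledges, so the log is what you will audit later.
rule_for() {  # $1 = group name, $2 = normalized MAC
    printf 'iptables -A FORWARD -m mac --mac-source %s -j %s\n' \
        "$2" "$(chain_for "$1")"
}

# Entry point when invoked by rlm_exec: fail loudly if no usable MAC arrived.
main() {
    mac=$(normalize_mac "${CALLING_STATION_ID:-}") || {
        echo "rlm_exec_mac: no usable Calling-Station-Id for ${USER_NAME:-?}" >&2
        return 1
    }
    rule_for "${FILTER_ID:-unknown}" "$mac"
}

# Only act when rlm_exec has supplied a request; sourcing the file is harmless.
if [ -n "${CALLING_STATION_ID:-}" ]; then
    main
fi
```

A non-zero exit from the script, combined with rlm_exec's wait option, is how the reject propagates back to the NAS if no MAC was learned; whether you want a missing Calling-Station-Id to reject or merely to land the user in the DROP chain is a policy choice for the wrapper.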