Re: MySQL - One RADIUS database per realm

2011-07-25 Thread Dave Thompson
I think that multiple SQL instances are exactly what I'm looking for! Thank
you for the information!

On Mon, Jul 25, 2011 at 2:54 PM, Danny Stemmet  wrote:

> Hi Dave,
>
> I have not tested this, but I will try it as soon as I have a chance..
>
> Create a sql.conf file per client.
>
> Be sure to create an "instance" of type sql per client/realm.
> eg.
> client1_sql sql {
> .
> lots of configuration parameter (configurable per client, including
> server/database/tables/queries)
> .
> }
>
> In the main server configuration you can then proxy to a client's virtual
> server.
>
>
> Best Regards,
> Danny Stemmet
>
> MSB micro systems
>
>
> On 25 Jul 2011, at 17:37, Dave Thompson  wrote:
>
> > At my place of employment we have a web frontend to our radius server.
> > This frontend will be used by several different clients. We want to store
> > each client's usernames/passwords and MAC addresses in their own database.
> > The database name will be the client's realm name.
> > The reason we want this database separation is to hide users and MAC
> > addresses that don't belong to a client from the web frontend. For obvious
> > reasons, the client should only be able to see and modify the authentication
> > details that belong to them.
> > I haven't been able to find much documentation on the subject, leading me
> > to believe that either A) This is not a smart idea and not recommended or B)
> > Stuff like this isn't done often and therefore there isn't much
> > documentation.
> > So, my question is this: Is there a better way for me to achieve the
> > desired results of client separation (modify the frontend and use one
> > database probably)? Or, if this is possible, any instructions would be
> > greatly appreciated.
> > Thank you.
> >
> > --
> > - Dave
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>



-- 
- Dave

MySQL - One RADIUS database per realm

2011-07-25 Thread Dave Thompson
At my place of employment we have a web frontend to our radius server. This
frontend will be used by several different clients. We want to store each
client's usernames/passwords and MAC addresses in their own database. The
database name will be the client's realm name.
The reason we want this database separation is to hide users and MAC
addresses that don't belong to a client from the web frontend. For obvious
reasons, the client should only be able to see and modify the authentication
details that belong to them.
I haven't been able to find much documentation on the subject, leading me to
believe that either A) This is not a smart idea and not recommended or B)
Stuff like this isn't done often and therefore there isn't much
documentation.
So, my question is this: Is there a better way for me to achieve the desired
results of client separation (modify the frontend and use one
database probably)? Or, if this is possible, any instructions would be
appreciated.
Thank you.

-- 
- Dave

query about users file and Radius restarting

2009-12-04 Thread Yagnesh Dave
Hi All,

I want to know whether we need to restart the radius server once we add a new
user in the users file, or whether it is automatically taken into effect, because at
the moment I restart freeRadius every time I add a new user.

Regards,
Dave.

debug logfile

2009-12-04 Thread Yagnesh Dave
Hello,

I wanted to know whether there is any way by which we can direct the debug logs of
the radius server to a file created with a date extension on a daily
basis, similar to detail-%Y%m%d.

Regards,
Dave.

not able to get authenticated by free Radius

2009-12-03 Thread Yagnesh Dave
##

rad_recv: Access-Request packet from host 192.168.243.250 port 1645, id=139, 
length=164
Framed-Protocol = PPP
User-Name = "t...@cisco1.com"
CHAP-Challenge = 0xe9c73ba6d4a4d55f4ecb135615450c55dcb53dc4a438afe357bb024f5e
CHAP-Password = 0x012699c4cf08980486a7c5a2f124022fb7
NAS-Port-Type = Virtual
NAS-Port = 502
NAS-Port-Id = "Uniq-Sess-ID502"
Calling-Station-Id = "404000834680158"
Connect-Info = "64000/57600"
Service-Type = Framed-User
NAS-IP-Address = 192.168.243.250
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "cisco1.com" for User-Name = "t...@cisco1.com"
[suffix] Found realm "cisco1.com"
[suffix] Adding Realm = "cisco1.com"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "t...@cisco1.com" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> t...@cisco1.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 37 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 37
Sending Access-Reject of id 139 to 192.168.243.250 port 1645

###

Please let me know where I have made a misconfiguration.

Thanks and Regards,
Dave.

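Why the CHAP step in the debug output above fails without Cleartext-Password, as an added worked example that is not part of this thread or of FreeRADIUS itself: a CHAP response is MD5 over the identifier, the password and the challenge, so the server has to recompute it from the stored password, and a one-way hash of the password cannot do that. The challenge and CHAP-Password bytes are the ones from the debug output above; the password used for the round trip is a constructed value.

```python
import hashlib
import hmac
import re

# CHAP-Challenge value copied from the debug output in this thread (29 bytes).
CHALLENGE_HEX = "e9c73ba6d4a4d55f4ecb135615450c55dcb53dc4a438afe357bb024f5e"
CHALLENGE = bytes.fromhex(CHALLENGE_HEX)

# Constructed excerpt in radiusd -X format, reproducing the line-wrapped
# attribute dump from the thread; the CHAP-Password value is the one shown there.
DEBUG_EXCERPT = """\
User-Name = "t...@cisco1.com"
CHAP-Challenge = 
0xe9c73ba6d4a4d55f4ecb135615450c55dcb53dc4a438afe357bb024f5e
CHAP-Password = 0x012699c4cf08980486a7c5a2f124022fb7
NAS-Port-Type = Virtual
"""


def chap_response(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: response = MD5(ident || secret || challenge).

    The secret goes into the hash unmodified, which is why the server needs the
    cleartext (or a reversibly stored) password: a one-way hash such as
    Crypt-Password or SSHA-Password cannot reproduce this value.
    """
    return hashlib.md5(bytes([ident]) + cleartext_password.encode() + challenge).digest()


def encode_chap_password(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: 1-byte CHAP ident + 16-byte response."""
    return bytes([ident]) + chap_response(ident, cleartext_password, challenge)


def chap_verify(chap_password: bytes, challenge: bytes, cleartext_password: str) -> bool:
    """Server-side check equivalent to what rlm_chap does once it has Cleartext-Password.

    If the Access-Request carries no CHAP-Challenge attribute, the packet's
    Request Authenticator is used as the challenge instead (RFC 2865 section 5.3).
    """
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def parse_debug_attrs(debug_text: str) -> dict:
    """Extract CHAP-Challenge/CHAP-Password from a radiusd -X dump as bytes.

    The value may be wrapped onto the following line (as in the thread), so the
    pattern lets whitespace, including newlines, sit between '=' and '0x'.
    """
    pattern = re.compile(r"(CHAP-Challenge|CHAP-Password)\s*=\s*0x([0-9a-fA-F]+)")
    return {name: bytes.fromhex(value) for name, value in pattern.findall(debug_text)}


def verify_dump_with_stored_password(debug_text: str, cleartext_password: str) -> bool:
    """What the server computes for the dumped packet when Cleartext-Password is known."""
    attrs = parse_debug_attrs(debug_text)
    return chap_verify(attrs["CHAP-Password"], attrs["CHAP-Challenge"], cleartext_password)


if __name__ == "__main__":
    # Constructed password; the real one behind the thread's packet is unknown.
    attr = encode_chap_password(1, "constructed-password", CHALLENGE)
    print("round trip verifies:", chap_verify(attr, CHALLENGE, "constructed-password"))
    print("thread's packet against the constructed password:",
          verify_dump_with_stored_password(DEBUG_EXCERPT, "constructed-password"))
```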

error := Invalid version in module 'rlm_exec'

2009-12-03 Thread Yagnesh Dave

Hi Everybody,

I am getting this error while trying to run freeradius, please help me get
this resolved.

The error is,

radiusd:  Instantiating modules 
 instantiate {
/usr/local/etc/raddb/modules/exec[24]: Invalid version in module 'rlm_exec'
Errors initializing modules

Thanks in advance.

Regards,
Dave.

Failed to link to module 'rlm_exec'

2009-12-02 Thread Yagnesh Dave
Hi All,

I am getting this error while starting the radius server (FreeRADIUS 1.1.7). Please
help me to resolve the problem.

The error is 

/usr/local/etc/raddb/modules/exec[24]: Failed to link to module 'rlm_exec': 
ld.so.1: radiusd: fatal: /usr/local/lib/rlm_exec.a: unknown file type 

Thanks and Regards,
Yagnesh Dave.

Could not link driver rlm_sql_mysql:

2009-12-01 Thread Yagnesh Dave
Hi All,

While trying to run FreeRadius I got this error. Please let me know what
should be done to overcome this. While checking the FreeRadius emails, I
found the same problem has been encountered by others too, but didn't get to
see the solution, thus I am posting it.

ERROR:

Could not link driver rlm_sql_mysql: ld.so.1: radiusd: fatal: rlm_sql_mysql.so: 
open failed: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your 
system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[161]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize 
section. 
Errors initializing modules
r...@cn# 


Thanks and Regards,
Yagnesh Dave.

Re: Re: Error= Expecting section start brace '{' after "FreeRADIUS Version"

2009-11-30 Thread Yagnesh Dave
Hi,

Thanks for the quick answer. I removed nohup.out and it's not throwing that
error. But now it is throwing this error. It would be great if you can point
out the solution.

###
bash-3.00# tail  nohup.out
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress,   
 callingstationid, framedprotocol   
 FROM radacctWHERE username = 
'%{SQL-User-Name}'AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth   
(username, pass, reply, authdate)   VALUES (
   '%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S')"
safe-characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
Could not link driver rlm_sql_mysql: ld.so.1: radiusd: fatal: rlm_sql_mysql.so: 
open failed: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your 
system's ld.
/usr/local/etc/raddb/sql.conf[22]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[161]: Failed to find module "sql".
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize 
section. 
Errors initializing modules
bash-3.00# 


Thanks and Regards,
Yagnesh Dave.

On Mon, 30 Nov 2009 15:20:18 +0530  wrote
> Hi,
> > Hi Everyone,
> >
> > I was trying to set up mysql for logging the accounting logs for the users. I
> > followed the instructions on http://www.frontios.com/freeradius.html and also
> > on http://wiki.freeradius.org/SQL_HOWTO. Then I tried to run the FreeRadius
> > server. It did not start and was giving this error as given below,
> > ###
> > including configuration file /usr/local/etc/raddb/sites-enabled/default
> > including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> > including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
> > including configuration file /usr/local/etc/raddb/sites-enabled/nohup.out
> > /usr/local/etc/raddb/sites-enabled/nohup.out[1]: Expecting section start
> > brace '{' after "FreeRADIUS Version"
> > Errors reading /usr/local/etc/raddb/radiusd.conf
> > bash-3.00#
>
> as Josip has said - you have a file called 'nohup.out' in your sites-enabled
> directory. this is a special directory that can only contain FreeRADIUS
> virtual server files (because it basically loads in sites-enabled/* as
> servers...
> this file is messing it up. remove it.
>
> alan

Error= Expecting section start brace '{' after "FreeRADIUS Version"

2009-11-30 Thread Yagnesh Dave
Hi Everyone,

I was trying to set up mysql for logging the accounting logs for the users. I
followed the instructions on http://www.frontios.com/freeradius.html and also on
http://wiki.freeradius.org/SQL_HOWTO. Then I tried to run the FreeRadius server.
It did not start and was giving this error as given below,
###
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/nohup.out
/usr/local/etc/raddb/sites-enabled/nohup.out[1]: Expecting section start brace 
'{' after "FreeRADIUS Version"
Errors reading /usr/local/etc/raddb/radiusd.conf
bash-3.00# 


Please help me to overcome this.

Thanks and Regards,
Yagnesh Dave.

solution---Re: Re: help--- IPsec VPN on radius

2009-11-18 Thread Yagnesh Dave
Hi All,

Found the solution from one of the previous posts. 

 http://lists.cistron.nl/pipermail/freeradius-users/2005-July/msg00273.html

I just did the same, added the below line in the dictionary file at
/usr/local/share/freeradius/dictionary

VALUE   Service-Type    outbound    5


Please let me know if this is correct to do.

Regards,
Dave.

On Wed, 18 Nov 2009 16:47:05 +0530  wrote
> Hi,
>
> Found the problem, it is with the service type attribute.
>
> I am getting this error on the freeradius
>
> /usr/local/etc/raddb/users[24719]: Parse error (reply) for entry
> tatablue-vpn.vsnl.net: Unknown value outbound for attribute Service-Type
>
> How to rectify this problem of "outbound" service type.
>
> Regards,
> Dave
>
> On Wed, 18 Nov 2009 16:22:30 +0530  wrote
> > Hi,
> >
> > I am trying to configure this on Free Radius;
> >
> > # setup for IPSec VPDN,
> > ezvpn Password  := "cisco"
> > Service-Type = outbound,
> > Cisco-Avpair = "ipsec:tunnel-password=cisco123",
> > Cisco-Avpair="ipsec:tunnel-type*esp",
> > Cisco-Avpair="ipsec:group-lock=1",
> > Cisco-Avpair="ipsec:key-exchange=ike",
> > Cisco-Avpair="ipsec:addr-pool=hw-pool",
> >
> >
> > t...@ezvpn Password := "test123"
> > Cisco-Avpair="ipsec:tunnel-type*esp",
> > Cisco-Avpair="ipsec:group-lock=1",
> > Cisco-Avpair="ipsec:key-exchange=ike",
> > Cisco-Avpair="ipsec:addr-pool=hw-pool",
> >
> > Now, when I run freeRadius, I get this error in the log file
> >
> > /usr/local/etc/raddb/users[24374]: Parse error (reply) for entry ezvpn: Unknown
> > value outbound for attribute Service-Type
> > Errors reading /usr/local/etc/raddb/users
> >
> > Please tell what is the correct config to get it working.
> >
> > Regards,
> > Dave.

Re: help--- IPsec VPN on radius

2009-11-18 Thread Yagnesh Dave
Hi,

Found the problem, it is with the service type attribute.

I am getting this error on the freeradius

/usr/local/etc/raddb/users[24719]: Parse error (reply) for entry 
tatablue-vpn.vsnl.net: Unknown value outbound for attribute Service-Type

How to rectify this problem of "outbound" service type.

Regards,
Dave
On Wed, 18 Nov 2009 16:22:30 +0530  wrote
> Hi,
>
> I am trying to configure this on Free Radius;
>
> # setup for IPSec VPDN,
> ezvpn Password  := "cisco"
> Service-Type = outbound,
> Cisco-Avpair = "ipsec:tunnel-password=cisco123",
> Cisco-Avpair="ipsec:tunnel-type*esp",
> Cisco-Avpair="ipsec:group-lock=1",
> Cisco-Avpair="ipsec:key-exchange=ike",
> Cisco-Avpair="ipsec:addr-pool=hw-pool",
>
>
> t...@ezvpn Password := "test123"
> Cisco-Avpair="ipsec:tunnel-type*esp",
> Cisco-Avpair="ipsec:group-lock=1",
> Cisco-Avpair="ipsec:key-exchange=ike",
> Cisco-Avpair="ipsec:addr-pool=hw-pool",
>
> Now, when I run freeRadius, I get this error in the log file
>
> /usr/local/etc/raddb/users[24374]: Parse error (reply) for entry ezvpn: Unknown
> value outbound for attribute Service-Type
> Errors reading /usr/local/etc/raddb/users
>
> Please tell what is the correct config to get it working.
>
> Regards,
> Dave.

help--- IPsec VPN on radius

2009-11-18 Thread Yagnesh Dave
Hi,

I am trying to configure this on Free Radius;

# setup for IPSec VPDN,
ezvpn Password  := "cisco"
Service-Type = outbound,
Cisco-Avpair = "ipsec:tunnel-password=cisco123",
Cisco-Avpair="ipsec:tunnel-type*esp",
Cisco-Avpair="ipsec:group-lock=1",
Cisco-Avpair="ipsec:key-exchange=ike",
Cisco-Avpair="ipsec:addr-pool=hw-pool",


t...@ezvpn Password := "test123"
Cisco-Avpair="ipsec:tunnel-type*esp",
Cisco-Avpair="ipsec:group-lock=1",
Cisco-Avpair="ipsec:key-exchange=ike",
Cisco-Avpair="ipsec:addr-pool=hw-pool",

Now, when I run freeRadius, I get this error in the log file

/usr/local/etc/raddb/users[24374]: Parse error (reply) for entry ezvpn: Unknown 
value outbound for attribute Service-Type
Errors reading /usr/local/etc/raddb/users


Please tell what is the correct config to get it working.

Regards,
Dave.


realm --help

2009-11-16 Thread Yagnesh Dave
Hi,

I have a realm "vsnl.net" given to all the users (approx. 2800 users), with
different passwords. I have defined it in the "proxy.conf" as

realm vsnl.net {
        type     = radius
        authhost = local
        accthost = local
}

So, is this correct, as I am not defining any secret above because it is
different for all the users, and the radius server itself will reply to the
authentication request.

Also, is there a way by which I can migrate from Merit Radius to FreeRADIUS
seamlessly? Currently what I am doing is: I have a perl script to convert the
users file of Merit Radius to the syntax that FreeRADIUS has, and then use it.

Thanks and Regards,
Dave.

Re: Re: Re: checking user connect time

2009-11-04 Thread Yagnesh Dave
Hi,

I also found this command in the Radius E-book by O'Reilly.

radiusreport -i 0 -f detail

But this command does not work, I get an error message saying not found.

Please help me.

Regards,
Yagnesh Dave

On Wed, 04 Nov 2009 17:50:55 +0530  wrote
> Hi,
>
> Thanks for your quick answer. I am very new to radius server, so I was not able
> to understand what you pointed out below. It would be great if you can
> elaborate a bit on it.
>
> Regards,
> Yagnesh Dave.
>
> On Mon, 02 Nov 2009 17:04:11 +0530  wrote
> > > Can you let me know where can we check the time for which a particular
> > > user is connected, basically this is required so that we can advice the
> > > customer if his ISDN line is connected for too long.
> >
> > SELECT (now() - AcctStartTime) FROM radacct WHERE UserName='some_user' AND
> > AcctStopTime IS NULL
> >
> > Ivan Kalik
> > Kalik Informatika ISP

Re: Re: checking user connect time

2009-11-04 Thread Yagnesh Dave
Hi,

Thanks for your quick answer. I am very new to radius server, so I was not able
to understand what you pointed out below. It would be great if you can
elaborate a bit on it.

Regards,
Yagnesh Dave.

On Mon, 02 Nov 2009 17:04:11 +0530  wrote
>> Can you let me know where can we check the time for which a particular
> user is connected, basically this is required so that we can advice the
> customer if his ISDN line is connected for too long.

SELECT (now() - AcctStartTime) FROM radacct WHERE UserName='some_user' AND
AcctStopTime IS NULL

Ivan Kalik
Kalik Informatika ISP


checking user connect time

2009-11-01 Thread Yagnesh Dave
Hi,

Can you let me know where can we check the time for which a particular user is 
connected, basically this is required so that we can advice the customer if his 
ISDN line is connected for too long.

Regards,
Yagnesh Dave.

separate log file and access list config

2009-10-26 Thread Yagnesh Dave
Hi All,

How can we use separate files for logging authentication and accounting
information? Also, I wanted to know whether free radius configures the access
list on the interface, similar to the ip address.

One more quick question: how can we set a timeout for different users, so if the
connection is idle for, say, 4 hrs, it should get disconnected.

Regards,
Yagnesh

getting disconnected.

2009-10-12 Thread Yagnesh Dave
dent
031460: Oct 12 17:23:15.893 IST: RADIUS: no sg in radius-timers: ctx 0x654F7FC4 
sg 0x
031461: Oct 12 17:23:15.893 IST: RADIUS: Retransmit to (172.31.6.158:1645,1646) 
for id 1646/186
031462: Oct 12 17:23:15.893 IST: RADIUS: acct-delay-time for C0040B4 (at 
C004194) now 10
031463: Oct 12 17:23:15.909 IST: RADIUS: Received from id 1646/188 
202.54.6.101:1646, Accounting-response, len 20
031464: Oct 12 17:23:15.909 IST: RADIUS: Response for non-existent request ident
031465: Oct 12 17:23:16.565 IST: RADIUS: no sg in radius-timers: ctx 0x50802954 
sg 0x
031466: Oct 12 17:23:16.565 IST: RADIUS: Retransmit to (172.31.6.158:1645,1646) 
for id 1646/187
031467: Oct 12 17:23:16.565 IST: RADIUS: acct-delay-time for C3A1DF4 (at 
C3A1EF8) now 10
031468: Oct 12 17:23:16.581 IST: RADIUS: Received from id 1646/189 
202.54.6.101:1646, Accounting-response, len 20
031469: Oct 12 17:23:16.581 IST: RADIUS: Response for non-existent request ident
031470: Oct 12 17:23:20.949 IST: RADIUS: no sg in radius-timers: ctx 0x654F7FC4 
sg 0x
031471: Oct 12 17:23:20.949 IST: RADIUS: Retransmit to (172.31.6.158:1645,1646) 
for id 1646/188
031472: Oct 12 17:23:20.949 IST: RADIUS: acct-delay-time for C0040B4 (at 
C004194) now 15
031473: Oct 12 17:23:20.965 IST: RADIUS: Received from id 1646/190 
202.54.6.101:1646, Accounting-response, len 20
031474: Oct 12 17:23:20.965 IST: RADIUS: Response for non-existent request ident
031475: Oct 12 17:23:21.781 IST: RADIUS: no sg in radius-timers: ctx 0x50802954 
sg 0x
031476: Oct 12 17:23:21.781 IST: RADIUS: Retransmit to (172.31.6.158:1645,1646) 
for id 1646/189
031477: Oct 12 17:23:21.781 IST: RADIUS: acct-delay-time for C3A1DF4 (at 
C3A1EF8) now 15
031478: Oct 12 17:23:21.797 IST: RADIUS: Received from id 1646/191 
202.54.6.101:1646, Accounting-response, len 20
031479: Oct 12 17:23:21.797 IST: RADIUS: Response for non-existent request ident
031480: Oct 12 17:23:26.005 IST: RADIUS: no sg in radius-timers: ctx 0x654F7FC4 
sg 0x
031481: Oct 12 17:23:26.005 IST: RADIUS: No response from 
(172.31.6.158:1645,1646) for id 1646/190
031482: Oct 12 17:23:26.005 IST: RADIUS/DECODE: parse response no app start; 
FAIL
031483: Oct 12 17:23:26.005 IST: RADIUS/DECODE: parse response; FAIL
031484: Oct 12 17:23:27.381 IST: RADIUS: no sg in radius-timers: ctx 0x50802954 
sg 0x
031485: Oct 12 17:23:27.381 IST: RADIUS: No response from 
(172.31.6.158:1645,1646) for id 1646/191
031486: Oct 12 17:23:27.381 IST: RADIUS/DECODE: parse response no app start; 
FAIL
031487: Oct 12 17:23:27.381 IST: RADIUS/DECODE: parse response; FAIL
__

Thanks and Regards,
Yagnesh Dave.

need help for cisco vrf /ip address radius config

2009-09-27 Thread Yagnesh Dave
Hi,

I am trying to create a dynamic interface for the dial-up users, assign
it to a vrf and then configure the ip address. The config that I have
done in the users file is as follows:

tcl Cleartext-Password := "tcl"
#...@cisco1.com Cleartext-Password := "tcl"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
#       Cisco-AVpair = "lcp:interface-config=ip vrf forwarding RWCustomer-A\n ip add 10.110.11.2 255.255.255.252",
        Cisco-AVpair += "lcp:interface-config=ip vrf forwarding \
RWCustomer-A",
        Framed-IP-Address = 10.110.11.1,
        Framed-IP-Netmask = 255.255.255.252,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP


With this I am not able to see as expected from the radius server. I 
have also made an entry in proxy.conf file for realm cisco1.com

Any inputs or guidance on this will be appreciated.

Thanks in Advance.

Regards,
Yagnesh Dave.

Freeradius updating /etc/hosts?

2009-08-23 Thread Dave
I've been using freeradius for years to authenticate pppoe users for my
WISP. Customers get dynamic IP addresses from an IP pool.
I'm going to be implementing a new monitoring system, and I need to use
hostnames to check on customer status.
Anyone have ideas how freeradius can update /etc/hosts so a dns server
such as dnsmasq can serve the hostnames of customers as their IP changes?





Freeradius help to update /etc/hosts?

2009-08-23 Thread Dave
I've been using freeradius for years to authenticate pppoe users for my
WISP. Customers get dynamic IP addresses from an IP pool.
I'm going to be implementing a new monitoring system, and I need to use
hostnames to check on customer status.
Anyone have ideas how freeradius can update a DNS server such as BIND or
other linux DNS server?


Is it possible?




Re: Distinguish RADIUS requests from NAS device

2009-06-26 Thread Dave Rummel
Andrew are you looking to do different groups or are you looking to 
differentiate logging into say a router with standard privileges vs 
enabled privileges ?


Andrew Hall wrote:

Hi there.

We have a network device using FreeRADIUS 1.x for authentication. This
RADIUS server in turn queries an LDAP server.

We wish to distinguish between "admin" and "login" requests but are
struggling to differentiate between the two.

At the moment we identify the device by its NAS address but cannot
distinguish which type of login request is being made - so cannot then
choose which LDAP groups to query.

Our only solution so far is to run separate instances of RADIUS and
direct the network device to each instance per the request type it
receives.

Can anyone think of another way to distinguish the requests?

Thanks very much.
  



Re: Disabling users

2009-06-25 Thread DAve

Marinko Tarlac wrote:

You can use expiration attribute or you can disconnect user with PoD.
http://wiki.freeradius.org/Packet_of_Disconnect



Expiration Attribute? I've not seen that in any docs. The POD is useful, 
I think I can provide a cronjob to query the DB once a day and terminate 
  users as needed. Thank you!


DAve




DAve wrote:

Good afternoon all,

We recently retired our old ICRadius servers and installed FreeRadius. 
We run two radius servers with a third server acting as master for the 
radius data and as the accounting server. All is working well.


Billing has approached me with an issue where they need to disable a 
user for lack of payment. Previously we simply changed their password 
through our management system and they were then unable to reconnect. 
Client calls, pays, we enable them again.


Currently we are noticing that because of DSL, and the fact we no 
longer impose any limits on dialup, it may take weeks before a client 
is disconnected and finds their password has changed.


I have read through the docs, looked into Session-Timeout and SQL 
counters, but I do not see how to force a client to re authenticate.
What am I missing? What config information do I need to provide? What 
information/manual/how to have I missed?


Thanks,

DAve








--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org

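The Packet of Disconnect exchange Marinko points to, as an added example that is not the project's own code: the server's Disconnect-Request (RFC 5176) and the NAS's Disconnect-ACK or NAK, with the authenticator check that keeps a spoofed reply from being counted as a success. The shared secret, NAS address and session identifier are constructed values; in a real deployment the request is normally sent with radclient from the kind of cron job DAve describes.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes and the attribute types used here.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 4, 44, 101
ERROR_CAUSE_SESSION_NOT_FOUND = 503  # RFC 5176: "Session Context Not Found"

# Constructed values: the NAS shared secret and one open session to terminate.
SECRET = b"constructed-shared-secret"
SESSION = {"user": "customer42", "nas_ip": "192.0.2.10", "session_id": "00000A1B"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(payload: bytes) -> list:
    """Parse TLVs, rejecting truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def build_disconnect_request(identifier: int, secret: bytes, attrs) -> bytes:
    """Server -> NAS. Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attrs|Secret)."""
    payload = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(payload))
    authenticator = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return header + authenticator + payload


def build_response(request: bytes, code: int, secret: bytes, attrs=()) -> bytes:
    """NAS -> server. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    payload = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(payload))
    authenticator = hashlib.md5(header + request[4:20] + payload + secret).digest()
    return header + authenticator + payload


def classify_response(request: bytes, response: bytes, secret: bytes) -> str:
    """'ack', 'nak' or 'invalid'; a reply that does not prove the secret is invalid."""
    if len(response) < 20 or len(response) > 4096:
        return "invalid"
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return "invalid"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "invalid"
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "invalid")


def disconnect_request_for(identifier: int, secret: bytes, session: dict) -> bytes:
    """Identify the session the way a billing job would: user, NAS and Acct-Session-Id."""
    return build_disconnect_request(identifier, secret, [
        (ATTR_USER_NAME, session["user"].encode()),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(session["nas_ip"])),
        (ATTR_ACCT_SESSION_ID, session["session_id"].encode()),
    ])


if __name__ == "__main__":
    # Both sides simulated in-process; a real NAS listens for these on UDP 3799.
    req = disconnect_request_for(7, SECRET, SESSION)
    ack = build_response(req, DISCONNECT_ACK, SECRET)
    print("NAS accepted disconnect:", classify_response(req, ack, SECRET))
```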


Re: Disabling users

2009-06-25 Thread DAve

Alan DeKok wrote:

DAve wrote:

I have read through the docs, looked into Session-Timeout and SQL
counters, but I do not see how to force a client to re authenticate.
What am I missing? What config information do I need to provide? What
information/manual/how to have I missed?


  http://freeradius.org/rfc/attributes.html.  Click on "Session-Timeout".

  If you set Session-Timeout to 86400, the NAS *should* drop the
connection after one day.  This will force them to re-authenticate.


Oddly I have that set for our dialup users but I am being told that 
after changing the password they are staying logged in for over 48 
hours. I may need to take this up with Megapop, it is their NAS.


DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org



Re: Openldap and FreeRadius2

2009-06-25 Thread Dave Rummel

Would like to make a request for an account to the wiki so I can add to it.

Dave Rummel wrote:
If anyone needs help in getting their openldap to work with 
freeradius2 please reply back. I finally was able to figure it out and 
then used unlang to authorize my groups and would like to share what I 
have learned.


Christopher Sheldon wrote:


Does anyone else who subscribes to the list specifically read every 
email Alan sends just to chuckle at him berating the  poor, confused 
people seeking help?


It's like reality TV. ;-)

Chris.

Alan DeKok wrote:

jpablorp wrote:
 

I replace eap.conf with the Default eap.conf file

and this is my debug:



  Where you have *deleted* the real cause of the error.

 
[peap]  Had sent TLV failure.  User was rejected earlier in this 
session.



  Look EARLIER in the debug log for the failure.  It's really not hard.
 Look for words like "reject", or "fail", or "error".

  The messages will tell you what is wrong, and why.  All you need 
to do

is read them.

  Alan DeKok.
  






Openldap and FreeRadius2

2009-06-25 Thread Dave Rummel
If anyone needs help in getting their openldap to work with freeradius2 
please reply back. I finally was able to figure it out and then used 
unlang to authorize my groups and would like to share what I have learned.


Christopher Sheldon wrote:


Does anyone else who subscribes to the list specifically read every 
email Alan sends just to chuckle at him berating the  poor, confused 
people seeking help?


It's like reality TV. ;-)

Chris.

Alan DeKok wrote:

jpablorp wrote:
 

I replace eap.conf with the Default eap.conf file

and this is my debug:



  Where you have *deleted* the real cause of the error.

 
[peap]  Had sent TLV failure.  User was rejected earlier in this 
session.



  Look EARLIER in the debug log for the failure.  It's really not hard.
 Look for words like "reject", or "fail", or "error".

  The messages will tell you what is wrong, and why.  All you need to do
is read them.

  Alan DeKok.
  





Disabling users

2009-06-24 Thread DAve

Good afternoon all,

We recently retired our old ICRadius servers and installed FreeRadius. 
We run two radius servers with a third server acting as master for the 
radius data and as the accounting server. All is working well.


Billing has approached me with an issue where they need to disable a 
user for lack of payment. Previously we simply changed their password 
through our management system and they were then unable to reconnect. 
Client calls, pays, we enable them again.


Currently we are noticing that because of DSL, and the fact we no longer 
impose any limits on dialup, it may take weeks before a client is 
disconnected and finds their password has changed.


I have read through the docs, looked into Session-Timeout and SQL 
counters, but I do not see how to force a client to re authenticate.
What am I missing? What config information do I need to provide? What 
information/manual/how to have I missed?


Thanks,

DAve
--
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Quincy Adams

http://appleseedinfo.org



LDAP Auth

2009-06-04 Thread Dave Rummel
First off I am totally new to radius...but really love the concept. I 
have radius working with ldap to authorize the user if they are in the 
corporate directory, o=lookout. My next step is to filter it by category 
to the NAS device. I have been looking at quite a few examples, but 
nothing seems to stick.


In order for me to just grasp the concept, I have tried this in the 
users file (o=lookout is our complete list of all of our users):


DEFAULT Huntgroup-Name == CiscoAdmin, Ldap-Group == "o=lookout"
        Fall-Through = no

DEFAULT Auth-Type := Reject

If I comment out the Reject, the user is able to authenticate to the 
Cisco Router; as soon as I uncomment it, I get rejected. Here is the 
log file from it.




Thu Jun  4 16:15:52 2009 : Info: [ldap] user daverummel authorized to use remote access
Thu Jun  4 16:15:52 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jun  4 16:15:52 2009 : Info: ++[ldap] returns ok
Thu Jun  4 16:15:52 2009 : Info: ++[expiration] returns noop
Thu Jun  4 16:15:52 2009 : Info: ++[logintime] returns noop
Thu Jun  4 16:15:52 2009 : Info: Found Auth-Type = Reject
Thu Jun  4 16:15:52 2009 : Info: Auth-Type = Reject, rejecting user
Thu Jun  4 16:15:52 2009 : Info: Failed to authenticate the user.
Thu Jun  4 16:15:52 2009 : Auth: Login incorrect: [daverummel] (from client R1 port 98 cli 216.103.190.220)
Thu Jun  4 16:15:52 2009 : Info: Using Post-Auth-Type Reject
Thu Jun  4 16:15:52 2009 : Info: +- entering group REJECT {...}
Thu Jun  4 16:15:52 2009 : Info: [attr_filter.access_reject]expand: %{User-Name} -> daverummel
Thu Jun  4 16:15:52 2009 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Jun  4 16:15:52 2009 : Info: ++[attr_filter.access_reject] returns updated
Thu Jun  4 16:15:52 2009 : Info: Delaying reject of request 0 for 1 seconds
Thu Jun  4 16:15:52 2009 : Debug: Going to the next request
Thu Jun  4 16:15:52 2009 : Debug: Waking up in 0.9 seconds.
Thu Jun  4 16:15:53 2009 : Info: Sending delayed reject for request 0


The line I am really trying to understand is this one; where is this 
line 11?

Thu Jun  4 16:15:52 2009 : Debug:  attr_filter: Matched entry DEFAULT at line 11

Thanks for your help

Dave
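Added editorial example, not part of the thread and not code from FreeRADIUS: a small Python model of how the files module walks a users file, built from the two DEFAULT entries posted above. It assumes Huntgroup-Name and Ldap-Group are already present on the request (in the real server the huntgroups file and rlm_ldap compute them) and models Ldap-Group as the list of groups the user belongs to. The point it shows is that the second DEFAULT, which forces Auth-Type := Reject, is reached whenever any check item on the first entry fails to match, which is exactly the path the debug output above took; that is the thing to verify (is the NAS really in the CiscoAdmin huntgroup, is the group comparison succeeding) before looking at attr_filter. The "line 11" in the log refers to the attr_filter module's own attribute list (attrs.access_reject in a 2.x raddb), not to the users file.

```python
# Added illustrative model of the FreeRADIUS "users" file walk; this is not
# rlm_files. Assumptions: Huntgroup-Name and Ldap-Group are already present
# on the request (the real server computes them via huntgroups and rlm_ldap),
# and Ldap-Group is modelled as the list of groups the user belongs to.

# Mirrors the two entries posted above: (name, check items, reply items).
USERS_FILE = [
    ("DEFAULT",
     [("Huntgroup-Name", "==", "CiscoAdmin"), ("Ldap-Group", "==", "o=lookout")],
     [("Fall-Through", "=", "no")]),
    ("DEFAULT",
     [("Auth-Type", ":=", "Reject")],
     []),
]


def check_matches(request, attr, value):
    """A '==' check item: the request must carry attr with this value.
    A list-valued attribute (Ldap-Group here) matches if value is in it."""
    present = request.get(attr)
    if present is None:
        return False
    if isinstance(present, (list, tuple, set)):
        return value in present
    return present == value


def apply_users_file(entries, request):
    """Walk entries in order. An entry matches when its name is DEFAULT (or
    equals User-Name) and every '==' check item matches; ':=' check items
    are not compared, they set control attributes once the entry matches
    (that is how 'Auth-Type := Reject' works). Processing stops at the
    first matching entry unless it replies Fall-Through = yes."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(check_matches(request, attr, value)
                   for attr, op, value in checks if op == "=="):
            continue
        for attr, op, value in checks:
            if op == ":=":
                control[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


def decide(request):
    """'Reject' if the users file forced Auth-Type := Reject, else 'Continue'
    (authentication proceeds through the normal modules)."""
    control, _ = apply_users_file(USERS_FILE, request)
    return "Reject" if control.get("Auth-Type") == "Reject" else "Continue"


# Constructed sample requests (not taken from the log above).
IN_GROUP = {"User-Name": "daverummel", "Huntgroup-Name": "CiscoAdmin",
            "Ldap-Group": ["o=lookout"]}
NO_HUNTGROUP = {"User-Name": "daverummel", "Ldap-Group": ["o=lookout"]}
NOT_IN_GROUP = {"User-Name": "visitor", "Huntgroup-Name": "CiscoAdmin",
                "Ldap-Group": []}

if __name__ == "__main__":
    for label, req in (("in group", IN_GROUP), ("no huntgroup", NO_HUNTGROUP),
                       ("not in group", NOT_IN_GROUP)):
        print(f"{label:13s} -> {decide(req)}")
```

Run it as a script and the three constructed requests print Continue, Reject, Reject: only a request that satisfies both check items on the first entry escapes the catch-all Reject.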

Help with a redirect / splash page for sign up

2009-03-17 Thread Dave Sinclair
Maybe not perfect for this list, but I gotta think someone on here has
done this before.

We just got handed over 500 DSL subscribers.  Old ISP is dead, no
records, no accounting data. Just the ATM PVCs are on our network.

I'm trying to figure out how to do a one time redirect so that they
sign up into our billing system and once that's done then they have
internet access.

I'm willing to pay reasonable $$ for someone that knows how to do this
using open source tools and our cisco routers.

Mucho thanks for the help.


Re: how to have freeradius/unlang do two or more SQL statements at onetime

2009-03-16 Thread Dave Sinclair
Hi

Tried this, but it tossed out errors at me :(

2009/3/16  :
>>When Post-Auth-Type REJECT is executed I need to insert two or more
>>rows into a SQL data base.
>>
>>here is what I have at present
>>
>>
>>sites-enabled/default
>>
>>        Post-Auth-Type REJECT {
>>                sql
>>        }
>>
>>sql.conf -> sql/mysql/dialup.conf
>>
>>
>>        postauth_query = "INSERT INTO ${authcheck_table} VALUES
>>(NULL,'%{User-Name}','Password', '==',
>>'%{User-Password:-Chap-Password}');"
>>        postauth_query = "INSERT INTO ${usergroup_table} values
>>('%{User-Name}','Dynamic','');"
>>
>>
>>The FIRST insert runs, but the second one doesn't.
>>
>
> Yes, only one gets executed. Try this:
>
> postauth_query = "INSERT INTO ${authcheck_table} ... ; INSERT INTO
> ${usergroup_table} ... "
>
> If that doesn't work you will have to do inserts with perl.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>



Re: how to have freeradius/unlang do two or more SQL statements at onetime

2009-03-16 Thread Dave Sinclair
Hi Arran,

Where might one find your patch?

2009/3/16 Arran Cudbard-Bell :
> Hi All,
>
> The old rlm_xlat function only supported SELECT statements, and threw up
> errors on any others.
>
> The patch Alan mentioned makes rlm_sql look for INSERT, DELETE and UPDATE
> keywords at the beginning of SQL statements. If one of these keywords is
> found and instead of expanding to the first row of the first column of the
> result, rlm_sql expands to the number of rows affected by the statement, and
> no longer throws an error.
>
> It is now therefore possible, to replicate most of the functionality of
> rlm_sql with unlang statements.
>
>
>>    Yes, only one gets executed. Try this:
>>
>>    postauth_query = "INSERT INTO ${authcheck_table} ... ; INSERT INTO
>>    ${usergroup_table} ... "
>>
>>    If that doesn't work you will have to do inserts with perl.
>
> You'll now be able to do them with unlang too :).
>
> Thanks,
> Arran
> --
> Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
> Authentication, Authorisation and Accounting Officer,
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
>



how to have freeradius/unlang do two or more SQL statements at one time

2009-03-15 Thread Dave Sinclair
Hi,

When Post-Auth-Type REJECT is executed I need to insert two or more
rows into a SQL database.

here is what I have at present


sites-enabled/default

Post-Auth-Type REJECT {
sql
}

sql.conf -> sql/mysql/dialup.conf


postauth_query = "INSERT INTO ${authcheck_table} VALUES
(NULL,'%{User-Name}','Password', '==',
'%{User-Password:-Chap-Password}');"
postauth_query = "INSERT INTO ${usergroup_table} values
('%{User-Name}','Dynamic','');"


The FIRST insert runs, but the second one doesn't.

mucho thanks in advance


Re: trying to use Post-Auth-Type REJECT to insert users

2009-03-15 Thread Dave Sinclair
Hi,

There isn't a backup.

So I'm having problems with:

  postauth_query = "INSERT INTO ${authcheck_table} VALUES
(NULL,'%{User-Name}','Password', '==',
'%{User-Password:-Chap-Password}');"
postauth_query = "INSERT INTO ${usergroup_table} values
('%{User-Name}','Dynamic','');"


I want BOTH SQL statements to insert data.  At present the first
INSERT runs, but the second one doesn't.  I can't seem to sort out how
to do it in unlang.

Help?  Thanks


2009/3/15 Fajar A. Nugraha :
> On Sun, Mar 15, 2009 at 4:35 PM,   wrote:
>>>Is there a better way ??
>>
>> Don't they have a backup of their user database on a tape/DVD?
>>
>
> Unlikely. We had a similar situation once (also with DSL ATM), and the
> only user data we got was usernames and encrypted (with some unknown
> encryption) passwords. We ended up doing it the hard way, full
> migration (which involves giving out new usernames and passwords).
>



trying to use Post-Auth-Type REJECT to insert users

2009-03-14 Thread Dave Sinclair
Hi,

The high level goal is to have a new radius server "slurp" all the
users on a DSL ATM aggregation link into a SQL database.
We are taking over a bunch of users from a defunct ISP and don't have
the UserName / Password data.

What I'm thinking is that there should be a way to have Post-Auth-Type REJECT
do two SQL insert commands.   Then when the user tries to auth again
there will be a valid user.

Will this work?
How do I have two SQL statements run when this event is triggered?

Is there a better way?

mucho thanks.


RE: wimax.c

2009-02-17 Thread dave anderson
I would like to write the Wimax Freeradius Wiki but need an account. Can 
you help me get a log in. 

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: February 17, 2009 6:15 AM
To: FreeRadius users mailing list
Subject: Re: wimax.c

dave anderson wrote:
> Wimax.c needs a small fix in order to print the right debug message 
> content.

  Fixed, thanks.

  Alan DeKok.



wiki

2009-02-16 Thread dave anderson
I would be willing to update the wiki with what I have learned about how 
to configure FreeRADIUS to use the wimax module.  However it seems you 
need an account to do any wiki edits and there is no place to allow you 
to create an account.  Does anyone have a link to how to do so?

Dave 



RE: wimax.c

2009-02-15 Thread dave anderson
Wimax.c needs a small fix in order to print the right debug message 
content.


DEBUG2("rlm_wimax: Fixing WiMAX binary Calling-Station-Id to %17s", vp->vp_octets);

Rather than as written

DEBUG2("rlm_wimax: Fixing WiMAX binary Calling-Station-Id to %s", buffer);


-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: February 15, 2009 12:09 AM
To: FreeRadius users mailing list
Subject: Re: wimax.c

dave anderson wrote:
> Also the radacct table has an empty field for calling station-id for 
> wimax. I know wimax has this field in hex rather than ascii, which is a 
> problem addressed in wimax.c for auth.  Changing the library to octet 
> instead of string solves it for auth.  

  Don't.  Instead, list the "wimax" module in the "authorize" and
"preacct" sections.  It will re-write the Calling-Station-Id to
something sane.

  This issue has been brought to the attention of the WiMAX forum, and
after some pushing, it will be fixed in a future revision of their
specifications.

  Alan DeKok.



RE: wimax.c

2009-02-14 Thread dave anderson
Also the radacct table has an empty field for calling station-id for wimax. 
 I know wimax has this field in hex rather than ascii, which is a problem 
addressed in wimax.c for auth.  Changing the library to octet instead of string 
solves it for auth.  

Can you tell me which module or .c to look at for repairing this for 
accounting and I will make the change.

DA

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: February 14, 2009 10:32 AM
To: FreeRadius users mailing list
Subject: Re: FW: wimax.c

dave anderson wrote:
> However to populate these other variables into the reply, such as Session 
> reply, it is not clear how to do so: 
> 
> WiMAX-AAA-Session-ID = ? 
> WiMAX-HA-RK-SPI = ? 
> WiMAX-HA-RK-Lifetime = ? 

  The WiMAX specifications really aren't clear how most of those are
calculated.  i.e. it says "up to local administrator".

> How do I get the reply to include these with correct values? 
> 
> Further, putting WiMAX-MN-NAI = "%{User-Name}" in the default config 
> prior to calling the wimax function still results in the WiMAX module 
> warning that WiMAX-MN-NAI has not been set. 

  That's fixed in git, and will be in 2.1.4.

  Alan DeKok.




RE: wimax.c

2009-02-14 Thread dave anderson
Ok thanks, so for the first item I can just put some function in to 
calculate it as I want, or statically code them.

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: February 14, 2009 10:32 AM
To: FreeRadius users mailing list
Subject: Re: FW: wimax.c

dave anderson wrote:
> However to populate these other variables into the reply, such as Session 
> reply, it is not clear how to do so: 
> 
> WiMAX-AAA-Session-ID = ? 
> WiMAX-HA-RK-SPI = ? 
> WiMAX-HA-RK-Lifetime = ? 

  The WiMAX specifications really aren't clear how most of those are
calculated.  i.e. it says "up to local administrator".

> How do I get the reply to include these with correct values? 
> 
> Further, putting WiMAX-MN-NAI = "%{User-Name}" in the default config 
> prior to calling the wimax function still results in the WiMAX module 
> warning that WiMAX-MN-NAI has not been set. 

  That's fixed in git, and will be in 2.1.4.

  Alan DeKok.


FW: wimax.c

2009-02-13 Thread dave anderson


-Original Message-
From: dave anderson 
Sent: February 13, 2009 5:14 PM
To: freeradius-users
Subject: FW: wimax.c


I have the WiMAX FreeRADIUS (2.1.3) working but I am a bit unclear on a 
few key reply parameters: 

In the default server I have added 

update "reply" {
        WiMAX-MSK = "%{reply:EAP-MSK}"
}

Which successfully produces the right length MSK in the reply. 

However to populate these other variables into the reply, such as Session 
reply, it is not clear how to do so: 

WiMAX-AAA-Session-ID = ? 
WiMAX-HA-RK-SPI = ? 
WiMAX-HA-RK-Lifetime = ? 

How do I get the reply to include these with correct values? 

Further, putting WiMAX-MN-NAI = "%{User-Name}" in the default config 
prior to calling the wimax function still results in the WiMAX module 
warning that WiMAX-MN-NAI has not been set. 


Would anyone have advice on how to resolve these two issues? 

Thanks 

Dave Anderson 


Re: Handing out duplicate IP addresses

2009-01-18 Thread Dave
I made this modification to the ippool.conf and am still testing it; I 
have not seen the issue again yet, but I haven't loaded the server down.
I made some other modifications to the server and database to try to 
make it move as fast as possible by removing non-used modules, database 
indexing, other stuff.  I will keep an eye on it, but so far it's 
already working better than it has in years. 




> I think that best thing to do is to prevent subsequent updates by
> altering the allocate-update (adding "AND expiry_time IS NULL" at the
> end should do it). That way only first one will update the row while
> others will fail (update 0 rows). It should be possible for logic to
> detect that no rows were updated and fail the module.
  




Re: Handing out duplicate IP addresses

2009-01-17 Thread Dave

>
> AFAIK it is the transaction. Problem is that update will work for all
> three users. Adding expiry_time IS NULL to update will cause it to work
> only for the first user.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>   
Can I ask what happens when the module fails? 

My guess is it will still return an access-accept with all other
attributes accumulated minus the "Framed-Ip-Address"?

I'd rather it return a big fat reject, and let the NAS resend a new request?




Re: Handing out duplicate IP addresses

2009-01-15 Thread Dave

I don't know if this means anything, but I'm not using DHCP, I'm using
PPPoE. I didn't know FR could even be a DHCP server.

I'm just throwing out ideas, but is there a way to not thread the
sqlippool module?  Let one request at a time for an IP; sure it would
be slower, but for my use would be fine.


Ben Wiechman wrote:
>
> Can’t you do the select and update as part of one transaction?
>
>  
>
> For example with MySQL:
>
> START TRANSACTION;
> SELECT @A:=SUM(salary) FROM table1 WHERE type=1;
> UPDATE table2 SET summary=@A WHERE type=1;
> COMMIT;
>
>  
>
> The transaction may need to be changed to serializable as well. I
> don’t know how the DHCP RFC handles preallocations.
>
>  
>
> You could probably use Repeatable Read level if it is acceptable to
> mark an address as taken when a DHCPOFFER is sent while waiting for a
> DHCPREQUEST from the client, so long as the address is confirmed to be
> free before the DHCPACK is sent, or a DHCPNAK in the case that the
> address was offered to multiple clients.
>
> Ben Wiechman
>
>  
>
>  
>
> *From:*
> freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org
> [mailto:freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org]
> *On Behalf Of *Padam J Singh
> *Sent:* Thursday, January 15, 2009 9:39 AM
> *To:* FreeRadius users mailing list
> *Subject:* Re: Handing out duplicate IP addresses
>
>  
>
> Hello Ivan,
>
> Would adding a mutex around the select-update code in the sqlippool
> module solve this issue?
>
> Padam
>
> t...@kalik.net  wrote:
>
>> The requests all came in at the same time, to the second (among others),
>> it's like FR took 3 requests and looked at the database at the exact same
>> time, saw it was an available IP and all those 3 requests assigned it.
>
> That can't be avoided. SELECT (allocate-find) will always work much
> faster than UPDATE (allocate-update).
>
>> My NAS rejects two of the 3 because the IP is assigned,
>
> I think that you make a good point here. If the allocate-update query was
> made to fail in the case that the IP address was already issued to
> another thread between allocate-find and allocate-update (by expanding
> it with AND expiry_time IS NULL in WHERE), point of failure will be in
> sqlippool module and not on the NAS. Logic can then perhaps try to issue
> a new IP address (best just once more in order not to create a loop).
> That way issuing same IP address to multiple threads can be handled by
> the sqlippool module.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> -- 
> PGP Id 9EED2E09
> 
>


Handing out duplicate IP addresses

2009-01-14 Thread Dave
I thought I had this problem licked, but I still suffer from it.  Anyone 
know why FR 2.1.3 with sqlippool (mysql) might decide to hand out the 
same IP more than once while it's processing more than one request at a time?


Wed Jan 14 22:05:59 2009 : Info: Allocated IP: 75.119.xxx.211 from IP-Pool   (did jarvis cli 00:18:D2:00:3E:63 port 449756 user pcollyer)
Wed Jan 14 22:05:59 2009 : Info: Allocated IP: 75.119.xxx.211 from IP-Pool   (did jarvis cli 00:18:D2:00:5B:0D port 449755 user jhogeterp)
Wed Jan 14 22:05:59 2009 : Info: Allocated IP: 75.119.xxx.211 from IP-Pool   (did jarvis cli 00:18:D2:00:2E:C1 port 449752 user mellerpoultry)


The requests all came in at the same time, to the second (among others); 
it's like FR took 3 requests and looked at the database at the exact same 
time, saw it was an available IP and all those 3 requests assigned it.  
My NAS rejects two of the 3 because the IP is assigned, and FreeRADIUS 
clears the IP from the ip-pool to be later distributed (even though it's 
still in use)


I'm open to any suggestions.  It's hard to debug!





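Added editorial example, not from the thread and not code from rlm_sqlippool: a Python/sqlite3 model of the race described above and of the conditional-update fix Ivan suggests in the replies. Three requests all run allocate-find before any of them runs allocate-update, which is the interleaving the log shows. With the update keyed on the address alone, every request "succeeds" and one address is handed out three times. With the update's WHERE clause re-checking that the address is still free, only the first request changes a row; the others see a row count of 0, retry the find once, and then fail rather than return an address someone else holds. The schema is a cut-down radippool with numeric times, and the guard is written as "expiry_time IS NULL OR expiry_time < now" so that it covers both never-leased and expired rows (an assumption made here; Ivan's wording uses the IS NULL test alone). One caveat worth knowing: SELECT ... FOR UPDATE, which the posted sqlippool queries do use, only takes row locks on a transactional engine such as InnoDB; on a MyISAM radippool it is silently ignored, and then the conditional UPDATE is the only thing that still serialises allocation.

```python
import sqlite3

LEASE_SECONDS = 60


def make_pool(addresses):
    """Constructed in-memory radippool (cut-down columns); every address
    starts free, i.e. expiry_time IS NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radippool (framedipaddress TEXT PRIMARY KEY,"
                 " pool_name TEXT, username TEXT, expiry_time REAL)")
    conn.executemany("INSERT INTO radippool VALUES (?, 'IP-Pool', '', NULL)",
                     [(a,) for a in addresses])
    conn.commit()
    return conn


def allocate_find(conn, now):
    """allocate-find: first free address (never leased, or lease expired).
    SQLite sorts NULL first, so never-leased rows come before expired ones."""
    row = conn.execute(
        "SELECT framedipaddress FROM radippool WHERE pool_name = 'IP-Pool'"
        " AND (expiry_time IS NULL OR expiry_time < ?)"
        " ORDER BY expiry_time, framedipaddress LIMIT 1", (now,)).fetchone()
    return row[0] if row else None


def allocate_update(conn, ip, user, now, guarded):
    """allocate-update. Unguarded: keyed on the address only, so every
    request that found the same address 'wins'. Guarded: the WHERE clause
    re-checks that the address is still free, so only the first UPDATE
    changes a row and the others get rowcount 0."""
    sql = ("UPDATE radippool SET username = ?, expiry_time = ?"
           " WHERE framedipaddress = ?")
    params = [user, now + LEASE_SECONDS, ip]
    if guarded:
        sql += " AND (expiry_time IS NULL OR expiry_time < ?)"
        params.append(now)
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def allocate(conn, user, now, guarded):
    """Find + update. On a lost race (0 rows changed) retry once, then give
    up (the module fails) instead of returning someone else's address."""
    for _ in range(2):
        ip = allocate_find(conn, now)
        if ip is None:
            return None
        if allocate_update(conn, ip, user, now, guarded) == 1:
            return ip
    return None


def race(users, addresses, guarded, now=1000.0):
    """Model the interleaving from the thread: every request runs
    allocate-find before any request runs allocate-update."""
    conn = make_pool(addresses)
    found = [(user, allocate_find(conn, now)) for user in users]
    result = {}
    for user, ip in found:
        if allocate_update(conn, ip, user, now, guarded) == 1:
            result[user] = ip
        else:
            result[user] = allocate(conn, user, now, guarded)
    conn.close()
    return result


if __name__ == "__main__":
    users = ["pcollyer", "jhogeterp", "mellerpoultry"]
    pool = ["10.0.0.1", "10.0.0.2"]  # constructed, two addresses for three requests
    print("unguarded:", race(users, pool, guarded=False))
    print("guarded:  ", race(users, pool, guarded=True))
```

With two addresses and three simultaneous requests the unguarded run gives all three the same address; the guarded run gives the first two distinct addresses and fails the third, which is the behaviour the reply above asks for (a failed module rather than a duplicate lease the NAS has to reject).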


Re: Compile Error

2009-01-13 Thread Dave
Replying to myself: upgrading glibc allowed it to compile.

It left me with a whole bunch of other non-FR-related problems though
(the server's been around for a while :)

Dave wrote:
> Oops  glibc 2.3.6
>
>
> Dave wrote:
>   
>> I can't win today.
>>
>> I can't compile the newest FR. 
>>
>> GCC 3.4.6  glibc  2.6.1
>>
>> gmake[6]: Leaving directory
>> `/root/freeradius-server-2.1.3/src/modules/rlm_counter'
>> Making all in rlm_dbm...
>> gmake[6]: Entering directory
>> `/root/freeradius-server-2.1.3/src/modules/rlm_dbm'
>> /root/freeradius-server-2.1.3/libtool --mode=link gcc   \
>> -o rlm_dbm_parser rlm_dbm_parser.lo
>> /root/freeradius-server-2.1.3/src/lib/libfreeradius-radius.la -lndbm 
>> -lnsl -lresolv
>> gcc -o .libs/rlm_dbm_parser .libs/rlm_dbm_parser.o 
>> /root/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so
>> -lndbm -lnsl -lresolv
>> /root/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so:
>> undefined reference to `___tls_get_addr'
>> collect2: ld returned 1 exit status
>> gmake[6]: *** [rlm_dbm_parser] Error 1
>> gmake[6]: Leaving directory
>> `/root/freeradius-server-2.1.3/src/modules/rlm_dbm'
>> gmake[5]: *** [common] Error 2
>> gmake[5]: Leaving directory `/root/freeradius-server-2.1.3/src/modules'
>> gmake[4]: *** [all] Error 2
>> gmake[4]: Leaving directory `/root/freeradius-server-2.1.3/src/modules'
>> gmake[3]: *** [common] Error 2
>> gmake[3]: Leaving directory `/root/freeradius-server-2.1.3/src'
>> gmake[2]: *** [all] Error 2
>> gmake[2]: Leaving directory `/root/freeradius-server-2.1.3/src'
>> gmake[1]: *** [common] Error 2
>> gmake[1]: Leaving directory `/root/freeradius-server-2.1.3'
>> make: *** [all] Error 2
>>
>>   
>> 
>
>   



Re: Compile Error

2009-01-13 Thread Dave

Oops  glibc 2.3.6


Dave wrote:
> I can't win today.
>
> I can't compile the newest FR. 
>
> GCC 3.4.6  glibc  2.6.1
>
> gmake[6]: Leaving directory
> `/root/freeradius-server-2.1.3/src/modules/rlm_counter'
> Making all in rlm_dbm...
> gmake[6]: Entering directory
> `/root/freeradius-server-2.1.3/src/modules/rlm_dbm'
> /root/freeradius-server-2.1.3/libtool --mode=link gcc   \
> -o rlm_dbm_parser rlm_dbm_parser.lo
> /root/freeradius-server-2.1.3/src/lib/libfreeradius-radius.la -lndbm 
> -lnsl -lresolv
> gcc -o .libs/rlm_dbm_parser .libs/rlm_dbm_parser.o 
> /root/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so
> -lndbm -lnsl -lresolv
> /root/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so:
> undefined reference to `___tls_get_addr'
> collect2: ld returned 1 exit status
> gmake[6]: *** [rlm_dbm_parser] Error 1
> gmake[6]: Leaving directory
> `/root/freeradius-server-2.1.3/src/modules/rlm_dbm'
> gmake[5]: *** [common] Error 2
> gmake[5]: Leaving directory `/root/freeradius-server-2.1.3/src/modules'
> gmake[4]: *** [all] Error 2
> gmake[4]: Leaving directory `/root/freeradius-server-2.1.3/src/modules'
> gmake[3]: *** [common] Error 2
> gmake[3]: Leaving directory `/root/freeradius-server-2.1.3/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/root/freeradius-server-2.1.3/src'
> gmake[1]: *** [common] Error 2
> gmake[1]: Leaving directory `/root/freeradius-server-2.1.3'
> make: *** [all] Error 2
>
>   



Compile Error

2009-01-13 Thread Dave
I can't win today.

I can't compile the newest FR. 

GCC 3.4.6  glibc  2.6.1

gmake[6]: Leaving directory
`/root/freeradius-server-2.1.3/src/modules/rlm_counter'
Making all in rlm_dbm...
gmake[6]: Entering directory
`/root/freeradius-server-2.1.3/src/modules/rlm_dbm'
/root/freeradius-server-2.1.3/libtool --mode=link gcc   \
-o rlm_dbm_parser rlm_dbm_parser.lo
/root/freeradius-server-2.1.3/src/lib/libfreeradius-radius.la -lndbm 
-lnsl -lresolv
gcc -o .libs/rlm_dbm_parser .libs/rlm_dbm_parser.o 
/root/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so
-lndbm -lnsl -lresolv
/root/freeradius-server-2.1.3/src/lib/.libs/libfreeradius-radius.so:
undefined reference to `___tls_get_addr'
collect2: ld returned 1 exit status
gmake[6]: *** [rlm_dbm_parser] Error 1
gmake[6]: Leaving directory
`/root/freeradius-server-2.1.3/src/modules/rlm_dbm'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/root/freeradius-server-2.1.3/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/freeradius-server-2.1.3/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/freeradius-server-2.1.3/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-server-2.1.3/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/freeradius-server-2.1.3'
make: *** [all] Error 2



Optimum MYSQL settings

2009-01-13 Thread Dave

Hi all.  I promise this is my last question before I flip the switch on
this new installation.

I was using 1.1.7 and I had a number of problems  with sqlippool 
handing out duplicate IPs, stop records not getting recorded, etc.  Only
under many requests (20-30) at one time. It was ok with small load.

I have 2.1.3 ready to go but am not sure I'm going to suffer from the
same problems.

Anyone have any suggestions on how to set up mysql to optimize its
performance for sqlippool? 
It seemed that if two requests come in right at the right time, it would
hand out the same IP to 2 different users before there was a chance it
was recorded.


It's a dual core 3.0ghz machine that also has mysql running for mail
server authentication for about 220 users. This is my current config.

# /etc/mysql/my.cnf: The global mysql configuration file.
# $Header: /var/cvsroot/gentoo-x86/dev-db/mysql/files/my.cnf-4.1,v 1.3 2006/05/05 19:51:40 chtekk Exp $

# The following options will be passed to all MySQL clients
[client]
#password   = your_password
port= 3306
socket  = /var/run/mysqld/mysqld.sock

[mysql]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8

[mysqladmin]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8

[mysqlcheck]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8

[mysqldump]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8

[mysqlimport]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8

[mysqlshow]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8

[myisamchk]
character-sets-dir=/usr/share/mysql/charsets

[myisampack]
character-sets-dir=/usr/share/mysql/charsets

# use [safe_mysqld] with mysql-3
[mysqld_safe]
err-log = /var/log/mysql/mysql.err

# add a section [mysqld-4.1] or [mysqld-5.0] for specific configurations
[mysqld]
max_connections = 500
character-set-server= utf8
default-character-set   = utf8
user= mysql
port= 3306
socket  = /var/run/mysqld/mysqld.sock
pid-file= /var/run/mysqld/mysqld.pid
log-error   = /var/log/mysql/mysqld.err
basedir = /usr
datadir = /var/lib/mysql
skip-locking
key_buffer  = 64M
max_allowed_packet  = 8M
table_cache = 64
sort_buffer_size= 2M
net_buffer_length   = 8K
read_buffer_size= 256K
read_rnd_buffer_size= 512K
myisam_sort_buffer_size = 8M
language= /usr/share/mysql/english
# old_passwords   = 1

# security:
# using "localhost" in connects uses sockets by default
# skip-networking
#bind-address   = 127.0.0.1

log-bin
server-id   = 1

# point the following paths to different dedicated disks
tmpdir  = /tmp/
#log-update = /path-to-dedicated-directory/hostname

# you need the debug USE flag enabled to use the following directives,
# if needed, uncomment them, start the server and issue
# #tail -f /tmp/mysqld.sql /tmp/mysqld.trace
# this will show you *exactly* what's happening in your server ;)

#log= /tmp/mysqld.sql
#gdb
#debug  = d:t:i:o,/tmp/mysqld.trace
#one-thread

# uncomment the following directives if you are using BDB tables
#bdb_cache_size = 4M
#bdb_max_lock   = 1

# the following is the InnoDB configuration
# if you wish to disable innodb instead
# uncomment just the next line
#skip-innodb
#
# the rest of the innodb config follows:
# don't eat too much memory, we're trying to be safe on 64Mb boxes
# you might want to bump this up a bit on boxes with more RAM
innodb_buffer_pool_size = 16M
# this is the default, increase it if you have lots of tables
innodb_additional_mem_pool_size = 2M
#
# i'd like to use /var/lib/mysql/innodb, but that is seen as a database :-(
# and upstream wants things to be under /var/lib/mysql/, so that's the route
# we have to take for the moment
#innodb_data_home_dir   = /var/lib/mysql/
#innodb_log_arch_dir= /var/lib/mysql/
#innodb_log_group_home_dir  = /var/lib/mysql/
# you may wish to change this size to be more suitable for your system
# the max is there to avoid run-away growth on your machine
innodb_data_file_path = ibdata1:10M:autoextend:max:128M
#
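Added editorial check, not from the thread: a small Python audit of the [mysqld] section of a my.cnf for the things a RADIUS operator would want flagged in a file like the one above. The samples are constructed; one is a cut-down copy of the posted settings. It flags mysqld accepting TCP connections on every interface (no bind-address, or one of 0.0.0.0/::, and no skip-networking, which is the state of the posted file, where both lines are commented out), skip-innodb (the sqlippool queries use START TRANSACTION and SELECT ... FOR UPDATE, which only lock rows on InnoDB), and old_passwords = 1 (the pre-4.1 password hash). The parsing assumptions are that values are delimited by "=" only, since MySQL values such as innodb_data_file_path contain ":", and that bare flags like skip-locking carry no value.

```python
import configparser

# bind-address values that still expose the listener to every interface
EXPOSED_BIND = {"0.0.0.0", "::", "*"}


def parse_my_cnf(text):
    """Parse my.cnf text. MySQL allows bare flags with no '=' (skip-innodb,
    log-bin, skip-locking), hence allow_no_value; values may contain ':'
    (innodb_data_file_path), so only '=' is treated as a delimiter."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_mysqld(text):
    """Return a sorted list of finding codes for the [mysqld] section.
    Commented-out lines (#bind-address = ...) do not count as set."""
    cp = parse_my_cnf(text)
    if not cp.has_section("mysqld"):
        return ["no-mysqld-section"]
    mysqld = cp["mysqld"]
    findings = []
    bind = (mysqld.get("bind-address") or "").strip()
    if "skip-networking" not in mysqld and (not bind or bind in EXPOSED_BIND):
        findings.append("tcp-exposed-on-all-interfaces")
    if "skip-innodb" in mysqld:
        findings.append("innodb-disabled")  # no row locks for FOR UPDATE
    if (mysqld.get("old_passwords") or "").strip() == "1":
        findings.append("old-password-hashing")
    return sorted(findings)


# Constructed samples. The first is a cut-down copy of the posted my.cnf:
# both network restrictions are commented out, InnoDB is enabled.
POSTED_STYLE = """\
[client]
port = 3306

[mysqld]
max_connections = 500
user = mysql
port = 3306
skip-locking
key_buffer = 64M
# old_passwords = 1
# skip-networking
#bind-address = 127.0.0.1
log-bin
server-id = 1
innodb_buffer_pool_size = 16M
innodb_data_file_path = ibdata1:10M:autoextend:max:128M
"""

HARDENED = """\
[mysqld]
bind-address = 127.0.0.1
innodb_buffer_pool_size = 16M
"""

RISKY = """\
[mysqld]
bind-address = 0.0.0.0
skip-innodb
old_passwords = 1
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_STYLE), ("hardened", HARDENED),
                       ("risky", RISKY)):
        print(f"{name:9s} {audit_mysqld(text) or 'no findings'}")
```

The engine check is only half the story: InnoDB being available does not make radippool an InnoDB table. After the audit, confirm the table itself with SHOW CREATE TABLE radippool and look for ENGINE=InnoDB; a MyISAM radippool runs the posted START TRANSACTION / FOR UPDATE queries without any locking at all.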

MYSQL check_error: 1064 received

2009-01-13 Thread Dave
I get this error on some of my queries but not from all users in the
database, just some.  I can't find much useful Google information on it.
Here is a query that fails with that error: 

rad_recv: Access-Request packet from host 127.0.0.1 port 42830, id=69,
length=57
User-Name = "hheeg"
User-Password = "hheeg"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1348
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "hheeg", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> hheeg
[sql] sql_set_user escaped user --> 'hheeg'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'hheeg'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER
BY id -> SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = 'hheeg'   ORDER BY id
[sql]   expand: SELECT groupname   FROM usergroup  
WHERE username = '%{SQL-User-Name}'   ORDER BY priority ->
SELECT groupname   FROM usergroup   WHERE username =
'hheeg'   ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck  
WHERE groupname = 'wisp-dynamic-pool2'   ORDER BY id
[sql] User found in group wisp-dynamic-pool2
[sql]   expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   value, op   FROM radgroupreply  
WHERE groupname = 'wisp-dynamic-pool2'   ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "hheeg"
[pap] Using clear text password "hheeg"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
rlm_sql (sql): Reserving sql socket id: 3
[sqlippool] expand: %{User-Name} -> hheeg
[sqlippool] sql_set_user escaped user --> 'hheeg'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
[sqlippool] expand: UPDATE radippool  SET nasipaddress = '',
pool_key = 0,  callingstationid = '', username = '',  expiry_time IS
NULL  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND  AND nasipaddress =
'%{Nas-IP-Address}' -> UPDATE radippool  SET nasipaddress = '', pool_key
= 0,  callingstationid = '', username = '',  expiry_time IS NULL  WHERE
expiry_time <= NOW() - INTERVAL 1 SECOND  AND nasipaddress = '127.0.0.1'
rlm_sql_mysql: MYSQL check_error: 1064 received
sqlippool_command: database query error in: 'UPDATE radippool  SET
nasipaddress = '', pool_key = 0,  callingstationid = '', username = '', 
expiry_time IS NULL  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND  AND
nasipaddress = '127.0.0.1''
[sqlippool] expand: SELECT framedipaddress FROM radippool  WHERE
pool_name = '%{control:Pool-Name}' AND expiry_time < NOW()  ORDER BY
(username <> '%{User-Name}'),  (callingstationid <>
'%{Calling-Station-Id}'),  expiry_time  LIMIT 1  FOR UPDATE -> SELECT
framedipaddress FROM radippool  WHERE pool_name = 'IP-Pool' AND
expiry_time < NOW()  ORDER BY (username <> 'hheeg'),  (callingstationid
<> ''),  expiry_time  LIMIT 1  FOR UPDATE
[sqlippool] expand: UPDATE radippool  SET nasipaddress =
'%{NAS-IP-Address}', pool_key = '%{NAS-Port}',  callingstationid =
'%{Calling-Station-Id}', username = '%{User-Name}',  expiry_time = NOW()
+ INTERVAL 60 SECOND  WHERE framedipaddress = '75.119.231.190' -> UPDATE
radippool  SET nasipaddress = '127.0.0.1', pool_key = '1348', 
callingstationid = '', username = 'hheeg',  expiry_time = NOW() +
INTERVAL 60 SECOND  WHERE framedipaddress = '75.119.231.190'
[sqlippool] Allocated IP 75.119.231.190 [bee7774b]
[sqlippool] expand: COMMIT -> COMMIT
rlm_sql (sql): Released sql socket id: 3
[sqlippool] expand: Allocated IP: %{reply:Framed-IP-Address} from
%{control:Pool-Name}   (did %{Called-Station-Id} cli
%{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> Allocated
IP: 75.119.231.190 from IP-Pool   (did  cli  port 1348 user hheeg)
Allocated IP: 75.119.231.190 from IP-Pool   (did  cli  port 1348 user hheeg)

Re: Just need a little help w/sqlippool

2009-01-13 Thread Dave

It seems adding Fall-Through = Yes fixed it. I never had that in
there before; maybe I had it in a users text file somewhere in the old
version and it read it from there?
>
> You are not using sql.conf from 1.1.7? Try adding Fall-Through = yes to
> radreply group entries. And give different priorities to groups. Posting
> the debug would help.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Just need a little help w/sqlippool

2009-01-13 Thread Dave

I've been fighting with upgrading my working 1.7 freeradius to 2.1.3.
I've been using the sqlippool module all this time, and while I think I'm
close I just can't figure this out. The database is the original
database I used with 1.7 but the configs are all new from the ground up
for 2.1.3. I think maybe it changed in the way it works.

With 1.7

I was inserting a username and password into radcheck table;
I was inserting the username into usergroup table with the groupname
value of "wisp-dynamic-pool2" among one other group for my NAS;

my radgroupcheck table:

+----+--------------------+-----------+----+---------+
| id | GroupName          | Attribute | op | Value   |
+----+--------------------+-----------+----+---------+
|  2 | wisp-dynamic-pool2 | Pool-Name | := | IP-Pool |
+----+--------------------+-----------+----+---------+


part of my radippool table;

+-----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
| id  | pool_name | framedipaddress | nasipaddress | calledstationid | callingstationid | expiry_time         | username | pool_key |
+-----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
| 304 | IP-Pool   | 75.119.xxx.xxx  |              |                 |                  | 0000-00-00 00:00:00 |          |          |
| 305 | IP-Pool   | 75.119.xxx.xxx  |              |                 |                  | 0000-00-00 00:00:00 |          |          |


Part of my radcheck table;

| 217 | preichenbach | Cleartext-Password | := | preichenbach |
| 218 | dfast        | Cleartext-Password | := | dfast        |
| 219 | jhoffman     | Cleartext-Password | := | jhoffman     |


my radgroupreply table;

+----+-----------+---------------------+----+-------------------------------------+------+
| id | GroupName | Attribute           | op | Value                               | prio |
+----+-----------+---------------------+----+-------------------------------------+------+
|  1 | wisp-1500 | Mikrotik-Rate-Limit | =  | 384k/1500k 600k/4000k 128k/128k 8/8 |    0 |
|  2 | wisp-1500 | Port-Limit          | =  | 1                                   |    0 |
|  3 | wisp-2500 | Mikrotik-Rate-Limit | =  | 384k/2500k 600k/4000k 128k/128k 8/8 |    0 |
|  4 | wisp-2500 | Port-Limit          | =  | 1                                   |    0 |
|  9 | wisp-256  | Port-Limit          | =  | 1                                   |    0 |
|  8 | wisp-256  | Mikrotik-Rate-Limit | =  | 64k/256k                            |    0 |
+----+-----------+---------------------+----+-------------------------------------+------+

My usergroup table with a user for example:

+----------+--------------------+----------+
| UserName | GroupName          | priority |
+----------+--------------------+----------+
| kcase    | wisp-1500          |        0 |
| kcase    | wisp-dynamic-pool2 |        0 |
+----------+--------------------+----------+


The above worked with 1.7

BUT this isn't working for 2.1.3:

Do I have to insert into the radcheck table the pool name as well as the
username?

+-----+----------+--------------------+----+---------+
| id  | UserName | Attribute          | op | Value   |
+-----+----------+--------------------+----+---------+
|  78 | kcase    | Cleartext-Password | := | kcase   |
| 230 | kcase    | Pool-Name          | := | IP-Pool |
+-----+----------+--------------------+----+---------+

The above seems to work. If I don't put the Pool-Name in radcheck, and
instead leave the user in the usergroup table and put the user into group
wisp-dynamic-pool2, where radgroupcheck has wisp-dynamic-pool2 setting
Pool-Name := IP-Pool, I get the "No Pool-Name defined" error. The rest works
as expected, though, using the usergroup table as it did before (put my
user into the wisp-1500 group, for example, and radtest returns the correct
attributes).

Any suggestions would be great!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Is 2.1.3 sqlippool fast enough?

2008-12-10 Thread Dave
(repost, was posted as part of wrong thread)

I have had a number of problems with 1.1.7 and sqlippool in that it's simply
not able to process more than 10-20 connections at any one time.

I will upgrade to 2.1.3 if it's capable of handling 50-80 connections at
one time. Does anyone know?
My server is a P4 dual core 3.0GHz and it's also handling some load of
email for about 200 accounts.


I tried to optimize my mysql installation, etc. num_server, but I could
never get it fast enough.

Anyone know of tricks, or if 2.1.3 freeradius is any better? Or should I
be looking at some other way to hand out IPs? I really like the
sqlippool way of doing things.

Thanks!



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Is sqlippool fast enough in 2.1.3

2008-12-10 Thread Dave

I have had a number of problems with 1.1.7 and sqlippool in that it's simply
not able to process more than 10-20 connections at any one time.

I will upgrade to 2.1.3 if it's capable of handling 50-80 connections at
one time. Does anyone know?
My server is a P4 dual core 3.0GHz and it's also handling some load of
email for about 200 accounts.


I tried to optimize my mysql installation, etc. num_server, but I could
never get it fast enough.

Anyone know of tricks, or if 2.1.3 freeradius is any better? Or should I
be looking at some other way to hand out IPs? I really like the
sqlippool way of doing things.

Thanks!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: control panel

2008-11-12 Thread DAve

Paul Bartell wrote:

I could recommend daloRADIUS. Its interface looks pretty nice from
here. I haven't been able to evaluate it yet though.

On Wed, Nov 12, 2008 at 3:32 AM, Allan Patrick Ksiaskiewcz
<[EMAIL PROTECTED]> wrote:

Hello, how are you? I would like some recommendation for a control panel. I
use dialup_admin, but it is bad, and I tested phpradmin. Apart from those
two, could anyone suggest some more?
Thanks


We are in process of converting to FreeRadius from ICRadius and we 
installed ARA which seems to work fine and does what we need.


DAve


--
The whole internet thing is sucking the life out of me,
there ain't no pony in there.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Simultaneous-Use check not working

2008-10-28 Thread DAve

[EMAIL PROTECTED] wrote:
Do I need to set Simultaneous-Use := 1 for the groups not allowed SU, 
and Simultaneous-Use := 2 for the group allowed SU?




OK. This is how Simultaneous-Use works in freeradius: you put that
attribute when you want to set the limit for a number of simultaneous
connections. The number you enter is the number of simultaneous
connections allowed. So:


I saw that the value of Simultaneous-Use was an integer in the docs, but 
I incorrectly assumed a default value existed. I changed my groups to 
the settings above and I get a failed auth,


Reply-Message = "\r\nYou are already logged in - access denied\r\n\n"

Thank you, it looks like that was my last hurdle prior to testing with a 
live nasclient and connection.


DAve




Simultaneous-Use := 1 (only one connection allowed)

Simultaneous-Use := 2 (two simultaneous connections allowed)

Simultaneous-Use := 100 (up to 100 simultaneous connections allowed)

no Simultaneous-Use attribute in the configuration (unlimited number of
simultaneous connections allowed)

Put the user in dialup2 group and he won't be able to connect.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





--
I am watching the debate and I am very disappointed. The rules are
simple, "answer the question". I would vote right now, and I can
in Indiana, for the man who answered the question directly, in
less than a minute, and then sat down before the green light was out.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Simultaneous-Use check not working

2008-10-27 Thread DAve

Marcelus Trojahn wrote:

Are you telling the radius to check for Simultaneous-Use := 1 anywhere?

Even if you have the SQL for simultaneous use uncommented, you still
have to configure Simultaneous-Use := 1 to that specific user or
group, otherwise it will just ignore the SQL...

I also use SQL for my authentication but on the /etc/raddb/users file,
I added the following to force every login to match it:

DEFAULT Simultaneous-Use := 1
Fall-Through = Yes

Try adding that to that file or to add one of that for every user or
group you have in your SQL database. The users file is easier to debug
later IMO...


Hmmm, the previous ICR install has only Simultaneous-Use = 2 for the 
group allowed SU.


Do I need to set Simultaneous-Use := 1 for the groups not allowed SU, 
and Simultaneous-Use := 2 for the group allowed SU?


DAve




--
Marcelus Trojahn
I-Conecta Redes de Telecomunicação Ltda


On Mon, Oct 27, 2008 at 1:46 PM, DAve <[EMAIL PROTECTED]> wrote:

Good afternoon,

I have inherited an aged ICRadius install and I am in process of
converting to FreeRadius 1.1.7. Currently I have a master DB on our
Management server replicating to two radius servers. Each radius server
has a unique sql instance to send accounting data to the master DB.
Everything is working, the DB conversion from ICRadius to FreeRadius
went fine.

In testing the only issue I have found is I am unable to stop
Simultaneous use. I read the docs carefully, checked the Wiki, and I
believe I have everything configured properly. Using RadiusTest 2.4.3
and radwho I see the following. I check for a login using radwho and I
see I have a session, I then attempt both a new auth and start
accounting again and still radwho shows only one login.

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login  Name  What  TTY  When  From  Location
yellowhous yellowhousejake   shell S1   Mon 11:35 192.168.4 192.168.0.1

10/27/2008 11:55:13 AM Test started  [check
newrad1]-
Info:Sending Access-Request of id 0 to 10.0.241.95:1645
   Password = "marlin"
   User-Name = "yellowhousejake"
   Framed-IP-Address = 192.168.0.1
   Acct-Session-Id = "201"
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 255.255.255.254
   Framed-IP-Netmask = 255.255.255.255
   Framed-Routing = None
   Framed-Compression = Van-Jacobson-TCP-IP
   Filter-Id = "std.ppp"
   Framed-MTU = 1500
   Port-Limit = 1
   Idle-Timeout = 600
   Session-Timeout = 28800

  Total approved auths:  1
Total denied auths:  0
  Total lost auths:  0
  Total time(secs):  0
10/27/2008 11:55:13 AM Test finished [check
newrad1]-


10/27/2008 11:55:40 AM Test started  [start
acct]-
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
   User-Name = "yellowhousejake"
   Acct-Session-Id = "201"
   Acct-Status-Type = Start
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
   User-Name = "yellowhousejake"
   Acct-Session-Id = "201"
   Acct-Status-Type = Alive
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

  Total approved auths:  2
Total denied auths:  0
  Total lost auths:  0
  Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start
acct]-

10/27/2008 11:55:40 AM Test started  [start
acct]-
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
   User-Name = "yellowhousejake"
   Acct-Session-Id = "201"
   Acct-Status-Type = Start
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
   User-Name = "yellowhousejake"
   Acct-Session-Id = "201"
   Acct-Status-Type = Alive
   NAS-Port = 1
   Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

  Total approved auths:  2
Total denied auths:  0
  Total lost auths:  0
  Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start
acct]-

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login  Name  What  TTY  When  From  Location
yellowhous yellowho

Re: Simultaneous-Use check not working

2008-10-27 Thread DAve

[EMAIL PROTECTED] wrote:

It is "other" both in the localhost client and in the client I created
to test using radiustest.

I have, it shows 5 sessions for this user.

mysql> SELECT COUNT(*)  FROM radacct WHERE UserName='yellowhousejake'
AND AcctStopTime = 0;
+--+
| COUNT(*) |
+--+
|5 |
+--+
1 row in set (0.00 sec)


- send Access-Request

Changed Packet-Type to Access-Request, auth is approved.

10/27/2008 2:26:27 PM Test started
[check_simul]-
Info:Sending Access-Request of id 0 to 10.0.241.95:1645
User-Name = "yellowhousejake"
User-Password = "marlin"
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-Compression = Van-Jacobson-TCP-IP
Filter-Id = "std.ppp"
Framed-MTU = 1500
Port-Limit = 1
Idle-Timeout = 600
Session-Timeout = 28800

   Total approved auths:  1
 Total denied auths:  0
   Total lost auths:  0
   Total time(secs):  0

Since I am testing with a test client from my laptop, and using radtest
on the radius server (localhost), and using only accounting data to
check for simultaneous use, does checkrad even come into play?



Not when nastype is set to "other". Post the debug (radiusd -X). And
user/group entry (where is Simultaneous-Use set).


Here is the last debug I ran plus the query results for that user's config.

http://pixelhammer.com/Dan/debug.txt

DAve



Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





--
I am watching the debate and I am very disappointed. The rules are
simple, "answer the question". I would vote right now, and I can
in Indiana, for the man who answered the question directly, in
less than a minute, and then sat down before the green light was out.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Simultaneous-Use check not working

2008-10-27 Thread DAve

[EMAIL PROTECTED] wrote:

I check for a login using radwho and I
see I have a session, I then attempt both a new auth and start
accounting again and still radwho shows only one login.



The fact that you have user listed in radwho doesn't mean that he is
connected to the NAS as well. checkrad script will delete stale entries
and allow connection if it "finds out" that there is no such session
on the NAS.

To check if Simultaneous use works from accounting data only:

- change nastype to other in clients.conf


It is "other" both in the localhost client and in the client I created 
to test using radiustest.



- check if radius "thinks" that user is online by running
simul_count_query by hand


I have, it shows 5 sessions for this user.

mysql> SELECT COUNT(*)  FROM radacct WHERE UserName='yellowhousejake' 
AND AcctStopTime = 0;

+--+
| COUNT(*) |
+--+
|5 |
+--+
1 row in set (0.00 sec)


- send Access-Request


Changed Packet-Type to Access-Request, auth is approved.

10/27/2008 2:26:27 PM Test started 
[check_simul]-

Info:Sending Access-Request of id 0 to 10.0.241.95:1645
User-Name = "yellowhousejake"
User-Password = "marlin"
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-Compression = Van-Jacobson-TCP-IP
Filter-Id = "std.ppp"
Framed-MTU = 1500
Port-Limit = 1
Idle-Timeout = 600
Session-Timeout = 28800

   Total approved auths:  1
 Total denied auths:  0
   Total lost auths:  0
   Total time(secs):  0

Since I am testing with a test client from my laptop, and using radtest 
on the radius server (localhost), and using only accounting data to 
check for simultaneous use, does checkrad even come into play?


Thanks,

DAve


It should fail. But checkrad script is old and there might be issues with
some nastypes (for instance Cisco OID might need to be changed for some
equipment). You might need to fix it for your particular NAS.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





--
I am watching the debate and I am very disappointed. The rules are
simple, "answer the question". I would vote right now, and I can
in Indiana, for the man who answered the question directly, in
less than a minute, and then sat down before the green light was out.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Simultaneous-Use check not working

2008-10-27 Thread DAve

Good afternoon,

I have inherited an aged ICRadius install and I am in process of
converting to FreeRadius 1.1.7. Currently I have a master DB on our
Management server replicating to two radius servers. Each radius server
has a unique sql instance to send accounting data to the master DB.
Everything is working, the DB conversion from ICRadius to FreeRadius
went fine.

In testing the only issue I have found is I am unable to stop
Simultaneous use. I read the docs carefully, checked the Wiki, and I
believe I have everything configured properly. Using RadiusTest 2.4.3
and radwho I see the following. I check for a login using radwho and I
see I have a session, I then attempt both a new auth and start
accounting again and still radwho shows only one login.

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login  Name  What  TTY  When  From  Location
yellowhous yellowhousejake   shell S1   Mon 11:35 192.168.4 192.168.0.1

10/27/2008 11:55:13 AM Test started  [check
newrad1]-
Info:Sending Access-Request of id 0 to 10.0.241.95:1645
Password = "marlin"
User-Name = "yellowhousejake"
Framed-IP-Address = 192.168.0.1
Acct-Session-Id = "201"
Info: Access-Accept packet from host 10.0.241.95:1645, id=0, length=89
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Framed-Routing = None
Framed-Compression = Van-Jacobson-TCP-IP
Filter-Id = "std.ppp"
Framed-MTU = 1500
Port-Limit = 1
Idle-Timeout = 600
Session-Timeout = 28800

   Total approved auths:  1
 Total denied auths:  0
   Total lost auths:  0
   Total time(secs):  0
10/27/2008 11:55:13 AM Test finished [check
newrad1]-


10/27/2008 11:55:40 AM Test started  [start
acct]-
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
User-Name = "yellowhousejake"
Acct-Session-Id = "201"
Acct-Status-Type = Start
NAS-Port = 1
Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
User-Name = "yellowhousejake"
Acct-Session-Id = "201"
Acct-Status-Type = Alive
NAS-Port = 1
Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

   Total approved auths:  2
 Total denied auths:  0
   Total lost auths:  0
   Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start
acct]-

10/27/2008 11:55:40 AM Test started  [start
acct]-
Info:Sending Accounting-Request of id 0 to 10.0.241.95:1646
User-Name = "yellowhousejake"
Acct-Session-Id = "201"
Acct-Status-Type = Start
NAS-Port = 1
Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=0, length=20
Info:Sending Accounting-Request of id 1 to 10.0.241.95:1646
User-Name = "yellowhousejake"
Acct-Session-Id = "201"
Acct-Status-Type = Alive
NAS-Port = 1
Framed-IP-Address = 192.168.0.1
Info: Accounting-Response packet from host 10.0.241.95:1646, id=1, length=20

   Total approved auths:  2
 Total denied auths:  0
   Total lost auths:  0
   Total time(secs):  0
10/27/2008 11:55:40 AM Test finished [start
acct]-

[EMAIL PROTECTED] /usr/local/etc/raddb]# radwho
Login  Name  What  TTY  When  From  Location
yellowhous yellowhousejake   shell S1   Mon 11:55 192.168.4 192.168.0.1

Here are the parts of my conf I believe I need to check for simultaneous
use.

## radiusd.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = no
callerid = "yes"
}


accounting {
radutmp
##  sradutmp
sql_acct
}

session {
radutmp
sql_acct
}

## sql.conf
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
 FROM ${acct_table1} \
 WHERE UserName='%{SQL-User-Name}' \
 AND AcctStopTime = 0"


Note I enabled radutmp after sql was failing to stop the second login. I
am certain I have missed something simple but I am unable to find it.
Any help, cluesmacks, etc are appreciated.

DAve


--
I am watching the debate and I am very disappointed. The rules are
simple, "answer the question". I wou
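Ivan's description of Simultaneous-Use in the replies above (the number is the cap on open sessions, no attribute means unlimited) and the simul_count_query in this post, worked through as an added example rather than anything from the list or from FreeRADIUS itself. It runs the count query against a constructed sqlite radacct table and shows why Accounting Starts that never got a Stop (the five rows in the mysql output above) consume the limit until a Stop closes them; the table columns and sample values are assumptions.

```python
"""Simultaneous-Use decided from accounting data the way rlm_sql's
simul_count_query sees it. Added example, not FreeRADIUS code."""
import sqlite3

# Constructed radacct rows (not the post's data). AcctStopTime = 0 is a session
# that never received an Accounting Stop, which is what test-client Starts
# with no matching Stop leave behind.
SAMPLE_RADACCT = [
    ("yellowhousejake", "201", 1225130000, 0),
    ("yellowhousejake", "202", 1225130100, 0),
    ("kcase", "300", 1225120000, 1225123600),   # closed by a Stop record
    ("kcase", "301", 1225130200, 0),
]

# The post's simul_count_query, with %{SQL-User-Name} as a bind parameter.
SIMUL_COUNT_QUERY = ("SELECT COUNT(*) FROM radacct "
                     "WHERE UserName = ? AND AcctStopTime = 0")


def make_radacct(rows=SAMPLE_RADACCT):
    """In-memory radacct with only the columns the check needs (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionId TEXT, "
                 "AcctStartTime INTEGER, AcctStopTime INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def open_sessions(conn, username):
    """What simul_count_query returns: rows with no Stop recorded."""
    return conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def simultaneous_use_allows(conn, username, simultaneous_use=None):
    """True when a new login should be accepted. simultaneous_use is the value
    of the Simultaneous-Use check item; None models the attribute being absent,
    in which case no limit is enforced at all."""
    if simultaneous_use is None:
        return True
    return open_sessions(conn, username) < simultaneous_use


def record_stop(conn, username, session_id, stop_time):
    """What an Accounting Stop does: close the row so it stops counting.
    Returns the user's remaining open-session count."""
    conn.execute("UPDATE radacct SET AcctStopTime = ? WHERE UserName = ? "
                 "AND AcctSessionId = ? AND AcctStopTime = 0",
                 (stop_time, username, session_id))
    conn.commit()
    return open_sessions(conn, username)
```

With no Simultaneous-Use item the user with two stale rows still logs in, which matches the "radwho shows only one login" observation; set it to 1 and the same stale rows deny every attempt until they are closed by a Stop or checkrad verifies them against the NAS.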

Help with IP Pools and multiple ranges with same pool name

2008-02-26 Thread Dave

I can't seem to find the relative documentation or examples, but I want
to have an IP pool "pool2" with multiple range-start and range-stop IP
ranges in it, but I'm not sure how to put together the config for it.

Something like this?


ippool pool2 {
    range-start = 208.64.35.2
    range-start = 208.5.60.100

    range-stop = 208.64.35.254
    range-stop = 208.5.60.200
    netmask = 255.255.255.255
    cache-size = 253
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
    override = no
    maximum-timeout = 0
}


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread Dave Cummings

Greetings

I have been working with freeradius v.2.0.1 and a
Cisco 1200 Series Access Point (version 12.3 IOS) for many months now
with no success in getting this working.  I am doing research on the
freeradius product for a university campus that I go to, for
implementation in the near future.  I am out of ideas of how to
configure this correctly.  I still to this day do not have my Cisco
1200 AP authenticating with freeradius version 2.0.1.  Does anyone have
a configuration setup of this type of scheme, or is anyone willing to tell me
how to start from the ground up to make this work?  My plan is simple at
this point.  I want to use freeradius, a Cisco 1200 Series Access
Point, and one Windows XP Pro client to connect to the AP and
authenticate against freeradius.  I appreciate any input on this
matter.  Thanks again, open source community.

Dave

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SQLippool problems (duplicate IPs handed out).

2008-01-14 Thread Dave
Peter Nixon wrote:

I downloaded and installed ver 2.0.0 and have been fighting with it for
hours.  I was going to move to the rlm_ippool module to fix this, but
using this module or the sqlippool module, regardless of what is set in
radgroupreply or radreply, I always get the error
rlm_ippool: Could not find Pool-Name attribute.
rlm_sqlippool: Could not find Pool-Name attrubute

I have it set in radgroupreply or radreply as Pool-Name := pool2 for example

I haven't really changed much except make the config mods to make 2.0
work with mysql

> Dave
>
> This is quite possible, as I don't think the MySQL queries currently do the 
> correct locking. If you can fix the problem, please send us a patch.
>
> -Peter
>
> On Mon 14 Jan 2008, Dave wrote:
>   
>> I use the sql IP pool setup with mysql, and have been using it fine for a
>> while, but I have a problem where if I have an influx of connections at
>> one time (30++), freeradius will hand out an IP to my NAS, but it
>> doesn't get written to the database fast enough and another thread of
>> freeradius hands out the same IP to another user, and logs that entry to
>> the radippool table.  So I get users with duplicate IP addresses. This
>> never happens if the connections are coming in slow enough (1 or 2 at a
>> time).
>>
>> freeradius 1.1.6 with mysql 5.0.26.
>>
>> Here is my sqlippool.conf.
>>
>> sqlippool {
>>
>> ## SQL instance to use (from sql.conf)
>> sql-instance-name = "sql"
>>
>> ## Table to keep ippool info
>> ippool_table = "radippool"
>>
>> ## lease_duration. fix for lost acc-stop packets
>> lease-duration = 3600
>>
>> ## Attribute which should be considered unique per NAS
>> ## Using NAS-Port gives behaviour similar to rlm_ippool.
>> ## Calling-Station-Id is for NAS that send fixed NAS-Port
>>  pool-key = "%{NAS-Port}"
>> # pool-key = "%{Calling-Station-Id}"
>>
>> ## Logging configuration.
>> sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
>>  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
>> user %{User-Name})"
>>
>> sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from
>> %{check:Pool-Name} \
>>  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
>> user %{User-Name})"
>>
>> sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
>> (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
>>
>> sqlippool_log_failed = "IP Allocation FAILED from %{check:Pool-Name} \
>>  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
>> user %{User-Name})"
>>
>> sqlippool_log_nopool = "No Pool-Name defined \
>>  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port}
>> user %{User-Name})"
>>
>> # ## This series of queries allocates an IP address
>> # allocate-clear = "UPDATE ${ippool_table} \
>> #  SET nasipaddress = '', pool_key = 0, callingstationid = '', username
>> = '', \
>> #  expiry_time = '0000-00-00 00:00:00' \
>> #  WHERE pool_key = '${pool-key}'"
>>
>> ## This will clear all expired leases for lost acc-stop packets
>> allocate-clear = "UPDATE radippool \
>>  SET nasipaddress = '', pool_key = 0, callingstationid = '', username =
>> '', \
>>  expiry_time = '0000-00-00 00:00:00' \
>>  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND"
>>
>>
>> # ## The ORDER BY clause of this query tries to allocate the same
>> IP-address # ## which user had last session...
>>  allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
>>   WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < NOW() \
>>   ORDER BY (username <> '%{User-Name}'), (callingstationid <>
>> '%{Calling-Station-Id}'), expiry_time \
>>   LIMIT 1 \
>>   FOR UPDATE"
>>
>> ## If you prefer to allocate a random IP address every time, use this
>> query instead
>> #allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
>> # WHERE pool_name = '%{check:Pool-Name}' AND expiry_time = '0000-00-00 00:00:00' \
>> # ORDER BY RAND() \
>> # LIMIT 1 \
>> # FOR UPDATE"
>>
>>
>> ## If an IP could not be allocated, check to see if the pool

SQLippool problems (duplicate IPs handed out).

2008-01-13 Thread Dave

I use the sql IP pool setup with mysql, and have been using it fine for a
while, but I have a problem where if I have an influx of connections at
one time (30++), freeradius will hand out an IP to my NAS, but it
doesn't get written to the database fast enough and another thread of
freeradius hands out the same IP to another user, and logs that entry to
the radippool table.  So I get users with duplicate IP addresses. This
never happens if the connections are coming in slow enough (1 or 2 at a
time).

freeradius 1.1.6 with mysql 5.0.26. 

Here is my sqlippool.conf. 

sqlippool {

## SQL instance to use (from sql.conf)
sql-instance-name = "sql"

## Table to keep ippool info
ippool_table = "radippool"

## lease_duration. fix for lost acc-stop packets
lease-duration = 3600

## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool.
## Calling-Station-Id is for NAS that send fixed NAS-Port
 pool-key = "%{NAS-Port}"
# pool-key = "%{Calling-Station-Id}"

## Logging configuration.
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} \
 user %{User-Name})"

sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from \
 %{check:Pool-Name} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} \
 user %{User-Name})"

sqlippool_log_clear = "Released IP %{Framed-IP-Address} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"

sqlippool_log_failed = "IP Allocation FAILED from %{check:Pool-Name} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} \
 user %{User-Name})"

sqlippool_log_nopool = "No Pool-Name defined \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} \
 user %{User-Name})"

# ## This series of queries allocates an IP address
# allocate-clear = "UPDATE ${ippool_table} \
#  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
#  expiry_time = '0000-00-00 00:00:00' \
#  WHERE pool_key = '${pool-key}'"

## This will clear all expired leases for lost acc-stop packets
allocate-clear = "UPDATE radippool \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
 expiry_time = '0000-00-00 00:00:00' \
 WHERE expiry_time <= NOW() - INTERVAL 1 SECOND"


# ## The ORDER BY clause of this query tries to allocate the same IP-address
# ## which user had last session...
 allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
  WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < NOW() \
  ORDER BY (username <> '%{User-Name}'), \
  (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
  LIMIT 1 \
  FOR UPDATE"

## If you prefer to allocate a random IP address every time, use this
## query instead
#allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
# WHERE pool_name = '%{check:Pool-Name}' AND expiry_time = '0000-00-00 00:00:00' \
# ORDER BY RAND() \
# LIMIT 1 \
# FOR UPDATE"


## If an IP could not be allocated, check to see if the pool exists or not
## This allows the module to differentiate between a full pool and no pool
## Note: If you are not running redundant pool modules this query may be
## commented out to save running this query every time an ip is not allocated.
pool-check = "SELECT id FROM ${ippool_table} WHERE \
 pool_name='%{check:Pool-Name}' LIMIT 1"


allocate-update = "UPDATE ${ippool_table} \
 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool-key}', \
 callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', \
 expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
 WHERE framedipaddress = '%I'"


## This series of queries frees an IP number when an accounting
## START record arrives
start-update = "UPDATE ${ippool_table} \
 SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
 WHERE nasipaddress = '%{NAS-IP-Address}' AND  pool_key = '${pool-key}'"

## This series of queries frees an IP number when an accounting
## STOP record arrives
stop-clear = "UPDATE ${ippool_table} \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
 expiry_time = '0000-00-00 00:00:00' \
 WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
 AND username = '%{User-Name}' \
 AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = \
 '%{Framed-IP-Address}'"


## This series of queries frees an IP number when an accounting
## ALIVE record arrives
alive-update = "UPDATE ${ippool_table} \
 SET expiry_time = NOW() + INTERVAL ${lease-duration} SECOND \
 WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '${pool-key}' \
 AND username = '%{User-Name}' \
 AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = \
 '%{Framed-IP-Address}'"


## This series of queries frees the IP numbers allocate to a
## NAS when an accounting ON record arrives
on-clear = "

Bug?

2008-01-07 Thread Dave Gibelli
This is a snippet from radiusd -X

rad_recv: Access-Request packet from host 192.166.0.10:1645, id=216, length=78
NAS-IP-Address = 192.166.0.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "daveg"
Calling-Station-Id = "192.166.0.231"
User-Password = "abcdef"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "daveg", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 1
  modcall[authorize]: module "files" returns ok for request 0

My users file is just:

DEFAULT Auth-Type == "PAP"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 1

There should be no match on line 1 because the check item doesn't
match. I get the same match if I change PAP to EAP; is this a bug?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PEAP help!

2008-01-06 Thread Dave Gibelli
All

Here is a snippet from radiusd -X

I just want mschap to allow the user on without checking the password,
but I cannot work out where to configure freeradius to allow access
without checking the password.

All I want to do is place the port into the correct vlan. (I assume I
have to use PEAP with XP.)

  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for daveg with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6

Dave


Re: Freeradius and AD

2007-12-15 Thread Dave Gibelli
On 11/12/2007, joe vieira <[EMAIL PROTECTED]> wrote:
>
> i do the exact same thing like this.
>
> DEFAULT Prefix == "domainnameinputted", Strip-User-Name = No
> domain = "domainnameoutputted"
>
>

Where does this go? Is it the users file, the radiusd.conf or the eap.conf file?


Freeradius and AD

2007-12-11 Thread Dave Gibelli
Hi

I am testing Freeradius within an 802.1x environment.

I want to send authentication requests to 4 different AD DCs depending
on the Domain sent from the client to the Authenticator.

Can Freeradius forward requests in this way?

Dave


Re: freeradius compile problem

2007-12-08 Thread Dave Gibelli
Alan

I have OpenSSL installed, I thought that is where the crypto libraries
come from?

Where do I get the crypto libraries from?

It would help if Freeradius supplied a reference to where to obtain
these crypto libraries.

Dave


On 08/12/2007, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Dave Gibelli wrote:
> > Hi>
> > I am having problems compiling with eap module. Here is the section
> > from config.log showing what I think is the problem. I have the latest
> > OpenSSL and Freeradius 1.1.7
> >
> > Any ideas?
> >
> > configure:20584: gcc -o conftest -g -O2 -D_REENTRANT
>
>  It's not a compile problem.  The "configure" tests are there so that
> the server can find out if your system has the packages to *start* the
> compilation.
>
>  In this case, your system fails to meet the minimum prerequisites to
> build all of the modules in EAP.
>
> > -D_POSIX_PTHREAD_SEMANTICS   conftest.c -lssl  -L/usr/local/ssl/lib
> > -lnsl -lresolv  -lpthread >&5
> > /usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_clear':
> > ssl_lib.c:(.text+0x28): undefined reference to `ERR_put_error'
>
>  You do not have the crypto libraries installed.
>
>  Alan DeKok,


freeradius compile problem

2007-12-07 Thread Dave Gibelli
Hi

I am having problems compiling with eap module. Here is the section
from config.log showing what I think is the problem. I have the latest
OpenSSL and Freeradius 1.1.7

Any ideas?

configure:20584: gcc -o conftest -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS   conftest.c -lssl  -L/usr/local/ssl/lib
-lnsl -lresolv  -lpthread >&5
/usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_clear':
ssl_lib.c:(.text+0x28): undefined reference to `ERR_put_error'
ssl_lib.c:(.text+0x13a): undefined reference to `BUF_MEM_free'
/usr/local/ssl/lib/libssl.a(ssl_lib.o): In function `SSL_new':
ssl_lib.c:(.text+0x1ba): undefined reference to `CRYPTO_malloc'


Operator rlm_sql question

2007-07-11 Thread Dave
Hi,

I have a question regarding the rlm_sql module and the := operator. In going
through the documentation, the rlm_sql module goes through the radcheck
table, then pulls the reply items from the radreply table. Then the
usergroup, radgroupcheck and radgroupreply table. So if I specify for
example Framed-IP-Address = 192.168.1.1 in the radreply table for a user,
then specify Framed-IP-Address := 255.255.255.254 in a particular group
entry in the radgroupreply table, shouldn't the reply item become
Framed-IP-Address = 255.255.255.254 in the reply? I was under the impression
that the := operator would add the reply item if it didn't exist, or modify
the value if it did already exist.

I am trying to set up one group where the user gets a static address
specified in the radreply table, then another group where they get a dynamic
address specified in the radgroupreply table based upon the NAS-IP-Address check in
the radgroupcheck table. But I always seem to get the static address, even
though the other reply items are correct for the respective groups.

This is with  freeradius 1.1.6, with the standard mysql table schema.

Thanks,

Dave



Re: SQL IP Pool maximum timeout.

2007-07-11 Thread Dave
To update: turning on interim updates on my NAS fixed my problem.
Thanks for all your help.

Peter Nixon wrote:
> On Tue 10 Jul 2007, Dave wrote:
>   
>>
>> My NAS is currently NOT sending interim updates, but there is an option
>> to use that; I just wasn't sure what it did or how it would apply to me,
>> but it makes sense that it "extends" the lease time. Do all NASes send
>> interim updates? On the DSL side of my operation I don't see any interim
>> updates until the user logs off (or lost carrier) (this is a proxied
>> operation to me). I don't have control of that NAS, only my wireless NAS.
>> 
>
> Then we have found the problem. Basically you need to set the expiry time
> greater than the time between interim accounting updates. If you don't
> get interim accounting updates, set the expiry time to larger than your
> maximum possible session length.
>
> Cheers
>
>   



Re: SQL IP Pool maximum timeout.

2007-07-09 Thread Dave
Hugh Messenger wrote:
> On Behalf Of Dave said:
>   
>> Yes accounting is working well from the NAS
>> 
>
> Are you sure the NAS is sending 'interim update' accounting packets, not
> just start/stop?
>
>   

My NAS is currently NOT sending interim updates, but there is an option
to use that; I just wasn't sure what it did or how it would apply to me,
but it makes sense that it "extends" the lease time. Do all NASes send
interim updates? On the DSL side of my operation I don't see any interim
updates until the user logs off (or lost carrier) (this is a proxied
operation to me). I don't have control of that NAS, only my wireless NAS.




> Here's my understanding of how it works (I'm sure Peter will correct me if
> I'm wrong!):
>
> On an access request, sqlippool will first check to see if this looks like a
> 'lost stop' case (allocate-clear) by checking to see if there are any
> assigned IP's in the pool with the same 'pool-key' (NAS-Port in a dialup
> context) as the request.  If so, free up that IP.
>
> Then it looks for an IP to assign (allocate-find), by checking for a free or
> expired IP in the pool, allocates it (allocate-update) and sets the
> expiry_time to "now + lease-duration".
>
> On an accounting 'stop', it frees up the IP (stop-clear).
>
> On an accounting 'update', it extends the expiry_time by 'lease-duration'
> seconds (alive-update).
>
> There's a little more to it than that (like accounting on/off), but that's
> the basic life cycle of an IP assignment.
>
> So ... if your NAS isn't sending accounting updates, then it will start
> re-assigning IP's after the initial expiry_time (lease-duration).  If your
> NAS doesn't implement accounting updates, you may have to set session
> timeouts to less than your lease-duration.
>
>-- hugh
>
>



Re: SQL IP Pool maximum timeout.

2007-07-08 Thread Dave
Yes accounting is working well from the NAS

> Are you receiving accounting packets from your NAS?
>
>
>   



Re: SQL IP Pool maximum timeout.

2007-07-08 Thread Dave
It's posted a few posts back in this thread; that version is still the
one I'm using.


>
> Dave - can you copy and paste your sqlippool.conf, so we can see what your
> actual queries look like?
>
>-- hugh
>
>   






Re: SQL IP Pool maximum timeout.

2007-07-08 Thread Dave
Alan DeKok wrote:
> Dave wrote:
>   
>> I'm still having trouble with this problem. I switched the pool key to
>> NAS port, the expiry time is 24 hours, and it seems after 24 hours it
>> wipes all the existing entries from the database,
>> 
>
>   That would seem to fit the 24-hour expiry time you set.
>
>   
>> again re-assigning 
>> IP's that are already in use, these IPs could be used indefinitely by 
>> some customers assuming they don't disconnect, I guess the 
>> sqlippool.conf seems to think that the stop packets are lost..?   
>> 
>
>   No.  The leases are set to expire after 24 hours, as you said.
>
>   If you don't want the leases to expire, edit the SQL queries so that
> they don't set or look for an expiry field.
>
>   Alan DeKok.

OK, I will look into that. And for anyone else reading, I would love other
sqlippool.conf files that work for you :) I'm new to using this module.


Re: SQL IP Pool maximum timeout.

2007-07-07 Thread Dave
I'm still having trouble with this problem. I switched the pool key to
NAS port, the expiry time is 24 hours, and it seems after 24 hours it
wipes all the existing entries from the database, again re-assigning
IPs that are already in use. These IPs could be used indefinitely by
some customers, assuming they don't disconnect; I guess the
sqlippool.conf seems to think that the stop packets are lost..?

I can make an attempt at upgrading to 2.0, but I'm concerned with downtime
if I can't get the new version up quickly enough. How much do the
configuration files need to be changed for the new version?

Peter Nixon wrote:
> On Tue 03 Jul 2007, Dave wrote:
>   
>> Hugh Messenger wrote:
>> 
>>> Dave <[EMAIL PROTECTED]> said:
>>>   
>>>> I use the sqlippool setup for handling IP pools, and it works well,
>>>> except I want to get rid of the expiry time (maximum timeout=0). Right now
>>>> it's set for 24 hours, and then it cleans itself out, and then
>>>> freeradius starts handing out already assigned/used IP addresses.  I'm
>>>> not sure where to put the maximum timeout=0 value when using sqlippool.
>>>> 
>>> That shouldn't happen, regardless of the expiry time.  The expiry_time
>>> value in the radippool entries is derived from the 'lease-duration' set
>>> in sqlippool.conf.  But the expiry_time should only affect clearing
>>> unique sessions which have gotten "stuck" (like for lost 'stop'
>>> packets).  It shouldn't just start handing out in-use IP's based on
>>> expiry time.
>>>
>>> What do you have $pool-key set to in sqlippool.conf?  And are you sure
>>> whatever value you are using (usually either NAS-Port or
>>> Calling-Station-Id) is a unique value from the NAS?
>>>   
>>   I have pool-key = "%{Calling-Station-Id}", which I just realized is not
>> always unique, (NAS is returning MAC address for Calling station ID, which
>> if passing through one of my bridge devices always returns the MAC address of
>> the ethernet bridge)
>> 
>
> Yep. That would cause havoc. Use pool-key = "%{NAS-Port}" unless you have a 
> very good reason not to!
>
>   
>>> What flavor of db do you have - postgres or mysql?  They use different
>>> configs, and depending where you got the query file from, you may have
>>> an earlier broken version (especially if you are using MySQL).
>>>
>>> What version of freeradius are you running?
>>>   
>>  I'm using mysql, and I believe I have a working version of
>> sqlippool.conf; I'll paste it here.   Freeradius 1.1.6
>> 
> -snip-
>
> Hugh recently spent quite some effort sending and testing patches for 
> rlm_sqlippool with MySQL. They are in cvs head as of a few days ago. As 
> always, I recommend sqlippool users run 2.0preX or cvs head as we have made 
> a lot of changes since 1.1.x which have not been backported.
>
> Cheers
>   

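Hugh's walk through the allocate-clear / allocate-find / allocate-update / alive-update / stop-clear cycle earlier in this thread, and Peter's warning about a non-unique pool-key, can be exercised end to end with a small model. This is an added example, not code from the thread or from FreeRADIUS: the radippool columns and the queries follow the pasted sqlippool.conf, translated to SQLite (expiry_time is an integer second with 0 standing in for '0000-00-00 00:00:00', and NOW() becomes the `now` argument), and the user names, MAC addresses and 192.0.2.x addresses are constructed.

```python
import sqlite3

LEASE_DURATION = 3600  # sqlippool.conf lease-duration, in seconds
FREE = 0               # stands in for expiry_time = '0000-00-00 00:00:00'


class SqlIpPool:
    def __init__(self, pool_name, addresses, pool_key="NAS-Port", clear_by_pool_key=False):
        # pool_key is the attribute sqlippool.conf expands into ${pool-key}; clear_by_pool_key
        # selects the original allocate-clear (WHERE pool_key = ...) over the expiry-based one.
        self.pool_name, self.pool_key = pool_name, pool_key
        self.clear_by_pool_key = clear_by_pool_key
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE radippool (id INTEGER PRIMARY KEY, pool_name TEXT,"
            " framedipaddress TEXT, nasipaddress TEXT DEFAULT '', pool_key TEXT DEFAULT '0',"
            " callingstationid TEXT DEFAULT '', username TEXT DEFAULT '',"
            " expiry_time INTEGER DEFAULT 0)")
        self.db.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
                            [(pool_name, a) for a in addresses])

    def _clear(self, where, params):
        # Shared body of allocate-clear and stop-clear: reset matching rows to the free state.
        self.db.execute("UPDATE radippool SET nasipaddress = '', pool_key = '0',"
                        " callingstationid = '', username = '', expiry_time = ? WHERE " + where,
                        (FREE,) + params)

    def allocate(self, req, now):
        """Access-Request: allocate-clear, allocate-find, allocate-update."""
        if self.clear_by_pool_key:
            self._clear("pool_key = ?", (str(req[self.pool_key]),))
        else:  # clear every expired lease (covers lost acc-stop packets)
            self._clear("expiry_time <= ?", (now - 1,))
        # allocate-find: prefer what this user/station held last; free rows sort first (expiry 0)
        row = self.db.execute(
            "SELECT framedipaddress FROM radippool WHERE pool_name = ? AND expiry_time < ?"
            " ORDER BY (username <> ?), (callingstationid <> ?), expiry_time LIMIT 1",
            (self.pool_name, now, req["User-Name"], req["Calling-Station-Id"])).fetchone()
        if row is None:
            return None  # pool full; pool_check() tells that apart from a missing pool
        self.db.execute(  # allocate-update
            "UPDATE radippool SET nasipaddress = ?, pool_key = ?, callingstationid = ?,"
            " username = ?, expiry_time = ? WHERE framedipaddress = ?",
            (req["NAS-IP-Address"], str(req[self.pool_key]), req["Calling-Station-Id"],
             req["User-Name"], now + LEASE_DURATION, row[0]))
        return row[0]

    def alive(self, req, now):
        """Interim-Update: alive-update pushes expiry_time out by lease-duration."""
        self.db.execute(
            "UPDATE radippool SET expiry_time = ? WHERE nasipaddress = ? AND pool_key = ?"
            " AND username = ? AND callingstationid = ? AND framedipaddress = ?",
            (now + LEASE_DURATION, req["NAS-IP-Address"], str(req[self.pool_key]),
             req["User-Name"], req["Calling-Station-Id"], req["Framed-IP-Address"]))

    def stop(self, req):
        """Accounting Stop: stop-clear releases exactly this session's address."""
        self._clear("nasipaddress = ? AND pool_key = ? AND username = ?"
                    " AND callingstationid = ? AND framedipaddress = ?",
                    (req["NAS-IP-Address"], str(req[self.pool_key]), req["User-Name"],
                     req["Calling-Station-Id"], req["Framed-IP-Address"]))

    def pool_check(self):
        """pool-check: does the pool exist at all (a full pool vs. no pool)?"""
        return self.db.execute("SELECT id FROM radippool WHERE pool_name = ? LIMIT 1",
                               (self.pool_name,)).fetchone() is not None

    def holder(self, ip):
        """username the table records for ip; '' once the lease has been cleared."""
        return self.db.execute("SELECT username FROM radippool WHERE framedipaddress = ?",
                               (ip,)).fetchone()[0]


def request(user, nas_port, csid, ip=None):
    # Constructed request attributes; only the ones the queries expand.
    return {"User-Name": user, "NAS-IP-Address": "10.0.0.1", "NAS-Port": nas_port,
            "Calling-Station-Id": csid, "Framed-IP-Address": ip}


def lost_lease_demo(send_interim):
    """Two users fill a two-address pool; a third asks after lease-duration. Without
    Interim-Updates both leases look expired, so carol gets an address still in use."""
    pool = SqlIpPool("wifi", ["192.0.2.10", "192.0.2.11"])
    a = request("alice", 1, "00:11:22:33:44:01")
    b = request("bob", 2, "00:11:22:33:44:02")
    a["Framed-IP-Address"] = pool.allocate(a, 100)
    b["Framed-IP-Address"] = pool.allocate(b, 100)
    if send_interim:  # NAS sends Interim-Update well inside lease-duration
        pool.alive(a, 3100)
        pool.alive(b, 3100)
    return pool.allocate(request("carol", 3, "00:11:22:33:44:03"), 4100)


def shared_pool_key_demo(clear_by_pool_key):
    """Two hosts behind a bridge share the bridge MAC as pool key; with the pool_key-based
    allocate-clear, bob's request wipes alice's live lease. Returns alice's IP's holder."""
    pool = SqlIpPool("wifi", ["192.0.2.10", "192.0.2.11"], pool_key="Calling-Station-Id",
                     clear_by_pool_key=clear_by_pool_key)
    bridge_mac = "00:11:22:33:44:ff"
    alice_ip = pool.allocate(request("alice", 1, bridge_mac), 100)
    pool.allocate(request("bob", 2, bridge_mac), 110)
    return pool.holder(alice_ip)
```

lost_lease_demo(False) returns an address alice or bob still holds while lost_lease_demo(True) returns None because the interim updates kept both leases alive; shared_pool_key_demo(True) shows alice's lease gone after bob's request, whereas the expiry-based clear leaves it intact.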


Re: SQL IP Pool maximum timeout.

2007-07-02 Thread Dave
Hugh Messenger wrote:
> Dave <[EMAIL PROTECTED]> said:
>   
>> I use the sqlippool setup for handling IP pools, and it works well,
>> except I want to get rid of the expiry time (maximum timeout=0). Right now
>> it's set for 24 hours, and then it cleans itself out, and then
>> freeradius starts handing out already assigned/used IP addresses.  I'm
>> not sure where to put the maximum timeout=0 value when using sqlippool.
>> 
>
> That shouldn't happen, regardless of the expiry time.  The expiry_time value
> in the radippool entries is derived from the 'lease-duration' set in
> sqlippool.conf.  But the expiry_time should only affect clearing unique
> sessions which have gotten "stuck" (like for lost 'stop' packets).  It
> shouldn't just start handing out in-use IP's based on expiry time.
>
> What do you have $pool-key set to in sqlippool.conf?  And are you sure
> whatever value you are using (usually either NAS-Port or Calling-Station-Id)
> is a unique value from the NAS?
>   
  I have pool-key = "%{Calling-Station-Id}", which I just realized is not
always unique (the NAS is returning a MAC address for Calling-Station-Id, which, if
passing through one of my bridge devices, always returns the MAC address of the
ethernet bridge).



> What flavor of db do you have - postgres or mysql?  They use different
> configs, and depending where you got the query file from, you may have an
> earlier broken version (especially if you are using MySQL).
>
> What version of freeradius are you running?
>
>   
 I'm using mysql, and I believe I have a working version of
sqlippool.conf; I'll paste it here.   Freeradius 1.1.6

sqlippool.conf 
***
sqlippool {

## SQL instance to use (from sql.conf)
sql-instance-name = "sql"

## Table to keep ippool info
ippool_table = "radippool"

## lease_duration. fix for lost acc-stop packets
lease-duration = 3600

## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool.
## Calling-Station-Id is for NAS that send fixed NAS-Port
# pool-key = "%{NAS-Port}"
pool-key = "%{Calling-Station-Id}"

## Logging configuration.
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{check:Pool-Name} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

sqlippool_log_clear = "Released IP %{Framed-IP-Address} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"

sqlippool_log_failed = "IP Allocation FAILED from %{check:Pool-Name} \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

sqlippool_log_nopool = "No Pool-Name defined \
 (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

# ## This series of queries allocates an IP address
# allocate-clear = "UPDATE ${ippool_table} \
#  SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
#  expiry_time = '0000-00-00 00:00:00' \
#  WHERE pool_key = '${pool-key}'"

## This will clear all expired leases for lost acc-stop packets
allocate-clear = "UPDATE radippool \
 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', \
 expiry_time = '0000-00-00 00:00:00' \
 WHERE expiry_time <= NOW() - INTERVAL 1 SECOND"


# ## The ORDER BY clause of this query tries to allocate the same IP-address
# ## which user had last session...
# allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
#  WHERE pool_name = '%{check:Pool-Name}' AND expiry_time < NOW() \
#  ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time \
#  LIMIT 1 \
#  FOR UPDATE"

## If you prefer to allocate a random IP address every time, use this query instead
allocate-find = "SELECT framedipaddress FROM ${ippool_table} \
 WHERE pool_name = '%{check:Pool-Name}' AND expiry_time = '0000-00-00 00:00:00' \
 ORDER BY RAND() \
 LIMIT 1 \
 FOR UPDATE"


## If an IP could not be allocated, check to see if the pool exists or not
## This allows the module to differentiate between a full pool and no pool
## Note: If you are not running redundant pool modules this query may be commented
## out to save running this query every time an ip is not allocated.
pool-check = "SELECT id FROM ${ippool_table} WHERE pool_name='%{check:Pool-Name}' LIMIT 1"


all

SQL IP Pool maximum timeout.

2007-07-02 Thread Dave
I use the sqlippool setup for handling IP pools, and it works well,
except I want to get rid of the expiry time (maximum timeout=0). Right now
it's set for 24 hours, and then it cleans itself out, and then
freeradius starts handing out already assigned/used IP addresses.  I'm
not sure where to put the maximum timeout=0 value when using sqlippool.




Center for Internet Security - Call for Participation for FreeRADIUS Benchmark

2007-05-10 Thread Dave Shackleford
***Thanks to moderators for allowing this post - it's for a good
cause!***

 

Hi folks, I'd like to introduce myself. My name is Dave Shackleford, and
I represent the Center for Internet Security. Some of you may know of
us, and some of you may not.

 

CIS is a non-profit that coordinates teams of volunteers who collaborate
to create benchmark guides for securing systems. Many of you may have
used some of the CIS tools to score your systems against the benchmarks
at one time or another, and thousands of people download the benchmarks
and scoring tools every month. We are actively seeking IT and security
professionals to participate in the benchmark development process. We
are also looking for anyone experienced in Java and/or XML programming
to assist with our newest scoring tool development (contact me
off-list).

 

We are about to begin the consensus process for a FreeRADIUS security
benchmark. Time commitments are minimal, all you need to do is go and
sign up on the mailing list and provide some input to the group on the
benchmark draft when it's released. We always have a team leader who
puts together the initial draft, pulling from a variety of sources; this
is then sent to the mailing list for review and comment. After a
consensus is reached, we publish it. We also list participants' names on
our "Honor Roll" page at http://www.cisecurity.org/honor_roll.html.

 

Our benchmarks are gaining a lot of attention right now. We are
mentioned specifically in the PCI DSS (section 2.2), we are working with
NIST to develop tools and content, and a lot more. If you would like to
participate, please visit the site and sign up. We won't send you any
unsolicited email, just the list postings for benchmark development.
Also, please feel free to sign up for anything not mentioned below, we
will be working on all of the benchmarks over the course of the next
year or so. There are also lots of opportunities to earn CPE credits for
participation.

 

If you have any questions, please reply to me off-list (dshackleford at
cisecurity dot org). Thanks for your help! -Dave

 

1. FreeRADIUS Benchmark (OpenLDAP will also be discussed here)

MAILING LIST:
http://lists.cisecurity.org/mailman/listinfo/access-controls

 

Also the Virtualization Benchmark (may interest some)

MAILING LIST:
http://lists.cisecurity.org/mailman/listinfo/vm-security-benchmark

 

Note: This list will benefit from varied backgrounds and skill sets.

 

 


Re: FreeRADIUS FreeBSD port

2007-01-20 Thread Dave

On Jan 20, 2007, at 1:53 AM, Alan DeKok wrote:

In the case of FreeRADIUS, assuming you don't set PREFIX explicitly to

something else, the default configuration files go in
/usr/local/etc/raddb, suffixed with .sample - so
/usr/local/etc/raddb/radiusd.conf.sample and so on.


  That's awkward.  Especially because the sample configs *work* out of
the box.  That's the whole point of the sample configs.  And worse,
there are a number of files that need to be set up properly before the
server runs, which makes copying the sample files even more work.

  Could you update the port to install the files if they don't already
exist?


And reading the Handbook you mentioned, it seems to support Alan's
suggestion that both be installed when the configuration files don't
exist, with only the .sample files being listed in the package list.

<http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/plist-config.html>


--
Dave



Accounting data not being properly written to mySQL database.

2006-12-14 Thread Dave Martin

GentlePersons,

I'm in the process of converting from flat file to mySQL database for 
our RADIUS accounting.  I've modified the accounting_start_query 
entry in sql.conf to:


accounting_start_query = "INSERT into ${acct_table1} \
SET \
AcctSessionId  = '%{Acct-Session-id}', \
AcctUniqueId   = '%{Acct-Unique-Session-Id}', \
UserName   = '%{SQL-User-Name}', \
Realm  = '%{Realm}', \
NASIdentifier  = '%{NAS-Identifier}', \
NASPortId  = '%{NAS-Port}', \
NASPortType= '%{NAS-Port-Type}', \
AcctStartTime  = '%S', \
AcctStopTime   = '0', \
AcctSessionTime= '0', \
AcctAuthentic  = '%{Acct-Authentic}', \
ConnectInfo_start  = '%{Connect-Info}', \
ConnectInfo_stop   = '0', \
AcctInputOctets= '0', \
AcctOutputOctets   = '0', \
CalledStationId= '%{Called-Station-Id}', \
CallingStationId   = '%{Calling-Station-Id}', \
AcctTerminateCause = '', \
ServiceType= '%{Service-Type}', \
FramedProtocol = '%{Framed-Protocol}', \
FramedIPAddress= '%{Framed-IP-Address}', \
AcctStartDelay = '%{Acct-Delay-Time}', \
AcctStopDelay  = '0', \
XAscendDataRate= '%{X-Ascend-Data-Rate}', \
XAscendDisconnectCause = '%{X-Ascend-Disconnect-Cause}', \
XAscendModemPortNo = '%{X-Ascend-Modem-Port-No}', \
XAscendModemShelfNo= '%{X-Ascend-Modem-Shelf-No}', \
XAscendModemSlotNo = '%{X-Ascend-Modem-Slot-No}', \
XAscendXmitRate= '%{X-Ascend-Xmit-Rate}'"

I'm seeing all the fields written to the database as expected, but 
several of them (all the 'XAscend' parameters) are being written to 
the database as '0'.  I still have flat file logging enabled and the 
values are being written properly there in the Start records. e.g.:


Wed Dec 13 06:47:37 2006
Event-Timestamp = "Dec 13 2006 06:47:25 PST"
*User-Name = "***"
*NAS-IP-Address = 1.2.3.4
*NAS-Identifier = "nasid"
Ascend-Owner-IP-Addr = 0.0.0.0
NAS-Port = 101072015
Ascend-NAS-Port-Format = 5
NAS-Port-Type = Async
Service-Type = Framed-User
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = "521456215"
Acct-Authentic = RADIUS
Ascend-Auth-Delay = 240
X-Ascend-Data-Rate = 24000
X-Ascend-Xmit-Rate = 49333
X-Ascend-Modem-PortNo = 192
X-Ascend-Modem-SlotNo = 34
X-Ascend-Modem-ShelfNo = 1
*Calling-Station-Id = "1234567890"
Ascend-Calling-Id-Type-Of-Num = National-Number
Ascend-Calling-Id-Number-Plan = ISDN-Telephony
Ascend-Calling-Id-Presentatn = Allowed
Ascend-Calling-Id-Screening = Network-Provided
    *Called-Station-Id = "1234567890"
X-Ascend-Data-Svc = 0
Framed-Protocol = PPP
*Framed-IP-Address = 1.2.3.4
*Client-IP-Address = 1.2.3.4
Acct-Unique-Session-Id = "90bb5c1dcbf6939d"
*Stripped-User-Name = "user"
Realm = "NULL"
Timestamp = 1166021257

(fields beginning with '*' have been sanitized).

Any ideas?  Thanks!

Dave Martin
--

Dave Martin Netcetera, Inc.[EMAIL PROTECTED]



Re: Adding proxying to our EAP setup

2006-10-10 Thread Dave Mussulman
Thanks for the help, Phil and Alan.  This message is pretty much an
FYI/wrapup for the archives (and for me, since it might be a bit before
I get back to it.)

The users I want to proxy have a fairly programmatic username pattern,
so I think the best thing for me is to expression match in a users file
(as opposed to hints or realms.)  My setup looks like:

authorize {
  preprocess
  eap
  files
  Autz-Type EAPINNER {
    eapfiles
    mschap
  }
}

files has a DEFAULT line that catches the RADIUS server stripping
through the tunnels, and applies it to the EAPINNER Autz-Type:

DEFAULT NAS-IP-Address == "127.0.0.1", Autz-Type := EAPINNER

The eapfiles is a second instance of the users file with the line:

DEFAULT User-Name =~ "^vpn[0123456789]+$", Proxy-to-Realm := "VPNaccts"

(I wonder if I couldn't combine the NAS-IP-Address, User-Name and
Proxy-to-Realm in the first users file.  Maybe I'll try that later.  If
I did it on the outer loop, it proxied the full EAP session, instead of
just the inner authentication.)

In eap.conf, setting peap's proxy_tunneled_request_as_eap toggle let me
control whether I sent on EAP messages or MSCHAP messages.  (My copy of
the config didn't have that option, but it worked when I added it from
the 1.1.3 eap.conf)  Unfortunately, my upstream RADIUS server doesn't
yet support MSCHAP or EAP, so I'm waiting on that.  But I'm pleased with
what I've been able to do so far.

The catch I ran into involved the mschap section not authenticating off
the User-Password in the users file if I had ntlm_auth line configured.
This is my test system, and I don't have samba/winbindd configured so
those attempts always failed, but it never seemed to fall back to
figuring out itself.  That made troubleshooting difficult when I
couldn't get the simple users file entry to work.  Commenting out the
ntlm_auth line did the trick.  I haven't changed anything on our
production servers, but it must do things differently as we have
ntlm_auth configured and authenticating from the AD or a sql database
with local passwords.  Maybe FreeRADIUS handles different ntlm_auth
failures differently (cannot bind versus bad user password?)

Until the upstream server gets the functionality I'm looking for, there
were a few possible future issues I wanted to document before I lost
them.  If I set copy_request_to_tunnel in peap to yes, my NAS-IP-Address
== 127.0.0.1 trick doesn't work.  I was also concerned that proxying
seems to keep the NAS-IP-Address set to 127.0.0.1, and I didn't know if
the upstream provider would be concerned about that.  I put a setting in
the preproxy_users file to set that to an allowed NAS IP, but didn't get
to fully test/confirm that worked.

Thanks again for the help, and great product!

Dave


Adding proxying to our EAP setup

2006-10-06 Thread Dave Mussulman
Hello,

I've been using FreeRADIUS for years to do PEAP/MSCHAP2 WPA
authentications, and it's worked well enough to be a
set-it-and-forget-it solution.  I'm currently running 1.0.4, but would
upgrade if it would help me accomplish the goals in this message.

However, changing environments bring me back into the config, and I'm
not sure how to do what I want.  We've been using ntlm_auth against the
AD for our primary authentication, with a fallback to sql and plaintext
passwords for local accounts.  I'd like to change from maintaining my
own sql copy/user database to RADIUS proxying to someone else's server.
From a few trial/error tests, I have two questions about proxying and
EAP.

What's the recommended way to configure failover proxying/realms when
there's no realm-ish identifier?  When "user" logs in, I want them to
check against ntlm_auth, and if that fails, resort back to a proxied
realm as "user".  Right now, I'm doing that via the default config realm
suffix {} module, and a realm NULL section in proxy.conf.  Is there a
better way?  Hints or something?  Does this involve the
configurable_failover documentation?

Second question involves proxies and EAP.  Since my upstream RADIUS
server I'm proxying to doesn't seem to support EAP, is it even possible
for my RADIUS server (in its PEAP/MSCHAPv2 decoding,) to create a
'normal' RADIUS packet to relay?  Or do I have to get the upstream
server to support EAP?  It seems like if suffix (realm) module is
anywhere in the authorize section, it proxies the entire EAP packet.
Can I tell it only to do that at a certain stage in the process?

How would you recommend I configure this?

Dave
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error with libmysqlclient_r.so.14

2006-08-02 Thread Dave
I'm no expert, but I had the same problem with SSL not linking even though
it was in the system path.  To fix it I did:

export LD_PRELOAD=/usr/lib/libssl.so

Maybe doing the same with your mysql library might help you?


Bruno Machado wrote:
> Hi all
>
> I'm trying to use RADIUS, but I'm receiving this error:
>
> rlm_sql (sql): Could not link driver rlm_sql_mysql:
> libmysqlclient_r.so.14: cannot open shared object file: No such file
> or directory
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
> the search path of your system's ld.
> radiusd.conf[14]: sql: Module instantiation failed.
> radiusd.conf[1825] Unknown module "sql".
> radiusd.conf[1754] Failed to parse authorize section.
>
> The server already have MySQL 5.0.22 installed. Anybody knows what is
> happening?
>
> Thanks
>
> 
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Undelivered Mail Returned to Sender

2006-07-31 Thread Dave
Mail Delivery System wrote:
> This is the Postfix program at host wavetail.420.am.
>
> I'm sorry to have to inform you that your message could not be
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to 
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
>   The Postfix program
>
> <[EMAIL PROTECTED]>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1
> Message content rejected, UBE, id=02941-03 (in reply to end of DATA
> command)
>   
> 
>
> Reporting-MTA: dns; wavetail.420.am
> X-Postfix-Queue-ID: 0CC3BFC817B
> X-Postfix-Sender: rfc822; [EMAIL PROTECTED]
> Arrival-Date: Sun, 30 Jul 2006 22:07:43 -0700 (PDT)
>
> Final-Recipient: rfc822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.0.0
> Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
> content rejected, UBE, id=02941-03 (in reply to end of DATA command)
>   
>
> 
>
> Subject:
> New
> From:
> Dave <[EMAIL PROTECTED]>
> Date:
> Mon, 31 Jul 2006 01:05:23 -0400
> To:
> [EMAIL PROTECTED]
>
> To:
> [EMAIL PROTECTED]
>
> Received:
> from 206-248-144-82.dsl.teksavvy.com (206-248-144-82.dsl.teksavvy.com
> [206.248.144.82]) by wavetail.420.am (Postfix) with ESMTP id
> 0CC3BFC817B for <[EMAIL PROTECTED]>; Sun, 30 Jul 2006
> 22:07:43 -0700 (PDT)
> Received:
> from localhost (localhost [127.0.0.1]) by
> 206-248-144-82.dsl.teksavvy.com (Postfix) with ESMTP id 7E7921CF7D0
> for <[EMAIL PROTECTED]>; Mon, 31 Jul 2006 00:15:46
> -0400 (EDT)
> Received:
> from 206-248-144-82.dsl.teksavvy.com ([127.0.0.1]) by localhost
> (206-248-144-82.dsl.teksavvy.com [127.0.0.1]) (amavisd-new, port
> 10024) with ESMTP id 20791-16 for <[EMAIL PROTECTED]>;
> Mon, 31 Jul 2006 00:15:46 -0400 (EDT)
> Received:
> from [192.168.1.150] (206-248-139-111.dsl.teksavvy.com
> [206.248.139.111]) by 206-248-144-82.dsl.teksavvy.com (Postfix) with
> ESMTP id DBF361CF1C4 for <[EMAIL PROTECTED]>; Mon, 31
> Jul 2006 00:15:45 -0400 (EDT)
> Message-ID:
> <[EMAIL PROTECTED]>
> User-Agent:
> Thunderbird 1.5.0.2 (X11/20060504)
> MIME-Version:
> 1.0
> Content-Type:
> text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding:
> 7bit
> X-Virus-Scanned:
> amavisd-new at dsl.teksavvy.com
> X-Spam-Status:
> No, score=-1.147 tagged_above=-100 required=3
> tests=[ALL_TRUSTED=-1.44, AWL=0.293]
> X-Spam-Score:
> -1.147
>
>
> New
>   

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Operation of a radius server

2006-07-18 Thread Dave
I was just hoping someone here could explain to me how the radius server
process works.
My situation will be authorizing for DSL.

I think the process is:  My DSL wholesaler gets requests for logins
under my realm to their NAS, then sends them to me, then I send back a yes
or no answer.

My question is: what information do I have to supply to my DSL wholesaler,
and what information do I need from them, regarding authorization types
or encryption?

Any info would help a lot.

Thanks




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
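
The exchange described in the post, as an added example that is not part of the original post and is not FreeRADIUS code: the wholesaler's NAS (or proxy) sends an Access-Request for a user in your realm, your server answers Accept or Reject. What the two parties have to agree on, beyond the realm name and each other's IP addresses, is the RADIUS shared secret (RFC 2865). It hides the User-Password in the request (section 5.2) and authenticates the response through the Response Authenticator (section 3), so an Accept forged by someone who does not hold the secret is rejected by the NAS. The secret, the user name, the password and the NAS IP used below are constructed for the example.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange per RFC 2865.
Added example; all secrets, users and addresses here are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def attr(atype, value):
    """One attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Attributes start at byte 20, after Code, ID, Length and Authenticator."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def _xor_chain(data, secret, request_auth, decrypt):
    """Core of RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first 'previous' block is
    the Request Authenticator. Only a holder of the secret can undo it."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """NAS/proxy side. The Request Authenticator must be unpredictable."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response, request, secret):
    """NAS/proxy side: an Accept forged without the secret fails this check."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def handle_request(request, secret, users):
    """Realm owner's server: recover the password, look the user up, answer."""
    attrs = parse_attrs(request)
    name = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = hmac.compare_digest(users.get(name, b"\x00"), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    SECRET = b"s3cret-agreed-with-wholesaler"          # constructed
    USERS = {b"alice@example-realm.net": b"hunter2"}   # constructed
    req = build_access_request(7, b"alice@example-realm.net", b"hunter2",
                               bytes([192, 0, 2, 10]), SECRET)
    resp = handle_request(req, SECRET, USERS)
    print("accept" if resp[0] == ACCESS_ACCEPT else "reject",
          "authentic" if response_is_authentic(resp, req, SECRET) else "FORGED")
```

The password hiding is MD5-based XOR, not encryption in any modern sense: anyone who captures the request and knows the secret reads the password, and a weak secret can be guessed offline from a single captured request/response pair. That is why the secret and the list of permitted source addresses are the two things worth being careful about when you exchange details with the wholesaler.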


Re: Error on startup: undefined symbol: SSL_set_ex_data

2006-07-17 Thread Dave

types/rlm_eap_tls/rlm_eap_tls.c:SSL_set_ex_data(ssn->ssl, 0,
(void *)handler);
types/rlm_eap_tls/rlm_eap_tls.c:SSL_set_ex_data(ssn->ssl, 1,
(void *)inst->conf);

Found in the modules/rlm_eap

Something in the TLS end of things. I do believe it to be a bug of some
sort, either in OpenSSL or FreeRADIUS.



Alan DeKok wrote:
> Dave <[EMAIL PROTECTED]> wrote:
>   
>> freeradius 1.1.0 does not have this error, 1.1.1 and 1.1.2 both do. for
>> me, using ssl 0.9.7j and 0.9.8b. 
>> 
>
>   1.1.2 doesn't have references to SSL_set_ex_data in libeap, and
> neither does 1.1.1.  It looks to me like OpenSSL has wrappers around
> some other function that calls SSL_set_ex_data.
>
>   And I don't know why it doesn't link, sorry.
>
>   Alan DeKok.
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error on startup: undefined symbol: SSL_set_ex_data

2006-07-17 Thread Dave
Alan DeKok wrote:
> Dave <[EMAIL PROTECTED]> wrote:
>   
>> I'm currently using OpenSSL version 0.9.7j; I thought that may have
>> been my problem, but the version is up to date.
>> 
>
>   Then you have two versions of OpenSSL installed.
>
>   Alan DeKok.
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   
No, it's not the problem; even if I did, I've never installed anything lower
than 0.9.7 on this machine. 1.1.0 doesn't have this error; only versions 1.1.1
and 1.1.2 do.

The error is also there with OpenSSL version 0.9.8.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error on startup: undefined symbol: SSL_set_ex_data

2006-07-17 Thread Dave
Alan DeKok wrote:
> Dave <[EMAIL PROTECTED]> wrote:
>   
>> Error: radiusd.conf[10] Failed to link to module 'rlm_eap':
>> /usr/lib/libeap-1.1.1.so: undefined symbol: SSL_set_ex_data
>> 
>
>   You've built using an older version of OpenSSL.  Use OpenSSL 0.9.7
> or later.
>
>   Alan DeKok.
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   



freeradius 1.1.0 does not have this error, 1.1.1 and 1.1.2 both do. for
me, using ssl 0.9.7j and 0.9.8b. 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error on startup: undefined symbol: SSL_set_ex_data

2006-07-16 Thread Dave
Alan DeKok wrote:
> Dave <[EMAIL PROTECTED]> wrote:
>   
>> Error: radiusd.conf[10] Failed to link to module 'rlm_eap':
>> /usr/lib/libeap-1.1.1.so: undefined symbol: SSL_set_ex_data
>> 
>
>   You've built using an older version of OpenSSL.  Use OpenSSL 0.9.7
> or later.
>
>   Alan DeKok.
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   


I'm currently using OpenSSL version 0.9.7j; I thought that may have
been my problem, but the version is up to date.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Error on startup: undefined symbol: SSL_set_ex_data

2006-07-16 Thread Dave

Hi all, this is my first post to the list.

I am getting some startup errors now after upgrading to 1.1.1, although
I never had 1.1.0 working in a real environment either.

I get this error during startup in the logs:

Error: radiusd.conf[10] Failed to link to module 'rlm_eap':
/usr/lib/libeap-1.1.1.so: undefined symbol: SSL_set_ex_data

I've tried using the value in radiusd.conf about library paths to no avail.


I've not found a solution to this anywhere :(


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: D-link and freeradius

2006-03-13 Thread Dave Huff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


> Date: Mon, 13 Mar 2006 12:58:49 +0200
> From: "Christoforos Ntantogian" <[EMAIL PROTECTED]>
> Subject: D-link and freeradius
> To: 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-7"

> Hello,

> I am going to set up 802.1X wireless authentication with EAP-MD5,
> EAP-TLS and EAP-SIM.
> I would like to ask if freeradius supports the D-link wireless access
> points. The NAS list that freeradius supports doesn't include D-link
> products. I have a D-link 900+ access point. How can I make it work with
> freeradius, or can't I?

I'm using FR with a Dlink 624.  I did have to download the latest firmware
from Dlink before it would work.

Dave H




-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.5 (Build 5050)

iQEVAwUBRBWYpiKWt8bugsEpAQiToAgAlX84Z+D2YHOUl+ZfYr25dUx3xYCKcJjY
P+aEnUimIv1gpOCpU73DpgH+1LJP1ecdA/n1W9cBlf84Tu95pn0Hhj4JpVVqkhUh
wBeemR+bdxBgMEVdLGoORQITtDXOgyp6rAx+oEa8KFMQEZm+VuEbSz4WNWawZ7o8
fse5qr7M9F+QRZJHZ1CQ9eafW/iBl3l8EMQN4mFibi/0M21NlZawqo4ymHey2mCQ
5ICQ2SrMKLMtdSnGKjZjiAw9EgV4OXsu3G7Ts5+R5IjetmHNmiv2fVK33Br2ycLT
D3rdPpojdCwnvvbLQMU2B/NOOac3gH22ap41odNzaM3MStWljh1S0g==
=N4A9
-END PGP SIGNATURE-
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Client certs with MSCHAPV2 in PEAP

2006-02-24 Thread Dave Huff
 
> 
> Dave Huff wrote:
> > .
> >> From: "Alan DeKok" <[EMAIL PROTECTED]>
> > 
> >> Robert Myers <[EMAIL PROTECTED]> wrote:
> >>> The reason I ask, is that I'm using a client cert signed 
> by my CA to 
> >>> do eap/tls, and it's working.  I have not implemented the server 
> >>> cert as of yet.
> > 
> >>  Then it *should* work with PEAP.  But I don't know of many people 
> >> that use client certs with PEAP.  I suspect no one has 
> tested that, 
> >> and that the client may be doing something different than 
> with EAP-TLS.
> > 
> >>  My suggestion is don't use client certs with PEAP.
> > 
> >>  Alan DeKok.
> > 
> > Ah well, I'm trying to authenticate both a machine (cert) and a user
> > (password) to prevent people from using unchecked machines 
> on the network.
> > PEAP sort of does that I guess since the internal CA isn't 
> set up on a 
> > client, but that's not a very secure method.  Any suggestions 
> > appreciated and thanks for your help.
> 
> Interesting. What client is this?
FC4/2.6.15-1.1831
Freeradius 1.0.4
Intel PROset 9.0.3.0

Is there a debug mode that would show me exactly which certs are being
exchanged?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Client certs with MSCHAPV2 in PEAP

2006-02-24 Thread Dave Huff
.
>From: "Alan DeKok" <[EMAIL PROTECTED]>

>Robert Myers <[EMAIL PROTECTED]> wrote:
>> The reason I ask, is that I'm using a client cert signed by my CA to do 
>> eap/tls, and it's working.  I have not implemented the server cert as of 
>> yet.

>  Then it *should* work with PEAP.  But I don't know of many people
>that use client certs with PEAP.  I suspect no one has tested that,
>and that the client may be doing something different than with EAP-TLS.

>  My suggestion is don't use client certs with PEAP.

>  Alan DeKok.

Ah well, I'm trying to authenticate both a machine (cert) and a user
(password) to prevent people from using unchecked machines on the network.
PEAP sort of does that I guess since the internal CA isn't set up on a
client, but that's not a very secure method.  Any suggestions appreciated
and thanks for your help.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Client certs with MSCHAPV2 in PEAP

2006-02-23 Thread Dave Huff
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Alan DeKok
> 
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
> >   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal 
> > certificate_unknown TLS Alert read:fatal:certificate unknown
> 
>   SSL is telling FreeRADIUS that the certificate sent by the 
> client is bad.
That's what I thought too, but I configured the CA, server, and client certs
all with OpenSSL pretty much like
http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac269.html

Windows is using the cert I installed from the linux box, at least I have a
choice in ProSET.  If Windows overrides for some reason, I wouldn't
know...can I set a debug mode that would tell me?
> 
>   You're probably doing EAP-TLS where the server has one 
> cert, and the client has cert signed by someone else 
> entirely.  For EAP-TLS to work, the client certs have to be 
> signed by the server cert.
Signed by the server cert or by the CA cert?  I have a CA that signed the
server and client certs, and the eap.conf file knows where server and CA
certs are.

Dan
  
> 
>   Alan DeKok.
> 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Dave Huff
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Alan DeKok

> 
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
> > I would like to configure this setup using Freeradius.  My WinXP 
> > client (Intel ProSET) supports this, but FR chokes on it 
> when enabled.
> 
>   Would you be willing to run the server in debugging mode, 
> as suggested in the FAQ, README, INSTALL, and daily on this list?

Sure, thought my question needed a quick answer, but here I've included the
log AFTER inserting the line in the users file, and turning on the client
cert part of MSCHAPV2 in ProSET:

auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 71 to 192.168.0.1:1201
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xd4448443a5823bb9ceffabd590f27721
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 71 with timestamp 43fcc0a4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.0.1:1201, id=72, 
length=243
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "00-0f-3d-3f-49-92"
Calling-Station-Id = "00-0e-35-60-27-1f"
NAS-Identifier = "HomeAP"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 
0x0202006a19800060160301005b0157030143fcc0c5eb46025dd5e3662940ba6406
6bed01df2be7d94eb754c77da12672c33000390038003500160013000a00330032002f00
66000500040065006400630062006000150012000900140011000800030100
State = 0xd4448443a5823bb9ceffabd590f27721
Message-Authenticator = 0xdcd7050a2c3750c9314d44818cf15867
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "b.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "b.com"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 75
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0780], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0074], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 72 to 192.168.0.1:1201
EAP-Message = 
0x0103040a19c0084d160301004a0246030143fcc0c6b503405d5825db4720dc2d66
93c9570afd72cd19086b5e9d890c2f4f2010fa22c781d6954b8b8a8a8d1e7c1f3fc0d5bbf96b
c540e87c90018c4636459f00350016030107800b00077c00077900035d3082035930820241a0
03020102020102300d06092a864886f70d01010405003063310b300906035504061302555331
1530130603550408130c50656e6e73796c76616e69613112301006035504071309576f726365
7374657231153013060355040a130c494420576174636

Client certs with MSCHAPV2 in PEAP

2006-02-22 Thread Dave Huff
 
I would like to configure this setup using Freeradius.  My WinXP client
(Intel ProSET) supports this, but FR chokes on it when enabled.  I've got
PEAP-EAP-MSCHAPV2 working with just password authentication.

I noted this
http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html
but was unable to figure out where the DEFAULT
EAP-TLS-Require-Client-Cert := Yes should be set.

Relative Linux/Freeradius noob,

FC4/2.6.15-1.1831
Freeradius 1.0.4

Thanks,
Dan H


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Login incorrect- RAS autentication

2005-11-15 Thread Dave Weis


Why did you send this three times? It's normal for the TNT line to try and 
download configuration settings via radius unless you have turned it off. 
I don't remember the name of the setting but it's listed in the 
documentation and google can find it.


On Tue, 15 Nov 2005, Danny Zenzano wrote:


hi,

I am trying to make work an RAS(lucent-max6000) with the freeRADIUS,I
configure the MAX6000, and  the radius obtains an authentication order from
the RAS, but as result I obtain a login error message.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


newbie question on using digest authentication with postgresql

2005-10-19 Thread Horton, Dave

I'm a newbie with freeradius (understand radius protocol though), and
I'm struggling with some basics of configuration re: digest
authentication and use of postgresql for subscriber database.  I haven't
found much documentation so far on the freeradius site about
authentication using sql (besides the basic install of the schema), and
I feel I'm probably missing something/somewhere, so please feel free to
point me towards docs if this is covered somewhere.

Anyways, my simple attempt at digest authentication is currently
failing.  Here is what I have done:

1.  Provisioned the following simple data in my postgresql radius
database (this is the area where I'm most in the dark, any pointers to
information on the purpose and use of each of these tables would be
useful):

radius=# select * from radreply ;
 id | username |  attribute   | op | value
----+----------+--------------+----+-------
  1 | dhorton  | Idle-Timeout | == | 60
(1 row)

radius=# select * from radcheck ;
 id | username | attribute | op | value
----+----------+-----------+----+-------
  1 | dhorton  | Password  | == | 0276
(1 row)

radius=# select * from usergroup ;
 id | username | groupname
----+----------+-----------
  2 | dhorton  | pactolus
(1 row)

2. Edited my radiusd.conf file to uncomment the 'digest' lines in the
'authorize' and 'authenticate' sections.

3. Send an access-request message that looks like this (here is debug
output from radiusd):

rad_recv: Access-Request packet from host 10.10.105.11:1812, id=1,
length=579
User-Name = "dhorton"
User-Password = "NULL"
NAS-IP-Address = 10.10.105.11
NAS-Port = 0
Cisco-AVPair = "h323-incoming-conf-id=664A92F5 C5305B22 A8C5F339
06C5803D"
h323-conf-id = "h323-conf-id=68F37347 92CF847A 3676C449
5361F60E"
Cisco-NAS-Port = "0:0"
Cisco-AVPair = "sip-hdr=From: Dave Horton
"
Cisco-AVPair = "sip-hdr=Authorization: Digest
username="dhorton",realm="voip.dogan.com",nonce="3e320b5b5dbd4a37cb7168b
f607455b5",response="325d8976711bc76a7c1a25b53c8b0cf9",uri="sip:voip.dog
an.com""
Acct-Status-Type = Start
NAS-Port-Type = Virtual
Digest-Response = "325d8976711bc76a7c1a25b53c8b0cf9"
Digest-Attributes =
0x0110766f69702e646f67616e2e636f6d02223365333230623562356462643461333763
62373136386266363037343535623504147369703a766f69702e646f67616e2e636f6d03
0a52454749535445520a0964686f72746f6e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/10.10.105.11/auth-detail-20051019'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%
d expands to
/usr/local/var/log/radius/radacct/10.10.105.11/auth-detail-20051019
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = "voip.dogan.com"
Digest-Nonce = "3e320b5b5dbd4a37cb7168bf607455b5"
Digest-URI = "sip:voip.dogan.com"
Digest-Method = "REGISTER"
Digest-User-Name = "dhorton"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 0
rlm_realm: No '@' in User-Name = "dhorton", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
radius_xlat:  'dhorton'
rlm_sql (sql): sql_set_user escaped user --> 'dhorton'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = 'dhorton' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
FROM radcheck WHERE Username = 'dhorton' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName,
radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM
radgroupcheck, usergroup WHERE usergroup.Username = 'dhorton' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id,
radgroupcheck.GroupName, radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck
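
What rlm_digest does with that request, as an added example that is not the poster's code and not FreeRADIUS code: decode the Digest-Attributes blob printed in the debug output above (the step logged as "Converting Digest-Attributes to something sane"), then check a Digest-Response the way an RFC 2617 server does. Sub-attribute types 1 (Realm), 2 (Nonce), 3 (Method), 4 (URI) and 10 (User-Name) are confirmed by the decoded values in the debug output; types 5 to 9 (Qop, Algorithm, Body-Digest, CNonce, Nonce-Count) are taken from the FreeRADIUS Digest-Attributes dictionary and are an assumption here. The password "0276-example" used for the check is constructed, not the poster's. The point for the radcheck table: HA1 is MD5(user:realm:password), so the server needs the cleartext password (or a precomputed HA1) for that user; a one-way password hash cannot be used to verify a digest.

```python
"""Decode Digest-Attributes sub-attributes and verify an RFC 2617 digest.
Added example; sub-attribute types 5..9 and the password are assumptions."""
import hashlib
import hmac

DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-Qop", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",   # assumed
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

# Digest-Attributes value from the debug output above (line breaks removed)
DIGEST_ATTRIBUTES_HEX = (
    "0110766f69702e646f67616e2e636f6d02223365333230623562356462643461333763"
    "62373136386266363037343535623504147369703a766f69702e646f67616e2e636f6d03"
    "0a52454749535445520a0964686f72746f6e"
)


def parse_digest_attributes(blob):
    """Walk the (type, length, value) sub-attributes; the length counts its
    own 2-byte header, exactly like a top-level RADIUS attribute."""
    out, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated sub-attribute header")
        stype, slen = blob[pos], blob[pos + 1]
        if slen < 2 or pos + slen > len(blob):
            raise ValueError("bad sub-attribute length")
        name = DIGEST_SUBTYPES.get(stype, "Digest-Unknown-%d" % stype)
        out[name] = blob[pos + 2:pos + slen].decode("ascii")
        pos += slen
    return out


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(attrs, password):
    """HA1 = MD5(user:realm:password). The server must hold the cleartext
    password or this HA1; crypt()/NT hashes cannot produce it."""
    return _md5_hex("%s:%s:%s" % (attrs["Digest-User-Name"],
                                  attrs["Digest-Realm"], password))


def digest_response(attrs, password):
    """RFC 2617 request-digest, with and without qop=auth."""
    ha1 = digest_ha1(attrs, password)
    ha2 = _md5_hex("%s:%s" % (attrs["Digest-Method"], attrs["Digest-URI"]))
    qop = attrs.get("Digest-Qop")
    if qop == "auth":
        return _md5_hex("%s:%s:%s:%s:%s:%s" % (
            ha1, attrs["Digest-Nonce"], attrs["Digest-Nonce-Count"],
            attrs["Digest-CNonce"], qop, ha2))
    return _md5_hex("%s:%s:%s" % (ha1, attrs["Digest-Nonce"], ha2))


def verify_digest(attrs, password, presented, issued_nonces=None):
    """Server-side check. If the caller passes the set of nonces it issued,
    a response with an unknown or already-used nonce is refused (replay);
    the nonce is consumed before the password check so that guessing
    attempts cannot reuse it either."""
    if issued_nonces is not None:
        nonce = attrs.get("Digest-Nonce")
        if nonce not in issued_nonces:
            return False
        issued_nonces.discard(nonce)
    expected = digest_response(attrs, password)
    return hmac.compare_digest(expected.lower(), presented.lower())


if __name__ == "__main__":
    attrs = parse_digest_attributes(bytes.fromhex(DIGEST_ATTRIBUTES_HEX))
    for name, value in attrs.items():
        print("%s = %r" % (name, value))
    response = digest_response(attrs, "0276-example")   # constructed password
    print("verifies:", verify_digest(attrs, "0276-example", response))
```

Run stand-alone it prints the same five Digest-* values that rlm_digest logs above. Since the response is a plain MD5 over values that travel in the clear, anyone who captures one REGISTER can test password guesses offline at MD5 speed, which is the reason to keep the SIP password strong and to treat the nonce as single-use.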
