Re: Invalid User in RADIUS Logs
Hi, thanks! Is there a way that I can set the log level in RADIUS to make it log like when in debug mode? Because I cannot trace exactly what causes the 'Invalid user' log in RADIUS. I have already confirmed that for this case it is not the password. So now I'm left to look into other causes. Thanks a lot!
det

From: Alan DeKok
To: FreeRadius users mailing list
Sent: Tuesday, December 13, 2011 11:32 PM
Subject: Re: Invalid User in RADIUS Logs

det.explo...@yahoo.com wrote:
> Will a wrong password also sometimes log 'invalid user' in the RADIUS
> log file? Because recently I get a lot of these in the log file. But the users
> are actually valid and were able to authenticate successfully later on. Just
> want to get possible reasons on what could be causing RADIUS to log that. I'm
> also suspecting perhaps it was not able to look up/connect to the MySQL DB at that
> time. Would that be a possible cause also?

Yes.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simultaneous-Use For Group Using Unlang
Hi, where do I put this piece of code? Can I do this invocation in the authorize block? Or is it something I put in radiusd.conf? And where do I put the custom procedure itself? Is it in /etc/freeradius/modules? Sorry about this. I'm confused about the placement. This is my first time adding a custom procedure. Is it possible to extend this example to show which code goes in which file? Thanks a lot!
Det

From: Alan DeKok
To: FreeRadius users mailing list
Sent: Wednesday, November 9, 2011 9:57 PM
Subject: Re: Simultaneous-Use For Group Using Unlang

det.explo...@yahoo.com wrote:
> I'd like to implement this using unlang but not sure where to start. The part
> that I am having difficulty with is where to create the procedure and how to
> call the procedure. The rest of the things like the DB query I can reuse from
> the existing program. I want to implement this using unlang to avoid having
> to open a new MySQL connection.
>
> Any example I can follow?

The SQL module supports string expansion. The input strings are just SQL statements. The output is just a one-line string containing the result of the SQL query. This means you can call SQL procedures directly from unlang:

  if ("%{sql: call procedure with args}" > 2) {
    ... more than 2 people logged in ..
  }

Very simple!

Alan DeKok.
Re: Enabling login access and denied to be logged in radius log file
I had tried to use reply_log. It logs access or reject in the log file but does not include the username. How do I add the username info?

From: Det Det
To: FreeRadius mailing list
Sent: Thursday, October 27, 2011 2:15 PM
Subject: Enabling login access and denied to be logged in radius log file

Hi, how do I enable logging of user accept and deny logins in the log file? I tried to put sql_log in post-auth but it didn't work. Thanks!
det
Enabling login access and denied to be logged in radius log file
Hi, how do I enable logging of user accept and deny logins in the log file? I tried to put sql_log in post-auth but it didn't work. Thanks!
det
Re: Stop Logging in radpostauth table
Hey thanks! That did it.

From: Arran Cudbard-Bell
To: Det Det; FreeRadius users mailing list
Sent: Monday, October 24, 2011 6:09 PM
Subject: Re: Stop Logging in radpostauth table

On 24 Oct 2011, at 12:03, Det Det wrote:
> Hi,
> How do I stop logging in the radpostauth table? Is commenting out the query that
> inserts to radpostauth a correct way of doing that?

No... comment out the SQL call in the post-auth section.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Stop Logging in radpostauth table
Hi, how do I stop logging in the radpostauth table? Is commenting out the query that inserts to radpostauth a correct way of doing that? Thanks!
det
Re: How to Determine Whether an Attribute is a Check Item or Reply Item
Thank you. Does it mean one attribute can exist (as both or in both) radcheck/radreply tables? Like, for example, NAS-Port-Type? The reason I asked is because dialupadmin segregates the attributes into check/reply attributes. Then I happened to check NAS-Port-Type, and the RFC says the following... Does it mean access-request = check attribute? Sorry if this is another wrong question. Just want to clarify.

  It is only used in Access-Request packets.

thanks!
det

From: Alan DeKok
To: Det Det; FreeRadius users mailing list
Sent: Thursday, October 13, 2011 2:12 PM
Subject: Re: How to Determine Whether an Attribute is a Check Item or Reply Item

Det Det wrote:
> how to find out whether the attribute is a check/reply attribute?

Read the documentation for the module. *It* is the one which decided which attributes go where. So it's wrong to ask if an *attribute* is a check/reply attribute. Attributes are (mostly) just attributes. They're not check or reply.

Alan DeKok.
How to Determine Whether an Attribute is a Check Item or Reply Item
Hi there, how do I find out whether an attribute is a check/reply attribute? Thanks!
det
Re: SQL IP Pool Not Accepting Redundant SQL
Hey thanks! Got it working using the configuration below. It also worked when placed in the instantiate block.

From: Arran Cudbard-Bell
To: FreeRadius users mailing list
Cc: Det Det
Sent: Tuesday, October 4, 2011 6:24 PM
Subject: Re: SQL IP Pool Not Accepting Redundant SQL

You can't, 'redundant_sql' is not an sql-instance. You need to create two instances of sqlippool, then wrap them in a redundant block... If you're using FR >= 2.1.11 or 3.*, overload the sqlippool module:

  policy.conf

  policy {
    sqlippool {
      redundant {
        sqlippool1
        sqlippool2
      }
    }
  }

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
SQL IP Pool Not Accepting Redundant SQL
Hi, how do I make sqlippool accept redundant SQL as below?

  sqlippool {
    sql-instance-name = "redundant_sql"
    ippool_table = "radippool"
    ...
  }

  radiusd.conf
  ...
  redundant redundant_sql {
    sql1
    sql2
  }
  ...

If I use sql-instance-name = "sql1" or sql-instance-name = "sql2", it works. But I'd like to do redundancy. sql-instance-name = "sql1 sql2" or sql-instance-name = "sql1, sql2" also does not work. Thanks!
Det
Re: Using DB instead of radutmp for simultaneous-use tracking
Hi, thanks a lot! Got it working! I'd like to extend the simul-check to a group simul value. That is, a group has a simul limit; if the limit is reached, a user belonging to that group should be denied login. Any idea how to implement this? Thanks!
Det

From: Fajar A. Nugraha
To: Det Det; FreeRadius users mailing list
Sent: Friday, September 30, 2011 3:11 PM
Subject: Re: Using DB instead of radutmp for simultaneous-use tracking

On Fri, Sep 30, 2011 at 1:50 PM, Det Det wrote:
> Hi there,
> In the accounting section, radutmp is used for tracking simultaneous-use. Is
> there a way to use the DB::radacct table instead to check for simultaneous-use?

Sure. Comment out radutmp and uncomment sql in the "session" and "accounting" sections. See also sql/*/dialup.conf, look for "simul_count_query". I usually enable simul_count_query and comment out simul_verify_query.

-- Fajar
Using DB instead of radutmp for simultaneous-use tracking
Hi there, in the accounting section, radutmp is used for tracking simultaneous-use. Is there a way to use the DB::radacct table instead to check for simultaneous-use?
thanks,
det
Error in Activation Attribute
Hi, I have an Activation attribute in the radcheck table (which has a date VALUE) on the old RADIUS server. I don't find this attribute in FreeRADIUS. I get this error. Any idea?

  Failed to create the pair: Invalid octet string "Mar 09 2010 " for attribute name "Activation"

thanks
det
Re: References for New RADIUS Names/Old RADIUS Names
thanks! :)

From: Fajar A. Nugraha
To: FreeRadius users mailing list
Sent: Thursday, September 8, 2011 1:48 PM
Subject: Re: References for New RADIUS Names/Old RADIUS Names

On Thu, Sep 8, 2011 at 12:44 PM, Fajar A. Nugraha wrote:
> On Thu, Sep 8, 2011 at 12:29 PM, Det Det wrote:
>> Hi,
>> Any idea where I can see a list of new names for those RADIUS
>> attributes/values that have been obsoleted?
>
> Should be share/dictionary.compat
>
>> Just want to confirm, for example,
>> Framed-Filter-Id is obsolete, is Filter-Id a replacement for that?
>
> Yes. Look for the same type (number).

Should've been more clear. Look for the attribute number in share/dictionary.compat, and then look for the attribute name with the same number in the other dictionaries (e.g. dictionary.rfc2865).

-- Fajar
References for New RADIUS Names/Old RADIUS Names
Hi, any idea where I can see a list of new names for those RADIUS attributes/values that have been obsoleted? Just want to confirm, for example, Framed-Filter-Id is obsolete; is Filter-Id a replacement for that? Thanks!
det
Re: Specifying Any Port for RADIUS Client
Yeah, you are right. I realized that the ports value is actually not in use. It actually gets the shortname, not the nasname, which is why I get an 'unknown client' error. I had left the shortname empty.

From: Fajar A. Nugraha
To: FreeRadius users mailing list
Sent: Thursday, September 8, 2011 11:40 AM
Subject: Re: Specifying Any Port for RADIUS Client

On Thu, Sep 8, 2011 at 10:15 AM, Det Det wrote:
> please disregard this email. I thought that the 'ports' field in the 'nas' table
> means the 'source' port the client will use to connect to the RADIUS server
> when it actually means the port on the RADIUS server that the client will
> connect to.

I don't think that's the case. While the default nas table has many columns (including ports), the default query in dialup.conf is

  nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"

... which should mean only those columns are used.

-- Fajar
Re: Specifying Any Port for RADIUS Client
Please disregard this email. I thought that the 'ports' field in the 'nas' table means the 'source' port the client will use to connect to the RADIUS server, when it actually means the port on the RADIUS server that the client will connect to.

From: Det Det
To: FreeRadius mailing list
Sent: Thursday, September 8, 2011 11:07 AM
Subject: Specifying Any Port for RADIUS Client

Hi, I want to connect to the RADIUS server using RADIUS client software, not through a NAS. RADIUS client software such as radperf will generate different port numbers when connecting to the RADIUS server. How do I place client information in the NAS table such that I am able to specify an IP and "any ports"? When the client connects to the RADIUS server, the server just responds with:

  Ignoring request to authentication address * port 1812 from unknown client 192.168.0.10 port 52268

thanks!
det
Specifying Any Port for RADIUS Client
Hi, I want to connect to the RADIUS server using RADIUS client software, not through a NAS. RADIUS client software such as radperf will generate different port numbers when connecting to the RADIUS server. How do I place client information in the NAS table such that I am able to specify an IP and "any ports"? When the client connects to the RADIUS server, the server just responds with:

  Ignoring request to authentication address * port 1812 from unknown client 192.168.0.10 port 52268

thanks!
det
SQL IP Pool Control Attribute Placement
Hi, for sqlippool, http://wiki.freeradius.org/Rlm_sqlippool, which table should the control attribute below be placed in? It says it is not a reply attribute; does it then go in the radcheck/radgroupcheck table?

  DEFAULT Pool-Name := main_pool
          Fall-Through = Yes

thanks,
det
Simultaneous Use Per Domain
Hi, just want to get inputs on how simultaneous-use can be checked per domain, not per user. That is, limit mydomain.com to have simultaneous-use=x. radgroupcheck would have something like

  mydomain.com -- simultaneous-use -- x

thanks!
det
Re: RADIUS Sending Duplicate Reply
Yeah, it is a confirmed network issue. Had to reboot the NAS. Thanks guys!

From: Fajar A. Nugraha
To: FreeRadius users mailing list
Sent: Tuesday, September 6, 2011 4:51 PM
Subject: Re: RADIUS Sending Duplicate Reply

On Tue, Sep 6, 2011 at 3:26 PM, Det Det wrote:
> Hi,
> This question may be a bit off from RADIUS, but is there a way to limit the NAS
> or RADIUS to send only one access-request/access-accept in a single dial
> attempt?

You're looking at things the wrong way. It's like you're on a beach, and there's a big sign saying "no swimming" because the beach is infested with jellyfish, but you decide to swim anyway. And then when the jellyfish stings you, you ask "how to make it so it doesn't hurt".

> I am connecting via PPPoE. I can see from the RADIUS logs that it is receiving
> multiple access-requests and thus it is also giving multiple access-accepts. How
> do I prevent this? Because it is causing an issue: "connection is terminated
> because the remote server did not respond in a timely manner". Then I have
> to redial again because the IP does not get assigned to the client.

I'm guessing what happens is something like this:
- the NAS sends access-request
- radius accepts the request, and consults whatever backend it uses (e.g. files, db, ldap, etc)
- backend processing takes a long time
- client sends the request again since radius hasn't responded
- radius accepts the request again, and notices that it's a duplicate request
- processing finally completes. since there are multiple requests received, radius sends multiple responses (and logs them as duplicates)

OR

- the NAS sends access-request
- radius accepts the request, and consults whatever backend it uses (e.g. files, db, ldap, etc)
- radius sends the response, but the response comes from a different IP address than what the NAS expects
- client sends the request again since it didn't receive the expected response from the correct IP address
- radius accepts the request again, notices that it's a duplicate request, and simply sends the response again

If it's case #1, you need to fix the backend. Usually it involves indexing, fixing schemas/queries, upgrading hardware, and so on.

If it's #2, the easiest way is to just register the radius's primary IP address in the client's radius server list. Another alternative is to use "--with-udpfromto" when compiling freeradius.

-- Fajar
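The retransmit scenario Fajar sketches above (NAS times out, resends the same packet, server recognises the copy and replays its reply) is easy to misread as a bug. The following is an added example, written for this page and not FreeRADIUS code, that models the server-side duplicate detection: requests are keyed on client address, client port and RADIUS Identifier, a copy with the same Request Authenticator is a duplicate and gets the cached reply without being authenticated again, a reused Identifier with a fresh authenticator is a new request, and entries age out after a window that mirrors the `cleanup_delay` setting (the exact semantics here are an assumption for the example). All packets are constructed inline.

```python
"""Duplicate Access-Request detection, modelled on the retransmit case above.

Added example, not FreeRADIUS code.  A NAS that times out retransmits the
identical packet (same Identifier, same Request Authenticator).  A server must
treat that as a duplicate and resend its earlier reply instead of running
authorization and IP assignment a second time.  Packets here are constructed.
"""
import struct
import time

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Request Authenticator
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def parse_header(packet):
    """Return (code, identifier, length, authenticator); reject malformed packets."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("bad Length field")
    return code, ident, length, auth


class RequestCache:
    """Remembers recent requests per (client ip, client port, identifier).

    cleanup_delay is modelled on the FreeRADIUS option of that name: how long a
    finished request and its reply are kept so a late retransmit still gets
    the cached reply.  (Assumed semantics for this example.)
    """

    def __init__(self, cleanup_delay=5.0, clock=time.monotonic):
        self.cleanup_delay = cleanup_delay
        self.clock = clock
        self._entries = {}           # key -> (authenticator, reply or None, finished_at)
        self.stats = {"new": 0, "duplicate": 0, "conflict": 0}

    def handle(self, src, packet, process):
        """Return the reply for `packet` from `src` = (ip, port).

        `process` runs only for genuinely new requests.  A duplicate (same key,
        same authenticator) gets the stored reply.  A different authenticator
        under a reused Identifier is a new request, not a duplicate.
        """
        _, ident, _, auth = parse_header(packet)
        now = self.clock()
        self._expire(now)
        key = (src[0], src[1], ident)
        entry = self._entries.get(key)
        if entry is not None and entry[0] == auth:
            self.stats["duplicate"] += 1
            # In a concurrent server the first copy may still be in the backend;
            # FreeRADIUS drops the retransmit in that case rather than queue it.
            return entry[1]
        if entry is not None:
            self.stats["conflict"] += 1      # Identifier reused with a new authenticator
        self.stats["new"] += 1
        self._entries[key] = (auth, None, now)
        reply = process(packet)
        self._entries[key] = (auth, reply, self.clock())
        return reply

    def _expire(self, now):
        stale = [k for k, (_, reply, t) in self._entries.items()
                 if reply is not None and now - t > self.cleanup_delay]
        for k in stale:
            del self._entries[k]


def build_request(ident, authenticator, attrs=b""):
    """Constructed Access-Request with the given Identifier and authenticator."""
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(attrs), authenticator) + attrs


def demo():
    """Three copies of one request must cost one authentication, not three."""
    calls = []
    now = [100.0]                                   # controllable clock for the demo

    def authenticate(packet):                       # stands in for the SQL backend
        calls.append(packet)
        _, ident, _, _ = parse_header(packet)
        return HEADER.pack(ACCESS_ACCEPT, ident, HEADER.size, b"\x00" * 16)

    cache = RequestCache(cleanup_delay=5.0, clock=lambda: now[0])
    nas = ("10.10.11.223", 1645)
    req = build_request(110, b"\x11" * 16)
    replies = [cache.handle(nas, req, authenticate) for _ in range(3)]
    # Same Identifier, fresh authenticator: a new dial attempt, authenticated again.
    cache.handle(nas, build_request(110, b"\x22" * 16), authenticate)
    # After cleanup_delay the entry is gone; a late retransmit is processed anew.
    now[0] += 6.0
    cache.handle(nas, build_request(110, b"\x22" * 16), authenticate)
    return len(calls), dict(cache.stats), replies[0] == replies[1] == replies[2]


if __name__ == "__main__":
    print(demo())
```

The point for the poster's log is that "Sending duplicate reply to client ... ID: 110" is the cache doing its job; the fix belongs on the side that caused the retransmit (a slow backend, or a reply leaving from an address the NAS does not expect), not in suppressing the replay.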
RADIUS Sending Duplicate Reply
Hi, this question may be a bit off from RADIUS, but is there a way to limit the NAS or RADIUS to send only one access-request/access-accept in a single dial attempt? I am connecting via PPPoE. I can see from the RADIUS logs that it is receiving multiple access-requests and thus it is also giving multiple access-accepts. How do I prevent this? Because it is causing an issue: "connection is terminated because the remote server did not respond in a timely manner". Then I have to redial again because the IP does not get assigned to the client.

  rad_recv: Access-Request packet from host 10.10.11.223 port 1645, id=110, length=93
  Sending duplicate reply to client 10.10.11.223 port 1645 - ID: 110
  Sending Access-Accept of id 110 to 10.10.11.223 port 1645

thanks!
Re: Expiration Module Not Returning the Error Message
Hey thanks! It's working now. It was because the op in radcheck is "==", which is the default from the schema. I changed it to ":=" and it is working now. :)

From: Fajar A. Nugraha
To: FreeRadius users mailing list
Sent: Tuesday, September 6, 2011 1:28 PM
Subject: Re: Expiration Module Not Returning the Error Message

On Tue, Sep 6, 2011 at 11:41 AM, Det Det wrote:
> Hi,
> The expiration module works but it is not returning the error message.
> Every time I include the Expiration attribute and set the date accordingly, the
> user is denied login. The reason is because the account expired and NOT
> because there is "no known good password found" as shown below. How to tell
> RADIUS to stop processing anything after the expiration check? I suspect it
> proceeds with the rest of the checks and so the error message has been
> overwritten by other modules' error messages.
>
> +++[sql2] returns ok
> ++- redundant-load-balance group redundant_load_balance_sql returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> ++[pap] returns noop

Works for me. From modules/expiration: "It should be included in the *end* of the authorize section in order to handle user Expiration" (or just uncomment the expiration line in sites-available/default).

The debug log should show something like this:

  [expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
  [expiration] Account has expired
  [expiration] expand: Password Has Expired -> Password Has Expired
  ++[expiration] returns userlock
  Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]): [testuser] (from client localhost port 0)
  Using Post-Auth-Type Reject
  # Executing group from file /etc/freeradius/sites-enabled/default
  +- entering group REJECT {...}
  [attr_filter.access_reject] expand: %{User-Name} -> testuser
  attr_filter: Matched entry DEFAULT at line 11
  ++[attr_filter.access_reject] returns updated
  Sending Access-Reject of id 242 to 127.0.0.1 port 52990
    Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration in it, in which case you should upgrade, or
- you didn't list expiration in the authorize section, or
- you didn't have the Expiration attribute for your user (in users file/sql/whatever)

-- Fajar
Expiration Module Not Returning the Error Message
Hi, the expiration module works but it is not returning the error message. Every time I include the Expiration attribute and set the date accordingly, the user is denied login. The reason is because the account expired and NOT because there is "no known good password found" as shown below. How do I tell RADIUS to stop processing anything after the expiration check? I suspect it proceeds with the rest of the checks and so the error message has been overwritten by other modules' error messages.

  +++[sql2] returns ok
  ++- redundant-load-balance group redundant_load_balance_sql returns ok
  ++[expiration] returns noop
  ++[logintime] returns noop
  [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
  ++[pap] returns noop

thanks,
det
Re: Proxying Based on Criteria Other Than REALM
Hey thanks! :)

From: Phil Mayers
To: freeradius-users@lists.freeradius.org
Sent: Thursday, September 1, 2011 10:04 PM
Subject: Re: Proxying Based on Criteria Other Than REALM

On 01/09/11 14:53, det.explo...@yahoo.com wrote:
> Hi,
>
> Is it possible to proxy based on a group the user belongs to? Or an
> attribute? Or based on the NAS from which the request was received?
>
> Aside from REALM, are there any other criteria that can be used to
> decide whether or not to proxy a request?

There are two attributes:

1. "Realm"; added to the request by e.g. the "suffix" module. Doesn't actually do anything; just used for logging.

2. "Proxy-To-Realm"; added to the "control" items by the "suffix" module, or by other config. This is what actually controls proxying.

So for example you can do this:

  authorize {
    ...
    if (NAS-IP-Address == 192.0.2.1) {
      update control {
        Proxy-To-Realm := OTHERSERVER
      }
    }
    ...
  }

As you can see, you can therefore proxy on any attribute you like, or even on the output of a script, SQL query, etc.
Re: MySQL Fail Over Error When 1 DB is Down
Really? What is the failover feature for? I can specify multiple DBs, but if FreeRADIUS cannot connect to at least one of the DBs it will have an error and will not be able to start. There is no way to get around this? That is, use the first DB if the first DB is up. If the second DB is down and the first DB is up, don't bother, continue to operate, and vice versa, so long as it still has a DB to use. I saw this link but I can't get it to work. It is using the rlm_always module. http://wiki.freeradius.org/Fail-over

thanks,
det

From: Alan DeKok
To: Det Det; FreeRadius users mailing list
Sent: Monday, August 29, 2011 6:21 PM
Subject: Re: MySQL Fail Over Error When 1 DB is Down

Det Det wrote:
> When I shut down one of the DBs, it generates an error. How do I tell
> freeradius to ignore that and proceed if it can connect to at least one
> of the DBs?

You don't. The only way to change this is via source code patches.

Alan DeKok.
MySQL Fail Over Error When 1 DB is Down
When I shut down one of the DBs, it generates an error. How do I tell freeradius to ignore that and proceed if it can connect to at least one of the DBs?

  /etc/freeradius/sql2.conf[22]: Instantiation failed for module "sql2"
  /etc/freeradius/radiusd.conf[75]: Failed to find module "sql2".
  /etc/freeradius/radiusd.conf[75]: Failed to parse "sql2" entry.
  /etc/freeradius/sites-enabled/default[1]: Errors parsing authorize section.

From: Det Det
To: FreeRadius mailing list
Sent: Monday, August 29, 2011 2:05 PM
Subject: MySQL Fail Over Error When 1 DB is Down

Hi there, I can't get FreeRADIUS to ignore the error and continue processing when 1 DB is down, even when it can connect to the other DB. Below is my config.

  # radiusd.conf
  instantiate {
    ...
    redundant redundant_sql {
      sql1
      sql2
      handled
    }
  }
  modules {
    ...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
  }

  # sql1.conf
  sql sql1 {
    database = "mysql"
    ...
  }

  # sql2.conf
  sql sql2 {
    ...
    database = "mysql"
  }

  # sites-enabled/default
  authorize {
    redundant_sql
  }
  accounting {
    redundant_sql
  }
  session {
    redundant_sql
  }
  post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
      redundant_sql
      attr_filter.access_reject
    }
  }

bregards,
det
MySQL Fail Over Error When 1 DB is Down
Hi there, I can't get FreeRADIUS to ignore the error and continue processing when 1 DB is down, even when it can connect to the other DB. Below is my config.

  # radiusd.conf
  instantiate {
    ...
    redundant redundant_sql {
      sql1
      sql2
      handled
    }
  }
  modules {
    ...
    $INCLUDE sql1.conf
    $INCLUDE sql2.conf
  }

  # sql1.conf
  sql sql1 {
    database = "mysql"
    ...
  }

  # sql2.conf
  sql sql2 {
    ...
    database = "mysql"
  }

  # sites-enabled/default
  authorize {
    redundant_sql
  }
  accounting {
    redundant_sql
  }
  session {
    redundant_sql
  }
  post-auth {
    redundant_sql
    Post-Auth-Type REJECT {
      redundant_sql
      attr_filter.access_reject
    }
  }

bregards,
det
Fw: RADIUS does not send reply for all groups the user is a member of
- Forwarded Message -
From: Det Det
To: Fajar A. Nugraha
Sent: Tuesday, August 23, 2011 3:37 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of

Thanks Fajar! I just added the fall-through. I left the priority as is. Worked! Thanks!

From: Fajar A. Nugraha
To: Det Det; FreeRadius users mailing list
Sent: Tuesday, August 23, 2011 3:10 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of

On Tue, Aug 23, 2011 at 1:53 PM, Det Det wrote:
> Hi there,
> here are the SQL and debug logs from radius.
>
> mysql> select * from radusergroup;
> +--------------------+-----------+----------+
> | username           | groupname | priority |
> +--------------------+-----------+----------+
> | us...@mydomain.com | defgroup  |        1 |
> | us...@mydomain.com | dynamic   |        1 |
> +--------------------+-----------+----------+

It'd be easier if you use different priorities. Since the debug log shows it's using "defgroup", try changing "dynamic"'s priority to "2" ...

> mysql> select * from radgroupreply;
> +----+-----------+-------------------+----+-----------------+
> | id | groupname | attribute         | op | value           |
> +----+-----------+-------------------+----+-----------------+
> |  1 | defgroup  | Framed-MTU        | =  | 1500            |
> |  2 | defgroup  | Service-Type      | =  | Framed-User     |
> |  3 | defgroup  | Port-Limit        | =  | 1               |
> |  7 | dynamic   | Framed-IP-Netmask | =  | 255.255.255.255 |
> |  6 | dynamic   | Framed-IP-Address | =  | 255.255.255.254 |
> +----+-----------+-------------------+----+-----------------+

... and add a radgroupreply entry like

  defgroup | Fall-Through | = | Yes

-- Fajar
Re: RADIUS does not send reply for all groups the user is a member of
  s noop
  ++[logintime] returns noop
  ++[pap] returns updated
  Found Auth-Type = PAP
  +- entering group PAP {...}
  [pap] login attempt with password "xxx"
  [pap] Using CRYPT encryption.
  [pap] User authenticated successfully
  ++[pap] returns ok
  +- entering group post-auth {...}
  ++[exec] returns noop
  Sending Access-Accept of id 90 to 127.0.0.1 port 60675
    Framed-MTU = 1500
    Service-Type = Framed-User
    Port-Limit = 1
  Finished request 0.
  Going to the next request
  Waking up in 4.9 seconds.
  Cleaning up request 0 ID 90 with timestamp +12
  Ready to process requests.

And also, what does this line for item 5 in rlm_sql mean? What match is it referring to?

  If there is a match, the reply items for this group are pulled from the radgroupreply table and applied.

thanks,
det

From: Fajar A. Nugraha
To: FreeRadius users mailing list
Sent: Tuesday, August 23, 2011 1:35 PM
Subject: Re: RADIUS does not send reply for all groups the user is a member of

On Tue, Aug 23, 2011 at 12:23 PM, Det Det wrote:
> Hi,
> user1 is a member of group1 and group2. Both group1 and group2 have replies
> in the radgroupreply table.
> When freeradius queries radusergroup, it will only get the first group the
> user is a member of and will proceed to get the reply attributes for that
> group as below.
>   query1: SELECT groupname FROM radusergroup WHERE
>           username = 'us...@domain.com' ORDER BY priority
>   query2: SELECT id, groupname, attribute, value, op FROM
>           radgroupreply WHERE groupname = 'group1' ORDER BY id
> From the debug, it does not do this query:
>   query3: SELECT id, groupname, attribute, value, op FROM
>           radgroupreply WHERE groupname = 'group2' ORDER BY id
> Any idea why?
> I am very sure that query 1 returns more than one value (that is, 2 groups,
> group1 and group2)

If you want more help, you need to provide more output from the debug log, and (possibly) what's in radusergroup/radgroupcheck/radgroupreply.

In the meantime, see doc/rlm_sql. A snippet from that file:

  5. For each group this user is a member of, the corresponding check items
     are pulled from the radgroupcheck table and compared with the request.
     If there is a match, the reply items for this group are pulled from the
     radgroupreply table and applied.
  6. Processing continues to the next group IF:
     a. There was not a match for the last group's check items OR
     b. Fall-Through was set in the last group's reply items
  (The above is exactly the same as in the users file)

-- Fajar
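Steps 5 and 6 of doc/rlm_sql quoted above are the whole explanation of the poster's symptom, so here is an added worked example (written for this page, not FreeRADIUS code) that walks them over the thread's own radgroupreply rows. It loads radusergroup, radgroupcheck and radgroupreply into an in-memory SQLite database, issues the same three queries the poster pasted, and applies the matching rules: a group whose check items fail is skipped (6a), and processing only moves past a matching group when its reply items contain Fall-Through (6b). The username, the distinct priorities and the single radgroupcheck row for "dynamic" are constructed for the example; the "match" in step 5 is simply every check item of the group holding against the request.

```python
"""rlm_sql group processing (doc/rlm_sql steps 5 and 6), as an added example.

Not FreeRADIUS code.  Rows are the thread's radgroupreply data plus a
constructed radgroupcheck entry; the user and priorities are constructed.
Run it to see why only defgroup's replies were sent, and what Fall-Through
changes.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT,
                            attribute TEXT, op TEXT, value TEXT);
"""
USER = "user1@example.com"                       # constructed stand-in
USERGROUP = [(USER, "defgroup", 1), (USER, "dynamic", 2)]   # distinct priorities, as Fajar suggested
GROUPREPLY = [                                   # rows from the thread
    (1, "defgroup", "Framed-MTU", "=", "1500"),
    (2, "defgroup", "Service-Type", "=", "Framed-User"),
    (3, "defgroup", "Port-Limit", "=", "1"),
    (7, "dynamic", "Framed-IP-Netmask", "=", "255.255.255.255"),
    (6, "dynamic", "Framed-IP-Address", "=", "255.255.255.254"),
]
GROUPCHECK = [                                   # constructed: dynamic only for Framed-User requests
    (1, "dynamic", "Service-Type", "==", "Framed-User"),
]


def open_db(usergroup=USERGROUP, groupcheck=GROUPCHECK, groupreply=GROUPREPLY):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radusergroup VALUES (?,?,?)", usergroup)
    db.executemany("INSERT INTO radgroupcheck VALUES (?,?,?,?,?)", groupcheck)
    db.executemany("INSERT INTO radgroupreply VALUES (?,?,?,?,?)", groupreply)
    return db


def check_items_match(checks, request):
    """Step 5: the group matches only if every check item holds for the request.

    Only the comparison operators present in the data are implemented.  An
    attribute absent from the request fails an '==' check, which is exactly
    how a radcheck row with op '==' on a non-request attribute misbehaves.
    """
    for attribute, op, value in checks:
        actual = request.get(attribute)
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


def group_replies(db, username, request):
    """Walk the user's groups in priority order; return (reply items, groups applied)."""
    reply, applied = {}, []
    groups = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,)).fetchall()
    for (group,) in groups:
        checks = db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id",
            (group,)).fetchall()
        if not check_items_match(checks, request):
            continue                               # 6a: no match, try the next group
        rows = db.execute(
            "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id",
            (group,)).fetchall()
        fall_through = False
        for attribute, op, value in rows:
            if attribute == "Fall-Through":
                fall_through = value.lower() == "yes"
                continue                           # control item, never sent to the NAS
            reply[attribute] = value
        applied.append(group)
        if not fall_through:
            break                                  # 6b not set: stop after the first match
    return reply, applied


def demo():
    """(poster's situation, after adding Fall-Through, request failing 6a)."""
    framed = {"User-Name": USER, "Service-Type": "Framed-User"}
    db = open_db()
    without = group_replies(db, USER, framed)
    db.execute("INSERT INTO radgroupreply VALUES (8, 'defgroup', 'Fall-Through', '=', 'Yes')")
    with_ft = group_replies(db, USER, framed)
    login = group_replies(db, USER, {"User-Name": USER, "Service-Type": "Login-User"})
    return without, with_ft, login


if __name__ == "__main__":
    for label, result in zip(("no Fall-Through", "Fall-Through", "Login-User"), demo()):
        print(label, result)
```

Two things the run makes visible that the debug log alone does not: with equal priorities the `ORDER BY priority` in query1 leaves the group order to the database, so which group "wins" is not defined (Fajar's reason for suggesting distinct priorities), and Fall-Through is itself consumed as a control item, so it never appears in the Access-Accept.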
RADIUS does not send reply for all groups the user is a member of
Hi, user1 is a member of group1 and group2. Both group1 and group2 have replies in the radgroupreply table. When freeradius queries radusergroup, it will only get the first group the user is a member of and will proceed to get the reply attributes for that group as below.

  query1: SELECT groupname FROM radusergroup WHERE username = 'us...@domain.com' ORDER BY priority
  query2: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'group1' ORDER BY id

From the debug, it does not do this query:

  query3: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'group2' ORDER BY id

Any idea why? I am very sure that query 1 returns more than one value (that is, 2 groups, group1 and group2).

thanks,
det
Re: PAP Auto Header
Yeah, perhaps the header was not in the password value. I use dialup-admin and MySQL. Anyway, I ended up using the specific password attribute "Crypt-Password" instead of "User-Password". The debug from freeradius shows this, so I guess it could be the password storage as you said.

  Module: Instantiating pap
   pap {
        encryption_scheme = "auto"
        auto_header = yes
   }

From: Arran Cudbard-Bell
To: FreeRadius users mailing list
Cc: Det Det
Sent: Monday, August 22, 2011 6:16 PM
Subject: Re: PAP Auto Header

* added. And no, you shouldn't need to use auto-header if you've set the appropriate password attribute. The recommended way is to prepend the headers and use auto_header, as it's more flexible and allows you to migrate between hash schemes non-disruptively.

-Arran

On 22 Aug 2011, at 12:00, Arran Cudbard-Bell wrote:
> That would depend on whether you've added the correct header to the hash :)
>
> /*
>  * For auto-header discovery.
>  */
> static const FR_NAME_NUMBER header_names[] = {
>   { "{clear}", PW_CLEARTEXT_PASSWORD },
>   { "{cleartext}", PW_CLEARTEXT_PASSWORD },
>   { "{md5}", PW_MD5_PASSWORD },
>   { "{smd5}", PW_SMD5_PASSWORD },
>   { "{crypt}", PW_CRYPT_PASSWORD },
>   { "{sha}", PW_SHA_PASSWORD },
>   { "{ssha}", PW_SSHA_PASSWORD },
>   { "{nt}", PW_NT_PASSWORD },
>   { "{nthash}", PW_NT_PASSWORD },
>   { "{x-nthash}", PW_NT_PASSWORD },
>   { "{ns-mta-md5}", PW_NS_MTA_MD5_PASSWORD },
>   { "{x-orcllmv}", PW_LM_PASSWORD },
>   { "{X-ORCLNTV}", PW_NT_PASSWORD },
>   { NULL, 0 }
> };
>
> -Arran
>
> On 22 Aug 2011, at 11:46, Det Det wrote:
>> Hi,
>> I set the PAP module as below. In my DB, the user attribute is User-Password. The value
>> of User-Password is an MD5 or CRYPT password. Shouldn't auto-header=yes be able
>> to detect the encryption scheme used in the password? What is the
>> auto-header setting for if I still have to specifically set attributes such
>> as MD5-Password or Cleartext-Password, etc.?
>>
>> pap {
>>   auto_header = yes
>> }
>>
>> thanks,
>> det
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> RADIUS - Half the complexity of Diameter

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
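Arran's header table is the crux of this thread: auto_header can only select a scheme when the stored value announces it with a `{scheme}` prefix, so a bare hash in User-Password gives the module nothing to go on. The following is an added example, not rlm_pap code, that re-implements that header dispatch for the schemes Python can verify offline ({clear}/{cleartext}, {md5}, {smd5}, {sha}, {ssha}); {crypt} and the NT/LM variants are left out because the `crypt` module is gone from current Python and MD4 is often disabled in OpenSSL builds. The storage encodings are assumptions for this example: unsalted digests may be hex or base64, salted ones are base64 of digest followed by salt. `make_stored` plays the role of a provisioning tool that writes the prefixed value.

```python
"""PAP auto_header verification, an added example (not rlm_pap code).

A stored password is dispatched on its "{scheme}" prefix, exactly the idea
behind rlm_pap's header table.  Without a prefix there is no scheme to pick,
which is why a bare MD5 or crypt string in User-Password did not work for
the poster.  Encodings are assumptions for this example (see lead-in).
"""
import base64
import hashlib
import hmac
import re

HEADER_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)

# Header table reduced to what this example can verify; matching is
# case-insensitive since the real table mixes cases.
HEADER_TO_SCHEME = {
    "clear": "cleartext", "cleartext": "cleartext",
    "md5": "md5", "smd5": "smd5",
    "sha": "sha1", "ssha": "ssha1",
}
HASH_ALGO = {"md5": "md5", "smd5": "md5", "sha1": "sha1", "ssha1": "sha1"}
DIGEST_LEN = {"md5": 16, "sha1": 20}
SCHEME_TO_HEADER = {"cleartext": "{cleartext}", "md5": "{md5}", "smd5": "{smd5}",
                    "sha1": "{sha}", "ssha1": "{ssha}"}


def split_header(stored):
    """Return (scheme, payload); scheme is None when no usable header is present."""
    m = HEADER_RE.match(stored)
    if not m:
        return None, stored
    return HEADER_TO_SCHEME.get(m.group(1).lower()), m.group(2)


def decode_digest(payload, digest_len):
    """Accept hex (unsalted only) or base64; trailing bytes beyond the digest are salt."""
    if re.fullmatch(r"[0-9a-fA-F]+", payload) and len(payload) == 2 * digest_len:
        return bytes.fromhex(payload)
    raw = base64.b64decode(payload, validate=True)
    if len(raw) < digest_len:
        raise ValueError("decoded value shorter than the digest")
    return raw


def verify(stored, password):
    """True/False for a recognised header, None when the value carries none."""
    scheme, payload = split_header(stored)
    if scheme is None:
        return None                     # nothing to dispatch on: the poster's case
    pw = password.encode()
    if scheme == "cleartext":
        return hmac.compare_digest(payload.encode(), pw)
    algo = HASH_ALGO[scheme]
    n = DIGEST_LEN[algo]
    raw = decode_digest(payload, n)
    digest, salt = raw[:n], raw[n:]     # salt is empty for {md5} and {sha}
    calc = hashlib.new(algo, pw + salt).digest()
    return hmac.compare_digest(calc, digest)


def make_stored(scheme, password, salt=b""):
    """Write a header-prefixed value the way a provisioning tool would."""
    if scheme == "cleartext":
        return SCHEME_TO_HEADER[scheme] + password
    algo = HASH_ALGO[scheme]
    raw = hashlib.new(algo, password.encode() + salt).digest() + salt
    return SCHEME_TO_HEADER[scheme] + base64.b64encode(raw).decode()


if __name__ == "__main__":
    for value in (make_stored("ssha1", "secret", b"8bytesal"),
                  make_stored("md5", "secret"),
                  hashlib.md5(b"secret").hexdigest()):      # bare hash: no header
        print(value, "->", verify(value, "secret"))
```

The migration benefit Arran mentions falls out of the dispatch: rows can carry {md5} today and {ssha} after a password change, and the same verify path handles both, whereas a per-attribute scheme (MD5-Password, Crypt-Password) forces a schema or query change to move.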
PAP Auto Header
Hi, I set the PAP module as below. In my DB, the user attribute is User-Password. The value of User-Password is an MD5 or CRYPT password. Shouldn't auto-header=yes be able to detect the encryption scheme used in the password? What is the auto-header setting for if I still have to specifically set attributes such as MD5-Password or Cleartext-Password, etc.?

  pap {
    auto_header = yes
  }

thanks,
det
methods to redirect select users to authenticate to another radius server
Hi, I'm testing RADIUS migration. I plan to do it in phases so it will be safer and have less impact in case something doesn't turn out right. Users will be grouped and thus will be migrated by group. I'm thinking, what are the available methods/options to do this? I want to have the new RADIUS server replace the old RADIUS server slowly. The old RADIUS should still be running when I deploy the new one. AAA for a selected group of users will be redirected to the new one. This will be done recursively until all groups of users are served by the new RADIUS server. Only after that will I take the old RADIUS server down. Can anyone give some more detailed instructions on how this can be achieved? Like, can I redirect based on user group? Thanks a lot.
bregards,
det
Re: How to tell freeradius of the encryption used in DB
Thanks Fajar! It worked with MD5-Password. Is there a way to use the User-Password attribute in MySQL and tell freeradius somewhere what encryption algorithm it is using? Because dialup admin by default will use User-Password when inserting this attribute into the DB. Thanks!

From: Fajar A. Nugraha
To: FreeRadius users mailing list
Sent: Wednesday, August 17, 2011 11:04 PM
Subject: Re: How to tell freeradius of the encryption used in DB

On Wed, Aug 17, 2011 at 10:00 PM, det.explo...@yahoo.com wrote:
> Fajar thanks for the reply. I checked the freeradius attribute list, there is
> no md5-password. Do I need to add it? If yes, how do I add that attribute?
>
> http://freeradius.org/rfc/attributes.html

https://github.com/alandekok/freeradius-server/blob/v2.1.x/share/dictionary.freeradius.internal

The attribute is internal to freeradius, and should never be transmitted to/from the client.

> I didn't touch the freeradius config on the auth protocols. I suppose, by default,
> freeradius is set to accept all auth protocols? Do I need to say in the
> config to use PAP exclusively?

Let's just say that if you're using radtest without any fancy switch, then you're using PAP.

-- Fajar