Re: freeBSD and freeRADIUS with mySQL
On 2/25/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> We've been trying to get freeradius, freebsd and mysql to all work
> together now for a week... If anyone has figured out how to do this -
> please let me know. There are literally hundreds of posts on various
> forums I found by googling the errors and all are having the same
> issues...
>
> The ports for freeradius don't seem to install correctly, and when we
> build from the latest binaries there are errors when trying to load mysql... In
> the mandrake 10.2 system I had - all I did was install mysqlxx-dev
> development extensions, and all was good... I can't find any support for
> freebsd.
>
> -grateful for any links or how-to's...

I've never had a problem installing freeradius w/ mysql on freebsd. I've heard of others having issues when they install mysql with linux threads, such as WITH_LINUXTHREADS=yes on a port install.

I'd try first installing mysql 50 server from the ports collection, without using linux threads. I usually just do a make install clean w/out any additional arguments. Then install freeradius from the ports collection. That's always worked for me.

What version of freebsd are you using?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Open Authentication for a realm
> I want to have open authentication on a realm and setup an IP pool for that realm. So if your username is [EMAIL PROTECTED], you will be authenticated, no matter what your password is and you will be given an IP from the pool 10.0.0.0/24. Where in the config files do I have to put this?

users file will work
Re: free realm
> I'm looking for a solution to add a 'free' realm to my conf. The object is to always send an access-accept if freeradius receives a request from a NAS with username e.g. 'free/nonexistinguser/password'. Is this possible with freeradius?
>
> thanks and have a nice week-end,
> Bart

Sure. Read the users manpage (man 5 users) and the comments in the users file. Here are some hints.

    DEFAULT Realm == "somerealm", Auth-Type := Accept

or

    DEFAULT User-Name =~ "[EMAIL PROTECTED]@somedomain$", Auth-Type := Accept

or

    someusername    Auth-Type := Accept

etc...
Re: Using multiple auth methods, ports
> the request, which doesn't help me). The only thing the NAS can do that is "helpful" is send cert auth requests to a different UDP port than regular auth requests.

Perhaps there are new features that can take care of this for you in one place, but if not, you can just run two radiusd instances. One for "oldschool" and one for cert.

For example, say your raddb dir is in /etc/raddb now. You would create two subdirs of that directory

    mkdir /etc/raddb/oldschool
    mkdir /etc/raddb/cert

and perhaps for logging separately as well

    mkdir /var/log/radius/oldschool
    mkdir /var/log/radius/cert

cp all the files from raddb to the two directories. Modify the top of radiusd.conf to point to the new directories for raddbdir, confdir, logdir, etc.. Modify the listen or port arguments to make one listen on 1645 and the other on 1812. Then modify the rest of it, such as the users file, to do what you want for each separate instance.

Then modify your startup script to fire off two instances using the -d option, and make sure you get both instances as well on stop/restarts. eg:

    /pathto/radiusd -d /etc/raddb/oldschool
    /pathto/radiusd -d /etc/raddb/cert

That will give you two separate instances. One will be configured to only handle oldschool logins and the other to only handle certs. It will be another port/process you'll have to monitor, but it should give you what you want.
Re: Multiple LDAP Search Bases - Per NAS
> Could we configure FreeRadius to look in a different ou, say ou=dialup,ou=radius,dc=test,dc=com, when it received an authentication request from the dialup NASes?

Try with huntgroups.

huntgroups file

    dialup    NAS-IP-Address == 1.1.1.1
    dialup    NAS-IP-Address == 1.1.1.2
    adsl      NAS-IP-Address == 1.1.1.3

Then in your ldap section

    basedn = "ou=%{Huntgroup-Name},ou=radius,dc=test,dc=com"

I think that should work, I'd give it a shot with radiusd -X to see.
Re: hints and stripped-user-name
> I have more hints trouble on another radius server. I want to look for a realm and strip it if it is there, else, send on the username untouched.
>
> User-Name = "[EMAIL PROTECTED]"

try this

    DEFAULT User-Name =~ "^([EMAIL PROTECTED])@camalott.com"
            User-Name := "%{1}"
Re: FDS + Freeradius = pain.
On Fri, 3 Feb 2006, Joey McDonald wrote:
> I wonder why can't I just use an ldap bind to authenticate? I'm already doing it to authorize.. seems like I should be able to do it to authenticate as well.
>
> --joey

Because you don't have a password to do a simple bind with.

During authorization, you are programming the username/password into radius.conf. So, ldap has a username/password to bind with.

During authentication, if you use ldap, it uses the username/password that comes in the access-request to bind with. In this case, you don't have a user-password because you're doing CHAP.

Can you get your NAS to send over the Access-Request with a plaintext password (PAP)? Then it will work, just like it does when you use radclient.
Re: freeradius 1.0.5 + openLDAP 2.3.17 ( with bdb ?? )
On Wed, 1 Feb 2006, sumi wrote:
> HI Folks,
> Does anyone know which berkeley database version is compatible with openLDAP 2.3.17?? I'm trying to compile the openldap2.3.17 with bdb-4.0 which is giving an incompatibility error. Any earliest reply will be of great help.

I would recommend using BDB 4.2.52 with the 4 patches from Sleepycat. That is considered the most stable right now. I've seen a few reports of good performance from the 4.4.20 release, however, I've also heard of some issues with it and it hasn't been around long enough to get good tests.
Re: Can't import ldap schema provided in ldap howto
> I've been following the instructions in ldap_howto.txt, and I created the schema.ldif file exactly as outlined in the doc. But when I run the ldapadd command it gives the following error:
>
> [EMAIL PROTECTED] ldapadd -f schema.ldif -x -D "cn=root,dc=mydomain,dc=com" -w secret
> adding new entry "dc=mydomain,dc=com"
> adding new entry "ou=radius,dc=mydomain,dc=com"
> adding new entry "ou=profiles,ou=radius,dc=mydomain,dc=com"
> adding new entry "ou=users,ou=radius,dc=mydomain,dc=com"
> adding new entry "ou=admins,ou=radius,dc=mydomain,dc=com"
> adding new entry "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
> ldap_add: Object class violation (65)
>         additional info: no structural object class provided
>
> I do have the include statement for "RADIUS-LDAPv3.schema" configured in my slapd.conf, and I already verified that it is readable by the user ldap (and that the path is correct).
>
> Here is the entry ldapadd is erroring on:
>
> dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
> objectclass: radiusprofile
> uid: dial
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedRouting: None

I apologize, I wrote that document and it hasn't been updated in some time. The ldap_howto uses the uid attribute instead of the cn. This was changed a few years ago in the default ldap schema that came with freeradius, but I haven't updated that doc. Here are some choices for you.

1. Use cn instead of uid. If you haven't yet built your ldap schema, then this will be the easiest route. It will also be compatible with upgrades w/out having to mess with the ldap schema. Just change your ldap section in radiusd.conf to use cn instead of uid and then add your users to the directory using cn instead of uid.

2. Modify RADIUS-LDAPv3.schema to use the uid attribute. In the objectclass of radiusprofile change the MUST (cn) to Must (uid). If you already have your directory built and you aren't using cn, but are using uid, then this will work for you. However, remember if you ever upgrade and copy the new RADIUS-LDAPv3.schema to your openldap instance, you will need to modify the file again.
redundant-load-balance question
Is there any way to use a redundant-load-balance w/in the users file, for something such as ldap-group? For example:

    Autz-Type GROUP1 {
        redundant-load-balance {
            ldap1
            ldap2
            ldap3
        }
    }

Then in users file

    DEFAULT SomeAttr == "something", GROUP1-Ldap-Group == "group", Autz-Type := GROUP1

I've tried that and it doesn't like it. Seems I have to do something like below, which gives me failover, but not load-balance.

    DEFAULT SomeAttr == "something", ldap1-Ldap-Group == "group"...
    DEFAULT SomeAttr == "something", ldap2-Ldap-Group == "group"...
    DEFAULT SomeAttr == "something", ldap3-Ldap-Group == "group"...

OR, just setup one ldap instance that points to all the servers, such as

    ldap ldap1 {
        server = "ldap1 ldap2 ldap3"
    }

w/

    DEFAULT SomeAttr == "something", ldap1-Ldap-Group == "group"

But, I'd really like to get that ldap-group setup to use the same redundant-load-balance configuration? Any ideas?

Thanks
Dusty Doris
Re: FreeRadius in a production environment
On Fri, 20 Jan 2006, Susana Macias wrote:
> Hi :-)
> I am interested to know about success stories of people using FreeRadius in a production environment. I have read http://www.freeradius.org/testimonials.html but I would like to obtain a few more experiences.
> Best regards,
> Susana

Read my most recent reply to "Performance features of FreeRadius"
Re: Performance features of FreeRadius
> Hi all,
> I would like to know where I can find information about the performance features of the FreeRadius product. I would like to propose my boss to use this product because I have been testing it with different configurations and it is a very good product (congratulations!). But I need that information first.
> Thank you very much in advance,
> Marta Lajas

I use it for an ISP for authenticating users to dial, dial-isdn, adsl service-selection, wifi, vpn, ftp (homepages), dial accelerator and nntp. We have 3 radius servers to handle the load and average about 80,000 logins per day out of a few hundred thousand users. We use an ldap backend for authentication and mysql for accounting.

The machines are freebsd 5.4

    hw.machine: i386
    hw.model: Intel(R) Xeon(TM) CPU 2.80GHz
    hw.ncpu: 2
    hw.physmem: 1064525824
    hw.usermem: 962187264
    hw.realmem: 1073479680

They are basically sitting there idle since we've put them in. The traffic isn't enough to push it.

    # uptime
    11:48AM up 98 days, 13:04, 1 user, load averages: 0.03, 0.01, 0.00

I hope I don't jinx myself, but we've never had an outage with freeradius. Using configurable_failover inside freeradius we didn't even notice a burp when one of our ldap servers' motherboard choked and the machine went down hard. Freeradius just kindly switched over to another ldap server. Using radrelay for pushing accounting to our mysql servers makes the uptime on that sql machine less important, even though it never seems to have issues.

I know that's not an "official" number, but perhaps it could help.

-Dusty Doris
Re: Dummy newbie question
On Tue, 17 Jan 2006, Rich Marriner wrote:
> The radacct will be empty, because you're not working with accounting packets using radtest, only Auth packets.
>
> Fernando wrote:
>> Hi! I have a dummy question... running radtest, I get an Access-Accept, and everything seems ok, but the database radacct table doesn't get updated, in fact the table is blank after many tests. Is it normal? Or have I mistaken something?
>> Thanks for the help

You can simulate accounting packets with radclient.
Re: FreeRADIUS 1.0.5 rlm_ldap crashing
On Fri, 13 Jan 2006, Alan DeKok wrote:
> "Paul Khavkine" <[EMAIL PROTECTED]> wrote:
>> Any clues ? bug in OpenLDAP library maybe ?
>
> Looks that way to me.

What version of openldap are you using for this and how did you install it? For example, perhaps you installed freeradius from ports and it pulled in openldap-client as well for the build?
Re: help me
On Sat, 14 Jan 2006, trioka.dudi.p wrote:
> Im newbie feeradius... error in madake 10.2 pls help my, configur in linux madrake

This is a joke, right?
Re: Where are these "Client-IP-Address = 127.0.0.1" messages coming from?
> But it looks like it always comes from request->packet->src_ipaddr which leads me to believe that I'm getting a packet sourced from 127.0.0.1 even though tcpdump doesn't see it. I also noticed that the udpfromto source could generate packets from 127.0.0.1 but it was not compiled in, and even if it was I should see it in tcpdump. Any thoughts on this? I need to get rid of these spurious accounting messages.

Your server isn't running radrelay or proxying to itself, is it? Probably not, just taking a stab at it.
Re: Where are these "Client-IP-Address = 127.0.0.1" messages coming from?
> Not that I know of, and if it was I would see it in tcpdump. Thanks for your comments though... I'll probably upgrade to the new radius server today and pray and hope this goes away, otherwise I'll have to run in debug mode (which I have been avoiding on a prod system) and figure this out.

Yah, I usually try to avoid that too, but it's not so bad. I'd typically do something like this.

    kill ;radiusd -X > outfile

That way it stops and reloads into debug quickly. Pipe the debug to outfile. Tail -f the outfile if you want to make sure it's still working fine. Wait enough time that you think you might capture that event. Ctrl-C and start it back up. Then go back through the outfile to find the culprit.

-Dusty
Re: 2 RAdius server on a single linux box
> hello Everyone, Can anyone please tell that is there any way to run 2 (or more) FREE RADIUS Servers on a single linux machine.

Make a new directory for each server instance. Say you had two.

    /etc/raddb1
    /etc/raddb2

Copy all the files from your original raddb dir to both directories. Modify the files in each directory to do what you want them to do.

Make sure to modify the raddbdir variable on the top of each radiusd.conf file. eg: from

    raddbdir = ${sysconfdir}/raddb

to

    raddbdir = ${sysconfdir}/raddb1

(and raddb2 for the other).

Make sure to modify either the bind_address/port variables or the listen directives so you are either a) listening on a different IP for each instance or b) listening on a different port for each instance. eg:

    (in raddb1) port = 1812
    (in raddb2) port = 1645

Then fire them up with the -d option of radiusd. (man radiusd for explanation) eg:

    $ radiusd -d /etc/raddb1
    $ radiusd -d /etc/raddb2

You could open two shells and start up each one in debug mode too.

in first shell

    $ radiusd -X -d /etc/raddb1

from other shell

    $ radiusd -X -d /etc/raddb2
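The two replies above ("Using multiple auth methods, ports" and this one) describe the same procedure by hand: copy raddb, point raddbdir at the copy, give each copy its own port, start each with -d. The script below is an added example, not something from the thread or from the FreeRADIUS project, that does the copy and the two edits in one checked step. It assumes a 1.x radiusd.conf whose top-level settings appear as unindented "raddbdir = ..." and "port = ..." lines; the helper function names (make_instance, instance_setting) are mine. A port inside a listen {} block is indented and deliberately left alone for you to edit.

```shell
#!/bin/sh
# Added example, not from the original thread: clone an existing raddb
# directory into a per-instance copy and rewrite the two settings that must
# differ per instance, raddbdir and the top-level listening port.
# Assumed: a 1.x radiusd.conf with unindented "raddbdir = ..." and
# "port = ..." lines. Everything else (users, clients.conf, ...) is copied
# unchanged for you to tailor per instance afterwards.

# make_instance SRC DST PORT
#   SRC   existing raddb directory, e.g. /etc/raddb
#   DST   new instance directory, e.g. /etc/raddb1 (must not exist yet)
#   PORT  authentication port for this instance, e.g. 1812 or 1645
make_instance() {
    src=$1 dst=$2 port=$3
    if [ ! -f "$src/radiusd.conf" ]; then
        echo "make_instance: no radiusd.conf in $src" >&2; return 1
    fi
    if [ -e "$dst" ]; then
        echo "make_instance: $dst already exists, refusing to overwrite" >&2; return 1
    fi
    case $port in
        ''|*[!0-9]*) echo "make_instance: bad port '$port'" >&2; return 1 ;;
    esac
    case $dst in
        *[\|\&]*) echo "make_instance: '|' or '&' in path not supported" >&2; return 1 ;;
    esac
    # -p keeps modes and ownership: these files carry shared secrets and
    # backend passwords and must not become world-readable in the copy.
    cp -Rp "$src" "$dst" || return 1
    conf=$dst/radiusd.conf
    # Only unindented, whole-line settings are rewritten, so a "port" inside
    # a listen {} block or a comment is untouched. The result is written
    # back through cat so the file keeps its original mode and owner.
    sed -e "s|^\(raddbdir[[:space:]]*=[[:space:]]*\).*|\1$dst|" \
        -e "s|^\(port[[:space:]]*=[[:space:]]*\).*|\1$port|" \
        "$conf" > "$conf.tmp" || { rm -f "$conf.tmp"; return 1; }
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# instance_setting DIR NAME -> prints the value of the unindented setting
# NAME from DIR/radiusd.conf (used to verify the result before starting).
instance_setting() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1/radiusd.conf"
}

# Usage as a script:  make_instance.sh /etc/raddb /etc/raddb1 1812
# then start that instance with:  radiusd -d /etc/raddb1
if [ $# -eq 3 ]; then
    make_instance "$@"
fi
```

Setting raddbdir to the absolute instance path rather than ${sysconfdir}/raddb1 is equivalent for the server; the absolute form just has no dependency on the prefix variables earlier in the file. Run instance_setting on each copy before the first start to confirm the two instances really differ in port, since two daemons bound to the same port is the failure mode this setup invites.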
RE: IP-Address assignment - NAS Pool if value is empty in LDAP
> I am running freeradius-1.0.2-5.5 and need a solution for the following problem: we want to achieve that freeradius sends back an IP-Address if there is one for that user in LDAP. If the value is empty freeradius shouldn't send back an IP-Address and the NAS should choose one from his own ip-pool.

That will work out of the box. Make sure in ldap.attrmap you have

    replyItem    Framed-IP-Address    radiusFramedIPAddress
    replyItem    Framed-IP-Netmask    radiusFramedIPNetmask

**You can change those to whatever you store it as in ldap.

Then in the user, you put the IP.

    dn: uid=someuser,ou=.
    radiusFramedIPAddress: 1.1.1.1
    radiusFramedIPNetmask: 255.255.255.0

Then rlm_ldap will look for an attribute of radiusFramedIPAddress and radiusFramedIPNetmask in ldap. If it exists, it will send it back in the access-accept as a reply item. If it doesn't exist, it won't send anything.

Did you try this yet? If so and it isn't working for you, please send debug output (radiusd -X).
Re: openLDAP vs.mySQL
> The only statement that matters is whether you are familiar with either MySQL or LDAP. I don't agree with the other assertions about performance and distributed model of storage.
>
> The MySQL database of users can be replicated so each RADIUS server queries a local slave database. There is no bottleneck on a single database. (exactly like in a LDAP setup)
> http://dev.mysql.com/doc/refman/4.1/en/replication.html
>
> For example, the RADIUS servers on my site received yesterday 6 million requests (auth + acct), and the servers were always under 5% of CPU usage. (Pentium 4 2.4GHz)
>
> So unless you have good reasons, I think you should keep the MySQL solution if it works for you.
>
> --
> Nicolas Baradakis

I agree with that. I was previously stating what I liked about ldap. The most important thing though is being able to support it.
Re: R: openLDAP vs.mySQL
> Thank you Dusty, could you please provide complete URL for your "doc/ldap_howto.txt", I had a look at http://www.freeradius.org/doc/ , but didn't find it.

Hmm, used to be in the doc directory when you untarred the source. Maybe it's too old now. It's still up at http://doris.name/radius. I'm not actually using distributed directories, it's a pretty simple setup here for me. Perhaps you can contribute some documentation of your setup when you've completed it.

> My interest in LDAP is not related to performance but to the scalability (distributed directories, referrals, etc...) that it provides compared to SQL. The system is already working with LDAP as backend database, but only as free access. In these days we are developing the prepaid solution for Wi-Fi access (scratch cards), but completely with mySQL, because it is simpler to use (tables radacct, radcheck, etc... are already built) and develop. As we arrive to a stable solution it is my intention to move the authentication process to openLDAP.

I'm doing wifi prepaid w/ mysql right now too and I'm in the process of moving that to ldap. Once I get it built and documented I'll let you know how I did it.
Re: Exec-Program-Wait multiple reply items
> Hello,
> I have recently migrated to freeradius (latest stable on debian sarge - 1.0.2-4) and faced with the following problem: I use Exec-Program-Wait attribute as a reply item in users file. It returns 3 attributes: NAS-Identifier, Framed-IP-Address and Framed-Route. These attributes are printed on stdout with trailing "\n". However they are not returned to the NAS as they are not comma separated. Is there any known workaround for this problem?
> Thanks in advance.

There was a thread about this at the end of December. I believe you have to return the attributes comma separated, like in the users file. Instead of something like

    printf "Some-Attribute = Somevalue\nAnother-Attribute = Anothervalue\n"

It should be

    printf "Some-Attribute = Somevalue, Another-Attribute = Anothervalue\n"

If that doesn't work, please show your debug (radiusd -X).
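As an added example of the output format the reply above asks for (this is not code from the thread or from the FreeRADIUS project), here is a small script shaped for Exec-Program-Wait that returns the three attributes the poster mentioned on one comma-separated line. The user table and the values in it are constructed sample data, the function names (reply_items, safe_value) are mine, and the Exec-Program-Wait line in the comment is an assumed way of wiring it in. The safe_value check is the part worth copying: a value that contains a comma, newline or double quote would be parsed by the server as a further reply item or a truncated string, so the script refuses such values instead of letting whatever backend it reads from inject attributes into the reply.

```shell
#!/bin/sh
# Added example, not from the original thread: a script for Exec-Program-Wait
# that prints its reply items on ONE line, comma separated, as in the users
# file. The user table below is constructed sample data; a real script would
# look the values up in whatever backend holds them.

NL='
'

# safe_value VALUE -> 0 if VALUE can be emitted as an attribute value.
# A comma or newline would be parsed as another reply item and a double
# quote would end a quoted string early, so such values are refused rather
# than passed through from the backend into the Access-Accept.
safe_value() {
    case $1 in
        *,* | *\"* | *"$NL"*) return 1 ;;
    esac
    return 0
}

# reply_items USERNAME -> prints the reply items for USERNAME on one line.
# Returns 0 on success; 1 (which the server treats as a reject) for an
# unknown user or an unsafe value.
reply_items() {
    case $1 in
        alice)                                   # constructed sample user
            nas_id=nas01
            ip=10.0.0.10
            route="10.1.0.0/24 10.0.0.10 1"
            ;;
        bob)                                     # constructed sample user
            nas_id=nas02
            ip=10.0.0.11
            route="10.2.0.0/24 10.0.0.11 1"
            ;;
        *)
            return 1
            ;;
    esac
    for v in "$nas_id" "$ip" "$route"; do
        safe_value "$v" || return 1
    done
    # One line, comma separated; string-valued attributes are quoted.
    printf 'NAS-Identifier = "%s", Framed-IP-Address = %s, Framed-Route = "%s"\n' \
        "$nas_id" "$ip" "$route"
}

# When the server runs this script (assumed users-file wiring:
#   Exec-Program-Wait = "/usr/local/bin/reply_items.sh %{User-Name}")
# the user name arrives as $1.
if [ $# -gt 0 ]; then
    reply_items "$1"
    exit $?
fi
```

The exit status matters as much as the formatting: with Exec-Program-Wait the server rejects the user when the program exits non-zero, so an unknown user or a refused value falls closed rather than producing an Accept with partial attributes.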
Re: openLDAP vs.mySQL
> Despite this, I've seen that LDAP is not widely used. Is this for its complexity or are there deeper reasons that suggest to use SQL database for both (user data, accounting) purposes? Does anybody have links that might help to build a system made using this architecture?

I use ldap for users and sql for accounting for the same reasons you listed. Installing and using openldap has a much higher learning curve than mysql, which is why I would guess more users use mysql.

There is an old doc in the source under doc/ldap_howto.txt. I wrote that several years ago and keep promising a new version. Well, I was finally given a week at the end of this month or early next month to stop all my projects and start documenting. So, at that time, I will be re-writing that doc to be more current.

I agree that ldap is a perfect place to store user objects. For example, I have it setup like this.

    ou=users
      uid=someuser,ou=users...
        radiusgroupname: dial
        radiusgroupname: adsl
        accountNumber: 1
      uid=anotheruser,ou=users...
        radiusgroupname: adsl
        accountNumber: 1
    ou=accounts
      accountNumber=1,ou=accounts...
        radiusgroupname: wifi

Using ldap, I can specify the services the user has access to as an attribute of that user. I can also do account level groups as well. In the users above, with my freeradius configuration, I can assure that someuser has access to adsl and dial, while another user can only login to adsl. Any user in the 1 account can login to wifi, which would be both of those users.

Now, you can easily do the same thing in mysql as well. But, I feel that ldap is a better model for this data. Also, with openldap it is very easy to replicate and setup distribution of these users.

Also, since ldap is a standard protocol, my provisioning system can write to it whether it's from windows, solaris, linux, etc... It just needs to understand the ldap protocol. Using mysql means your provisioning system must understand mysql syntax, although that isn't usually a difficult task to get setup.

Finally, as you said, ldap is optimized for reads and that's exactly what I'm doing. I've never experienced any issues with the ldap servers being overloaded. Then again I don't get a whole lot of traffic, maybe 60k-80k logins a day.

The only downside I can think of with openldap is that it doesn't support multi-master setups. There are workarounds I've heard of people using with some kind of heartbeat setup and a shared IP, but I don't have the need for a multi-master setup. As long as my master is replicating to my slaves and freeradius is hitting my slaves, I can assure that no users are ever denied access because of an ldap server going down. If the master goes down, the only effect is on provisioning (such as adding new users or changing passwords). In this case we take a slave server and manually upgrade it to a master while we fix the master server.

Freeradius with its configurable_failover solution will allow us to point to all of our slave servers and it takes care of any slave servers going down automatically for us, without the need for a load balancer. As an alternative for non-freeradius ldap queries, I've also setup two ldap proxy servers that point back to my three slaves. The two proxy servers share an IP, so one is always master (on the ip). If it goes down, the slave takes over that IP. In that scenario, you can point applications that don't do failover to the proxyldap shared IP and it will take care of the failover for you.

I really like ldap, but it's taken me some time to become comfortable with it. I hope that doc helps you with your setup, if you need more help, post questions to the list. Be sure to explain what you are trying to do and show debug info (radiusd -X) so we can see the difference between what it's doing and what you want it to do.

Take care.
RE: Connection TimeOut!!!
>> Do you mean max connection time before logging in again? In that case, you usually just need to add Session-Timeout = xxx
>
> Yes. I have looked into various files and can not find out where I enter this setting. Kindly, point out the file & the location (or the module), where I enter this command?

The users file. Read man 5 users and the comments in the file named users.

If you want this for everyone.

    DEFAULT
            Session-Timeout = 7200

You can also make it so only certain users get it depending on something.

    DEFAULT NAS-IP-Address == 1.1.1.1
            Session-Timeout = 7200

Or

    DEFAULT Ldap-Group == dial
            Session-Timeout = 7200

Or individual users

    bob     User-Password == password
            Session-Timeout = 7200

etc..
Re: Connection TimeOut!!!
> Hello:
> RH 9.0, freeRADIUS 1.4
> I have been using freeRADIUS for the last 10 Months. Works great. I like to setup a maximum connection time of 120 minutes for each user. I am a complete newbie. Can somebody direct me to the file I need to set the timeout time? I also need to know the exact command, if possible.

Do you mean max connection time before logging in again? In that case, you usually just need to add

    Session-Timeout = xxx

With xxx being the number of seconds before timing out.

If you want to give them say 120 minutes each day or week or month. Then you should look at rlm_sql_counter. Install freeradius with experimental modules and read experimental.conf.

This is all dependent on your NAS accepting the Session-Timeout variable and actually ending the session at that time.
Re: Any Good Documentation for newbies
On Thu, 23 Dec 2005, Manuj wrote:
> Hello
> As I am new to this free radius, could you please suggest me a good documentation (free) available on the net. Version I am using is Free RADIUS 1.0.5.
> Regards
> Manuj

Download the source. Untar the package and cd into the doc/ directory. When you're done with that, cd back into the raddb directory and read the comments in the config files. Most of the time, what you want to do will just work with minimal changes.

Then set it up and give it a shot. Run it in debug mode (radiusd -X) and send some test packets to it with radclient (this is all in the docs I listed).

If you want to learn more about radius, you could even do a packet capture with tcpdump and then read the packets with ethereal. That will show you what is going back and forth between the servers.

If you're feeling really ambitious, read the radius RFCs. It probably won't make much sense if you're not used to that kind of document but it will help give you an idea of how radius works if you're new to it.

Then post questions here and be sure to include your debug output and a detailed description of what you're trying to do.
Re: Authorize a group by multivalued "Service-Type" (in MySql)
> We have a problem using mysql. We have defined a group (e.g. admin) in mysql and wanted to assign it a multivalue attribute (e.g. Service-Type) in order to have different services but it does not work properly. It only accepts requests with the smaller id (i.e. 12) and rejects the other one (i.e. 13).
>
> +----+-----------+--------------+----+-------------+
> | id | GroupName | Attribute    | op | Value       |
> +----+-----------+--------------+----+-------------+
> |  5 | user      | Auth-Type    | := | Local       |
> |  4 | admin     | Auth-Type    | := | Local       |
> | 12 | admin     | Service-Type | == | Login-User  |
> | 13 | admin     | Service-Type | == | Framed-User |
> +----+-----------+--------------+----+-------------+

Are these reply items? Read man 5 users. == is not allowed as a reply item. If you want to add multiple reply-items of the same kind see +=.
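The rule behind this reply and the Session-Timeout entries in the "Connection TimeOut" reply is the same: in the users file, == is a check-item operator and a reply item must use =, := or +=. The checker below is an added example, not code from the thread or from the FreeRADIUS project, that scans a users file for exactly that mistake: it treats an unindented line as the entry's check items and the indented lines that follow as its reply items, and flags any reply item whose operator is ==. The function name users_lint and the sample users-file entries embedded in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: flag reply items in a
# users(5) file that use the check-item operator ==. Layout assumed is the
# standard one: "name  check, items" unindented, reply items indented on the
# following lines, comma separated, optionally continued with a trailing comma.

# users_lint FILE -> prints one line per offending reply item;
# returns 0 when the file is clean, 1 when at least one problem was found.
users_lint() {
    awk -v file="$1" '
        # comments and blank lines carry no items
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # an unindented line opens a new entry; its check items may use ==
        /^[^ \t]/ { entry = $1; next }
        # everything indented belongs to the reply of the current entry
        {
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                item = items[i]
                sub(/^[ \t]+/, "", item); sub(/[ \t]+$/, "", item)
                if (item == "") continue          # trailing comma / continuation
                if (item ~ /^[A-Za-z0-9_.-]+[ \t]*==/) {
                    printf "%s:%d: entry \"%s\": reply item \"%s\" uses == (check-item operator); use =, := or +=\n",
                           file, NR, entry, item
                    bad++
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Usage:  users_lint /etc/raddb/users
# A constructed file with one good and one bad entry:
#     DEFAULT Ldap-Group == dial
#             Session-Timeout = 7200
#
#     admin   Auth-Type := Local
#             Service-Type == Login-User,
#             Service-Type == Framed-User
# reports the two Service-Type lines and exits 1; the DEFAULT entry passes
# because its == sits in the check-item line where it belongs.
if [ $# -eq 1 ]; then
    users_lint "$1"
fi
```

The same rows in the SQL radgroupreply table (op column) can be checked with a one-line query for op = '==', but a file-based check is what the users-file reply above is about; the point of the split between the two line kinds is that the operator's meaning depends on which side of the entry it is on, not on the attribute name.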
Re: Authorization
> Thanks for your fine input and the reminder on the index (I completely forgot about that). I'll give the ldap module filter a go with the attr_rewrite. I like keeping attributes with the user object, rather than spreading usernames around to various other objects. With this implementation, to me, the extra benefit is that I can just add a radiusGroupName attribute = X to each user object.

You can also use the ldap-group variable that I showed you before on the user level by defining the groupmembership_attribute. By default it's radiusGroupname, so that should already work for you. So either way should work for you; personally, I like having it in the filter as your example showed. I am doing that now in a little different way. I'll write it up someday.

> BTW, on the attr_rewrite, can I use more advanced regex than just : ? It works and always will work, but it would be more clear in the config file if I could say "([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2}):" or something to that effect... I couldn't get ANY regex to work except the . Does that seem right?
>
> Stefan

Unfortunately, I don't know too much about attr_rewrite, but I'm sure some others on this list could help with that one. It looks about right to me.
Re: Auth All but only for those in my clients.conf
> Again, I did want to mention that only CHAP requests fail, others go through fine with an Accept.
>
> # Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host ##MyIPwasHere##:3457, id=0, length=57
> User-Name = "[EMAIL PROTECTED]"
> CHAP-Password = 0x7e842a573cd6363e06fe53a93a7b8d9e94
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: '/var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/##ClientIPwasHere##/auth-detail-20051219
> modcall[authorize]: module "auth_log" returns ok for request 0

I think this is the problem. Try commenting out chap in the authorize section.

> rlm_chap: Setting 'Auth-Type := CHAP'
> modcall[authorize]: module "chap" returns ok for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: Looking up realm "##MyDomainWasHere##/" for User-Name = "[EMAIL PROTECTED]/.com"
> rlm_realm: No such realm "##MyDomainWasHere##/.com"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 156

I'd have to assume this match (line 156) is your Auth-Type := Accept. However, for some reason it's not overriding the Auth-Type := Chap that was set earlier by the chap section of authorize.

> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type CHAP
> auth: type "CHAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_chap: login attempt by "[EMAIL PROTECTED]" with CHAP password
> rlm_chap: Could not find clear text password for user [EMAIL PROTECTED]
> modcall[authenticate]: module "chap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
> Login incorrect (rlm_chap: Clear text password not available): [EMAIL PROTECTED]/] (from client ToddHome port 0)
> Delaying request 0 for 1 seconds
> Finished request 0

Try commenting out chap in authorize and authenticate and see what happens.
Re: Auth All but only for those in my clients.conf
>> The secret in your clients.conf file is used to encrypt and sign packets between the clients and the server. It is not used for authentication.
>
> Based on what you mention here and what someone else on the list mentioned earlier, I think the reason the secret is ignored is because it is used to encrypt the auth info which is basically non-existent in an Auth All situation. Am I getting this correct now?

Yep

> Well, I don't understand the huntgroups and all just yet, I am new to FreeRadius (not to Radius in general, just FreeRadius). So, will this fix my issue where only CHAP requests are rejected? I am only having trouble with CHAP requests at this time, all other requests from allowed clients in the clients.conf file are getting an Accept back just as I want.

The huntgroups file is pretty easy to understand. Just read the comments in it.

But, now that you mention it. Your Auth-Type := Accept is still working with chap. Perhaps what I told you won't make a difference. Do you have anything in your authorize and authenticate section?

Perhaps you ought to just try this. Comment out everything in authorize except for preprocess and files, so it would look like this w/out the comments.

    authorize {
        preprocess
        files
    }

    authenticate {
    }

That way the only thing that is touched is the users file. I'd be willing to bet that you have chap listed in authorize right now and it's before the files section. So, it's hitting the chap section of authorize and doesn't see a chap passwd and fails, which causes a reject before it even gets to the files section. Just a guess?
Re: Freeradius-Users Digest, Vol 8, Issue 82
On Mon, 19 Dec 2005, Stefan Adams wrote:

> Hey, guys! Thanks for the great replies!! I like what you suggested better than what I've come up with in the mean time. I think what I came up with will work, it just seems messy/wrong/inefficient. What do you think?
>
> modules {
> 	ldap {
> 		:
> 		filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Called-Station-ID}))"
> 		:
> 	}
> 	attr_rewrite getssid {
> 		attribute = Called-Station-Id
> 		searchin = packet
> 		searchfor = ".:"
> 		replacewith = ""
> 		ignore_case = yes
> 		new_attribute = no
> 	}
> }
>
> authorize {
> 	# for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
> 	preprocess
> 	eap
> 	getssid
> 	ldap
> }
>
> This cuts off the first 17 bytes and then a colon of the Called-Station-ID (my AP transmits a dash-separated MAC followed by a colon and then the SSID). Then it uses this rewritten Called-Station-ID and uses that as a filter in the LDAP search. Therefore, if the SSID a user tries to connect to is not listed as an attribute of the user's LDAP object, the user is denied. Does that make sense?

That's a pretty neat idea. The benefit of that is if you had multiple ldap instances and wanted to implement fail-over within freeradius. To do it the traditional way, you would need this for fail-over with ldap-group checks if say you had two ldap instances.

DEFAULT Called-Station-Id =~ /studentregex/, ldap1-Ldap-Group == "students"
DEFAULT Called-Station-Id =~ /studentregex/, ldap2-Ldap-Group == "students"

That is so it will check with ldap1 instance first. If that fails, then check ldap2. By doing it your way, you won't need to do that anymore. Instead a redundant block in authorize would get you what you need already since the radiusGroupname inside your search filter takes care of the Ldap-Group check.

I wonder if you could use regex matches of Called-Station-ID in the huntgroups file. You'll have to test this out, I doubt it would work, but it's another interesting idea. I don't know if huntgroups accepts regex and if it can use things like Called-Station-Id.

in huntgroups

students	Called-Station-Id =~ /studentregex/
faculty	Called-Station-Id =~ /facultyregex/

Then in users file.

DEFAULT Ldap-Group == %{Huntgroup-Name}

Or your way.

"(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Huntgroup-Name}))"

See doc/configurable_failover and doc/rlm_ldap to see what I'm talking about with the failover. If you have a load balancer in front of that ldap server, you won't need to worry about it. But if you don't and you want to add redundancy, then it's something you'll need to think about some day. Freeradius can do the redundancy for you w/out a load balancer or shared IP using configurable failover. Actually in the upcoming 1.1 release it will also do load balancing for you in addition to failover inside your ldap blocks.

Hope I'm not too confusing. My point is I like your idea and if it's working for you, it doesn't sound like a bad one to me. You might want to try hitting it hard to see if the rewrite slows anything down, but I would bet it doesn't. I'd also make sure to add an eq index to radiusgroupname, since you'll be using that as part of your search filter.
Re: Authorization
> Let's say I have 2 groups: students and faculty.
>
> I want to authorize authenticated members of the LDAP group cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:StudentWLAN$/"
>
> I want to authorize authenticated members of the LDAP group cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:FacultyWLAN$/"

You left out your ldap part? Anyway it should look something like this.

groupname_attribute = cn
groupmembership_filter = "(&(objectclass=GroupOfNames)(member=%{Ldap-UserDN}))"

Of course you'll have to change that to fit with how your directory is structured. Once you've got that part down, then in the users file you could do something like this.

DEFAULT Called-Station-ID =~ "/:StudentWLAN$/", Ldap-Group == "students"
DEFAULT Called-Station-ID =~ "/:FacultyWLAN$/", Ldap-Group == "faculty"
DEFAULT Auth-Type := Reject

That would look to see if Called-Station-ID matches that regex. If so, it would look to see if they are in the Ldap-Group of students. Your groupmembership filter and groupname_attribute should look for a group named cn=students and then see if the DN of the user is in it. If not, it would fall through to the Reject statement.

Now, there are other things going on outside of ldap that I don't really know about, so a copy/paste of what I wrote might not work. But, it should help lead you in the right direction. I'd give it a shot running in debug mode (radiusd -X) and then you can see the exact queries that are taking place and what is happening. You can then go back and modify those ldap group statements and the users file to fit what you need. Once you've got it started if you need more help, please post debug output and what you would expect vs what you got and we can probably help sort it out.
Re: Auth All but only for those in my clients.conf
You want to allow any client that matches what is in the clients.conf file in, correct? The secret in your clients.conf file is used to encrypt and sign packets between the clients and the server. It is not used for authentication.

Have you tried adding the IPs to some type of backend? For example, if you used the users file and huntgroups file.

In huntgroups.

allow	Client-IP-Address == 1.1.1.1
allow	Client-IP-Address == 1.1.1.2
allow	Client-IP-Address == 1.1.1.3

Then in users file

DEFAULT Huntgroup-Name == allow, Auth-Type := Accept
DEFAULT Auth-Type := Reject
Re: FreeRadius cannot Authenticate to Windows AD
> rlm_ldap: login attempt by "mike" with password "mike123"
> radius_xlat: '(SamAccountName=mike)'
> radius_xlat: 'CN=Person,DC=chikka,DC=ph'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.1.1:389, authentication 0
> rlm_ldap: bind as / to 192.168.1.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in CN=Person,DC=chikka,DC=ph, with filter (SamAccountName=mike)
>
> - LDAPSEARCH RESULT
>
> [EMAIL PROTECTED] ~]# ldapsearch -LLL -h 192.168.1.1 -x -b 'dc=domain,dc=com' '(samaccountname=mike)' -D mike -w mike123
> dn: CN=mike,CN=Users,DC=domain,DC=com

There are two major differences in what you have freeradius configured to do and what your commandline search shows. Is this intended??

Freeradius
 - bind anonymously
 - search in CN=Person,DC=chikka,DC=ph

Commandline
 - bind as mike
 - search in dc=domain,dc=com

Unless I missed something and I'm just not getting it, I would give freeradius an identity and password of a user that has read access to the part of the directory your users are in. Then I would change the basedn in freeradius to actually match the basedn of your directory.
Re: RADIUS packet did not have correct Message-Authenticator
> although I have not yet found the culprit, it is calming to know the reason behind. I have read this and that documentation about freeradius during the past time, but this one I think, did never cross my way. Is there a document, where this behaviour is described?

I believe it's your users file, from your previous messages on ldap. I had given you an example of using ldap-group to make sure you hit that check-item you want. That worked, but now your access-accept is cancelling the EAP. Sorry if I confused you, but I was just focusing on the ldap part, didn't even realize there was something else going on inside this.

Perhaps you should change it from:

DEFAULT Ldap-Group == "515", Auth-Type := Accept
	Framed-Type = Framed,
	Tunnel-Type:1 = VLAN,
	Tunnel-Medium-Type:1 = IEEE-802,
	Tunnel-Private-Group-ID:1 = 100

DEFAULT Auth-Type := Reject

To:

DEFAULT Ldap-Group == "515"
	Framed-Type = Framed,
	Tunnel-Type:1 = VLAN,
	Tunnel-Medium-Type:1 = IEEE-802,
	Tunnel-Private-Group-ID:1 = 100

DEFAULT Auth-Type := Reject

??

I have never used EAP, but I believe if you take out the Auth-Type := Accept, the server should pick up on the fact that it needs to do EAP and will continue with that part. Someone else will be able to give more insight on that part.
Re: No Reply Proxy for Accounting Requests
On Fri, 16 Dec 2005, David Bickle wrote:

> Does anyone know how to configure a proxy for the forwarding of no reply accounting requests? In particular I am interested in accounting start/stop packets.
>
> Thanks,

What does "forwarding of no reply accounting requests" mean?
Re: bug in rlm_ldap?
> Thank you, I got it and already tried that attribute. The behaviour is a bit better, but does not really lead to the desired result, as the client gets an:
>
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped

Well, at least you've got the ldap part working. The message-authenticator shouldn't have anything to do with ldap. It has to do with the packet between the radius server and the nas.

> Seems ok, but unfortunately on the other side, the result is not that good. Alan proposed eapol_test recently for testing of such connections (thank you, very useful) and this tool shows me:
>
> ...
> Received RADIUS message
> RADIUS message: code=2 (Access-Accept) identifier=0 length=38
>    Attribute 64 (?Unknown?) length=6
>    Attribute 65 (?Unknown?) length=6
>    Attribute 81 (?Unknown?) length=6
> STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.15 sec
> No Message-Authenticator attribute found
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped
> STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet
> EAPOL: startWhen --> 0
> EAPOL test timed out
> MPPE keys OK: 0 mismatch: 1
> FAILURE

I can't help on this part. I'd start a new thread with that error, so the subject line might draw some attention from someone that can.
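Added example, not from the thread or from FreeRADIUS: a small Python model of the two integrity checks an EAP client applies to an Access-Accept, the Response Authenticator (RFC 2865) and the Message-Authenticator attribute (RFC 3579 section 3.2). It rebuilds a 38-byte Access-Accept carrying the three tagged tunnel attributes seen in the eapol_test output above, once without and once with Message-Authenticator, and shows which one a client would drop. The shared secret and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the thread): a shared secret and the 16-byte
# Request Authenticator the NAS would have put in its Access-Request.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_ACCEPT = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data):
    """Decode the attribute area of a packet into [(type, value_bytes), ...]."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, identifier, request_auth, attrs, secret, with_msg_auth):
    """Build an Access-Accept/Reject/Challenge as RFC 2865 and RFC 3579 require.

    Message-Authenticator (attr 80) = HMAC-MD5(secret, Code|ID|Length|
    RequestAuthenticator|Attributes) with its own 16 value bytes zeroed.
    Response Authenticator = MD5(Code|ID|Length|RequestAuthenticator|
    Attributes|secret), computed after the HMAC has been filled in.
    """
    body = encode_attrs(attrs)
    if with_msg_auth:
        body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def check_response(packet, request_auth, secret):
    """Verify a response the way an EAP-aware client does.

    Returns (response_authenticator_ok, message_authenticator_status) with the
    status "ok", "bad" or "missing".  RFC 3579 obliges the client to discard an
    EAP-related response whose status is not "ok"; that is the "No
    Message-Authenticator attribute found ... dropped" path in eapol_test.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    _code, _identifier, length = struct.unpack("!BBH", header)
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    resp_ok = hmac.compare_digest(resp_auth, expected)

    status, offset = "missing", 0
    for attr_type, value in parse_attrs(body):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            status = "ok" if hmac.compare_digest(mac, value) else "bad"
            break
        offset += 2 + len(value)
    return resp_ok, status


def vlan_reply_attrs():
    """The three tagged tunnel attributes from the eapol_test output (types 64,
    65, 81, six bytes each): Tunnel-Type:1 = VLAN (13), Tunnel-Medium-Type:1 =
    IEEE-802 (6), Tunnel-Private-Group-ID:1 = "100"."""
    return [
        (64, b"\x01" + (13).to_bytes(3, "big")),
        (65, b"\x01" + (6).to_bytes(3, "big")),
        (81, b"\x01" + b"100"),
    ]


def accept_without_message_authenticator():
    """Reproduces the 38-byte Access-Accept the client dropped."""
    return build_response(ACCESS_ACCEPT, 0, REQUEST_AUTHENTICATOR,
                          vlan_reply_attrs(), SECRET, with_msg_auth=False)


def accept_with_message_authenticator():
    """The same reply carrying the Message-Authenticator the EAP client needs."""
    return build_response(ACCESS_ACCEPT, 0, REQUEST_AUTHENTICATOR,
                          vlan_reply_attrs(), SECRET, with_msg_auth=True)


if __name__ == "__main__":
    for pkt in (accept_without_message_authenticator(), accept_with_message_authenticator()):
        print(len(pkt), check_response(pkt, REQUEST_AUTHENTICATOR, SECRET))
```

Both packets carry a valid Response Authenticator; only the second also passes the Message-Authenticator check, so only it survives an EAP client's filter.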
Re: bug in rlm_ldap?
> I changed the users file as you recommended, the ldap.attrmap contains the additional line:
>
> checkItem	User-Category	primaryGroupID
>
> Unfortunately also in this case only the Reject entry matches, although the primaryGroupID seems to be passed to User-Category:
>
> radiusd -AX
> .
> rlm_ldap: looking for check items in directory...
> ldap_get_values
> ldap_get_values
> rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute User-Category == 515
> ldap_get_values

Did you get the second email I sent? I don't believe you can use that check item from ldap in the users file. Try the ldap-group options I sent over in the last email. That should work for you.
Re: Checkitems
> Maybe my last question was unclear this morning. Therefore I would like to rephrase it:
>
> Checkitems may be defined via ldap.attrmap e.g. like:
>
> checkItem	User-Category	primaryGroupID
>
> Those items, retrieved from an ldapserver and thus not part of the request: Are they supposed to be accessible by following modules? In a case like this in radiusd.conf:
>
> authorize {
> 	ldap {
> 		notfound = return
> 	}
> 	files
> }
>
> Should the files module have access to a check item User-Category?
>
> Thanks

I'm not sure, I've never tried that before, but I don't believe you can. I think you'd need to use xlat for that. Grep for xlat in doc/rlm_ldap.

You could certainly use that ldap attribute as an Ldap-Group item, if you are going to be keying off of it a lot.

in radiusd.conf

groupmembership_attribute = "primaryGroupID"

Then in the users file

DEFAULT Ldap-Group != "xxx", Auth-Type := Reject

or something like that.
Re: bug in rlm_ldap?
> ##
> HOST/lnxad.tde002.sitest.net User-Category != 515
> 	Fall-Through = No,
> HOST/lnxad.tde002.sitest.net User-Category == 515
> 	Fall-Through = No,
> HOST/lnxad.tde002.sitest.net Auth-Type := Reject
> ##

If this is your users file, it's incorrect. Notice the placement of commas. The check-items should be on one line separated by commas. The reply items should be over multiple lines separated by a comma, except for the last line.

HOST/lnxad.tde002.sitest.net, User-Category != 515
	Fall-Through = no

HOST/lnxad.tde002.sitest.net, User-Category == 515
	Fall-Through = no

HOST/lnxad.tde002.sitest.net, Auth-Type := Reject
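Added example, not from the thread or from FreeRADIUS: a simplified Python reader and evaluator for the users-file layout described above (check items on the first line separated by commas, reply items on indented lines with a trailing comma on all but the last), exercised with Called-Station-Id / Ldap-Group entries like those in the "Authorization" thread earlier on this page. The sample file, the request values and the treatment of Ldap-Group as a plain request attribute are assumptions made for the illustration; real rlm_files and rlm_ldap semantics are richer than this.

```python
import re

# Constructed sample users file (not from the thread).  Layout follows the rule
# in the post above: name plus comma-separated check items on the first line,
# reply items on indented lines, each but the last ending in a comma.  The
# entries mirror the Called-Station-Id / Ldap-Group idea from the
# "Authorization" thread earlier on this page.
SAMPLE_USERS = '''DEFAULT Called-Station-Id =~ ":StudentWLAN$", Ldap-Group == "students"
\tFall-Through = no

DEFAULT Called-Station-Id =~ ":FacultyWLAN$", Ldap-Group == "faculty"
\tReply-Message = "faculty access",
\tFall-Through = no

DEFAULT Auth-Type := Reject
'''

PAIR_RE = re.compile(r'^\s*([\w.:-]+)\s*(:=|==|!=|=~|!~|\+=|=)\s*(.*?)\s*$')
OPS = {
    "==": lambda actual, value: actual == value,
    "!=": lambda actual, value: actual != value,
    "=~": lambda actual, value: re.search(value, actual) is not None,
    "!~": lambda actual, value: re.search(value, actual) is None,
}


def split_pairs(text):
    """Split on commas that are outside double quotes."""
    parts, buf, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p for p in parts + [buf] if p.strip()]


def parse_pair(text):
    """'Attr op value' -> (attr, op, value) with surrounding quotes removed."""
    m = PAIR_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse pair: {text!r}")
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text):
    """Return entries as dicts: name, checks (first line), replies (indented)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":            # indented: reply items of the current entry
            if not entries:
                raise ValueError("reply item before any entry")
            entries[-1]["replies"] += [parse_pair(p) for p in split_pairs(raw)]
        else:                          # new entry: name, then the check items
            fields = re.split(r"\s+", raw.strip(), maxsplit=1)
            checks = split_pairs(fields[1]) if len(fields) > 1 else []
            entries.append({"name": fields[0], "replies": [],
                            "checks": [parse_pair(p) for p in checks]})
    return entries


def check_matches(check, request):
    """Simplified check-item semantics; ':=' is a control assignment."""
    attr, op, value = check
    if op == ":=":
        return True
    actual = request.get(attr)
    if actual is None:                 # attribute absent from the request
        return op in ("!=", "!~")
    return OPS[op](actual, value)


def authorize(entries, request):
    """Walk entries in order; stop at the first match unless Fall-Through = yes."""
    control, reply = {}, []
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if not all(check_matches(c, request) for c in entry["checks"]):
            continue
        control.update({a: v for a, op, v in entry["checks"] if op == ":="})
        fall_through = False
        for attr, _, value in entry["replies"]:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("yes", "1")
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return control, reply


def decide(called_station_id, ldap_group, user="alice"):
    """Ldap-Group is modelled here as the group rlm_ldap would report for the user."""
    request = {"User-Name": user, "Called-Station-Id": called_station_id,
               "Ldap-Group": ldap_group}
    control, reply = authorize(parse_users(SAMPLE_USERS), request)
    return control.get("Auth-Type"), reply
```

A student on the student SSID matches the first entry and proceeds to authentication; the same user on any other SSID falls through to the final DEFAULT and gets Auth-Type := Reject.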
Re: rlm_ldap behavior: authorize v.s. authenticate
> From reading debug logs, am I correct in concluding that rlm_ldap's behavior:
>
> - when processing authorize{ } is to bind to the LDAP as the provided administrative DN and search for the DN of the user in the Access-Request packet
>
> - when processing authenticate{ } is to, if successful during authorize, then re-bind to the LDAP using the provided username and password and return Access-Accept only if the bind-as-the-user succeeds?
>
> Correct, as the default behavior?

Sounds right to me.
Re: rlm_sql_mysql on FreeBSD 5.4 - Segmentation fault at startup
I'm running it fine right now on freebsd 5.4. I installed everything from ports. I first installed mysql server from ports. I'm running mysql-server-4.1.14

cd /usr/ports/databases/mysql41-server/
make install clean

(I didn't specify any unique make options)

cd /usr/ports/net/freeradius
make install clean (select mysql)

$ uname -a
FreeBSD radsql1.soc.int 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Tue Sep 27 14:14:11 EDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/carp i386

On Thu, 8 Dec 2005, Matthew Horoschun wrote:

> Hi All,
>
> I'm having trouble getting FreeRadius (CVS) working with MySQL 5.0.15 on FreeBSD 5.4. I have been testing successfully with PostgreSQL up until now.
>
> Running under gdb:
>
> ...
> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
> rlm_sql_mysql: Starting connect to MySQL server for #0
> rlm_sql (sql): Connected new DB handle, #0
> rlm_sql (sql): failed after re-connect
> rlm_sql (sql): Error retrieving group list
> rlm_sql (sql): Error processing groups; rejecting user
> rlm_sql (sql): Released sql socket id: 0
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1 (LWP 100524)]
> 0x08059635 in safe_unlock (instance=0x0) at modcall.c:227
> 227	if (instance->mutex)
> (gdb) bt
> #0  0x08059635 in safe_unlock (instance=0x0) at modcall.c:227
> #1  0x0805971c in call_modsingle (component=1, sp=0x8139140, request=0x806f800, default_result=6) at modcall.c:258
> #2  0x08059dc6 in modcall (component=1, c=0x8139140, request=0x806f800) at modcall.c:590
> #3  0x0805979f in call_one (component=1, p=0x8139140, request=0x806f800, priority=0xbfbfd1e0, result=0xbfbfd1e4) at modcall.c:287
> #4  0x08059896 in call_modgroup (component=1, g=0x8135ec0, request=0x806f800, default_result=6) at modcall.c:342
> #5  0x08059d3b in modcall (component=1, c=0x8135ec0, request=0x806f800) at modcall.c:575
> #6  0x0805876c in indexed_modcall (comp=1, idx=0, request=0x806f800) at modules.c:428
> #7  0x08059271 in module_authorize (autz_type=0, request=0x806f800) at modules.c:936
> #8  0x0804d412 in rad_authenticate (request=0x806f800) at auth.c:548
> #9  0x0805e00a in rad_respond (request=0x806f800, fun=0x804d25c ) at request_process.c:451
> #10 0x0805fbad in thread_pool_addrequest (request=0x806f800, fun=0x804d25c ) at threads.c:901
> #11 0x0805be34 in main (argc=2, argv=0xbfbfebfc) at radiusd.c:668
>
> I noticed that people have had somewhat similar problems (http://lists.cistron.nl/pipermail/freeradius-users/2005-September/047030.html), but I'm not sure that this is the same thing.
>
> Matthew.
RE: Free Radius and Squid
AFAIK - NO - it is way too simple to work like that. Squid is only a cache. You could redirect a user to a login site with your firewall script, after he logs in, you could redirect him to squid (at least his http traffic). But again AFAIK there is no radius client module for squid. Nor is it planned in a way you want it.

Regards, Edvin

-Original Message-

Hello,

I'm very new to free radius and would like to know if it will run with squid proxy server. If so how would this work? What I am looking to do is to allow users to access the internet via the transparent squid proxy for limited time sessions. Eg. a user who wishes to use the system would be greeted by a web page asking for a code. The code (which they would get from the system admin) would grant them access for 1 hour. Can this be done using FreeRadius and Squid?

Sean.

Actually, I have tested squid using a radius plugin before to talk to freeradius. It worked for me then, but we never used it and it was also years ago.

http://www.squid-cache.org/related-software.html

There are a few radius modules in there, you might want to give one a shot. The second one seems to still be active. I don't know about a time limit however and I don't really know much about squid to help. This wiki entry talks about using authentication with squid, it might help you.

http://wiki.squid-cache.org/faq/authentication
Re: LDAP, FreeRadius, and Schema
> Well, most of our email accounts are in a different organizational unit, and they use posixAccount (so based off of uid). However, our radius organizational unit is separate ... and I'm now using type "account" with cn's. You're saying this is ok?

It's probably fine.

> The only reason I was complaining about indexing is because the organizational unit that manages the email accounts uses the cn value for full name so I was indexing the full name without it being needed.

That's ok. You're just indexing with eq anyway, correct? If you were doing substring indexes as well it would be a little more load, but I usually err on the side of having too much indexed. But we run pretty good sized ldap servers anyway.
Re: Configuring a proxied and local authentication
> I did configure one radius server (A) to proxy incoming requests to another radius server (B, this latter one using pam).
>
> First question: I don't find a way to add a NAS-Identifier value inside the proxied request, so that B server could check it...

preproxy_users will do this for you.

> How to configure the A server so that if B rejects the request, then A will check in a local user base (through pam)?

Not sure on that one, will have to defer to someone else.
RE: Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator
On Wed, 30 Nov 2005, Alhagie Puye wrote:

> Ok, So I played around some more with the settings. Actually "group" and "groupofnames" are not correct attributes for user. It is supposed to be "memberof". So I changed line in ldap.attrmap to look like:
>
> replyItem	Class	memberof
>
> Now I'm getting replyItems but the data looks like garbage. I want it to return the group name.

You are returning CN as the class in your radius packet.

Class = CN

Class is not a string, it's an octet so what you are seeing 434e is really CN. You must be returning something like

memberof: CN=somegroup,ou=someou,...

It seems like rlm_ldap is stripping anything after that = sign. You should check the bugs db and see if you can find something like this.
Re: error in configurable failover?
> Norbert Wegener <[EMAIL PROTECTED]> wrote:
> > authenticate {
> > 	#ldap1
> > 	group {
> > 		ldap1 {
>
> You can't use anonymous groups in the "authenticate" section. You have to explicitly use "Auth-Type", and give it a name. This is because only ONE auth-type is run from that section. So if you had an anonymous group, it would never get run, because you could never reference it by name.
>
> Alan DeKok.

Say you had two ldap instances.

authorize {
	redundant {
		ldap1
		ldap2
	}
}

authenticate {
	ldap1
	ldap2
}

Say you had 4 ldap instances. Two for dial users and two for isdn users. They point to the same servers, but with different configurations.

authorize {
	Autz-Type dial {
		redundant {
			ldap_dial1
			ldap_dial2
		}
	}
	Autz-Type isdn {
		redundant {
			ldap_isdn1
			ldap_isdn2
		}
	}
}

authenticate {
	Auth-Type dial {
		ldap_dial1
		ldap_dial2
	}
	Auth-Type adsl {
		ldap_isdn1
		ldap_isdn2
	}
}

In that case, you would need to declare these somewhere, such as the users file.

DEFAULT NAS-Port-Type == Async, Autz-Type := dial, Auth-Type := dial
DEFAULT NAS-Port-Type == ISDN, Autz-Type := isdn, Auth-Type := isdn
RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
> Radiusd.conf:
>
> filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
>
> This works fine. However I can't get it to return any replyItems. Has anyone gotten this to work with Active Directory? All the docs I see on the Net reference OpenLDAP. I'm sure there are a lot of folks out there running Windows 2000/2003 Active Directory. I have spent a couple of days on this not having much luck. Here are a few questions that would help me a bit.
>
> 1) Do I need groupname_attribute to get this to work?
> 2) What about groupmembership_filter and groupmembership_attribute?
>
> My ldap.attrmap looks like this:
>
> replyItem	Class	groupofnames
> replyItem	Class	group
>
> I think the above is correct. Can someone shed some light on this?

Is group and groupofnames something that is an attribute of a user? When freeradius searches for reply items it is searching for attributes of that user.

eg:

dn: cn=someuser,...
group: somegroup

Should then add Class = somegroup to the reply items.

If you want to make reply items attached to a group, rather than an individual, you will need to set the User-Profile attribute. For example,

dn: cn=somegroup,ou=groups,...
group: somegroup

Then in the users file.

DEFAULT Ldap-Group == somegroup, User-Profile := "cn=somegroup,ou=groups,..."

You may be able to do this dynamically using xlat or something like huntgroups too. If you want an example, send us an example of a user and group from AD in ldif format and an example of a radius packet that you would expect in the reply and I'll see if I can come up with an idea for ya.
Re: LDAP, FreeRadius, and Schema
> Hi all,
>
> I was wondering what everyone uses for an account objectClass? Right now I'm using "Person", which makes the dn: cn=,ou=Radius,dc=mydomain,dc=net However, indexing the cn would index the CN of other OU's as well ... .. I'm just wondering what people use. I know "Account" could also be used.

I extend my schema with RADIUS-LDAPv3.schema and use the radiusprofile objectclass. However, mine is old and uses uid instead of cn, which is in that file. You certainly could create your own objectclass or modify the one that is there. I think you should stick with cn, since that is what freeradius knows and you already use it. It will make maintenance and upgrades much easier.

However, back to your problem. I don't see what the issue is with indexing cn. If you are ever going to do searches on other OU's for a cn attribute, you would probably hope that it's indexed. The performance hit you will take for indexing that attribute is probably not even close to the performance gain you will get having cn indexed for searches. This is especially true with the newest versions of openldap (2.3).

Dusty Doris
RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
> So, the question again is if the VPN Concentrator is only sending username and password, do I need ntlm_auth or ms-chap? FreeRADIUS doesn't have any usernames and passwords and will query Active Directory for the actual authentication.
>
> Thanks,

If the packet is merely containing plaintext username and password, then you can probably just use rlm_ldap against AD and hit it directly. Just need to setup a user with read access to the directory to do the initial bind with and search of the user for authorization. Then the user will be authenticated by doing a bind against AD with the username/password in the packet.

BTW - I use freeradius w/ ldap for cisco VPN concentrators as well, although it's openldap instead of AD. To pass back the class attribute, you must modify ldap.attrmap and specify the reply item of Class to match what you call it in the directory.

eg:

replyItem	Class	radiusClass

Then in the directory, you have

dn: cn=someuser,...
...
radiusClass: "OU=myvpngroup;"

So, for AD, you'll need to extend the schema and add an attribute for this. Or if you already have something that you can use, just modify ldap.attrmap to know what it is.

-Dusty Doris
Re: php account stats
On Thu, 17 Nov 2005, Jean Gaudreau wrote:

> I'm looking for a script in php that can produce some stats from MySQL. Anyone ?

What kind of stats?
Re: "Pool-Name" check item causes Access-Reject
> Following the docs, I have the files db.ipindex and db.ippol set up, and the main_pool is configured in radiusd.conf. user 'gerret' is the guinea pig with the following radcheck table entries:
>
> | 1354 | gerret | User-Password | == | testpw    |
> | 1491 | gerret | Pool-Name     | == | main_pool |

Try setting the operator on Pool-Name to := instead of ==.
Re: FreeRadius using two SQL servers
> what do you think if we try to use a Perl module inside of the authorize section?!?!. I want the Perl module to decide between my two sql servers depending on the incoming realm, I think this can be a possible way to take. If you have any idea please let me know. Thanks!!

That should work too. However, you can do this with Autz-Type, I am currently doing it right now, but using ldap instead of sql. Comment out your Autz-Type entries in your users file and try this. Actually, comment out all your entries if you're not on a production system.

DEFAULT Realm == "wireless", Autz-Type := SQL1
DEFAULT Realm == "dhcp", Autz-Type := SQL2

Notice that the check item Realm == is first, then Autz-Type. Make sure your sql1.conf and sql2.conf files look like this at the top.

sql1.conf

sql sql1 {
	...
}

sql2.conf

sql sql2 {
	...
}

Then give it a shot. If that does not work, try changing it to add Auth-Type to the end.

DEFAULT Realm == "dhcp", Autz-Type := SQL2, Auth-Type := Local

If neither of those work for you, please post your debug again. Also, make sure to reply to all, so your replies go back to the list, not just me.

-Dusty
Re: FreeRadius using two SQL servers
> when a radius client asks my freeradius, if the Realm is "" I want to authorize him with the first SQL server and if the Realm is "" with the second one. I already have two different sql configuration files, sql1.conf and sql2.conf, with instance name SQL1 and SQL2. I had been trying to do exactly what the Autz-Type Doc says, but I had no luck with it. I don't know what to do...
>
> Thanks

So, what have you tried?
Re: memory leaks with rlm_perl? (FreeRADIUS bug #221)
> I really appreciate that the FreeRADIUS developers actually take their time to do end user support on this list. I am impressed by the work you all do. Getting two(!) working solutions to a problem in a couple of hours during the weekend, is a level of support that I think you can't buy from any commercial company at any price. It makes me wish that I had something to give back. At least I'll have an example for all the bosses that express their concern about "unsupported" open source solutions..
>
> Thanks again.

I agree with you 100% on this. Our company pays extra for so-called "support" on many of the commercial products we use. However, I've found that the community that supports freeradius on this mailing list is much more valuable than any of our paid support on commercial software. The support here on the list comes from people that actually USE the product in a PRODUCTION network. This is something you can't always get from a commercial product.

You definitely can give back by documenting anything you think might help and sending it to the list. Or perhaps you can stay on the list and see if you can help anyone with similar issues to what you've experienced. I'm in the same boat as you, and trying to give back by occasionally responding to threads here and sending in some documentation whenever I get the time to write some up.

-Dusty Doris
Re: FreeBSD anyone?
Thanks for the advice. Didn't get a chance to get good numbers for you today, but here is at least something. I took a look at our records for today and we have about 70,000 entries, with only 1500 of them without a stop yet. I can't get a good estimate at packets right now because I'm not sure how many updates we receive. But if I were to take a guess and say there is 1 update per user session (very rough guess), then that puts us at about 210,000 packets in 24 hours with 1 start, 1 update, and 1 stop. That makes our average about 2.5/second. Now, there are probably at least a few more than 1 update, so that number could be a bit higher. Also, our usage definitely has big peaks during certain times of the day. But, I'd guess that we don't hit much more than 20-30/second during those peaks.

> I've found that the performance problem goes away when I test with interim accounting records instead of start records. I haven't figured out why start records generate such a performance hit. Any ideas?

That seems odd to me. I don't have any ideas on that, looking at the queries in sql.conf it seems to me that the accounting start should be faster since it begins with just a plain insert vs the update starting with an update that contains a where clause.

Do you have a my.cnf file tuning that db? I can't explain update vs insert, but it could help with performance. Did you tweak sql.conf or radiusd.conf either? Perhaps you could try adjusting the num_sql_socks and connection_failure_retry_delay numbers in sql.conf and the thread pool section of radiusd.conf. Also, you can do many other things to help especially turning off radutmp. I'd also comment out any other modules that aren't used. Actually read tuning_guide in the doc dir, there are some good comments there.

Also, remember that the sql performance is going to be primarily dependent on your configuration vs freeradius in general. For example, the CPU, disk speed, ram, etc.. will have more of an influence than anything else.

> We're currently looking at radrelay.

That sounds like a good idea. It's been working great for us. However, in the CVS head they now have sqlrelay which I'd definitely consider taking a look at. It does the same thing as radrelay, but sends over sql queries to your db instead of radius packets. Might be nice to not have to worry about an additional process (radiusd) on your sql servers. I'll test it out one of these days if I ever get some spare time.

-Dusty
Re: FreeBSD anyone?
Hi Dusty, Now, I'm running freeradius 1.0.5 on freebsd 5.4. We handle about 75,000 logins per day between 3 servers and are using openldap as a backend, which stores about 400,000 users. We use radrelay to push all the accounting into a mysql db. Can you comment on the accounting record rate that you're achieving? We're currently testing FreeRadius and I'm seeing a performance ceiling of about 200 accounting records per second. Matthew.
I will have to take a look tomorrow to see what kind of data is coming in. But, I will let you know the architecture I am using, in case it interests you. Our billing system pulls from our accounting database periodically, so we don't need real-time information on all our accounting records. We have three main radius servers. We set up each of the radius servers to log all accounting to a detail file and we then use radrelay to push the data to our sql servers. This makes the accounting part of our AAA much quicker between the NAS and the radius server. The radius server just has to log it to a file and move on, so the accounting response comes very quickly. This is especially apparent during high loads as we don't need to wait for an sql resource to become available.
The sql servers are two mysql 4.1 servers on freebsd 5.4. They are running in a multi-master setup. The two servers share an IP with CARP, which is built into freebsd. CARP will set up one server as the master and that server will answer all ARP requests for that IP. If the interface goes down (or if carp is shut down by script/manual intervention), then the other machine will automatically take over that IP and then become the master sql server. The whole point of this setup is for reliability of our data rather than availability of the sql server. If one of the sql servers goes down, the other will take over the master role. When the dead server comes back up, it will assume the slave role and will update itself to be current with the master, or we can manually update it if we wish.
If both sql servers go down, or during the small transition time between switching masters, or perhaps if the radius load is just too high to accept all the requests we are getting, then the detail file on the radius servers will begin to grow. When the radius accounting server comes back up or the packets coming in slow down to a rate lower than the sql server can accept, radrelay will then catch up the accounting server. We do occasionally see times where there was too much data coming in at once and the accounting server will post warnings to the log file and the detail files will begin to grow. However, it's never been more than a few minutes and radrelay quickly catches the servers back up to date when the rates return to a lower level.
Our authentication structure is quite different as we are looking more for availability. But in the accounting world, we can afford to delay the records if needed. I'll take a look at the data coming in tomorrow and let you know what kind of numbers we are seeing. If you'd like I can also send you any information you'd like about CARP or our mysql setup.
I've also tested using another method which we chose not to implement. With this method I set up the accounting in a configurable-failover scenario. First we would send the accounting data directly to the sql server. If that failed, then the data would be populated into the detail file to quickly return an accounting response and radrelay would pick it up and deliver it to the accounting server when it can. This worked quite well, but we chose to go with just radrelay instead. By doing just radrelay we could make the radius accounting server open up a large number of connections to itself vs spreading out the connection pool among our main radius servers. Hope that is helpful. -Dusty
Re: Adding Attributes to a post proxy request
I have a case where I use Freeradius for proxy auth/acct to home servers. Before the answer goes back to the NAS I need to add some attributes and am now looking for the best way of doing this. You can do this with rlm_attr_filter. Read the attrs file and man rlm_attr_filter.
Re: FreeBSD anyone?
Hi, I'm running freeradius 1.0.5 + postgres 8.0.3 on a dual xeon, gentoo 2005.1, all is working ok, but I have another server with the same hardware specs that I recently "upgraded" from gentoo to freebsd 5.3. The server was running apache + postgres and, wow, great difference, better performance, so postgres definitely liked freebsd. What about freeradius? I have read on the website that it is developed on debian but it compiles on freebsd. What is your experience with freebsd, good? bad? any gotchas? Should I migrate to freebsd or stay with gentoo? My personal preference is bsd, but I'm worried about any obscure feature that only works on linux api's, etc.
Been using freeradius on freebsd exclusively for several years now. Started with freeradius .8 on freebsd 4.6 I think. Now, I'm running freeradius 1.0.5 on freebsd 5.4. We handle about 75,000 logins per day between 3 servers and are using openldap as a backend, which stores about 400,000 users. We use radrelay to push all the accounting into a mysql db. It's been working perfectly, no issues ever with freeradius or freebsd (can't say the same for harddrives and motherboards though - so you should build redundancy into your architecture). I'm going to write up our architecture one of these days and I'll submit a copy to freeradius, but I'm re-designing everything right now to keep recent, add more redundancy, and simplify things. So I've been too busy. There is an old document of the original system I put in, in the doc folder called ldap_howto.txt. Anyway, I'd suggest installing freeradius from the freebsd ports tree since they've got the most recent version in there right now. The ports are just so easy to maintain. However, I do have it running on a few machines compiled from source before the ports tree was updated. Anyway, I'm on the list and read it often, so if you've got freebsd specific questions, feel free to ask. -Dusty Doris
BTW this is fun to look at. Below is the last of our old systems, that I haven't replaced yet. Will be doing so in the next few weeks, though. I don't think I've ever touched them more than a few times and only to make config changes. They're just proxy radius servers and only get about 1000-2000 logins per day from some old systems and proxy everything over to our 3 real servers, but I still like the stats.
[EMAIL PROTECTED]:~] # radiusd -v
radiusd: FreeRADIUS Version 0.8.1, for host i386-unknown-freebsd4.7, built on Mar 26 2003 at 14:36:24
[EMAIL PROTECTED]:~] # w
1:03AM up 932 days, 15:06, 1 user, load averages: 0.00, 0.00, 0.00
[EMAIL PROTECTED]:~] # uname -sr
FreeBSD 4.8-RELEASE
[EMAIL PROTECTED]:~] # radiusd -v
radiusd: FreeRADIUS Version 0.8.1, for host i386-unknown-freebsd4.8, built on May 13 2003 at 13:06:20
[EMAIL PROTECTED]:~] # uname -sr
FreeBSD 4.8-RELEASE
[EMAIL PROTECTED]:~] # w
1:08AM up 903 days, 17:49, 1 user, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
root p0 172.20.1.209 1:08AM - w
Re: freeradius with static IP
On Tue, 1 Nov 2005, Daniel Torres wrote: Hi, First of all excuse my English, it is not very good. I wanted to know if somebody has been able to set up a freeradius server to assign static IPs, or if it is possible to assign static IPs with freeradius 1.0.5. Thanks for the information. Yes, I do it. I return Framed-IP-Address and Framed-IP-Netmask back to the NAS.
Re: reject reply
On Wed, 26 Oct 2005, hannibal wrote: hi, everyone, i got these logs:
--
modcall: group authorize returns reject for request 37
Delaying request 37 for 1 seconds
Finished request 37 // why finished request, but not send reply to client??
It delays the reject for the amount of time you specify in radiusd.conf in reject_delay = 1
Going to the next request
Thread 6 waiting to be assigned a request
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 127.0.0.1:32874 // Sending this message, i think is because of process time out.
Cleaning up request 37 ID 1 with timestamp 435cf28f
It did send the reject, after the 1 second delay. Read the documentation above that line; it explains why you may want to do that. If you don't like it though, you can change that number to 0.
Re: Cisco and No NAS-Port seen (checkrad)
On Tue, 25 Oct 2005, Miguel wrote: Hi, I'm having problems implementing simultaneous-use on a cisco AS5400; it is the same problem addressed in this thread http://lists.cistron.nl/pipermail/freeradius-users/2005-March/041894.html Ok, I know what the problem is, but how can I instruct the cisco that it must send the NAS-Port attribute? Is this even possible? thanks
I think in conf t you can define the radius attribute with something like radius-server attribute nas-port format X with X being dependent on the type of connections. I don't know if this will force it, but perhaps the default type is something that doesn't apply to your type of connection. For PPPoA we use format d, which gives you the slot/mod/port vpi/vci. But there are a few other options, just give it a ?
Re: not to proxy accounting
I want to make an option not to proxy accounting but log locally. What option can I take? Should I make a preproxy code for this function? In proxy.conf, you define where to send the accounting packets.
Re: Is rlm_perl a viable solution for production environments yet?
I'm considering writing some Perl for use with the rlm_perl module, but before I do I need to know whether the module is ready for use in a production environment. Has anyone had any experience (both positive and negative) with rlm_perl, performance wise, that they could share with me to help my decision? I am using rlm_perl in production right now. It's been working flawlessly for me. I'm using it with freeradius 1.0.2. I guess I should add what I'm doing with it. I'm using it to hand out IP addresses to PPPoA ADSL connections from a mysql database. We have about 30,000 DSL modems that get a dynamic IP out of a pool and about 8,000 that get a static IP. We get about 1-2 radius requests per second. I'll document it one of these days and then post it to the list. I just haven't had time yet to do it. -Dusty Doris
Re: Is rlm_perl a viable solution for production environments yet?
On Mon, 17 Oct 2005, Tim O'Donovan wrote: Hi, I'm considering writing some Perl for use with the rlm_perl module, but before I do I need to know whether the module is ready for use in a production environment. Has anyone had any experience (both positive and negative) with rlm_perl, performance wise, that they could share with me to help my decision? I am using rlm_perl in production right now. It's been working flawlessly for me. I'm using it with freeradius 1.0.2. -Dusty Doris
Re: Freeradius, Ldap, and static IPs for users.
I have a huntgroup for the dial-up that allows me to differentiate between the dial and dsl based on the radiusGroupName without any problems. But now I need to be able to let a DSL user with a static ip be able to log in via dial-up and pull a dynamic ip. Is this possible and how do I do it (or for that matter, what docs might even point me in the right direction)? I'm not seeing much on this in my searches.
Did you ever get help on this? If not, do all your dsl users get static ips? If so, here is a quick idea. Not sure if this would work, as in not sure if the variable will carry over, so you'll have to test it. In your radiusd.conf file, under the ldap section, perhaps you could put this.
dictionary_mapping = ${raddbdir}/%{Huntgroup-Name}-ldap.attrmap
Then copy ldap.attrmap to dialup-ldap.attrmap and dsl128-ldap.attrmap. In dialup attrmap, comment out the radiusFramedIPAddress and radiusFramedIPNetmask parts. That will make radius not add those reply values to your users that login from the dialup nas. If only some of your dsl users get static IPs and the rest get dynamic, then I'll have to think a bit more about this one. I'm sure there will be a way to do it, you could always call an external program or use rlm_perl to build some logic into it to do this for you. -Dusty Doris
Re: Logging question
Currently I'm using the mysql logging functions of FreeRADIUS and I'm logging two different things: Dial-up customers that log in with just their username (username) DSL Customers that log in with user at domain ([EMAIL PROTECTED]) I'm wondering, how would I get it so that both log the same way, that is, just username, not the suffix @itol.com. Any advice would be great!
Are these the same users? For example bob is the same as [EMAIL PROTECTED] Is that the only domain you serve? If so, use the hints file to automatically change the username for you. This was recommended by Alan a few days ago for a similar question on the list. In hints:
DEFAULT User-Name !~ ".*@"
User-Name := "[EMAIL PROTECTED]"
That will rewrite bob to [EMAIL PROTECTED], if it doesn't contain an @. Then they could do either. However, if you plan on supporting more domains in the future, then I'd start getting them used to @domain now because it will be even more of a struggle if you need to make them start using it later. Plus with an @domain on the username you leave yourself open to more options with realms, proxying, etc.. I am close to finally converting everyone to use realms as our services and domains using radius have grown quite a bit. Having realms makes it a lot easier for us, especially now that we have a dozen ISPs running over our lines. It's been a struggle, especially getting marketing/customer service to let me do it. However, if you don't need realms and probably never will, that config entry will do exactly what you need. -Dusty Doris
Re: IP address assignment
Infusino, Michael - ADP Dataphile wrote: I am using radius to authenticate access from VPN. Would anyone know how to record the IP address the user is assigned after they log in. Michael
How does a little dynamic dns strike you? Make sure to actually read below and the attached scripts and set up a DNS key.
--radiusd.conf-
modules section
exec ddns_update {
    wait = no
    program = "/usr/local/sbin/radius-dns-update.sh"
    input_pairs = request
    packet_type = Accounting-Request
    shell_escape = yes
}
end modules
instantiate section---
ddns_update
---end section
Interesting idea. I like it.
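As an added example (not the radius-dns-update.sh script attached to the post, which is not reproduced here), a Python stand-in for that program. It assumes rlm_exec's convention of exporting the request attributes as environment variables with upper-cased names and '-' replaced by '_' (USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE); the zone vpn.example.net, the TTL and the TSIG key path are constructed values. Everything that comes from the NAS is validated before it is handed to nsupdate.

```python
"""Stand-in for radius-dns-update.sh: turn an Accounting-Request into an
nsupdate batch. Not the script from the list post; zone, TTL and key path
are assumptions."""
import ipaddress
import os
import re
import subprocess
import sys
from typing import Mapping, Optional

ZONE = "vpn.example.net"                   # assumed zone for per-user records
TTL = 300
KEYFILE = "/usr/local/etc/raddb/ddns.key"  # assumed TSIG key file (nsupdate -k)
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def hostname_for(user_name: str) -> Optional[str]:
    """Map a User-Name (with or without @realm) to <label>.<ZONE>.

    The NAS controls User-Name, so anything that is not a clean DNS label
    is rejected instead of being interpolated into the nsupdate batch."""
    label = user_name.split("@", 1)[0].lower()
    if not LABEL_RE.match(label):
        return None
    return f"{label}.{ZONE}"


def build_update(env: Mapping[str, str]) -> Optional[str]:
    """Return the nsupdate command batch for this packet, or None if nothing
    should be sent (status other than Start/Stop, bad IP, bad user name).

    ACCT_STATUS_TYPE is assumed to carry the dictionary name ("Start",
    "Stop", "Interim-Update") as rlm_exec prints it."""
    status = env.get("ACCT_STATUS_TYPE", "")
    name = hostname_for(env.get("USER_NAME", ""))
    if name is None or status not in ("Start", "Stop"):
        return None
    # Always drop the old A record, so a Stop (or a new Start) never leaves
    # a stale user -> address mapping behind.
    lines = [f"zone {ZONE}", f"update delete {name}. A"]
    if status == "Start":
        try:
            ip = ipaddress.ip_address(env.get("FRAMED_IP_ADDRESS", ""))
        except ValueError:
            return None
        if ip.version != 4 or ip.is_unspecified or ip.is_multicast or ip.is_loopback:
            return None
        lines.append(f"update add {name}. {TTL} A {ip}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def main() -> int:
    batch = build_update(os.environ)
    if batch is None:
        return 0
    # nsupdate reads the batch on stdin and signs the update with the TSIG
    # key, so only holders of the key can change the zone.
    proc = subprocess.run(["nsupdate", "-k", KEYFILE], input=batch.encode(), timeout=10)
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main())
```

With wait = no, the module does not block the accounting response on the DNS update, which is why it is safe to put this on the accounting path.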
Re: Multiple instances
Hello there. This is probably a stupid question, but how do I run multiple instances of radiusd on the same machine, listening on different ports? I have two configuration directories: /usr/local/etc/raddb /usr/local/etc/raddb2 which specify ports 1812 and 1813 respectively, so I thought I'd be able to issue the following commands:
1812 is for authentication and 1813 for accounting. So, if you used the port configuration in radiusd.conf and set raddb to 1812, it will automatically use 1813 for accounting.
radiusd -d /usr/local/etc/raddb
radiusd -d /usr/local/etc/raddb2
That is the correct way to do that part.
This doesn't seem to work however, as the second command seems to have no effect, i.e. I see the first radiusd process running but never the second. Can anyone help please?
Probably because you are trying to set port = 1813 on raddb2, which would make it listen to 1813 and 1814 - but 1813 is already taken on raddb. Easiest way to do it is to set raddb with port = 1812 and raddb2 with port = 1645 (1645 and 1646 are the old traditional radius ports. Those are pretty safe to use since a lot of people still run radius on those ports - you'll probably still see it commented out in /etc/services) -Dusty Doris
RE: Microsoft SQL 2000 interface
Thanks. Went to http://www.freeradius.org/development.html#cvs. Made the assumption I need to download CVS. Went there and downloaded it. Came back and executed the command listed on http://www.freeradius.org/development.html#cvs: cvs -d :pserver:[EMAIL PROTECTED]:/source login I entered the password anoncvs and was taken back to the system prompt. Halfway there, now enter the second command listed on that page.
Re: testing freeradius ports
On Thu, 13 Oct 2005, jean wrote: Hi All, I am running freeradius 1.0.5, it seems to start with no errors and listens on the default ports 1812 1813, should I be able to telnet to these ports to check if it accepts connections on them? No, telnet uses tcp.
Re: Microsoft SQL 2000 interface
All, Please help with instructions on how to "download the CVS ver of freeradius" mentioned below. I'm new to Linux. I know how to tar, configure, and make. Don't know how to CVS.
$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
Re: build snapshot on freebsd 5.4-release
Hi, Anyone ever tried building the current snapshot from cvs on freebsd 5.4-release? Tried searching the archive and it seems like this wasn't resolved yet. Anyone? I did it successfully a few weeks ago. I'll give it a shot again next week if I have time.
Re: FreeRADIUS - FreeBSD - Segmentation fault
Just wondering if you've had any luck? I just installed freeradius 1.0.5 from the ports tree (it was finally updated) on a freebsd 5.4 jail and it's starting up for me. I've got to run to a meeting now, but I will be testing it later with actual data. -Dusty
Re: Which Operating System is best for freeRADIUS
Building my FR server, I have the choice of a number of operating systems for my FreeRADIUS server. Anybody with a suggestion which operating system is best suited for FR? I like to run FR on a VPS (virtual private server) using one of the following OS:
- FreeBSD 4.9 (jail)
- FreeBSD 5.2 (jail)
- Fedora 2 (virtuozza)
- Redhat AS3 (virtuozza)
- Redhat 9.0 (virtuozza)
- CentOS 4.0 (virtuozza)
Thanks! Gunther
I think they all would work fine. I myself prefer freebsd, specifically 5.4. I am running it on standalone freebsd 5.4 servers in production and am in the process of setting a few up in jails in my lab. I really like the jails in freebsd, they are so easy to use. If you need any tips with it, email me off-list. I've got a couple jails set up right now running openldap.
Re: What's Up Gold and Freeradius
Good morning Mr. DeKok: Thank you for your reply. Could you please tell me what I need to do to correct this issue? Which file do I have to fix?
clients.conf is where you put the shared secret for the client to use. So, either fix the shared secret there to match your client, or change the client to match the secret listed there.
- Original Message - From: "Alan DeKok" <[EMAIL PROTECTED]> To: "FreeRadius users mailing list" Sent: Monday, October 03, 2005 6:29 PM Subject: Re: What's Up Gold and Freeradius
"Linda Pagillo" <[EMAIL PROTECTED]> wrote:
Mon Oct 3 10:22:44 2005 : Auth: Login incorrect: [TEST/L\200\212\3101\215\277&\320\350\345\373\351\201\031\215] (from client old port 0)
The shared secret on the RADIUS client is wrong. Alan DeKok.
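An added example, not code from the thread, showing why a secret mismatch shows up as the "Login incorrect" line above with a password of \200\212... bytes. It implements the RFC 2865 User-Password hiding (each 16-octet block XORed with MD5(secret + previous block), the first block keyed off the Request Authenticator) and then decodes the same octets with the right and a wrong secret; secret, password and authenticator are constructed values.

```python
"""RFC 2865 User-Password hiding, and what a wrong shared secret does to it.
Added example; values are constructed."""
import hashlib

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: zero-pad to a multiple of 16 octets, then XOR
    block i with MD5(secret + c[i-1]); c[-1] is the Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret the MD5 keystream differs,
    so every block decodes to pseudo-random octets; no error is raised, which is
    why the server can only log the garbage and say "Login incorrect"."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], key))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")


def log_form(raw: bytes) -> str:
    """Render octets the way the Auth log shows them: printable ASCII as-is,
    anything else as a backslash and three octal digits (\\200, \\212, ...)."""
    return "".join(chr(c) if 32 <= c < 127 and c != 0x5C else "\\%03o" % c for c in raw)


def diagnose(hidden: bytes, authenticator: bytes, secret: bytes):
    """Decode with a candidate secret; return (looks_like_text, log rendering).
    Non-printable octets in a PAP password are the fingerprint of a secret
    mismatch between the NAS and clients.conf, not of a wrong password."""
    plain = reveal_password(hidden, secret, authenticator)
    return all(32 <= c < 127 for c in plain), log_form(plain)


if __name__ == "__main__":
    # Constructed: the NAS and the server disagree by one character.
    nas_secret, server_secret = b"testing123", b"testing124"
    authenticator = bytes(range(16))  # random per request in real traffic
    on_wire = hide_password(b"hunter2", nas_secret, authenticator)
    print("right secret:", diagnose(on_wire, authenticator, nas_secret))
    print("wrong secret:", diagnose(on_wire, authenticator, server_secret))
```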
Re: FreeRADIUS - FreeBSD - Segmentation fault
a few things would be nice to know to maybe localize the problem further: Are you running FreeBSD 5.4-Release or 5.4-Stable? Which MySQL version are you running and have you compiled it with native threads or with linuxthreads?
I installed freebsd 5.4-release and then updated the source about one week ago with the following:
cvsup standard-supfile (tag=RELENG_5_4)
cd /usr/src
make buildworld
make buildkernel KERNCONF=mykernel (didn't change much in the kernel)
-added options SMP
-added device CARP
-removed all cpu except I686_CPU
-changed ident
make installkernel KERNCONF=mykernel
reboot
mergemaster -p
make installworld
mergemaster
reboot
I installed everything except freeradius from ports with all the defaults (eg: make install clean)
# pkg_info -Ea
bash-3.0.16_1
cvsup-without-gui-16.1h_2
gdbm-1.8.3_1
gettext-0.14.5
gmake-3.80_2
libiconv-1.9.2_1
libltdl-1.5.20
libtool-1.3.5_2
libtool-1.5.20
mysql-client-4.1.14
mysql-server-4.1.14
openssh-portable-4.2.0.0,1
perl-5.8.6_2
# uname -a
FreeBSD radsql1.soc.int 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Tue Sep 27 14:14:11 EDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/carp i386
Installed freeradius last from source simply doing ./configure --prefix=/usr/local/freeradius105. My radiusd.conf is very stripped down. Basically this machine's only purpose is to do radius accounting to mysql, so almost everything is commented out or blank (such as users). However, I did test authentication with it briefly with an out of the box configuration, only modifying the sql.conf username/password and uncommenting all instances of sql in radiusd.conf. Hope that is helpful. If you have any more questions, fire away. -Dusty
Re: FreeRADIUS - FreeBSD - Segmentation fault
On Mon, 3 Oct 2005, Alan DeKok wrote: "Christian Meutes" <[EMAIL PROTECTED]> wrote: are there any new findings in context to the problem with FreeRADIUS(rlm_sql_mysql?) > 1.0.4 under FreeBSD? I have just tested it with FreeBSD5.4-Release and FreeRADIUS out of the ports and the problem still exists: I don't have access to a FreeBSD box, so I can't track down the problem. I did have access to one for a while, and found a bug which is fixed in 1.0.5. That *should* have fixed the problem, but it appears to still be there. Alan DeKok.
Just an FYI. I just put into production late last night two freeradius 1.0.5 servers running on freebsd 5.4, which are using rlm_mysql. They are set up only as accounting servers. I have all my other radius servers sending the accounting data over to them. I have not seen any issues in my testing in the lab or today in production with these machines. I will be setting up another instance of it in our lab next week to mirror production, so if I run into any problems I'll let you all know and maybe I can get Alan or whomever temporary access to that machine to check it out. But so far, I just haven't seen any problems. -Dusty Doris
Re: How can i tell which version of freeradius i'm running?
radiusd -v check the radiusd manpage for more info on startup flags On Thu, 29 Sep 2005, Linda Pagillo wrote: Linda Pagillo Director of Technical Services N2 The Net, LLC [EMAIL PROTECTED] 931-372-9179
Re: LDAP and groups
Hello there, I have a small problem. And I read the documentation. And I can't find what's wrong. I have a corporate LDAP with users and groups. Each group is a "groupOfUniqueNames", with "uniquemember". In the user definition, no group definition is set. I need to authenticate members of a certain group, and not of another ... Every doc I read mentions that you have to create an attribute "per user" ... Any other way?
I chose to do groups per user with the radiusgroupname attribute, which is in the ldap_howto. However, you don't have to do it that way. Try reading radiusd.conf in the ldap section under the default groupmembership_filter. Or read doc/rlm_ldap. If you are trying that and not having success, then post your debug output.
Re: Bus error - core dumped on freeradius 1.0.5
and I still get segfaults. (I have built freeradius 1.0.5 from source / FreeBSD 5.4-RELEASE-p6) Just in case this helps at all, here is my pkg_info and uname -a.
# pkg_info
bash-3.0.16_1 The GNU Project's Bourne Again SHell
cvsup-without-gui-16.1h_2 General network file distribution system optimized for CVS
gdbm-1.8.3_1 The GNU database manager
gettext-0.14.5 GNU gettext package
gmake-3.80_2 GNU version of 'make' utility
libiconv-1.9.2_1 A character set conversion library
libltdl-1.5.20 System independent dlopen wrapper
libtool-1.3.5_2 Generic shared library support script (1.3)
libtool-1.5.20 Generic shared library support script (1.5)
mysql-client-4.1.14 Multithreaded SQL database (client)
mysql-server-4.1.14 Multithreaded SQL database (server)
openssh-portable-4.2.0.0,1 The portable version of OpenBSD's OpenSSH
perl-5.8.6_2 Practical Extraction and Report Language
# uname -a
FreeBSD radacctm.lab.soc.int 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #0: Tue Sep 27 14:14:11 EDT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/carp i386
Re: Bus error - core dumped on freeradius 1.0.5
It sounds strange because the unmodified radiusd.conf does not have authentication, authorization or accounting enabled for sql. I followed your instructions, and rlm_sql_mysql is not started because it has not been enabled in radiusd.conf.
You're correct. I copied files I thought were original, but they had already been modified.
What does your working radiusd.conf look like in the following sections:
- authorize
- authenticate
- preacct
- accounting
- session
This time I did copy the original files over to the raddb dir. I then modified sql.conf and changed the username/password to match my user. I then opened radiusd.conf and uncommented every instance of sql. Then I fired it up and it started fine and made the 5 sql connections. No need for me to post the configs because they are exactly the same as out of the box, except that I uncommented sql in authorize, accounting, session, and post-auth. I have no idea what could be wrong at this point. What version of mysql are you running? Can you start mysql and query it from the command line?
Re: Bus error - core dumped on freeradius 1.0.5
It sounds strange because the unmodified radiusd.conf does not have authentication, authorization or accounting enabled for sql. I followed your instructions, and rlm_sql_mysql is not started because it has not been enabled in radiusd.conf. Hmmm, maybe I didn't copy the right files over. I'll do it again and post my configs as well.
Re: Questions about upgrading Freeradius
That's a perfect example of something that you'd find in testing, but might end up spending all night fighting if you just go and make the change.
On Wed, 28 Sep 2005, Paolo Rotela wrote: One thing I came across when upgrading from 0.9.3 to 1.0.5 is that the "default" allowed characters for sql queries changed. I used [ and ] in my usernames, so the result after the upgrade was that my accounting records were set with the mime-equivalent of [ and ]. I had to add these characters as allowed ones in sql.conf
- Original Message - From: "Linda Pagillo" <[EMAIL PROTECTED]> To: "FreeRadius users mailing list" Sent: Wednesday, September 28, 2005 3:01 PM Subject: Re: Questions about upgrading Freeradius
Thanks Dusty, I know you were just kidding with me and that's cool :) I'm just having a bad day hehe. So what I would have to do is set up freeradius 0.9.3 on a different system and then upgrade it as a test and if everything goes well I should do it on my production system?
- Original Message - From: "Dusty Doris" <[EMAIL PROTECTED]> To: "FreeRadius users mailing list" Sent: Wednesday, September 28, 2005 12:50 PM Subject: Re: Questions about upgrading Freeradius
I was just giving you a hard time. It's a little longer of a process, but it will definitely save you a lot of time and more importantly a lot of stress if you do run into issues. BTW - I am in the process of replacing all our radius servers here too. So far, I've had no issues with configurations moving between .9 or .93 and 1.0.5. My setup is pretty simple here though. Good Luck with the upgrade. -Dusty Doris
On Wed, 28 Sep 2005, Linda Pagillo wrote:
> I wish you had my job too because I'm about fed up with this crap.. Anyway, thanks for the reply, I'll do it.
> - Original Message - From: "Dusty Doris" <[EMAIL PROTECTED]> To: "FreeRadius users mailing list" Sent: Wednesday, September 28, 2005 11:48 AM Subject: Re: Questions about upgrading Freeradius
>> You consider that much work? I wish I had your job!
>> :)
>> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>>> Thanks for your reply. Is it really this much work to do a simple upgrade? Is there a shortcut?
>>> - Original Message - From: "Dusty Doris" <[EMAIL PROTECTED]> To: "FreeRadius users mailing list" Sent: Wednesday, September 28, 2005 9:58 AM Subject: Re: Questions about upgrading Freeradius
>>>> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>>>>> Hi everyone:
>>>>> I have been using Freeradius v.0.9.3 for over a year and I wish to upgrade to the latest version. Can anyone give me detailed instructions on how to do this? I use Freeradius in a production environment and I can't afford to mess it up. I'm running Linux RedHat 9. Do I just do a ./configure, make and make install like I did the first time? If yes, won't that overwrite all of my current config files? Thanks!
>>>> First, I would recommend setting up a lab machine (you can do it on your workstation if you need to) to test that your configs work correctly with the new version. It's probably backward compatible, but I wouldn't just blindly upgrade on production and hope for the best.
>>>> Then you could compile freeradius with --prefix. This will put all configurations, binaries, etc.. into a certain directory. For example:
>>>> ./configure --prefix=/usr/local/freeradius1.0.5
>>>> make
>>>> make install
>>>> When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change your files to make it work like it did in testing. Shutdown the current radius version and start up the new one with /usr/local/freeradius1.0.5/sbin/radiusd -X and see if it's working. If so, modify your startup scripts to point to the new version instead of the old.
Re: Questions about upgrading Freeradius
No need to install .9.3. I'd just install 1.0.5 on another system (or on the same system, but in a different directory with --prefix) and then modify all the config files so it has the setup you currently use on .9. Then make sure it works. I doubt it, but perhaps you'll find that some configuration you have in radiusd.conf in .9 isn't compatible with 1.0.5 and you need to find a new way to declare the same functionality. Or maybe you need to use some switch to configure to enable a module you are using that was previously auto-detected. I predict you'll find that it's a smooth transition, but it's just good practice to test it all out before you go and modify your production system.

On Wed, 28 Sep 2005, Linda Pagillo wrote:
> Thanks Dusty, I know you were just kidding with me and that's cool :) I'm just having a bad day hehe. So what I would have to do is set up freeradius 0.9.3 on a different system and then upgrade it as a test, and if everything goes well I should do it on my production system?
Re: Questions about upgrading Freeradius
I was just giving you a hard time. It's a little longer of a process, but it will definitely save you a lot of time and, more importantly, a lot of stress if you do run into issues.

BTW - I am in the process of replacing all our radius servers here too. So far, I've had no issues with configurations moving between .9 or .93 and 1.0.5. My setup is pretty simple here though.

Good luck with the upgrade.

-Dusty Doris

On Wed, 28 Sep 2005, Linda Pagillo wrote:
> I wish you had my job too because I'm about fed up with this crap.. Anyway, thanks for the reply, I'll do it.
Re: Questions about upgrading Freeradius
You consider that much work? I wish I had your job! :)

On Wed, 28 Sep 2005, Linda Pagillo wrote:
> Thanks for your reply. Is it really this much work to do a simple upgrade? Is there a shortcut?
Re: Questions about upgrading Freeradius
On Wed, 28 Sep 2005, Linda Pagillo wrote:
> Hi everyone:
>
> I have been using Freeradius v.0.9.3 for over a year and I wish to upgrade to the latest version. Can anyone give me detailed instructions on how to do this? I use Freeradius in a production environment and I can't afford to mess it up. I'm running Linux RedHat 9. Do I just do a ./configure, make and make install like I did the first time? If yes, won't that overwrite all of my current config files? Thanks!

First, I would recommend setting up a lab machine (you can do it on your workstation if you need to) to test that your configs work correctly with the new version. It's probably backward compatible, but I wouldn't just blindly upgrade on production and hope for the best.

Then you could compile freeradius with --prefix. This will put all configurations, binaries, etc. into a certain directory. For example:

./configure --prefix=/usr/local/freeradius1.0.5
make
make install

When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change your files to make it work like it did in testing. Shut down the current radius version and start up the new one with /usr/local/freeradius1.0.5/sbin/radiusd -X and see if it's working. If so, modify your startup scripts to point to the new version instead of the old.
Re: rlm_perl
> Could someone show me how to process an access-accept via rlm_perl? The example in the script example.pl still causes an access-reject no matter what I try.

That isn't enough information, except to tell you to return a proper value such as RLM_MODULE_OK. Please post debug output.
Re: Bus error - core dumped on freeradius 1.0.5
Forgot to follow up. I moved all my configurations out and loaded up all the original unmodified files in my raddb dir. I only modified sql.conf and changed the username/password for the SQL table. Everything else was left as is - out of the box. It all worked fine. Freeradius started up using the mysql module and I was able to send accounting packets and auth packets to it.

On Tue, 27 Sep 2005, Richard Cotrina wrote:
> Have you enabled rlm_sql_mysql in radiusd.conf and sql.conf? How do your config files look? If rlm_sql_mysql is not enabled, the freeradius daemon works without problem for me.
Re: Bus error - core dumped on freeradius 1.0.5
Yep. FreeBSD 5.4-RELEASE-p7

/usr/local/freeradius105/sbin/radiusd -v
radiusd: FreeRADIUS Version 1.0.5, for host , built on Sep 27 2005 at 11:31:35

Clip from startup and handling a packet. The config file is very stripped down right now. I'll fire one up later today with the default setup to see if that works too.

rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Listening on accounting *:1813
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1:54936, id=90, length=32
        User-Name = "test"
        Acct-Status-Type = Start
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute NAS-IP-Address was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'User-Name = "test"'
rlm_acct_unique: Acct-Unique-Session-ID = "c62495cf388d0bb3".
  modcall[preacct]: module "acct_unique" returns ok for request 0
  modcall[preacct]: module "files" returns noop for request 0
modcall: group preacct returns ok for request 0
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', 'c62495cf388d0bb3', 'test', '', '', '', '', '2005-09-27 14:33:54', '0', '0', '', '', '', '0', '0', '', '', '', '', '', '', '', '0')'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module "sql" returns ok for request 0
modcall: group accounting returns ok for request 0
Sending Accounting-Response of id 90 to 127.0.0.1:54936
Finished request 0
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 90 with timestamp 43399092
Nothing to do.  Sleeping until we see a request.

On Tue, 27 Sep 2005, Richard Cotrina wrote:
> Have you enabled rlm_sql_mysql in radiusd.conf and sql.conf? How do your config files look? If rlm_sql_mysql is not enabled, the freeradius daemon works without problem for me.
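The debug output above shows radiusd receiving an Accounting-Request with id=90 and length=32 carrying just User-Name and Acct-Status-Type. The following is an added example (written for this page, not code from FreeRADIUS or from the poster) that builds exactly that packet, decodes it back into the shape radiusd -X prints, and checks the accounting Request Authenticator the way a server must (RFC 2866: MD5 over the packet with a zeroed authenticator, followed by the shared secret). The shared secret and the packet itself are constructed for the example; the post does not show a secret.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4

# Attribute types from RFC 2865/2866 that appear in the packet above.
USER_NAME = 1
ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1

# The shared secret is an assumption for this example; the post does not show one.
SECRET = b"testing123"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS AVPs: type, length, value."""
    out = bytearray()
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Decode AVPs, refusing bad lengths instead of reading past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return attrs


def accounting_request(ident, attrs, secret):
    """Build an Accounting-Request (RFC 2866): the Request Authenticator is
    MD5(code + id + length + 16 zero bytes + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secret):
    """True only if the header length matches and the authenticator checks out."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def describe(packet):
    """Decode header and attributes into the shape radiusd -X prints."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    names = {USER_NAME: "User-Name", ACCT_STATUS_TYPE: "Acct-Status-Type"}
    attrs = {}
    for atype, value in decode_attrs(packet[20:length]):
        name = names.get(atype, "Attr-%d" % atype)
        if atype == ACCT_STATUS_TYPE and len(value) == 4:
            status = struct.unpack("!I", value)[0]
            attrs[name] = {ACCT_STATUS_START: "Start"}.get(status, str(status))
        else:
            attrs[name] = value.decode("utf-8", "replace")
    return {"code": code, "id": ident, "length": length, "attrs": attrs}


# Constructed sample: the same packet the debug output above shows (id=90, length=32).
EXAMPLE = accounting_request(90, [(USER_NAME, "test"),
                                  (ACCT_STATUS_TYPE, ACCT_STATUS_START)], SECRET)

if __name__ == "__main__":
    print(describe(EXAMPLE))
    print("authenticator valid:", verify_accounting_request(EXAMPLE, SECRET))
    print("with wrong secret:", verify_accounting_request(EXAMPLE, b"wrong"))
```

The 32-byte length falls out of the arithmetic: a 20-byte header plus two 6-byte AVPs. The acct_unique warnings in the log are the flip side of the same packet: with no NAS-IP-Address, NAS-Port or Acct-Session-Id present, the unique session ID is hashed from User-Name alone, so every session for that user would collide in radacct.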
Re: Bus error - core dumped on freeradius 1.0.5
I just installed freeradius 1.0.5 on FreeBSD 5.4 and I am not having problems with rlm_sql_mysql. I just started it up and used it for testing an accounting packet. I haven't tried authentication, but I don't think that should matter.

How did you build it? Since the port is still on 1.0.4, I'm assuming it was from source?

Here is what I did. First I installed mysql. I use the port in /usr/ports/databases/mysql41-server. Then I installed freeradius from /usr/ports/net/freeradius first to get all the dependencies. These include libtool, gmake, gdbm, libltdl. Then I did a make deinstall on that port and built freeradius from source using only ./configure --prefix.

On Tue, 27 Sep 2005, Richard Cotrina wrote:
> segmentation fault when rlm_sql_mysql is enabled (bug 271), happens both in FreeBSD 4.X and FreeBSD 5.X.
>
> - Original Message -
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list"
> Sent: Tuesday, September 27, 2005 12:08 AM
> Subject: Re: Bus error - core dumped on freeradius 1.0.5
>
>> "Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
>>> So.. do I need to upgrade to 5.X in order to use FR 1.0.5 ??
>>
>> For MySQL, perhaps. Or, find out what's causing the problem in FreeBSD 4.x, and fix it. It doesn't happen on other platforms, so I suspect it's an issue specific to FreeBSD 4.x.
>>
>> Alan DeKok.
Re: Multiple LDAPS
> Hi, I was wondering if there's a way to look for users in different LDAP trees and/or servers depending on the suffix (@something) in the login. If it's possible, could someone show me the config? Thanks in advance.

Sure. First you need to define two ldap configs in radiusd.conf. Instead of just having ldap {, you define ldap and then a name for each instance and include all the config entries under it.

ldap ldap1 {
        server = ...
        basedn = ...
        ...
}

ldap ldap2 {
        ...
}

Then in the authorize section you do this.

authorize {
        Autz-Type ldap1 {
                ldap1
        }
        Autz-Type ldap2 {
                ldap2
        }
}

Then in authenticate, you do

authenticate {
        Auth-Type ldap1 {
                ldap1
        }
        Auth-Type ldap2 {
                ldap2
        }
}

Now, in the users file you can specify which to use based on the realm. Make sure you enable the suffix module to use the suffix for realms.

DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1
DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2
DEFAULT Auth-Type := Reject

The users file is parsed top to bottom. In this instance, say a username comes over as [EMAIL PROTECTED]. It will match on the first line and will then use your settings in ldap1 for authorization and authentication. By default you will not fall through to any other rules. A user comes in with [EMAIL PROTECTED]; it will not match the first and will fall through to the second line. There it will match and use ldap2. A user comes in with [EMAIL PROTECTED]; it will not match the first two and hit the last rule, which will reject the user. Of course you could do something else at this point and maybe make it hit a different type of authentication for other realms if you'd like.

You can read more in doc/Autz-Type.
Re: Wireless authentication
> We have a customer oriented wireless network and we are trying to build a central authentication system for it, so that we can add and easily control customer radios from one location. What types of authentication should we be using? What should be avoided? Any experiences to share?

I would use a backend such as mysql or ldap. Either would work great for something like this.

> Additionally, would we be able to route traffic to a captive page if the customer is placed on hold or doesn't have an account yet? I suppose that's more of a Mikrotik list question, but I'm just asking in case anyone knows.

I use the Cisco SSG/SESM solution. The SSG is set up as the next hop for the customers. It then figures out whether that IP address has been authorized yet. If not, it redirects all traffic to the SESM server. The SESM server is merely a web front-end that displays information such as how long you've been active, what services you are subscribed to, and whether or not you need to log in. If you need to log in, it presents a login page for you and then sends your username/password to a radius server for authentication. When you are authorized and authenticated, it can then redirect you back to the page you originally requested if you want, and that IP now has an open connection to the Internet.

This solution is based on IP address, so that removes the ability to use APs that provide NAT. You need to set them up as a bridge so each user can pull a different IP. However, all authentication is centralized, which makes it easy to administer.

I've also looked at other solutions, where the AP would run NAT/PAT and then have its own SESM type of login page for the users that are connected to it. You can configure those to talk RADIUS, so you can still centralize user management. The downside of that is that you have more smart devices out in the field to troubleshoot and you need to punch a bunch of holes in your firewalls to allow radius traffic from each device.

I personally prefer a centralized system. I know there are a lot of less expensive solutions out there as well; I'm sure someone on the list has other ideas.
Re: how to return multiple attributes from ldap?
On Tue, 9 Aug 2005, kevin wrote:
> What? So, should I change the ldap attribute values with "+="???
> Any other way?

Yep, it works. I did a test. With this DN only one Filter-Id was returned.

dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
objectClass: radiusprofile
userPassword:: ZHVzdHl0ZXN0
radiusGroupName: dial
radiusGroupName: adsl
uid: dustytest
radiusFilterId: filter1
radiusFilterId: filter2

Received response ID 210, code 2, length = 59
        Framed-Routing = None
        Framed-IP-Netmask = 255.255.255.0
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Filter-Id = "filter1"

With this DN, both were returned (note there were no quotes in it - that didn't work).

dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
objectClass: radiusprofile
userPassword:: ZHVzdHl0ZXN0
radiusGroupName: dial
radiusGroupName: adsl
uid: dustytest
radiusFilterId: += filter1
radiusFilterId: += filter2

Received response ID 214, code 2, length = 68
        Framed-Routing = None
        Framed-IP-Netmask = 255.255.255.0
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Filter-Id = "filter1"
        Filter-Id = "filter2"
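Why the plain values produce one Filter-Id and the "+=" values produce two comes down to the operator that rlm_ldap reads off the front of each LDAP value before turning it into a reply item. The following is an added example (not the poster's code and not rlm_ldap itself) that models that step: a value with no operator is treated as "=" (add only if the attribute is not already in the reply), ":=" replaces, and "+=" appends. The attribute map and the LDAP entries are constructed for the example, and the quoted form from the earlier guess in this thread is included to show why it did not work.

```python
import re

# Constructed LDAP-to-RADIUS mapping in the shape of rlm_ldap's attrmap file.
ATTRMAP = {
    "radiusFilterId": "Filter-Id",
    "radiusFramedIPNetmask": "Framed-IP-Netmask",
}

# An operator may lead the LDAP value; anything else is a literal value.
_OP_RE = re.compile(r"^\s*(:=|\+=|==|!=|=)\s*(.*)$")


def split_operator(raw, default="="):
    """Return (operator, value). A value that does not start with an operator
    gets the default, which for reply items is '=' (add if absent)."""
    m = _OP_RE.match(raw)
    if m:
        return m.group(1), m.group(2).strip()
    return default, raw.strip()


def apply_item(reply, attr, op, value):
    """Apply one item to the ordered reply list with users-file semantics."""
    if op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))
    elif op == "=":
        if not any(a == attr for a, _ in reply):
            reply.append((attr, value))
    # "==" and "!=" are check operators and never produce reply items.


def reply_from_entry(entry, attrmap=ATTRMAP):
    """Build the reply list from an LDAP entry given as {attribute: [values]}."""
    reply = []
    for ldap_attr, values in entry.items():
        radius_attr = attrmap.get(ldap_attr)
        if radius_attr is None:
            continue
        for raw in values:
            op, value = split_operator(raw)
            apply_item(reply, radius_attr, op, value)
    return reply


if __name__ == "__main__":
    # Constructed entries mirroring the two tests in the post above.
    plain = {"radiusFilterId": ["filter1", "filter2"]}
    added = {"radiusFilterId": ["+= filter1", "+= filter2"]}
    quoted = {"radiusFilterId": ['"+= filter1"', '"+= filter2"']}
    for name, entry in (("plain", plain), ("added", added), ("quoted", quoted)):
        print(name, "->", reply_from_entry(entry))
```

One consequence worth keeping in mind: because the operator is parsed out of the directory value, whoever can write radiusFilterId (or any mapped attribute) on a user's entry also controls how it is merged into the reply, so keep those attributes writable only by the RADIUS administrators.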
Re: how to return multiple attributes from ldap?
I think so, let me see if I can find a test machine around here and try it. I might need that some day too.

On Tue, 9 Aug 2005, kevin wrote:
> What? So, should I change the ldap attribute values with "+="???
> Any other way?
>
> kevin
Re: how to return multiple attributes from ldap?
> Hi
>
> How can I return multiple ldap attributes which have the same name?
> For example, I want to get the 'Filter-ID' list from ldap.
> Any idea?
>
> Kevin

I believe you have to put them in ldap with the += value in it.

For example,

radiusFilterId: "+= something"
radiusFilterId: "+= somethingelse"

I can't remember the exact syntax, perhaps someone else can help.
Re: Freeradius - LDAP Authenication
> server (running on another machine). I have the vpn talking successfully to
> freeradius, but I cannot get the onward connection to the LDAP to work. I
> have validated that the server running freeradius is able to talk to the
> ldap by using ldapsearch.
>
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0
> rlm_ldap: bind as cn=account mgr/* to 198.100.0.18:389
> rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't contact LDAP server
> rlm_ldap: (re)connection attempt failed

This is pretty clear that it cannot connect. What does your ldapsearch command look like? Perhaps you have the wrong port or IP in your config? What does telnet 198.100.0.18 389 show you?
RE: ldap basedn assignment
> The above problem line should be:
> rlm_ldap: bind as uid=username, ou=People, dc=university,dc=edu,c=us/test123 to openldap.university.edu:1744
> However, it is taking the userdn from the AD server which gave the first authorize ok. What I need is for it to attempt to authenticate with the appropriate userdn depending on which server it is authenticating to. So it would use the userdn from AD authenticating to the AD server and the openldap userdn when authenticating to the openldap server.

I see what is happening, that's a tough one. You are passing both authorization modules since the username is the same for your search filter. Then it tries to bind with the first DN that passed the authorization, but that is the incorrect DN since you want to use the openldap version of that user.

The easiest method to work around this right away is if there is something coming in the packet that will tell you whether this should be an AD or openldap user. If that's the case, then you can make a rule specifying which Autz-Type and Auth-Type to use.

For example, say all AD users come from a NAS-IP of 1.1.1.1 and all openldap users come from a NAS-IP of 1.1.1.2. In the users file:

DEFAULT NAS-IP-Address == 1.1.1.1, Autz-Type := ldap1, Auth-Type := ldap1
DEFAULT NAS-IP-Address == 1.1.1.2, Autz-Type := ldap2, Auth-Type := ldap2
DEFAULT Auth-Type := Reject

That would get you what you want. Note that it doesn't have to be NAS-IP; you can go off any radius attribute that is consistently in those auth requests.

However, if there is nothing identifying whether it should be an AD lookup vs an openldap lookup, then it's going to be harder. (I think - although I don't know the internals, so a developer could answer this better.) The overlap of the names makes it hard. Are these actually different users with the same RDN, or are they the same user that exists in both AD and openldap? I'd have to think about this a bit based on your answer to see if I can think of anything.
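Both the "Multiple LDAPS" answer and the one above rely on the same mechanism: the users file is walked top to bottom, and the first entry whose check items all match supplies the Autz-Type and Auth-Type for the request. The following is an added example (not FreeRADIUS code, not the posters' code) that models that selection for the check forms used in the two answers, Realm and NAS-IP-Address, plus the realm split the suffix module performs. The users-file text and the requests are constructed for the example, and the model deliberately leaves out Fall-Through and multi-line reply items, so it only shows the first-match rule the answers describe.

```python
import re

# Constructed users-file text combining both answers' entries and a catch-all.
USERS_FILE = r'''
DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1
DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2
DEFAULT NAS-IP-Address == 1.1.1.1, Autz-Type := ldap1, Auth-Type := ldap1
DEFAULT NAS-IP-Address == 1.1.1.2, Autz-Type := ldap2, Auth-Type := ldap2
DEFAULT Auth-Type := Reject
'''

# One item: Attribute operator value (value may be double-quoted).
_ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|=~|:=|\+=|=)\s*("[^"]*"|\S+)\s*')


def parse_users(text):
    """Parse single-line entries: NAME followed by comma separated items.
    '==' and '=~' are check items; ':=', '+=' and '=' are control/reply items."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], parts[1] if len(parts) > 1 else ""
        checks, controls = [], []
        for item in (i for i in rest.split(",") if i.strip()):
            m = _ITEM_RE.fullmatch(item)
            if not m:
                raise ValueError("cannot parse item %r" % item)
            attr, op, val = m.groups()
            target = checks if op in ("==", "=~") else controls
            target.append((attr, op, val.strip('"')))
        entries.append((name, checks, controls))
    return entries


def split_realm(request):
    """What the suffix module does: user@realm -> Stripped-User-Name and Realm."""
    req = dict(request)
    name = req.get("User-Name", "")
    if "@" in name:
        req["Stripped-User-Name"], req["Realm"] = name.rsplit("@", 1)
    return req


def check_matches(check, request):
    attr, op, val = check
    actual = request.get(attr)
    if actual is None:
        return False          # a check on an attribute that is absent never matches
    if op == "==":
        return str(actual) == val
    return re.search(val, str(actual)) is not None   # op == "=~"


def select_entry(entries, request):
    """First entry whose check items all pass wins; no Fall-Through in this model."""
    req = split_realm(request)
    for name, checks, controls in entries:
        if name != "DEFAULT" and name != req.get("User-Name"):
            continue
        if all(check_matches(c, req) for c in checks):
            return {attr: val for attr, _op, val in controls}
    return None  # nothing matched: the files module returns noop


if __name__ == "__main__":
    rules = parse_users(USERS_FILE)
    for req in ({"User-Name": "bob@somerealm.com"},
                {"User-Name": "bob", "NAS-IP-Address": "1.1.1.2"},
                {"User-Name": "bob@somerealm.com", "NAS-IP-Address": "1.1.1.2"},
                {"User-Name": "bob@nowhere.org"}):
        print(req, "->", select_entry(rules, req))
```

The third request in the demo is the case to watch when both kinds of entry live in one file: a user with a somerealm.com suffix arriving from 1.1.1.2 is sent to ldap1 because the Realm entry sits above the NAS-IP-Address entry, so order the entries by which attribute you trust more. Keep the Auth-Type := Reject line last, since any entry placed below it can never be reached.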
Re: Authentication problem
On Wed, 3 Aug 2005, Hamid Salim wrote:
> On Wed, 3 Aug 2005, Hamid Salim wrote:
>> radutmp: check_with_nas = yes
>> radutmp: perm = 384
>> radutmp: callerid = yes
>> Module: Instantiated radutmp (radutmp)
>> Listening on authentication *:1812
>> Listening on accounting *:1813
>> Listening on proxy *:1814
>> Ready to process requests.
>
> Dusty's response:
> You need to figure out why your NAS is not sending radius packets to the radius server.
> Check your network connections, your firewall rules, etc..
>
> My question:
> I am not using a NAS (as I understand), also I am not using Radius accounting. I am trying to use FreeRadius solely for authentication. What is check_with_nas = yes used for? Do I need to change this???

I was using NAS in the generic sense. You are using a radius client that should be sending radius authentication to the radius server. However, either it's not sending that auth to the server, or it's being blocked by a firewall, or it can't route to it due to your network setup. That's all I'm getting at.

Regardless of accounting or not, you aren't seeing radius packets hit your radius server. That's where the problem is. check_with_nas has nothing to do with it.

A tcpdump on the radius server could tell you if perhaps you are sending packets from your radius client to port 1645 of the server, but you have radius set up to listen on port 1812 on the server. Other than that, the problem is somewhere on your network or in a firewall rule.