Re: how to get linelog() to see packet-types other than access-request

2013-05-09 Thread Jeff Smith
Phil Mayers,

Thanks very much for your help on this!

Jeff


On Wed, May 8, 2013 at 3:42 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 08/05/2013 20:09, Jeff Smith wrote:

 Hello,

 I've got a freeradius server 2.2.0 configured to process requests, and
 now I'd like to add some logging that would look something like this:

 Wed May  8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC
 address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11

 I actually have that working, but would like for linelog to also log a
 line for packet types access-challenge, access-accept, and


 Can't easily be done for Access-Challenge I'm afraid. The server doesn't
 pass them through post-auth.

  access-reject.  My /opt/freeradius/etc/raddb/modules/linelog has:


 The easiest way is to define another instance of the linelog module, and
 use Response-Packet-Type in the format of the 2nd module, and call that
 in any response sections. If this offends your sensibilities, you can
 wrap the two linelog modules in a policy like so:

 policy {
   mylog.authorize {
     linelog1
   }
   mylog.post-auth {
     linelog2
   }
 }

 ...then call mylog. This can be useful for other reasons e.g. using
 unlang to format attributes before calling the linelog module, and is what
 we do.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

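As an added example of the two-instance approach Phil describes (this is not a file from the thread or from the FreeRADIUS distribution): one linelog instance keyed on Packet-Type for the authorize side, a second keyed on Response-Packet-Type for the post-auth side, and a policy wrapper so the virtual server calls a single name. The instance names, the log file name and the message texts are my choices; the attribute list mirrors Jeff's format above. As Phil notes, Access-Challenge is not passed through post-auth in 2.2.0, so the response-side instance only ever fires for Access-Accept and Access-Reject.

```conf
# raddb/modules/linelog  (FreeRADIUS 2.2.x)
# Two instances, both appending to one file so the audit trail stays
# chronological. 0600: the file holds usernames and MAC addresses.

linelog linelog_request {
	filename = ${logdir}/linelog-auth
	permissions = 0600
	group = ${security.group}

	# "format" is the fallback key when Packet-Type has no entry below.
	format = "%t %{Packet-Type} for %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
	reference = "%{%{Packet-Type}:-format}"

	Access-Request = "%t Access-Request for %{User-Name} from MAC address (Calling-Station-Id) %{Calling-Station-Id} NAS %{NAS-Identifier}"
}

linelog linelog_response {
	filename = ${logdir}/linelog-auth
	permissions = 0600
	group = ${security.group}

	# Keyed on the reply code, which is what post-auth can see.
	format = "%t %{Response-Packet-Type} for %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
	reference = "%{%{Response-Packet-Type}:-format}"

	Access-Accept = "%t Accepted access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
	Access-Reject = "%t Rejected access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
}

# raddb/policy.conf
# "mylog" resolves to mylog.authorize when called from authorize and to
# mylog.post-auth when called from post-auth (including Post-Auth-Type
# REJECT), so the same name can be used everywhere.
policy {
	mylog.authorize {
		linelog_request
	}
	mylog.post-auth {
		linelog_response
	}
}

# raddb/sites-enabled/default  (only the relevant lines)
authorize {
	preprocess
	mylog
	# ... rest of the section unchanged ...
}

post-auth {
	mylog
	# Rejects run this sub-section instead of the main body, so the
	# policy must be called here as well or rejects are never logged.
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		mylog
	}
}
```

If the same policy is also called from sites-enabled/inner-tunnel, every EAP inner round trip is logged as its own line in addition to the outer request and its final reply; leave it out of inner-tunnel if one line per outer exchange is what is wanted.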

how to get linelog() to see packet-types other than access-request

2013-05-08 Thread Jeff Smith
Hello,

I've got a freeradius server 2.2.0 configured to process requests, and now
I'd like to add some logging that would look something like this:

Wed May  8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC
address (Calling-Station-Id) 84-3a-4b-0c-46-44 NAS lwsn-b143-wism2-11

I actually have that working, but would like for linelog to also log a line
for packet types access-challenge, access-accept, and access-reject.  My
/opt/freeradius/etc/raddb/modules/linelog has:

reference = "%{%{Packet-Type}:-format}"

#
#  Followed by a series of log messages.
Access-Request = "%t %{Packet-Type} for %{User-Name} from MAC address (Calling-Station-Id) %{Calling-Station-Id} NAS %{NAS-Identifier}"
Access-Reject = "Rejected access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
Access-Challenge = "Sent challenge: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"
Access-Accept = "Accepted access: %{User-Name} Calling-Station-Id=%{Calling-Station-Id} NAS=%{NAS-Identifier}"

That is, slight changes from the examples given.

I've added calls to linelog to the following sections in
sites-enabled/default and sites-enabled/inner-tunnel:
authorize
authenticate
preacct
accounting
post-auth

Re: how to get linelog() to see packet-types other than access-request

2013-05-08 Thread Jeff Smith
Argh.  Please accept my apologies -- I accidentally sent the previous
message before I had finished composing it.

Jeff

Re: your mail

2012-10-10 Thread Jeff Smith
Andrew,

It appears that the problem is in your perl script:

 ++[perl] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject 

You need to fix your script.  You can run it by hand with perl -d to
see how it behaves, or insert print statements in it, etc., until it
works the way it should.

Jeff



Re: Configuring rlm_counter for gigaword

2012-07-18 Thread Jeff Wark
I'm not sure what rlm_counter is, but the documentation for regular 
accounting states:


*snip*
Modify FreeRADIUS Queries

Secondly, modify the accounting queries in sql.conf to make the SQL 
database perform the computation that is required to merge the two 
values sent as attributes by the NAS into one single 64-bit integer 
stored in the database.


All occurrences of '%{Acct-Input-Octets}' need to be replaced with:
'%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}'

The same thing needs to be done for '%{Acct-Output-Octets}':
'%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}'
*snip*

Found at http://wiki.freeradius.org/FAQ#Common-problems-and-their-solutions

Also, the database table must be able to hold the larger values.

On 7/17/2012 10:59 PM, jobhunt...@aol.com wrote:

I want to use the Acct-Output-Gigawords attribute along with the 
Acct-Output-Octets to keep track of traffic in an rlm_counter that can exceed 
the 32-bit integer limitation. It looks like the counter will take only one 
count-attribute.  How can I use both of these attributes in a single counter?





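To show where the wiki's substitution actually lands, here is a complete stop query with the two octet assignments rewritten. This is an added example in the MySQL dialect with the stock radacct column names, not a file from this thread, from Jeff Wark's 2010 question further down the page (which quotes the same wiki text) or from the FreeRADIUS distribution. In 2.x the queries live in sql/mysql/dialup.conf, which sql.conf includes.

```conf
# sql/mysql/dialup.conf (included from sql.conf), FreeRADIUS 2.x
# Only the two octet assignments differ from a 32-bit-only query: the
# shift and OR run inside the database, so the full 64-bit value is
# assembled from the two 32-bit RADIUS attributes the NAS sent.
# ':-0' substitutes zero when a NAS omits the Gigawords attribute,
# which is the normal case for sessions that moved under 4 GiB.
accounting_stop_query = " \
	UPDATE ${acct_table2} SET \
		acctstoptime       = '%S', \
		acctsessiontime    = '%{Acct-Session-Time}', \
		acctinputoctets    = '%{Acct-Input-Gigawords:-0}'  << 32 | '%{Acct-Input-Octets:-0}', \
		acctoutputoctets   = '%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}', \
		acctterminatecause = '%{Acct-Terminate-Cause}', \
		acctstopdelay      = '%{Acct-Delay-Time:-0}' \
	WHERE acctsessionid    = '%{Acct-Session-Id}' \
	AND   username         = '%{SQL-User-Name}' \
	AND   nasipaddress     = '%{NAS-IP-Address}'"
```

The same two substitutions belong in accounting_update_query, since Interim-Update packets carry the split counters too. Before enabling this, confirm the target columns can hold the result: `SHOW COLUMNS FROM radacct LIKE 'acct%octets'` should report bigint(20); an INT column silently truncates anything above 4 GiB, which is the symptom the original poster is trying to avoid.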


Re: EAP-TTLS-PAP-LDAP

2012-06-12 Thread jeff donovan

On Jun 12, 2012, at 9:06 AM, akkouche wrote:

 how to put the parameters in which files, to set up the TTLS / PAP ?

greetings,
way too many options out there. keep reading.

use the Default FreeRadius + ldap module, ensure ssh is in order.
-j


Re: Address already in use but server is not running

2012-05-28 Thread jeff donovan

On May 28, 2012, at 5:29 PM, Michael Aldridge wrote:

 I recently had to install debian 6.0 on one of my servers after a hard drive 
 crash, and while I had freeradius running before, I can't seem to get it 
 running now.
 
 I ran sudo apt-get install freeradius and hit enter to accept the additional 
 packages, and I also installed dialup admin with the intention of getting to 
 it after getting freeradius running, but now I am running into trouble with 
 starting freeradius.  The install completed without errors, but running sudo 
 ./freeradius -X produces the following:
 
 
 Failed binding to authentication address * port 1812: Address already in use 
 /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
 
 
 I can post the full contents of the debug dump, but this appears to be the 
 only point at which an error is encountered.  I am quite sure that there is 
 not an instance already running, so I don't know what else could be using the 
 port.  Any ideas?

ps aux | grep free

or

ps ax | grep radius

check for the process already running. 

kill -9 PID

then start radius in debug mode.
/usr/sbin/freeradius -X

you probably have one started manually and one from init.d, and they are 
arguing over port access.
-j


Re: multiple ldap servers::solved::

2012-05-06 Thread jeff donovan

On May 5, 2012, at 5:09 AM, Alan DeKok wrote:

 jeff donovan wrote:
 I made two changes. and it worked.,.. not sure if it the best syntax, but 
 it's the first time I got both systems to call back.
 
 authorize {
 
  ldap1
  if (notfound) {
  ldap2 
  }
 
  This is OK.
 
  if (reject) {
  ldap2
  }
 
  This doesn't do anything.  If ldap1 rejects the user (which it won't
 in the authorize section), then it will *immediately* return reject.
 i.e. the if reject line won't be reached.

You are correct. An authorize section would not return reject. I removed it and 
things work fine.

 
 
 authenticate {
 
  Auth-Type LDAP {
  ldap1{
  reject = 1
  ok = return
  }
  ldap2 {
  reject = 1
  ok = return
  }
  }
 
  This is wrong, too.  You've forced Auth-Type := LDAP somewhere in
 your config.

The config I'm using is stock Ubuntu, which has a few default includes. 
radiusd.conf specifies;
$INCLUDE ${confdir}/modules/
i have a file in modules called ldap. Located in this file are two ldap servers 
entries.
#
ldap ldap1 {
	server = "ldap1.example.com"
	basedn = "cn=users,dc=ldap1,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	#
	edir_account_policy_check = no
	#ldap_debug = 0x0028
}
ldap ldap2 {
	server = "ldap2.example.com"
	basedn = "cn=users,dc=ldap2,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	#
	edir_account_policy_check = no
	#ldap_debug = 0x0028
}
  You could instead use set_auth_type in the modules/ldap
 configuration.  It's recommended to *not* use it, but it's fine here.
 
  Then, just do:
 
 authenticate {
   ...
   ldap1
   ldap2
   ...
 }

--- oof okay.

authenticate {

	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

	digest
#	pam
	unix
	ldap1
	ldap2
	eap
}

Yes, totally works!
My bad, I thought I had to set the Auth-Type, similar to some of the other 
configs.


 
  If the ldap1 module finds the user, it sets Auth-Type = ldap1.
 And the same for ldap2.
 
  This means that there are fewer queries to ldap1 in the authenticate
 phase.  That's nice.
I'm into that. Thanks for the help. Hopefully my stumbles will aid someone in 
the future.
-j

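Putting the pieces of this thread together, here is the configuration it converged on: two rlm_ldap instances, an authorize section that falls through to ldap2 only when ldap1 returns notfound, and an authenticate section that lists both instances bare so each binds only for the users it found. This is an added example assembled from the snippets above, not a file posted in the thread or shipped with FreeRADIUS; the hostnames and base DNs are the placeholders Jeff used. Alan's caveat stands: set_auth_type is generally discouraged, but is what makes this scheme work. The fail handling goes one step beyond what the thread settled, answering Jeff's question about fail with the same `code = priority` override he already used for reject.

```conf
# raddb/modules/ldap  (FreeRADIUS 2.x)
# set_auth_type = yes is the module default and is spelled out because
# the whole scheme rests on it: the instance that finds the user during
# authorize sets Auth-Type to its own instance name (ldap1 or ldap2),
# so only that instance is asked to bind during authenticate.
ldap ldap1 {
	server = "ldap1.example.com"
	basedn = "cn=users,dc=ldap1,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	dictionary_mapping = ${confdir}/ldap.attrmap
	set_auth_type = yes
}

ldap ldap2 {
	server = "ldap2.example.com"
	basedn = "cn=users,dc=ldap2,dc=example.com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	dictionary_mapping = ${confdir}/ldap.attrmap
	set_auth_type = yes
}

# raddb/sites-enabled/default
authorize {
	preprocess
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}
	files

	# Not "redundant { ldap1 ldap2 }": redundant only moves on when a
	# module returns fail (server unreachable). A user missing from
	# ldap1 is notfound, not fail, so redundant stops at ldap1.
	#
	# By default a fail ends the authorize section; "fail = 1" lets it
	# continue so ldap2 is consulted when ldap1 is down as well as
	# when ldap1 simply has no entry for the user.
	ldap1 {
		fail = 1
	}
	if (notfound || fail) {
		ldap2
	}
	# No "if (reject)": rlm_ldap does not return reject from authorize,
	# and a reject would have ended the section before reaching it.

	expiration
	logintime
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	digest
	unix

	# No "Auth-Type LDAP { }" wrapper. Listed bare, each instance runs
	# only for requests whose Auth-Type equals its own name, so the bind
	# for a user found on ldap2 goes to ldap2 and never to ldap1.
	ldap1
	ldap2

	eap
}
```

Check it the way Jeff did, with `freeradius -X`: for a user that exists only on ldap2 the debug should show `[ldap1] returns notfound`, `[ldap2] Setting Auth-Type`, and then a bind against ldap2.example.com only; if the bind is still attempted against ldap1 the Auth-Type is being forced somewhere else in the configuration.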

multiple ldap servers

2012-05-04 Thread jeff donovan
Greetings

I'm new to radius but have been reading.

I have a freeradius server running on ubuntu 11, my users file is an ldap 
server which works great. My question is,

How can I search an alternate LDAP server for user credentials?
If the first LDAP search fails try the next server in line. 

I found some documentation-
* http://freeradius.org/radiusd/doc/ldap_howto.txt  does not mention a second 
server.
* http://freeradius.org/radiusd/doc/configurable_failover explains the redundant 
setup for sql accounting. 

So far I tried adding the second ldap server; its info is read during module 
load, no errors. The problem is, only one of the ldap systems contains the 
correct info. So one WILL fail and the other will pass. 
With that being said, how do I configure my server to pass if either system 
returns ok? Currently it will fail even if one LDAP system returns good.

authorize {

	preprocess
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}

	files

	redundant {
		ldap1
		ldap2
	}

	expiration
	logintime
	pap

#	Autz-Type Status-Server {
#
#	}
}

authenticate {

	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

	digest

	#
	#  Pluggable Authentication Modules.
#	pam
	unix

	Auth-Type LDAP {
		ldap1
		ldap2
	}

	eap

#	Auth-Type eap {
#		eap {
#			handled = 1
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the updated code from attr_filter
#		}
#	}
}


Any Assistance would be helpful.
-j


Re: multiple ldap servers

2012-05-04 Thread jeff donovan

On May 4, 2012, at 10:14 AM, Alan DeKok wrote:

 jeff donovan wrote:
 I'm new to radius but have been reading.
 
  That's always positive.
 
 how can i search and alternate LDAP server for user credentials ?
 If the first LDAP search fails try the next server in line. 
 
  Do you mean fail or notfound?  They're different...

True, I will probably come across both.

 
 I found some documentation-
 * http://freeradius.org/radiusd/doc/ldap_howto.txt  does not mention a
 second server.
 *http://freeradius.org/radiusd/doc/configurable_failover explains the
 redundant setup for sql accounting. 
 
  See also man unlang.  It explains this in more detail.
k tnx-more reading :)
 
 so far I tried adding the second ldap server, it's info is read during
 module load -- no errors. The problem is,.. only one of the ldap systems
 contains the correct info. So one WILL fail and the other will pass. 
 with that being said,.. How do i configure my server to Pass if either
 system returns  ok  ? currently it will fail even if one LDAP system
 returns good.
 
  That's because you're using a "redundant" block.  It treats "notfound"
 as "LDAP server is still up", and it doesn't fail over to the next one.
 Because there was no failure!
 
 authorize {
 ...
redundant {
 ldap1
 ldap2
}
 
  Change that to:
 
   ldap1
   if (notfound) {
   ldap2
   }
 
  And it will work.
 

Thanks for the reply. Can I really use if/then/else? 
With that said, I should be able to apply the same for fail?
I'll post more when I adjust my settings and try with notfound, then I'll 
try with fail.

-j


Re: multiple ldap servers

2012-05-04 Thread jeff donovan

On May 4, 2012, at 10:14 AM, Alan DeKok wrote:

 snip
 authorize {
 ...
redundant {
 ldap1
 ldap2
}
 
  Change that to:
 
   ldap1
   if (notfound) {
   ldap2
   }
 
  And it will work.

Greetings, I read the unlang pages.

I modified my Authorize section, and you are correct, the user is found on 
ldap1 or checks the next server.

Now it seems to be sticking on the first reject in the Authenticate section.

here is what I have;

authenticate {

	Auth-Type LDAP {
		ldap1
		if (reject) {
			ldap2
		}
	}
}

I have also tried

	Auth-Type LDAP {
		ldap1
		ldap2
	}


in this case if the credentials do not exist on ldap1 everything stops. 

here is my debug;

[ldap1] performing user authorization for drfoo
[ldap1] expand: %{Stripped-User-Name} -> 
[ldap1] ... expanding second conditional
[ldap1] expand: %{User-Name} -> drfoo
[ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap1] expand: cn=users,dc=ldap1,dc=example.com -> cn=users,dc=ldap1,dc=example.com
  [ldap1] ldap_get_conn: Checking Id: 0
  [ldap1] ldap_get_conn: Got Id: 0
  [ldap1] performing search in cn=users,dc=ldap1,dc=example.com, with filter (uid=drfoo)
  [ldap1] object not found
[ldap1] search failed
  [ldap1] ldap_release_conn: Release Id: 0
++[ldap1] returns notfound
++? if (notfound)
? Evaluating (notfound) -> TRUE
++? if (notfound) -> TRUE
++- entering if (notfound) {...}
[ldap2] performing user authorization for drfoo
[ldap2] expand: %{Stripped-User-Name} -> 
[ldap2] ... expanding second conditional
[ldap2] expand: %{User-Name} -> drfoo
[ldap2] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=drfoo)
[ldap2] expand: cn=users,dc=ldap2,dc=example.com -> cn=users,dc=ldap2,dc=example.com
  [ldap2] ldap_get_conn: Checking Id: 0
  [ldap2] ldap_get_conn: Got Id: 0
  [ldap2] performing search in cn=users,dc=ldap2,dc=example.com, with filter (uid=drfoo)
[ldap2] No default NMAS login sequence
[ldap2] looking for check items in directory...
  [ldap2] userPassword -> Password-With-Header == 
[ldap2] looking for reply items in directory...
[ldap2] Setting Auth-Type = LDAP
[ldap2] user drfoo authorized to use remote access
  [ldap2] ldap_release_conn: Release Id: 0
+++[ldap2] returns ok
++- if (notfound) returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Failed to decode Password-With-Header = 
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap1] login attempt by drfoo with password XxXxXxX
[ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX to ldap1.example.com:389
  [ldap1] waiting for bind result ...
  [ldap1] Bind failed with invalid credentials
++[ldap1] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}




Re: multiple ldap servers

2012-05-04 Thread jeff donovan

On May 4, 2012, at 3:58 PM, Tobias Hachmer wrote:

 On 04.05.2012 21:05, jeff donovan wrote:
 Found Auth-Type = LDAP
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group LDAP {...}
 [ldap1] login attempt by drfoo with password XxXxXxX
 [ldap1] user DN: uid=drfoo,cn=users,dc=ldap2,dc=example.com
  [ldap1] (re)connect to ldap1.example.com:389, authentication 1
  [ldap1] bind as uid=drfoo,cn=users,dc=ldap2,dc=example.com/XxXxXxX
 to ldap1.example.com:389
  [ldap1] waiting for bind result ...
  [ldap1] Bind failed with invalid credentials
 ++[ldap1] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group REJECT {...}
 
 OK, so what happened here? The ldap bind has failed! That's not the failure 
 message that the user you want to authenticate has wrong credentials.
 Be sure you configured the ldap modules correctly or send the whole radiusd 
 -X debug output.

Greetings,

Sorry, I snipped the bottom off; I didn't think it relevant since nothing happened 
after it tried to auth on ldap1.

Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - drfoo
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 158 to 10.135.1.15 port 65478
Waking up in 4.9 seconds.
Cleaning up request 2 ID 158 with timestamp +22
Ready to process requests.

and that is correct. The user does not exist on LDAP1, his records are on 
LDAP2, which it finds, but it tries to auth against ldap1 (which will fail). I 
need it to step to ldap2.

I thought the result code was "reject", so under authenticate: if the result of 
ldap1 = reject, try ldap2.

	Auth-Type LDAP {
		ldap1
		if (reject) {
			ldap2
		}
	}





Re: multiple ldap servers::solved::

2012-05-04 Thread jeff donovan

On May 4, 2012, at 7:40 PM, jeff donovan wrote:

 snip
 
 and that is correct. The user does not exist on LDAP1, his records are on 
 LDAP2, which it finds, but it trys to auth against ldap1 ( which will fail ). 
 I need it to step to ldap2

Greetings,

I made two changes and it worked. Not sure if it's the best syntax, but it's 
the first time I got both systems to call back.

authorize {

	ldap1
	if (notfound) {
		ldap2
	}
	if (reject) {
		ldap2
	}
}

authenticate {

	Auth-Type LDAP {
		ldap1 {
			reject = 1
			ok = return
		}
		ldap2 {
			reject = 1
			ok = return
		}
	}
}



works very well.
thanks for your assistance 

-j





Re: Authentication problems

2012-04-16 Thread Jeff Donovan

On Apr 16, 2012, at 11:51 AM, pessimist wrote:

 Found Auth-Type = CHAP
 +- entering group CHAP {...}
 [chap] login attempt by ABC with CHAP password
 [chap] Using clear text password 123 for user ABC authentication.
 [chap] Password check failed
 ++[chap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject]   expand: %{User-Name} - ABC
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds

Greetings,

Your output looks similar to mine. I recently set up a bunch of Mac computers 
using 802.1X with HP/3Com switches. 
Try connecting with a flat-file username and password; bypass SQL for now. Verify 
RADIUS works with MD5/LEAP, else set the switch to EAP and pass tickets.
-j


Re: FreeRADIUS EAP-TLS Lookup Client Cert From LDAP DIT

2011-11-21 Thread Jeff Doyle
This does help greatly, thanks Phil.



On Oct 15, 2011, at 4:41 AM, Phil Mayers wrote:

 On 10/14/2011 10:43 PM, subcon wrote:
 I've searched for this sort of posting, but found issues unrelated that
 responded to my search string, so I decided to post it here.
 
 OK, currently I have Radius authenticating LDAP users via PAP.  Works great.
 
 Imagine I want to store x509 certificate data (specifically a client
 certificate) in an attribute in LDAP (perhaps as a binary attribute, etc).
 
 I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
 a user/pass, to take the DN of the cert and match it to some attribute which
 contains said DN and cert-data.
 
 Ok. It's been a while since I looked at this, but IIRC there is some special 
 search/attribute syntax support in (some) LDAP servers for X.509 certs in the 
 DIT.
 
 
 The ultimate goal of all of this is to allow the continued use of LDAP and
 store the certificates (to be compared against) in the tree and not on some
 filesystem basis.
 
 Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but
 only as a secondary fall-back (e.g: customer doesn't have client cert
 installed on machine, but has a user and password).
 
 Is this possible? Does this make sense to you? Let me know if I need to
 re-explain anything.
 
 I think it should be possible.
 
 First, ensure you're running the most recent version of FreeRADIUS. When 
 you've done that, you will have two options:
 
 1. You can examine the TLS-Client-Cert-Subject variable in a FreeRADIUS 
 unlang policy, and possibly use this to query your LDAP server via LDAP xlat. 
 For example:
 
 authorize {
    ...
    eap
    if (TLS-Client-Cert-Subject) {
      # we've done enough EAP-TLS to know the client cert
      update request {
        Tmp-String-0 := "%{ldap:ldap:///basedn?cn?sub?certsubject=%{TLS-Client-Cert-Subject}}"
      }
      if (Tmp-String-0) {
        # cert was found in LDAP
        ok
      }
      else {
        reject
      }
    }
 }
 
 However, I'm not certain the TLS-* attributes (see sites-available/default in 
 a recent version of the server) are available in the authorize section - I 
 have a feeling they are only present in post-auth, by which time it's too 
 late to reject them, so...
 
 2. Use the "verify" config of the "tls" module under "eap", and use an 
 external script to perform the check against LDAP. For example:
 
  eap {
    tls {
      verify {
        client = "/path/to/script %{TLS-Client-Cert-Filename}"
      }
    }
  }
 
 ...then your script can use the (temporary) file given in the 1st argument to 
 query against LDAP.
 
 Hope this helps.
 
 Cheers,
 Phil
 
 
 Thank you,
 
 subcon
 




Re: FreeRADIUS EAP-TLS Lookup Client Cert From LDAP DIT

2011-11-21 Thread Jeff Doyle

On Oct 15, 2011, at 12:41 PM, Alan DeKok wrote:

 subcon wrote:
 Imagine I want to store x509 certificate data (specifically a client
 certificate) in an attribute in LDAP (perhaps as a binary attribute, etc). 
 
  That's outside of the scope of FreeRADIUS.

Obviously.  I had not actually said the word FreeRADIUS nor RADIUS at that time 
yet.

 
 I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
 a user/pass, to take the DN of the cert and match it to some attribute which
 contains said DN and cert-data.   
 
  That's possible.  See raddb/sites-available/default in recent
 releases.  Look for the TLS-* comments in the post-auth section.
 
 The ultimate goal of all of this is to allow the continued use of LDAP and
 store the certificates (to be compared against) in the tree and not on some
 filesystem basis. 
 
  That's thinking about it wrong.  You don't compare certificates.
 You verify certificates against a CA.  You check certificates against a
 revocation list.

Lets assume I do.  I never said this was going to be by the book.  

 
 Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but
 only as a secondary fall-back (e.g: customer doesn't have client cert
 installed on machine, but has a user and password).
 
  For what kind of system?  Wireless, or wired?

This is for authentication for systems that already use Radius for these things 
(currently works via PAP - LDAP).  These are Linux servers people log into via 
one or more protocols, and do not involve wireless APs or anything like that.

 
 Is this possible? Does this make sense to you? Let me know if I need to
 re-explain anything. 
 
  You need to correct your thinking and your vocabulary.  Certificates
 don't work the way you seem to think.

Certificates will work the way I tell them to.  I have done things similar 
(without involving Radius) for some unusual systems I work on.  In this case, 
perhaps I should have referred to them as pseudo-certificates, wherein it's just 
a REALLY long password that is presented from the client-end via file instead 
of being entered like a normal password.

I really liked Phil Mayers reply, gave me a few good ideas on where to start.

Thanks to you both


J

 
  Alan DeKok.




Re: Freeradius process crash receiving answers from Microsoft NPS Server

2011-11-12 Thread Jeff Doyle
Stop the freeradius process and then run freeradius in debug mode



Do:

/etc/init.d/freeradius stop

and then

freeradius -Xx

Freeradius will now be in debug mode in the FOREGROUND (not daemon/background)

Attempt your authentication from MS Radius

Observe the log output from your foreground session.

Reply to this thread with output (copy/paste).  We can then analyze the 
freeradius-specific output and possibly discern your problem(s) .

Thanks



On Nov 12, 2011, at 1:35 PM, IT Support wrote:

 Good afternoon
 
 I'm a newbie with freeradius and I'm trying to configure a RADIUS
 proxy server that forwards to a Microsoft NPS RADIUS server.
 
 I have an Enterasys C3 switch that sends auth requests to my
 FreeRADIUS. If the request is to authenticate a MAC, FR authenticates locally, but
 if the request is to authenticate a Windows user (EAP), FR forwards the
 request to the Microsoft NPS RADIUS server.
 
 I use Debian 6.0 and the debian package of FR (version is 2.1.10).
 
 The problem is that when the Microsoft RADIUS server returns an accept
 packet, the freeradius server process dies. But if the answer is
 reject, the process works properly.
 
 When the process dies, only appears in the syslog the following line:
 
 November 11 16:20:35 debian-radius kernel: [2380.591594] freeradius[1749]: segfault at 3934c708 ip b76fd497 sp b5ae4970 error 4 in libfreeradius-radius-2.1.10.so[b76ec000+1e000]
 
 Can anyone help me?
 
 Sorry for my poor English.
 
 Best greetings
 
 Toni
 




Re: Is there a definitive config guide for installing 1.1.7 on Solaris 10

2010-07-13 Thread Jeff Smith
On Tue, 2010-07-13 at 09:49 +0200, Alan DeKok wrote: 
 Update the Solaris dynamic linker path to include the path where the
 modules were installed.  It's some magic Solaris command, and I forget
 which one...

The solaris command to use to add new locations for the loader is
crle(1).  Carefully reading the manual page is a good idea.

He can use ldd(1) to see which libraries can't be found, as in:

ldd /path/to/freeradius

He can also use something like:

truss -fae -vall /path/to/freeradius

to see exactly where and why it's dumping core.

Jeff
-- 
Jeff Smith jeff.m.sm...@gmail.com



incorrect static ip sometimes

2010-05-24 Thread Jeff Stockett
 I'm using CentOS 5.4 and freeradius1.3 with a mysql backend with a redback
se800 access device. Nearly everything has been working great, but I have a
problem periodically, where DSL modems will receive the wrong static IP. 
It appears that if a customer power cycles their DSL modem, the modem
comes back up before the redback has realized the previous session has
ended , but instead of just failing, freeradius is giving another static
IP (like the next free one it finds in same static range).  Do I need to
configure simultaneous use and if so how do I get it to check the redback
(I couldn't find any mibs for that model) or is this maybe a problem with
freeradius1.3 that could be fixed by upgrading to freeradius2???  Any
advice would be appreciated!

 Thanks,  Jeff


rlm_eap: SSL error error on Start Up, Compile question

2010-05-19 Thread Jeff Stout

I am trying to install FreeRadius 2.1.8, on my initial package build I ran into 
issues with lintian
Running Ubuntu with 2.6.24-27-server kernel

dpkg-buildpackage -d -b -uc ( I had to use the -d option as I received 
dependency errors)

...
dh_installman
dh_lintian
/bin/bash: dh_lintian: command not found
make[1]: *** [binary-common] Error 127
make[1]: Leaving directory `/usr/local/freeradius'
make: *** [binary-arch] Error 2
dpkg-buildpackage: failure: debian/rules binary gave error exit status 2

I modified the /usr/local/freeradius/debian/rules and removed the dh_lintian 
reference under the binary-common target. Is dh_lintian REQUIRED for freeradius to 
compile and operate correctly?

I recompiled my debian package with no errors, then installed freeradius. I need 
to use RADIUS with my backend LDAP database; we are configuring 802.1X for all of our 
LAN switches.

dpkg -i freeradius-common_2.1.8+git_all.deb
dpkg -i libfreeradius2_2.1.8+git_i386.deb
dpkg -i freeradius_2.1.8+git_i386.deb
dpkg -i freeradius-ldap_2.1.8+git_i386.deb
dpkg -i freeradius-dialupadmin_2.1.8+git_all.deb

then when I start freeradius I get an error for rlm_eap and SSL this is when it 
is Instantiating the eap-tls Module.

rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
rlm_eap_tls: Error reading certificate file /etc/freeradius/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/freeradius/eap.conf[17]: Instantiation failed for module eap
/etc/freeradius/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/etc/freeradius/sites-enabled/inner-tunnel[176]: Errors parsing authenticate 
section.

under my certs directory I do not have a server.pem certificate (how do I 
generate it?)

ls /etc/freeradius/certs/demoCA/index.txt.dpkg-bak  serial.dpkg-bak


Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /etc/freeradius/certs/server.pem
certificate_file = /etc/freeradius/certs/server.pem
CA_file = /etc/freeradius/certs/ca.pem
private_key_password = whatever
dh_file = /etc/freeradius/certs/dh
random_file = /etc/freeradius/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /etc/freeradius/certs/bootstrap
cache {
enable = no
lifetime = 24
max_entries = 255

any assistance with this is greatly appreciated.

Thank You
Jeff Stout
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: free NAS ?

2010-05-06 Thread Jeff Voskamp

On 05/06/2010 01:27 PM, John McDonnell wrote:

On May 6th, 2010 at 1:09 PM, Randal Carpenter wrote:
Try openfiler, at http://www.openfiler.com/, it emulates both SAN and NAS
equipment.

On Thu, May 6, 2010 at 5:56 AM, VU VAN HUNG vanhung2...@gmail.com wrote:

Hi all,
I just wonder whether there is any open source software that has the same
functionality as a Network Access Server?
Because I see that there's Asterisk, which is like a PBX.
Best,
Hung,

There's always FreeNAS as well... http://freenas.org/freenas

Wrong NAS - those ones are Network Attached Storage, not Network Access
Server.


Dang TLA overload.

Jeff


Modifying FreeRADIUS queries [from the wiki]

2010-03-11 Thread Jeff Wark

I apologize if this is a trivial question, but I cannot find an explanation 
regarding my specific question.

I have seen the following entry in the wiki regarding taking into account 
Gigawords:

*snip*
Modify FreeRADIUS Queries

Secondly, modify the accounting queries in sql.conf to make the SQL database perform the computation that is required to merge the 
two values sent as attributes by the NAS into one single 64-bit integer stored in the database.


All occurrences of '%{Acct-Input-Octets}' need to be replaced with:
'%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}'

The same thing needs to be done for '%{Acct-Output-Octets}':
'%{Acct-Output-Gigawords:-0}' << 32 | '%{Acct-Output-Octets:-0}'
*snip*

I understand the left shifting of the Gigawords value and the subsequent 'or'-ing of the Acct-Input-Octets value to produce one 
64-bit value.  The part that confuses me is the repeated occurrence of the ':-0' at the end of each variable.  What is the purpose 
of this?  I have seen it on other pages used with other variable substitutions.  I have also seen the above Gigawords entry done 
without the ':-0' [only once though].  I would rather understand the purpose behind the entry rather than blindly copying it.


If there is a wiki page or FAQ entry that I have missed regarding this syntax, 
I would love to know about it.

Thanks for the input.

-Jeff Wark
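An added example, not from the wiki or from the post above: a small Python emulation of the FreeRADIUS `%{Attribute:-default}` expansion and of the 64-bit merge, showing what the `:-0` buys when a NAS omits Acct-Input-Gigawords (many send it only once the counter has wrapped). The regex and the constructed accounting attributes are this example's own, not server code.

```python
import re

# Matches %{Attribute-Name} or %{Attribute-Name:-default}; nested defaults
# such as %{Stripped-User-Name:-%{User-Name}} are out of scope here.
XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}")


def expand(template, attrs):
    """Expand %{Attr} / %{Attr:-default} against a dict of request attributes.

    A missing attribute becomes the default given after ':-', otherwise the
    empty string, which is the case the wiki's ':-0' guards against.
    """
    def repl(match):
        name, default = match.group(1), match.group(2)
        if name in attrs:
            return str(attrs[name])
        return default if default is not None else ""
    return XLAT.sub(repl, template)


# The wiki's expression, with and without the ':-0' default.
WITH_DEFAULT = "'%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}'"
NO_DEFAULT = "'%{Acct-Input-Gigawords}' << 32 | '%{Acct-Input-Octets}'"


def split_counter(total_octets):
    """NAS side: split a 64-bit byte count into the two 32-bit RADIUS
    attributes (Acct-Input-Gigawords, RFC 2869, carries the high 32 bits).
    Gigawords is left out when it is zero, as many NASes do, so the server
    side has to cope with its absence."""
    attrs = {"Acct-Input-Octets": total_octets & 0xFFFFFFFF}
    high = total_octets >> 32
    if high:
        attrs["Acct-Input-Gigawords"] = high
    return attrs


def merge_counter(attrs):
    """Server side: the 64-bit value the SQL expression is meant to store."""
    gigawords = int(attrs.get("Acct-Input-Gigawords", 0))
    octets = int(attrs.get("Acct-Input-Octets", 0))
    return (gigawords << 32) | octets


if __name__ == "__main__":
    # Constructed samples: a 5 GiB session (Gigawords present) and a
    # 5000-byte session (Gigawords absent).
    for total in (5 * 1024 ** 3, 5000):
        attrs = split_counter(total)
        print(attrs)
        print("  with :-0    :", expand(WITH_DEFAULT, attrs))
        print("  without :-0 :", expand(NO_DEFAULT, attrs))
        print("  merged      :", merge_counter(attrs))
```

For the small session the second form expands to `'' << 32 | '5000'`, an empty literal the database has to guess at, while the first form expands to `'0' << 32 | '5000'`.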


RE: Allowing user from one realm but not another

2010-02-15 Thread Jeff A
Ok, I figured I goofed something up. Been looking at this so long, I am
making big mistakes.


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Monday, February 15, 2010 3:15 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

Jeff A wrote:
 I am using cistron compat to accommodate my userfile inputted by rodopi

  I'd really suggest using the FreeRADIUS features.  Ask rodopi to fix
their product.

 I have tried adding the ! and : symbol in the above line (makes no
 difference)

  Uh... I tried random things and they didn't work.

  That's not the way to solve the problem.  See man users for
*documentation* on how it works.

 Also have tried the realm item as a check item, quote, and no options with
 same results
 If a check item its placed on same line as username etc but still no go as
 below example
 
 dialuptest  Password = secret Realm = foo.net, Auth-Type = Reject

  That is wrong on a number of points.

  I think you're really not clear on how the users file works.  Read
the documentation for it, and then go back and read my earlier message.
 The line above does NOT match my message.  Therefore, it's wrong.

  Alan DeKok.


RE: Allowing user from one realm but not another

2010-02-15 Thread Jeff A
Ok, good news, I got it to work. New day, less tired, and man what an idiot I
was.

I have a question though.

Freeradius can look at more than one users file. What is the syntax to allow
it to read another, and where do I place the entry for it?

I am wanting to do this so I can convert to complete realm names for the
users, but since there are so many users with different realms the process
is going to take a while, so I need the program to see both entries so there
will be a match till the process is completed. If I placed them in the same
file then they would be overwritten.

Thanks
And
Thanks so much for the help on the realm issue

Jeff




RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A
Because I was never sure how to keep 'em off the other realm.
They should all be stuck on the realm I put 'em on.

-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Sunday, February 14, 2010 2:43 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

Jeff A wrote:
 I have three different realms users can login with
 
 For examples they are (foo.net, bar.net, beg.net)

  Are all users valid on all realms?  If so, why?

 Say bi...@foo.net mailto:bi...@foo.net has abused the foo.net realm
 now I need him solely on the beg.net and disallowing the other two
 realms. In other words reject him before if he trys to use the old realm
 again. In other words I want to allow only billy to use this one new
 realm and be rejected if he trys another realm.

  Then you need a rule specifically for that user.

 This has to take place I figure in preproxy, cause my users file is
 authenticated minus the realm in proxy..

  You can still access the Realm attribute in the users file:

bob Realm != foo.net, Auth-Type := Reject

  Alan DeKok.


RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A
I strip the realm off because the backend billing that creates the users file
is rodopi, and all users from that have no realm, just the username.


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Fajar A. Nugraha
Sent: Sunday, February 14, 2010 6:32 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

On Sun, Feb 14, 2010 at 6:18 PM, Jeff A je...@globalco.net wrote:
 Because I was never sure how to keep em off the other realm.
 They should all be stuck on realm I put em on

I assume you want it for all users, instead of just one user?
It'd be a lot easier if you don't strip the realm. Any particular
reason why you do that?

-- 
Fajar


RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A
Your idea is best.
I think I will modify, but as a workaround till I get a chance to get
everything turned around I will use Alan's example.

My question is this:
Can his example contain more than one realm to reject between the quotes?

bob Realm != foo.net, Auth-Type := Reject

Jeff

-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Fajar A. Nugraha
Sent: Sunday, February 14, 2010 9:04 AM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another

On Sun, Feb 14, 2010 at 8:23 PM, Jeff A je...@globalco.net wrote:
 I strip the realm off cause backend billing that creates the users file is
 rodopi, and

So how would you know which user is supposed to be in which realm if
the backend doesn't supply that?
If it were me, I'd modify the billing program to create users with
realm. Also, I'd use database backend to store users.

But hey, ultimately it's your choice. If you're fine with editing user
file then Alan's example should work.

-- 
Fajar


RE: Allowing user from one realm but not another

2010-02-14 Thread Jeff A

Having problems getting Access-Reject to work; it seems like no matter what I
try it lets this test user on in every realm.

I am using cistron compat to accommodate my users file, which is input by rodopi.

dialuptest  Password = secret
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Session-Timeout = 14400,
        Ascend-Data-Filter = ip in forward tcp est,
        Ascend-Data-Filter = ip in forward dstip 0.0.0.0/24,
        Ascend-Data-Filter = ip in drop tcp dstport = 25,
        Ascend-Data-Filter = ip in forward,
        Port-Limit = 1,
        Realm = foo.net, Auth-Type = Reject

I have tried adding the ! and : symbols in the above line (makes no
difference). Still can login on all three realms.

Also have tried the realm item as a check item, quoted, and with no options,
with the same results.
If a check item, it's placed on the same line as the username etc., but still
no go, as in the example below:

dialuptest  Password = secret Realm = foo.net, Auth-Type = Reject


Jeff


-Original Message-
From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On
Behalf Of Chris
Sent: Sunday, February 14, 2010 12:33 PM
To: FreeRadius users mailing list
Subject: Re: Allowing user from one realm but not another


On Feb 14, 2010, at 6:11 AM, Jeff A wrote:

 Your idea is best.
 I think I will modify, but for a work around till I get a chance to get
 everything turned around.
 I will use Alan's example..
 
 My question is this
 Can his example contain more than one realm to reject between the quotes?
 
 bob   Realm != foo.net, Auth-Type := Reject
 

That's not the realm you're rejecting, but the one you're accepting,
rejecting access if the username is bob and the realm is not equal to
foo.net.


Allowing user from one realm but not another

2010-02-13 Thread Jeff A
Here's my issue, and no idea exactly how to do this.

Trying to figure it out is making me more confused.

1st I use the users file for authentication.

I have three different realms users can login with.

For example they are (foo.net, bar.net, beg.net).

When users login from one of the realms from my two upstream providers they
login as one of these realms.

Then freeradius will strip the realm and auth the user.

My dilemma is I have some users that abused a certain realm usage and I want
to restrict them to another realm for login and deny the others.

Say bi...@foo.net has abused the foo.net realm; now I need him solely on
beg.net and disallowing the other two realms. In other words reject him
before if he tries to use the old realm again. In other words I want to allow
only billy to use this one new realm and be rejected if he tries another
realm.

This has to take place I figure in preproxy, cause my users file is
authenticated minus the realm in proxy..

But as I said I have no idea on what to do to set this up..

I would not mind adding usernames to a file to be prechecked at preproxy and
if the user is listed and he is not using the realm specified, reject him,
just not sure what to do or how..

Jeff


RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A
Yes, that would work, but not sure how to implement this. I have been trying
to find a written example of someone who has done this on the search engines,
but all I have accomplished is making myself confused.

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:11 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

Assuming there are not duplicate names, can't you just rewrite his auth request
so it's always the realm you want? Billy.* = Billy.beg

RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A
So far no luck, but I will keep looking.

From: freeradius-users-bounces+jeffa=globalco@lists.freeradius.org 
[mailto:freeradius-users-bounces+jeffa=globalco@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:32 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Allowing user from one realm but not another

LOL, easy to do with FR. I was just getting the hang of it when I was pulled 
off to another project.

Check out the operators and unlang. Maybe there are some examples within the
users file with similar replacement operations.

RE: Allowing user from one realm but not another

2010-02-13 Thread Jeff A
Ok, from what I see that won't work..

If I rewrite a username in preproxy, i.e. (bi...@foo.net) to bi...@beg.net,
then in proxy the username is authed because radius only looks at the
username with the stripped realm.

I need to watch for billy to login and if he uses any other realm besides
bi...@beg.net then reject him before he even gets to being authed by the
server, because my server strips the realm off and only sees the username.

Rewriting the realm on the auth request for this user would allow him to
login no matter what.

I think the best approach would be to watch for any username named billy and
if his realm does not match the realm he is allowed from, then reject access
before he is sent for authentication and the realm has been stripped as it
is supposed to be.

Maybe I am wrong here, do not know, but here is why I am trying to do this.

Jeff

Logging Error Messages in SQL

2009-11-02 Thread Jeff Fern
All,

We are running Freeradius 2.1.7, some of our clients aren't properly
configured, and we sometimes see errors like this in /var/log/radius.log:

Mon Nov  2 16:23:04 2009 : Error: TLS Alert read:fatal:unknown CA
Mon Nov  2 16:23:04 2009 : Error: TLS_accept:failed in SSLv3 read
client certificate A
Mon Nov  2 16:23:04 2009 : Error: rlm_eap: SSL error error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Mon Nov  2 16:23:04 2009 : Error: SSL: SSL_read failed inside of TLS (-1),
TLS session fails.

What I would like to be able to do is log part of this message in our
database, so if the user seeks help about not being able to get access,
our helpdesk just need to query the database rather than needing to ask us
to look through the log file for any additional information.

I haven't been able to find any info about this, does anyone have any ideas?

Cheers,
-Jeff


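An added example, not FreeRADIUS code and not from the post above: one way to get those radius.log lines into a database is a small parser that picks out the "TLS Alert" lines and records them in SQLite for the helpdesk to query. The table layout, the regexes and the sample lines (copied from the post and joined back onto single lines, plus one unrelated Info line) are this example's own assumptions. Note that the stock lines carry no User-Name, so correlating an alert with the user who failed is by timestamp only.

```python
import re
import sqlite3
from datetime import datetime

# radius.log line shape: "Mon Nov  2 16:23:04 2009 : Error: <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)
# "TLS Alert read:fatal:unknown CA" -> direction, alert level, description
TLS_ALERT = re.compile(r"TLS Alert (?P<dir>read|write):(?P<lvl>\w+):(?P<desc>.+)$")

# Assumed table; the helpdesk only needs the description and the time.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tls_alerts (
    logged_at  TEXT NOT NULL,   -- ISO 8601, from the radius.log timestamp
    direction  TEXT NOT NULL,   -- 'read' = the peer sent the alert to us
    alert_lvl  TEXT NOT NULL,   -- warning / fatal
    alert_desc TEXT NOT NULL,   -- e.g. 'unknown CA'
    raw_line   TEXT NOT NULL
)"""


def parse_line(line):
    """Return (timestamp, level, message) or None when the line is not in
    the radius.log format."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    # Normalise the padded day ("Nov  2") before strptime.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def ingest(lines, conn):
    """Insert one row per TLS alert found in lines; return how many were added.
    The follow-on lines (TLS_accept failed, rlm_eap SSL error, SSL_read
    failed) are consequences of the same alert and are not stored twice."""
    conn.execute(SCHEMA)
    added = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, msg = parsed
        alert = TLS_ALERT.search(msg)
        if level != "Error" or alert is None:
            continue
        conn.execute(
            "INSERT INTO tls_alerts VALUES (?, ?, ?, ?, ?)",
            (ts.isoformat(), alert["dir"], alert["lvl"],
             alert["desc"].strip(), line.rstrip("\n")),
        )
        added += 1
    conn.commit()
    return added


def alert_summary(conn):
    """The helpdesk query: alert description -> number of occurrences."""
    rows = conn.execute(
        "SELECT alert_desc, COUNT(*) FROM tls_alerts GROUP BY alert_desc ORDER BY alert_desc"
    ).fetchall()
    return dict(rows)


# Constructed sample: the four lines quoted in the post plus one Info line.
SAMPLE_LOG = [
    "Mon Nov  2 16:23:04 2009 : Error: TLS Alert read:fatal:unknown CA",
    "Mon Nov  2 16:23:04 2009 : Error: TLS_accept:failed in SSLv3 read client certificate A",
    "Mon Nov  2 16:23:04 2009 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "Mon Nov  2 16:23:04 2009 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.",
    "Mon Nov  2 16:25:31 2009 : Info: Ready to process requests.",
]


def demo():
    """Load the sample into an in-memory database; return (rows added, summary)."""
    conn = sqlite3.connect(":memory:")
    added = ingest(SAMPLE_LOG, conn)
    return added, alert_summary(conn)


if __name__ == "__main__":
    print(demo())
```

In production the same `ingest` would be fed by tailing radius.log into a persistent database file instead of `:memory:`.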


RE: Vista PEAP troubleshooting

2009-09-11 Thread Hawkins, Jeff (APLY-MN)
I appreciate all of the help and I am sorry if I was way off base with
this. I am doing a fresh os install and will grab the latest FR. 

J Hawk

-Original Message-
From:
freeradius-users-bounces+jeff.hawkins=accraply@lists.freeradius.org
[mailto:freeradius-users-bounces+jeff.hawkins=accraply@lists.freerad
ius.org] On Behalf Of Alan DeKok
Sent: Friday, September 11, 2009 12:58 PM
To: FreeRadius users mailing list
Subject: Re: Vista PEAP troubleshooting

John Dennis wrote:
 Most people do not realize there is a lot of useful documentation in
 FreeRADIUS, they just don't know where to look for it. Quite a bit of it
 is in /etc/raddb in the configuration files and examples.

  i.e. ignore the documentation that comes with the server, and instead
follow a *third-party* web site that is *years* out of date.

  Why?  I've never been able to figure it out.

  Alan DeKok.


Re: Problems with Cisco switch and authorization. - resolved.

2009-06-15 Thread Jeff Davis

The two things I have changed to get it working are:

in users:
DEFAULT Auth-Type := LDAP
 Service-Type = NAS-Prompt-User,
 cisco-avpair = "shell:priv-lvl=15",
 Fall-Through = 1

and added on the switch:

aaa authorization exec default group radius local
aaa authorization network default group radius local

Next - ldapgroupfilter.

I have a group of users called "radiususers" - and the following in
radiusd.conf:

groupname_attribute = cn
groupmembership_filter =
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))

and in users:

DEFAULT LDAP-Group == radiususers
 Service-Type = Administrative-User

But any ldap user can still login regardless of group membership.

Where am I screwing up?

Thanks,

-Jeff


Ivan Kalik wrote:

  19:23:13: RADIUS: no appropriate authorization type for user.

  I am all but certain this is a self-inflicted wound.

It is. Have a look at your aaa configuration. Do you see an authorization
line anywhere?

Ivan Kalik
Kalik Informatika ISP


-- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120



ldap groupmembership_filter - resolved.

2009-06-15 Thread Jeff Davis

Ok. it's working. I found it "helpful" to use the correct base dn
when searching for group membership.

Ya gotta love self-inflicted wounds...


Re: Problems with Cisco switch and authorization.

2009-06-10 Thread Jeff Davis

Alan DeKok wrote:

  Jeff Davis wrote:

Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES
work) but cannot seem to get authorization working.

Googling has so far failed me.  Perhaps someone on this list can clue me
in...

  Have you run the server in debug mode as suggested in the FAQ, README,
"man" page, etc..?

Yes. As far as the radius server is concerned everything is fine. I
would agree that the problem is likely on the switch(es). Just not
sure what's missing/extra that's hosing it up.

Here's the relevant stuff from the switch.

aaa new-model
aaa authentication password-prompt PASS:
aaa authentication username-prompt USER:
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication dot1x default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius

snip

radius-server host 10.100.0.15 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 10
radius-server key myk3y

users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=15"

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.


-- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problems with Cisco switch and authorization.

2009-06-10 Thread Jeff Davis




Also getting the following on the switch log:

19:23:13: tty2 AAA/AUTHOR/EXEC
(4066001896): send AV service=shell
19:23:13: tty2 AAA/AUTHOR/EXEC (4066001896): send AV cmd*
19:23:13: tty2 AAA/AUTHOR/EXEC (4066001896): found list "default"
19:23:13: tty2 AAA/AUTHOR/EXEC (4066001896): Method=radius (radius)
19:23:13: RADIUS: no appropriate authorization type for user.

I am all but certain this is a self-inflicted wound. At least those
are easier to fix once their nature is known.

I currently have no attributes in my openldap tree populated... will
eventually add a group filter when I get this authorization piece
working. Could the problem be ldap-related or switch or ??? I'm
stumped. I can't imagine no one has dealt with this before.

Alan DeKok wrote:

  Jeff Davis wrote:
  
  
Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES
work) but cannot seem to get authorization working.

Googling has so far failed me.  Perhaps someone on this list can clue me
in...

  
  
  Have you run the server in debug mode as suggested in the FAQ, README,
"man" page, etc..?

  
  
users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
   Service-Type := NAS-Prompt-User,
   Cisco-AVPair += "shell:priv-lvl=15"

  
  
  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  


-- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problems with Cisco switch and authorization.

2009-06-09 Thread Jeff Davis

Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES 
work) but cannot seem to get authorization working.


Googling has so far failed me.  Perhaps someone on this list can clue me 
in...


users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
   Service-Type := NAS-Prompt-User,
   Cisco-AVPair += "shell:priv-lvl=15"

--
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Framed-IP-Address override NAS pool?

2009-01-07 Thread Jeff Crowe

 I now want to assign a few users different, static IPs using this:

 testuser Service-Type == Framed-User
  Framed-Protocol == PPP,
  Framed-IP-Address = 192.168.1.2,
  Framed-IP-Netmask = 255.255.255.0,
  Framed-Compression = Van-Jacobson-TCP-IP

 This sort of thing used to work fine with Cisco dialup NAS's and Cistron,
 even though the NAS had no pool using that IP range in its
config...radius
 just forced it to override the default pool, but in this case, it just
 keeps assigning an IP from the NAS pool (and yes, I have the above
 statement ABOVE the DEFAULT statement).


 Is Framed-IP-Address in the Access-Accept packet? You should probably
 return Service-Type as well. If attribute is not in the accept packet
 post the debug.

It appears to be.  From debug, after Login OK:

+- entering group post-auth
++[exec] returns noop
Framed-Protocol == PPP
Framed-IP-Address = 192.168.1.2 (The address I want)
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 195 with timestamp +79
Ready to process requests.

However, that is not the IP that my client shows...it shows 192.168.0.2, 
which is from the pool defined in the Cisco router's config.  It seems to 
be overriding the radius users' config.

--

Hi James

I was running into this problem on my Redback. The issue was the Redback
wanted an IP address in the same subnet so I had to set up 192.168.1.1/24 as
a sub interface to allow subscribers to be assigned addresses in the
192.168.1.x/24 range.  My Shasta was completely different and would allow
any IP address to be returned via radius and it would allow the IP to be
used.

Cheers,
Jeff,





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Restricting dialup users to certain client definitions only

2008-12-19 Thread Jeff Crowe
Hi Todd,

I am using FR & MySQL and have the following in my radgroupcheck table to
limit my dialup customers from connecting to my dsl aggregators.  I have
created different Groups (dialup & dsl for simplicity).  In the dialup group
I have a rule that reads:

ID: xxx
GroupName: dialup
Attribute: NAS-IP-Address
OP: !~
Value: (xxx.xxx.xxx.4|xxx.xxx.xxx.2)

This prevents any user in FR with a group of dialup from connecting to a NAS
device with an IP of xxx.xxx.xxx.4 or .2

Hope this gives you an idea on where to limit your customers.

Cheers,
Jeff.


-Original Message-
From: freeradius-users-bounces+listacct=genhex@lists.freeradius.org
[mailto:freeradius-users-bounces+listacct=genhex@lists.freeradius.org]
On Behalf Of Paul Bartell
Sent: Friday, December 19, 2008 1:26 PM
To: FreeRadius users mailing list
Subject: Re: Restricting dialup users to certain client definitions only

You would use the Calling-Station-ID or Called-Station-ID checks in
the groupcheck table.

On Fri, Dec 19, 2008 at 9:48 AM, Todd R. tjrl...@lightwavetech.com wrote:
 In a nutshell here is what I need to do, the long story is after the short
 version if you are interested.

 Short version##

 I want to restrict dialup users or a group of dialup users living within
my
 MySQL tables to certain clients or list of clients.

 So when a user who is only allowed access when coming from clients 1 and 2
 dials in and the request comes from client 3 he is denied access.

 I already do this with the crappy Windows based radius solution we have
been
 stuck on for years, surely I can accomplish the same with FR.

 Any help in a language which a total FR novice can understand would be
 appreciated.


 ##end short version




 Long Version###

 I have read the docs, the archives, the readmes, the examples etc.

 So far, I can't get a good handle on how to accomplish the following so I
am
 again asking for some guidance from the list.

 Here is my situation and what I need to accomplish, any help in getting
this
 done would be most appreciated. I don't mind doing the footwork, research
 etc. to build a solution that will work but please keep in mind that I am
a
 total FR Newb and need this in dufus language :)

 For the last 8 years or so we have been using a dreaded windows based
Radius
 solution that we just couldn't get away from due to how much code we have
 written around this horrible solution. Finally, it's time to just do it
and
 deal with the pain.

 What we have right now is several dialup wholesale
 networks/carriers/aggregators who proxy the radius request to us, we then
 decide to accept or deny the dialup user based on many things but of
course
 username/pass etc.. One of the things we use to determine if they get
access
 or not is which client they came from meaning which of our wholesale
dialup
 network's radius server (client) sent us the request.

 So, in short I need to accomplish the same thing on FR.

 Let's say I have 5 clients, their short names and IPs configured in my FR
 clients file.

 I need to somehow decide within FR when the request comes in from client
#1
 that this user (in Mysql table) is allowed to have access to that dialup
 network.

 So:

 Joeuser from client1 = OK (allow user)
 Joeuser from client2 = Not OK (deny user)

 I am guessing I should do something with groups within the SQL tables such
 as assign joeuser to dialgroup1 which is then somehow allowed from client1
 or for that fact clients 1, 3 and 5 but not allowed to client2.

 I researched huntgroups but can't find much documentation on that, not
sure
 if that's where I need to go or??

 Regards,
 Todd R.


 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




-- 
Random quote of the week/month/whenever i get to updating it:
Opportunity knocked. My doorman threw him out. - Adrienne Gusoff

At school you don't get parole, good behavior only brings a longer
sentence. - The History Boys
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
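How a radgroupcheck row like Jeff's is evaluated, as an added example in Python (not code from the thread or from FreeRADIUS itself): it models the users-file / rlm_sql check-item operators and shows that the unanchored `(xxx.xxx.xxx.4|xxx.xxx.xxx.2)` pattern, with its unescaped dots, also shuts out addresses such as .40 and .23, while an anchored pattern with escaped dots blocks only .4 and .2. The 192.0.2.x addresses and the group names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed radgroupcheck rows in the shape of the poster's table
# (GroupName, Attribute, Op, Value).  The xxx.xxx.xxx.N addresses in the
# post are replaced with RFC 5737 documentation addresses (assumption).
# "dialup-loose" is the pattern exactly as the post writes it;
# "dialup-strict" has the same intent with escaped dots and anchors.
RADGROUPCHECK: List[Tuple[str, str, str, str]] = [
    ("dialup-loose",  "NAS-IP-Address", "!~", r"(192.0.2.4|192.0.2.2)"),
    ("dialup-strict", "NAS-IP-Address", "!~", r"^(192\.0\.2\.4|192\.0\.2\.2)$"),
]


def check_item_matches(op: str, value: str, request_value: Optional[str]) -> bool:
    """Evaluate one check item with the users-file / rlm_sql comparison operators.

    The regex operators search the attribute's string form without adding
    anchors, so a pattern has to anchor itself.  An attribute that is absent
    from the request never satisfies a check item.
    """
    if request_value is None:
        return False
    if op == "==":
        return request_value == value
    if op == "!=":
        return request_value != value
    if op == "=~":
        return re.search(value, request_value) is not None
    if op == "!~":
        return re.search(value, request_value) is None
    raise ValueError(f"unsupported operator {op!r}")


def group_applies(groupname: str, request: Dict[str, str]) -> bool:
    """A group's reply items are only used when every check item for it matches."""
    rows = [r for r in RADGROUPCHECK if r[0] == groupname]
    return all(check_item_matches(op, value, request.get(attr))
               for _, attr, op, value in rows)


def blocked_nas(groupname: str, candidates: List[str]) -> List[str]:
    """NAS addresses from which the group's check items do not match."""
    return [ip for ip in candidates
            if not group_applies(groupname,
                                 {"User-Name": "joeuser", "NAS-IP-Address": ip})]


if __name__ == "__main__":
    # Constructed sample NAS addresses; .40 and .23 are only caught by the
    # loose pattern, because "192.0.2.4" matches inside "192.0.2.40" and
    # "192.0.2.2" matches inside "192.0.2.23".
    nas = ["192.0.2.2", "192.0.2.4", "192.0.2.5", "192.0.2.40", "192.0.2.23"]
    print("loose rule blocks :", blocked_nas("dialup-loose", nas))
    print("strict rule blocks:", blocked_nas("dialup-strict", nas))
```

Whether a non-matching group ends in an Access-Reject depends on the rest of the authorize configuration; the snippet only models the check-item comparison.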


RE: FreeRADIUS vs Aradial RADIUS

2008-12-15 Thread Jeff Crowe
Hi Aldo,

Posting this type of question to a support mailing list will generally
result in some sort of all out war on why X and Y are different and why Y is
better than X to do the same thing.

A solution that involves radius will come with certain business model
decisions that need to be considered.  Along with most paid products from
vendor X there is a certain expectation of support to the consumer for
questions that can be found in the help files.  Vendor X knows that they
will need to house support staff to answer these questions and bury that
cost in the upfront cost of the yearly maintenance fee at %x per year.  You
will get many promises and guarantees that will give you recourse if the
solution does not meet your expectations or requirements (as long as it was
agreed that product X will do what you ask)

Products like FreeRadius are designed for companies and/or individuals that
know the specific needs and requirements of their business model and how
open source products fill that need.  Companies that implement this type of
solution will have individuals (usually) that have experience running open
source software solutions and the difficulties that presented.  Here too is
a cost to the company, but it is a softer cost as they will most likely not
need to hire a new administrator but leverage the existing skills present
within their organization (such as the individuals on this list).

The best course of action would be to determine your business needs from
product X, the level of comfort you are looking for from a vendor/oss
solution and a realistic determination of the in house skill at running
product X.  Once you have this criteria determined you can make an educated
business decision on product X and why you would choose a specific
vendor/producer of this product.  That vendor/producer will be able to
support you through the life cycle of the product and your satisfaction
level will be met.

Just my two cents...

Jeff.

---

Hello guys, I am a little bit scared about how hard it can be to deploy
FreeRADIUS. I found this on the internet: (aradial.com). These guys claim to
have a very convenient and professional AAA server at a convenient price.
Does anybody here have experience with that Aradial radius server? What
would be the pros and cons of purchasing it instead of having the FreeRADIUS
one?

Thanks again.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


postauth sql logging

2008-08-06 Thread Jeff Crowe
Hi all,

I have just recently migrated from 1.1.7 to 2.0.5.  In 1.1.7 I had the
postauth sql logging turned on to log successful and failed auth attempts.
I am not able to find where I would add it in 2.0.5 to enable this feature.  I
see the sql statement in the dialup.conf config file but I am unsure on how
to invoke the sql query.

Any pointers would be great.

Thanks,
Jeff.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


realm question

2008-07-24 Thread Jeff Crowe
Hi there,

I have a question about prefix realms and stripping them.  I have a provider
that allows roaming dialup for our customers. They require the username to
be in a format of idm/something/username.  I get the whole
idm/something/username delivered to me as the authentication.  

I have tried using the IPASS prefix to remove the idm/something, but it just
returns the realm of idm and I am still left with stripped-user-name of
something/username, I have also tried just adding a realm of idm/something
to the proxy.conf and it didn't work.  I am currently running freeradius
2.0.5 with a SQL (mysql) back end.

Can I strip the idm/something/ somehow?  


Thanks,
Jeff.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius 2.0.3 - radtest utility

2008-04-08 Thread Jeff Green
Hi,
 
  Been using  Freeradius for 5+ years now and I'd just like to say
it's great
software, many thanks to Alan et al for all their hard work !
 
I'm currently investigating moving from RHEL4 / Postgresql 8.1 / FR
1.1.6
to Centos5.1 / Postgresql 8.3 / FR 2.0.3 - fell down a couple of holes
(config wise) but I think I've got everything working OK now.
 
I've found that the radtest client in FR 2.0.3 isn't displaying the
Accept / Reject message any more. However NTRadPing against
the same server works OK. 
 
Is this me or a feature ?
 
 
Many Thanks,

-- 
Jeff Green 
Network Support Manager 
SAPIENS (UK) Ltd 
t: +44 (0)1895 464228 f: +44 (0)1895 463098 

the mirrors of my eyes are always focused in surprise, 
my mouth is covered by a smile 

 

Confidentiality Note: The information contained in this email and document(s) 
attached are for the exclusive use of the addressee and may contain 
confidential, privileged and non-disclosable information. If the recipient of 
this email is not the addressee, such recipient is strictly prohibited from 
reading, photocopying, distribution or otherwise using this email or its 
contents in any way.

Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail 
immediately at [EMAIL PROTECTED], if you have received this email in error.

Disclaimer: The views, opinions and guidelines contained in this confidential 
e-mail are those of the originating author and may not be representative of 
Sapiens (UK) Ltd.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help w/ pam radius

2007-12-19 Thread Jeff Fishbaugh
Just thought I would reply to my own thread since I figured it out and probably 
others can benefit from it. Yes, yes, yes: the variations in distros' PAM 
implementations will kill you. That was all it was, so beware -- knowing 
your PAM system on your machines is crucial if you don't want to do a lot of 
head scratching.

#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so debug client_id=linux
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Haven't figured this error out yet...

Wed Dec 19 15:50:05 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE
_CERT option to allow

...but least I can auth SSH with RADIUS so I am a happy camper.


  - Original Message - 
  From: Jeff Fishbaugh 
  To: Jeff Fishbaugh ; freeradius-users@lists.freeradius.org 
  Sent: Tuesday, December 18, 2007 5:49 PM
  Subject: Re: Help w/ pam radius


  Seems like I am getting closer possibly, but I see an error in radius.log -- 
could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow.

  Basically, I go to login to my pam_radius host, user exists in local password 
file with no pass, user/pass in RADIUS/LDAP, and when I login the SSH session 
immediately exits and I see the below in radius.log. If I use a login not in 
the local password file, but it is in RADIUS/LDAP then I get an access denied 
and no mention of the below error. 

  I am not even starting TLS so why is it even complaining about it???  I am 
also curious what this means -- rlm_exec: Wait=yes but no output defined. Did 
you mean output=none?

  Appreciate any help. Thanks!

  Tue Dec 18 19:32:48 2007 : Info: rlm_exec: Wait=yes but no output defined. 
Did you mean output=none?
  Tue Dec 18 19:32:48 2007 : Info: Ready to process requests.
  Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
  Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
  Tue Dec 18 19:35:55 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
  Tue Dec 18 19:36:03 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow


- Original Message - 
From: Jeff Fishbaugh 
To: freeradius-users@lists.freeradius.org 
Sent: Tuesday, December 18, 2007 2:13 PM
Subject: Help w/ pam radius


Hello:

I am having trouble getting pam_radius working and was wondering if someone 
might be of help since I followed the INSTALL instructions as well as a howto 
(as provided by the Wikid folks)  and I am still coming up short getting it 
working.

Here are some of my details

- My PAM is such it is by service (Fedora 7 -- 0.99.7.1-5.1). sshd is 
what I am most interested in; the default config for it looks like the below on 
a host I want talking to radius. What does this need to look like in terms of 
the pam_radius_auth.so related stanzas to get it working? Neither the INSTALL 
instructions nor a howto I found would work.

/etc/pam.d/sshd (default below)

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

- My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP 
(fedora-ds) backending it with the user/pass info, got it working for Cisco's 
but have yet to get PAM working.  I just get 'Access denied' -- tried the latter 
with a user defined on the host with no password or with a password and it won't 
work.

Pretty simple, no huntgroups or anything like that, just plain and simple 
binding against LDAP.

I think what I am looking for are...

1- Pam configuration on the host (ie- /etc/pam.d/sshd)
2- Pam configuration requirements as far as the radius server is concerned. 
Be helpful to see what all I might need that I am possibly missing in conf 
files.

Thank you!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Help w/ pam radius

2007-12-18 Thread Jeff Fishbaugh
Hello:

I am having trouble getting pam_radius working and was wondering if someone 
might be of help since I followed the INSTALL instructions as well as a howto 
(as provided by the Wikid folks)  and I am still coming up short getting it 
working.

Here are some of my details

- My PAM is such it is by service (Fedora 7 -- 0.99.7.1-5.1). sshd is what 
I am most interested in; the default config for it looks like the below on a 
host I want talking to radius. What does this need to look like in terms of the 
pam_radius_auth.so related stanzas to get it working? Neither the INSTALL 
instructions nor a howto I found would work.

/etc/pam.d/sshd (default below)

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

- My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP (fedora-ds) 
backending it with the user/pass info, got it working for Cisco's but have yet 
to get PAM working.  I just get 'Access denied' -- tried the latter with a user 
defined on the host with no password or with a password and it won't work.

Pretty simple, no huntgroups or anything like that, just plain and simple binding 
against LDAP.

I think what I am looking for are...

1- Pam configuration on the host (ie- /etc/pam.d/sshd)
2- Pam configuration requirements as far as the radius server is concerned. Be 
helpful to see what all I might need that I am possibly missing in conf files.

Thank you!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help w/ pam radius

2007-12-18 Thread Jeff Fishbaugh
Seems like I am getting closer possibly, but I see an error in radius.log -- 
could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow.

Basically, I go to login to my pam_radius host, user exists in local password 
file with no pass, user/pass in RADIUS/LDAP, and when I login the SSH session 
immediately exits and I see the below in radius.log. If I use a login not in 
the local password file, but it is in RADIUS/LDAP then I get an access denied 
and no mention of the below error. 

I am not even starting TLS so why is it even complaining about it???  I am also 
curious what this means -- rlm_exec: Wait=yes but no output defined. Did you 
mean output=none?

Appreciate any help. Thanks!

Tue Dec 18 19:32:48 2007 : Info: rlm_exec: Wait=yes but no output defined. Did 
you mean output=none?
Tue Dec 18 19:32:48 2007 : Info: Ready to process requests.
Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:35:55 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:36:03 2007 : Error: rlm_ldap: could not set 
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow


  - Original Message - 
  From: Jeff Fishbaugh 
  To: freeradius-users@lists.freeradius.org 
  Sent: Tuesday, December 18, 2007 2:13 PM
  Subject: Help w/ pam radius


  Hello:

  I am having trouble getting pam_radius working and was wondering if someone 
might be of help since I followed the INSTALL instructions as well as a howto 
(as provided by the Wikid folks)  and I am still coming up short getting it 
working.

  Here are some of my details

  - My PAM is such it is by service (Fedora 7 -- 0.99.7.1-5.1). sshd is 
what I am most interested in; the default config for it looks like the below on 
a host I want talking to radius. What does this need to look like in terms of 
the pam_radius_auth.so related stanzas to get it working? Neither the INSTALL 
instructions nor a howto I found would work.

  /etc/pam.d/sshd (default below)

  #%PAM-1.0
  auth       include      system-auth
  account    required     pam_nologin.so
  account    include      system-auth
  password   include      system-auth
  session    optional     pam_keyinit.so force revoke
  session    include      system-auth
  session    required     pam_loginuid.so

  - My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP (fedora-ds) 
backending it with the user/pass info, got it working for Cisco's but have yet 
to get PAM working.  I just get 'Access denied' -- tried the latter with a user 
defined on the host with no password or with a password and it won't work.

  Pretty simple, no huntgroups or anything like that, just plain and simple 
binding against LDAP.

  I think what I am looking for are...

  1- Pam configuration on the host (ie- /etc/pam.d/sshd)
  2- Pam configuration requirements as far as the radius server is concerned. 
Be helpful to see what all I might need that I am possibly missing in conf 
files.

  Thank you!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Realm question

2007-08-20 Thread Jeff Crowe
Hi all,

Sorry if this question has been answered (I did search the archives and
google to no avail):  I have subscribers that connect with 2 realms as the
prefix.  How do I strip both and just authenticate locally?

IE: username: realm1/realm2/username  or realm1/realm3/username.  Realm1
will always be present followed by either realm2 or realm3 (no others).

Thanks,

Jeff

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
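Stripping a two-level prefix such as realm1/realm2/username (and the idm/something/username case from the earlier realm question), as an added Python example that is not from the thread or from FreeRADIUS: a single prefix realm like the IPASS one stops after the first component, so this walks both levels, but only for realms it knows, so an unrecognised prefix stays in the user name instead of being silently treated as a local user. The realm names in the table are constructed stand-ins for the ones in proxy.conf.

```python
from typing import Dict, List, Tuple

# Constructed realm table (assumption): "realm1" is the outer realm that is
# always present, and only realm2 or realm3 may appear directly under it,
# matching the user name shapes described in the post.
KNOWN_PREFIX_REALMS: Dict[str, List[str]] = {
    "realm1": ["realm2", "realm3"],   # outer realm -> inner realms allowed under it
}
SEPARATOR = "/"


def strip_prefix_realms(user_name: str) -> Tuple[List[str], str]:
    """Peel 'realm1/realmN/user' down to (['realm1', 'realmN'], 'user').

    Anything not in KNOWN_PREFIX_REALMS is left in place, so the result is
    either a fully stripped local user name or an untouched (or partly
    stripped) name that the rest of the configuration can reject or proxy.
    """
    outer, sep, rest = user_name.partition(SEPARATOR)
    if not sep or outer not in KNOWN_PREFIX_REALMS or not rest:
        return [], user_name                 # no known outer realm: untouched
    inner, sep, tail = rest.partition(SEPARATOR)
    if sep and inner in KNOWN_PREFIX_REALMS[outer] and tail:
        return [outer, inner], tail          # both levels recognised and stripped
    return [outer], rest                     # only the outer realm recognised


def stripped_user_name(user_name: str) -> str:
    """What would go into Stripped-User-Name for local authentication."""
    return strip_prefix_realms(user_name)[1]


if __name__ == "__main__":
    for name in ["realm1/realm2/alice", "realm1/realm3/bob",
                 "realm1/realm9/carol", "realm5/dave", "eve"]:
        print(f"{name:22} -> {strip_prefix_realms(name)}")
```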


RE: Configuration issue - unknown client

2007-08-14 Thread Jeff Crowe
 

 -Original Message-
 From: 
 [EMAIL PROTECTED]
 org 
 [mailto:[EMAIL PROTECTED]
 eradius.org] On Behalf Of Dan O'Reilly
 Sent: August 13, 2007 6:58 PM
 To: FreeRadius users mailing list
 Cc: FreeRadius users mailing list
 Subject: Re: Configuration issue - unknown client
 
 My /etc/raddb/clients.conf:
 
 client 192.168.0.11 {
   secret = foobar
 }
 
 Here's the output from radiusd -X:
 
 danolaptop freeradius-1.1.7 # /usr/local/sbin/radiusd -X
 Starting - reading configuration files ...
 reread_config:  reading radiusd.conf
 Config:   including file: /usr/local/etc/raddb/proxy.conf
 Config:   including file: /usr/local/etc/raddb/clients.conf
 Config:   including file: /usr/local/etc/raddb/snmp.conf
 Config:   including file: /usr/local/etc/raddb/eap.conf
 Config:   including file: /usr/local/etc/raddb/sql.conf


Have you tried moving your config files to /usr/local/etc/raddb/ as that
is where freeradius is looking for them, not in /etc/raddb/*

Jeff.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


mysql accounting connect speeds

2007-07-16 Thread Jeff
I need to log connect speeds from users.  

At any rate, things are working fine from our own carrier globalpops to capture 
these on the start packet,  

but for Yournetplus, for some reason, it doesn't work.  

I see this info in the update accounting packet, so I thought I would modify the 
update query, but it gives errors.  

Anyone know why this is wrong? It stops right at the AscendDataRate ='26400' 
for example, then nothing after.  

Trying to gather the Ascend-Data-Rate and USR-Connect-Speed.  

 accounting_update_query = UPDATE ${acct_table1} \
  SET FramedIPAddress = '%{Framed-IP-Address}', \
  AcctSessionTime = '%{Acct-Session-Time}', \
  AcctInputOctets = '%{Acct-Input-Octets}', \
  AcctOutputOctets = '%{Acct-Output-Octets}' \
  AscenDataRate = '%{Ascend-Xmit-Rate}' \
  USRConnectSpeed = '%{USR-Connect-Speed}' \
  WHERE AcctSessionId = '%{Acct-Session-Id}' \
  AND UserName = '%{SQL-User-Name}' \
  AND NASIPAddress= '%{NAS-IP-Address}'
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: mysql accounting connect speeds

2007-07-16 Thread Jeff
Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '24000'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1
Mon Jul 16 11:23:24 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1
Mon Jul 16 11:23:37 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1
Mon Jul 16 11:23:42 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200'   USRConnectSpeed = ''   WHERE 
AcctSess' at line 1
  _  

  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:06:28 -0400
Subject: Re: mysql accounting connect speeds

And the errors are?

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Jeff [EMAIL PROTECTED] wrote:

I need to log connect speeds from users. 

At any rate, things are working fine from our own carrier globalpops to capture 
these on the start packet, 

but for Yournetplus, for some reason, it doesn't work. 

I see this info in the update accounting packet, so I thought I would modify 
the update query, but it gives errors. 

Anyone know why this is wrong? It stops right at the AscendDataRate ='26400' 
for example, then nothing after. 

Trying to gather the Ascend-Data-Rate and USR-Connect-Speed. 

 accounting_update_query = UPDATE ${acct_table1} \
 SET FramedIPAddress = '%{Framed-IP-Address}', \
 AcctSessionTime = '%{Acct-Session-Time}', \
 AcctInputOctets = '%{Acct-Input-Octets}', \
 AcctOutputOctets = '%{Acct-Output-Octets}' \
 AscenDataRate = '%{Ascend-Xmit-Rate}' \
 USRConnectSpeed = '%{USR-Connect-Speed}' \
 WHERE AcctSessionId = '%{Acct-Session-Id}' \
 AND UserName = '%{SQL-User-Name}' \
 AND NASIPAddress= '%{NAS-IP-Address}'


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  
   
 - 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: mysql accounting connect speeds

2007-07-16 Thread Jeff
Yes, and the AscendDataRate too.  
I get the inserts fine on the start packet and the data goes right in as 
supposed to.  
   
All works fine this way for our GlobalPOPS and all data shows up and goes into sql 
using this line in the start  
---  
 accounting_start_query = INSERT into ${acct_table1} (AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, 
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, 
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, 
FramedIPAddress, AcctStartDelay, AscendDataRate, USRConnectSpeed, 
AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', 
'0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', 
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', 
'%{Acct-Delay-Time}', '%{Ascend-Xmit-Rate}', '%{USR-Connect-Speed}', '0')  
---  
data goes right into mysql tables  
   
But YNP for some reason mostly misses the start, so I thought maybe I could grab 
them on the update query because I see one or the other in the update packet for 
YNP, so then I would have what I need, but as I stated this errors out with the 
error I mentioned below when trying to do this.  
   
Jeff  
 
  _  

  From: Hugh Messenger [mailto:[EMAIL PROTECTED]
To: 'FreeRadius users mailing list' [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:40:53 -0400
Subject: RE: mysql accounting connect speeds


Jeff said:
  USRConnectSpeed = '%{USR-Connect-Speed}' \

Did you actually add a USRConnectSpeed column to the radacct table? There
isn't one by default.

-- hugh



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  
   
 - 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: mysql accounting connect speeds

2007-07-16 Thread Jeff
OK, here's what I have now  
 accounting_update_query = UPDATE ${acct_table1} \
  SET FramedIPAddress = '%{Framed-IP-Address}', \
  AcctSessionTime = '%{Acct-Session-Time}', \
  AcctInputOctets = '%{Acct-Input-Octets}', \
  AcctOutputOctets = '%{Acct-Output-Octets}' \
  AscendDataRate = '%{Ascend-Data-Rate}', \
  USRConnectSpeed = '%{USR-Connect-Speed}' \
  WHERE AcctSessionId = '%{Acct-Session-Id}' \
  AND UserName = '%{SQL-User-Name}' \
  AND NASIPAddress= '%{NAS-IP-Address}'  
   
   
And here's the new error:
   
Mon Jul 16 12:49:19 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line 1
Mon Jul 16 12:49:35 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line 1
Mon Jul 16 12:49:40 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line 1
Mon Jul 16 12:49:59 2007 : Error: rlm_sql (sql): Couldn't update SQL accounting 
ALIVE record - You have an error in your SQL syntax; check the manual that 
corresponds to your MySQL server version for the right syntax to use near 
'AscendDataRate = '19200',   USRConnectSpeed = ''   WHERE 
AcctSes' at line   
   
 
  _  

  From: Dennis Skinner [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 11:59:34 -0400
Subject: Re: mysql accounting connect speeds

Jeff wrote:
 Mon Jul 16 11:23:22 2007 : Error: rlm_sql (sql): Couldn't update SQL
 accounting ALIVE record - You have an error in your SQL syntax; check
 the manual that corresponds to your MySQL server version for the right
 syntax to use near 'AscendDataRate = '24000' USRConnectSpeed =
 '' WHERE AcctSess' at line 1

You need a comma between data items:

'AscendDataRate = '24000', USRConnectSpeed ='' WHERE AcctSess'
^^^

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
  
   

Re: mysql accounting connect speeds

2007-07-16 Thread Jeff
It's not that I do not understand; it's just these stupid bifocals, I have a hard time 
seeing.  
I overlooked that, sorry for being a blind idiot.
  _  

  From: Dennis Skinner [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 16 Jul 2007 13:54:02 -0400
Subject: Re: mysql accounting connect speeds

Jeff wrote:
 AcctOutputOctets = '%{Acct-Output-Octets}' \

Need comma on line above. This is a MySQL issue, not a FR issue.
Please read the MySQL docs if you don't understand how to create a valid
query.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
  
   

Re: Ascend-Data-Filter Issues

2007-06-30 Thread Jeff
Actually the best answer for me, if I were a little stronger in MySQL, would be to 
create the import query: 
a script that I could run to convert the users and import them into the radius 
database 
when our billing software adds, removes or locks accounts, then dealing with the 
filters, etc. 
That way the billing program creates a file, the query imports it to SQL, and radius 
operates through the SQL end and not the users file. 
I have seen the one in the source, users2mysql, just not sure it's actually the 
correct format to import users for what I need. I was thinking delete all imported 
items when a new users file is ready for import, then repopulate with the import 
query. 
 
Then auths, etc. would be handled through the SQL end where the control is a lot 
easier and appears more effective, 
and I could be running things as FreeRADIUS is designed to run. 
Thus my stuff adapts to the working model, instead of me trying to change a 
working model to mine. 
   
 
  _  

  From: Alan DeKok [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sat, 30 Jun 2007 01:26:22 -0400
Subject: Re: Ascend-Data-Filter Issues

Jeff wrote:
 My software issues the Ascend-Data-Filter as such to the users file

As you've noted before. The answer won't change.

 I have noticed to get the Ascend-Data-Filter to read the other filters to
 the next line it needs the += or it stops on the 1st one.

The documentation describes this behavior, and explains it.

 Which is out of context with other radius servers I am dealing with

Different products. Different behaviors. If this is a problem,
please call Ford, and ask them why their cars don't look the same as
GM's cars.

 Is it possible to get freeradius to read each line and keep the syntax
 as the = instead of +=

Sure. Patch the source code. That's why source is included.

 If I could do as such as the format as my other servers would help me
 tremendously.
 
 I actually thought the standard was = instead of +=

There is no standard for the users file. None.

FreeRADIUS (and Cistron before it) have been doing it this way for
nearly 10 years now. Any software that can't produce users file
entries for FreeRADIUS is broken. The manufacturers have chosen to not
support the most popular and widely used RADIUS server on the planet.

Alan DeKok.
  
   

Ascend-Data-Filter Issues

2007-06-29 Thread Jeff
I have an issue.

My software issues the Ascend-Data-Filter as such to the users file:

 Ascend-Data-Filter = "ip in forward tcp est",
 Ascend-Data-Filter = "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter = "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter = "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter = "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter = "ip in drop tcp dstport = 25",
 Ascend-Data-Filter = "ip in forward",

I have noticed that to get the Ascend-Data-Filter to read the other filters on the 
next line it needs the += or it stops on the 1st one.  

I.e. I have to do this for FreeRADIUS to read each line:

 Ascend-Data-Filter += "ip in forward tcp est",
 Ascend-Data-Filter += "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter += "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter += "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter += "ip in forward dstip a.a.a.a/32",
 Ascend-Data-Filter += "ip in drop tcp dstport = 25",
 Ascend-Data-Filter += "ip in forward",

Which is out of context with the other radius servers I am dealing with.  

Is it possible to get FreeRADIUS to read each line and keep the syntax as the = 
instead of +=?  

If I could do the same format as my other servers it would help me 
tremendously.  

I actually thought the standard was = instead of +=.  


Re: Ascend-Data-Filter Issues

2007-06-29 Thread Jeff
I suppose we could, but it does grow.  
It would be nice if one could have the file include another file for defaults  
and call that file from the users file.
  _  

  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Fri, 29 Jun 2007 17:36:57 -0400
Subject: Re: Ascend-Data-Filter Issues

Are those filters different for every user? If they are the same (or
there are just a few combinations) make a DEFAULT entry with them and
don't put them in every user's configuration.

Ivan Kalik
Kalik Informatika ISP


Re: Ascend-Data-Filter Issues

2007-06-29 Thread Jeff
I have never used that; where is the documentation on setting that up, i.e. using 
filters, etc.?
  _  

  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Fri, 29 Jun 2007 19:29:10 -0400
Subject: Re: Ascend-Data-Filter Issues

No need. You can create groups with rlm_password, make DEFAULT entry for
each group and add appropriate filters to users in those groups.

Ivan Kalik
Kalik Informatika ISP



Re: Ascend-Data-Filter Issues

2007-06-29 Thread Jeff
Never mind, I found it; let my fingers do the walking.
  _  

  From: Jeff [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Fri, 29 Jun 2007 20:37:25 -0400
Subject: Re: Ascend-Data-Filter Issues

  

Hints File and Users file and I am lost

2007-06-28 Thread Jeff
First let me say I have worked on this for a day, read pretty much all I can 
find, docs etc., and am getting more confused as I go, so it's time to step back 
and ask for some help on what I am doing wrong.  
   
I am trying to get a default profile to work.  
I can't put one in the users file because the billing program auto-creates the 
file, and it's the culprit  
that won't input the Ascend-Data-Filter in the correct format.  
So I can't create a default profile in the users file.  
   
I use a users txt file for users to auth that's imported by our billing program.  
This works great; users auth OK, all works and is in production.  
The issue came up when the Ascend-Data-Filter would not work;  
well, it turns out the billing program sends the info wrong, and it's just  
not changeable at the billing software:  
Ascend-Data-Filter = "ip in forward tcp est",  --- note: no +, as in +=  
And of course without the += when it's sent out to the NAS it's only seeing the 
1st line and doesn't read the rest  
of the filters.
  
The issue is it's importing the Ascend-Data-Filter attribute incorrectly and 
there's no way to change it  
at the Rodopi billing end.  
I won't get into details of that, for it's just not possible to get that to 
happen.  
   
So I need to come up with a way to add that info at the radius level.  
   
I have played with the hints file but I am not sure that's my answer, and for 
some reason it's not even appearing to see it, i.e. the preprocess is uncommented 
in the radiusd.conf authorize section and in the accounting section.  
   
Here's the example.  
   
Here's what's happening on a user with what I have been trying.  
   
   
First I have two realms,  
   
example:  
realm sakeoftest.net {
 type  = radius
 authhost = LOCAL
 accthost = LOCAL
 nostrip
}
   
realm sakeoftest2.net {
 type  = radius
 authhost = LOCAL
 accthost = LOCAL
 nostrip
}
   
---  
Here's the hints file entry:  
   
DEFAULT Suffix == , Strip-User-Name = No
 Hint = test,
 Framed-Protocol = PPP,
 Service-Type = Framed-User,
 Session-Timeout = 14400,
 Ascend-Data-Filter += "ip in forward tcp est",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in drop tcp dstport = 25",
 Ascend-Data-Filter += "ip in forward",
 Port-Limit = 1  
---  
   
Here's the entry for the users.txt file:  
   
joetest  
 Hint = test,  
 Fall-Through = no  
   
Any ideas, anyone? Please!  
   
   
   
   

Re: Hints File and Users file and I am lost

2007-06-28 Thread Jeff
Could I do an attr_rewrite to fix the Ascend being written wrong, and place it in 
the post-process section?  
 
  _  

  From: Alan DeKok [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Thu, 28 Jun 2007 03:03:30 -0400
Subject: Re: Hints File and Users file and I am lost

Jeff wrote:
 I am trying to get a default profile to work
 I can't put on in the users file cause the billling program auto creates
 a file, and its the culprit

Then post-process the file to fix it.

...
 well it turns out the billing program sends the info wrong it just
 not chageable at the billing software
 Ascend-Data-Filter = ip in forward tcp est, --- note no + as +=
 And of course without the += when its sent out to the nas its only
 seeing the 1st line and doesn't read the rest
 of the filters
...
 So I need to come up with a way add that info at the radius level

You can't. You have to re-write the file.

 I have played with the hints file but i am not sure thats my answer,

It's not.


 Heres the hints file entry

The hints file re-writes the *request*. This is documented. The
Ascend-Data-Filters go into the *reply*.

 Heres the entry for the users.txt file
 
 joe test
 Hint = test,
 Fall-Through = no

That is *not* the correct format for a users file entry. See man
users, and read the examples in the users file for how to use Hint
correctly.

Alan DeKok.

  
   
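Alan's answer above, and in the earlier Ascend-Data-Filter thread, is to post-process the file the billing software writes rather than patch the server. As an added example (not from the list thread or the FreeRADIUS project), this Python script does that rewrite: any reply attribute that repeats within one users-file entry, such as the Ascend-Data-Filter lines Jeff posted, is changed from "=" to "+=", since "=" keeps only the first occurrence while "+=" appends every one. The sample entry, its user name, password check item and addresses are constructed.

```python
"""Rewrite repeated reply attributes in a FreeRADIUS users file from '=' to '+='.

With '=' only the first Ascend-Data-Filter reply item survives; '+=' appends every
occurrence, so the NAS receives the whole filter list. Added example, constructed input.
"""
import re
import sys
from collections import Counter
from typing import List

# One indented reply-item line: indent, attribute, operator, value (trailing comma kept in value).
_ITEM_RE = re.compile(r"^(\s+)([A-Za-z0-9_.-]+)\s*(:=|\+=|==|!=|=)\s*(.*)$")

# Constructed sample: what a billing export like the one in the thread might emit.
USERS_FROM_BILLING = """\
joetest Cleartext-Password := "justatest"
        Framed-Protocol = PPP,
        Ascend-Data-Filter = "ip in forward tcp est",
        Ascend-Data-Filter = "ip in forward dstip 192.0.2.10/32",
        Ascend-Data-Filter = "ip in drop tcp dstport = 25",
        Ascend-Data-Filter = "ip in forward"

DEFAULT Service-Type == Framed-User
        Framed-Protocol = PPP,
        Session-Timeout = 14400
"""


def _fix_entry(entry: List[str]) -> List[str]:
    """Within one entry, turn '=' into '+=' for every attribute that occurs more than once."""
    matches = [_ITEM_RE.match(line) for line in entry]   # header lines are not indented: no match
    repeats = Counter(m.group(2) for m in matches if m)
    fixed = []
    for line, m in zip(entry, matches):
        if m and m.group(3) == "=" and repeats[m.group(2)] > 1:
            indent, attr, _, value = m.groups()
            fixed.append(f"{indent}{attr} += {value}")
        else:
            fixed.append(line)                             # single-use items and headers untouched
    return fixed


def rewrite_users_file(text: str) -> str:
    """Split the file into entries (a non-indented header plus its indented lines) and fix each."""
    out: List[str] = []
    entry: List[str] = []
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():        # new entry header (user name or DEFAULT)
            out.extend(_fix_entry(entry))
            entry = [line]
        elif not line.strip():                              # blank line ends the current entry
            out.extend(_fix_entry(entry))
            entry = []
            out.append(line)
        else:                                               # indented reply item, belongs to the entry
            entry.append(line)
    out.extend(_fix_entry(entry))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def count_filter_ops(text: str) -> Counter:
    """Count the operators used on Ascend-Data-Filter lines; a quick check on a rewritten file."""
    return Counter(m.group(3) for m in map(_ITEM_RE.match, text.splitlines())
                   if m and m.group(2) == "Ascend-Data-Filter")


if __name__ == "__main__":
    # Usage: python rewrite_users.py < users.from_billing > users
    sys.stdout.write(rewrite_users_file(sys.stdin.read()))
```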

Re: Hints File and Users file and I am lost

2007-06-28 Thread Jeff
Gotcha, thanks.
  _  

  From: Alan DeKok [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Thu, 28 Jun 2007 08:50:45 -0400
Subject: Re: Hints File and Users file and I am lost

Jeff wrote:
 Could I do an attr_rewrite to fix the Ascend being written wrong, and
 place it in the post-process section?

No.

Fix the files written by your billing software to be correct, OR
create entries yourself that follow the documented format.

Alan DeKok.
  
   

Re: Hints File and Users file and (One More Pr oblem?)

2007-06-28 Thread Jeff
I have a fast question. I created this in the users file and reloaded the config as 
instructed.  
   
Using radtest I tried a login request; the default group wasn't added to the login.  
 
Using radiusd -X is showing nothing except see below.  
   
What I have for the default users file at the top:  
-  
DEFAULT Service-Type == Framed-User
 Framed-Protocol = PPP,
 Session-Timeout = 18000,
 Ascend-Data-Filter += "ip in forward tcp est",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in forward dstip *.*.*.*/32",
 Ascend-Data-Filter += "ip in drop tcp dstport = 25",
 Ascend-Data-Filter += "ip in forward",
 Port-Limit = 1  
(IP addresses removed for being posted here.)  
-  
Test user in users file:  
   
testuser Password = justatest
 Fall-Through = Yes  

-  

Here's all that is posted back, and as I said using radiusd -X only shows this 
much also, stopping at NAS-Port:  


radius:/home/jeffa # radtest [EMAIL PROTECTED] justatest localhost testing123
Sending Access-Request of id 29 to 70.62.12.98 port 1645
User-Name = [EMAIL PROTECTED]
User-Password = justatest
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host localhost:1645, id=29, length=20


  _  

  From: Jeff [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Thu, 28 Jun 2007 09:22:27 -0400
Subject: Re: Hints File and Users file and I am lost

  

Cleanup Radacct table (Need Help)

2007-06-27 Thread Jeff
Seems like every day from one upstream provider we use I get an accounting record 
start and for some reason I get no stop packet on customers. I also use the same 
radius with YourNetPlus and I am not seeing this issue with them. So it leads 
me to believe it's something between me and GlobalPOPs. My question is, since my MySQL 
programming knowledge is not that strong: does anyone know of a query I could 
run every so often that would clean up the radacct table of records as such?

For example, I would like to clear all records with a start time greater than 5 
hours old from the time the query runs and with no stop time. I have a session 
timeout of 4 hours so there is not much chance that a user is still connected. 
At least that way my users online listing, etc. won't be cluttered with old 
users on, and possibly be blocking a user's access due to it thinking they are 
still connected.

I know GlobalPOPs is going to tell me this is latency on our network and not 
theirs. But if that was the case I would see several happen from the 
YourNetPlus network also.

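The cleanup Jeff asks for above, as an added example that is not part of the thread: rather than deleting the rows, this Python script stamps a stop time on radacct rows whose start is more than 5 hours old and that never received a Stop, so the users-online view clears while the missing-Stop history stays visible for later investigation. It runs against an in-memory SQLite copy of a radacct subset with constructed rows; the MySQL form of the same statement is included as a string for a cron job, and the column names follow the FreeRADIUS 1.x schema while the 'Stale-Cleanup' marker is an assumption of this example.

```python
"""Close stale open sessions in a radacct-style accounting table.

Rows are closed, not deleted: the accounting history keeps showing which NAS
never sent a Stop, while the users-online listing is no longer cluttered.
Added example; SQLite stands in for MySQL so it runs offline on constructed rows.
"""
import sqlite3
from datetime import datetime, timedelta
from typing import List

TS = "%Y-%m-%d %H:%M:%S"
STALE_AFTER = timedelta(hours=5)    # Session-Timeout in the thread is 4 h, so 5 h without a Stop is stale
ZERO_DATE = "0000-00-00 00:00:00"   # what the 1.x MySQL schema holds when no Stop has been recorded
MARKER = "Stale-Cleanup"            # local marker (not an RFC 2866 cause) so cron-closed rows stand out
SAMPLE_NOW = datetime(2007, 6, 27, 12, 0, 0)   # fixed "now" for the constructed sample

# Same statement in MySQL syntax, for a cron job against the real table (assumed column names).
MYSQL_CLEANUP = """\
UPDATE radacct
   SET AcctStopTime = NOW(), AcctTerminateCause = 'Stale-Cleanup'
 WHERE (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
   AND AcctStartTime < NOW() - INTERVAL 5 HOUR;
"""

# Subset of the radacct columns from the 1.x schema.
SCHEMA = """CREATE TABLE radacct (
    RadAcctId INTEGER PRIMARY KEY AUTOINCREMENT,
    AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,
    AcctStartTime TEXT, AcctStopTime TEXT, AcctTerminateCause TEXT)"""


def open_sample_db(now: datetime = SAMPLE_NOW) -> sqlite3.Connection:
    """Create the table and load constructed rows placed relative to `now`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)

    def ago(hours: int) -> str:
        return (now - timedelta(hours=hours)).strftime(TS)

    rows = [
        ("s1", "alice", "192.0.2.1", ago(7), None),        # open, stale      -> close
        ("s2", "bob",   "192.0.2.1", ago(1), None),        # open, recent     -> keep
        ("s3", "carol", "192.0.2.2", ago(9), ago(8)),      # already closed   -> keep
        ("s4", "dave",  "192.0.2.2", ago(6), ZERO_DATE),   # 1.x zero-date    -> close
    ]
    conn.executemany(
        "INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime, AcctStopTime)"
        " VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def close_stale_sessions(conn: sqlite3.Connection, now: datetime = SAMPLE_NOW,
                         stale_after: timedelta = STALE_AFTER) -> int:
    """Stamp a stop time on open rows older than the cutoff; returns the number of rows closed."""
    cutoff = (now - stale_after).strftime(TS)   # string compare is safe for this fixed timestamp format
    cur = conn.execute(
        """UPDATE radacct
              SET AcctStopTime = ?, AcctTerminateCause = ?
            WHERE (AcctStopTime IS NULL OR AcctStopTime = ?)
              AND AcctStartTime < ?""",
        (now.strftime(TS), MARKER, ZERO_DATE, cutoff))
    conn.commit()
    return cur.rowcount


def online_users(conn: sqlite3.Connection) -> List[str]:
    """The users-online view from the thread: rows with no Stop recorded."""
    return sorted(r[0] for r in conn.execute(
        "SELECT UserName FROM radacct WHERE AcctStopTime IS NULL OR AcctStopTime = ?", (ZERO_DATE,)))


def stop_record(conn: sqlite3.Connection, session_id: str) -> tuple:
    """(AcctStopTime, AcctTerminateCause) for one session, to see what the cleanup wrote."""
    return conn.execute(
        "SELECT AcctStopTime, AcctTerminateCause FROM radacct WHERE AcctSessionId = ?",
        (session_id,)).fetchone()


if __name__ == "__main__":
    db = open_sample_db()
    print("online before:", online_users(db))
    print("rows closed:", close_stale_sessions(db))
    print("online after:", online_users(db))
```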


Probelms importing usage to rodopi

2007-06-23 Thread Jeff
Importing Accounting Detail to Rodopi 5.4  
   
Has anyone implemented this and is willing to share their configuration?  
   
I am having issues with what I have come up with.  
   
First, I have FreeRADIUS only creating one detail file with no date extension, 
etc.  
Next,  
I have a cron job run every 12 hours. I'd like everything to be about every 10 
minutes, but that's not the story; I went this long to watch for a bug, and 
plenty are crawling around  
anyway.  
The cron moves the accounting file to /home/rodopi/radius,  
changes owner and group to rodopi and permissions to 666.  
Next,  
I have Rodopi import usage about every 12 hours, which I figure its time frame 
should be off, so as not to miss a detail import where the cron moves the file to 
/home/rodopi/radius and overwrites a detail file, thus missing data.  
   
Anyway,  
Rodopi FTPs in, grabs the file, and renames the old one as it should to old_detail*.  
I go into Rodopi and I am not seeing any imported usage for the customers I go look 
for.  
My guess is some are probably making it in, but I am seeing none.  
Either a usage was imported with a stop, my guess, or something 
just isn't right elsewhere.  
   
Now, any suggestions on what may be happening, or has someone else come up with 
a better idea than this they would like to share to import the usage data?  

Duplicate accounting

2007-06-22 Thread Jeff
I just installed FreeRADIUS.  

Am using it with GlobalPOPs.  

I am getting some duplicate accounting starts on logins.  

Not all the time, but on occasion.  

I have had GP check their end; they are only seeing the one coming from the NAS,  

but say this issue may be on my end not responding fast enough, and their radius 
sends another.  

The accounting records are of the same session ID, etc.  

Is there any setting for this to make things better, any suggestions?  


Primary, Secondary, Radrelay, Mysql Problem

2007-06-20 Thread Jeff
I am doing the following and have an issue.
The issue is on the primary I get a duplicate entry on accounting in MySQL for a user.
I don't use this accounting for anything but the users online listing; I have to use 
accounting from the detail file for that.

OK, here's the explanation.
I use radrelay so each radius accounting will be in sync (I need the detail file 
for accounting); the billing package we have won't read the SQL data.

Primary Server (Freeradius 1.16)
I have radrelay configured to push accounting detail to the secondary 
FreeRADIUS server.
I also have MySQL set up on that server with accounting going into it to be able 
to see users online for that server.

Secondary Server (Freeradius 1.16)
I have radrelay configured to push accounting detail to the primary FreeRADIUS 
server.
I also have MySQL set up on that server with accounting going into it to be able 
to see users online for that server.

Here's what happens:
On the secondary server in the MySQL radacct table I get one entry for start and 
stop on a client, as it should be, showing one user online.

On the primary server, I get a duplicate entry for start and a duplicate entry for 
stop,
and thus it also shows the user online twice.

I am not sure what to do.
Basically what I was trying to have here is
a primary and secondary radius, with the detail file combined and in sync, for 
these reasons:
1. To input one detail file into the billing program.
2. To make sure it was showing users logged on.

I didn't set up radsqlrelay; I didn't think that was necessary, and maybe I am going 
about this wrong.

Any suggestions?



Re: Freeeradius 1.16 and Radrelay Not updating

2007-06-19 Thread Jeff
I finally got it working last night.
I had to download 1.16 and compile it that way.
Then things started working.
For some reason, using the version installed through YaST 
something was amiss apparently.
The same fix worked on both servers using OpenSUSE 10.2.




From: Stefan Winter [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Tue, 19 Jun 2007 02:34:23 -0400
Subject: Re: Freeeradius 1.16 and Radrelay Not updating

 seconds runs through its hoop, but never processes anything like it had
 nothing to do

Do you mean: the server never gets anything? Then maybe radrelay is blocked on 
an intermediate firewall? If the packets get lost en-route, you have to look 
there...

In any case, actually *sending* us the *debug output* instead of your verbal 
description of it helps a lot more.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.:+352 424409-1
http://www.restena.lu   Fax:  +352 422473



Freeeradius 1.16 and Radrelay Not updating

2007-06-18 Thread Jeff
I have FreeRADIUS installed on two OpenSUSE 10.2 servers

Running Freeradius 1.16

I am running radrelay on the two to keep the detail files in sync

(New Setup)

The combined detail work file is created on the two servers and each appears to 
write to it OK.

But they aren't transferring with one another.
I am at a loss as to what is wrong.
I have tried several radrelay command line options, with all giving me the same 
result.

Here are my radrelay start commands:

---

Primary

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Secondary-Radius 
detail-combined 

---

Secondary

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Primary-Radius 
detail-combined 

---



Re: Freeeradius 1.16 and Radrelay Not updating

2007-06-18 Thread Jeff
I tried running both in debug, and basically the only thing happening is the info 
is going into the  
combined file on the server that took the request, but radrelay running in 
debug mode on that same server  
about every 50 seconds runs through its hoop, but never processes anything, like 
it had nothing to do.  
   
I have it pointed to where the combined file lives, etc., i.e. example below, but  
again it's like when radrelay does its thing nothing happens, but it counts 
through the threads 0-9 I believe it was.  
Nothing about grabbing the info that was just placed in the combined file work, 
etc.  
   
Here's my latest command running the radrelay.  
   
The stars represent the secret I dubbed out here (I am trying the direct 
approach to help rule out problems reading something, i.e. secret files etc.).  
The .53 server below is the server that I want to receive the updates for 
accounting.  
I also have tried sending results from accounting to this server with the 
same setup, and get the same results as I stated above. I have read the heck 
out of the radrelay documentation. Call me stupid, I know this 50 year old dude 
is missing something.  
   
radrelay -a /var/log/radius/radacct/ -r 74.218.65.153 -s  detail-combined  
 
  _  

  From: Alan DeKok [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Mon, 18 Jun 2007 11:03:28 -0400
Subject: Re: Freeeradius 1.16 and Radrelay Not updating

Jeff wrote:
...
 The combined detail work file is created on the two servers and each appear 
 to write to it ok.
 
 But they aren't transferring with one another

What *are* they doing? You can run the radrelay *and* server in
debugging mode, to see what is going on.

If you're not doing that, you're not reading the documentation, and
you won't be able to solve the problem.

Alan DeKok.
  
   

Freeeradius 1.16 and Radrelay Not updating

2007-06-16 Thread Jeff
I have Freeradius installed on two opensuse 10.2 servers

Running Freeradius 1.16

I am running radrelay on the two too keep the detail files in sync

(New Setup)

The combined detail work file is created on the two servers and each appears to 
write to it ok.

But they aren't syncing with one another

Here's my radrelay start commands

---

Primary

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Secondary-Radius 
detail-combined 

---

Secondary

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Primary-Radius 
detail-combined 

---

In the clients.conf on each server is an entry with secret pointing to the 
server in question.

Freeeradius 1.16 and Radrelay Not updating

2007-06-15 Thread Jeff
I have Freeradius installed on two opensuse 10.2 servers  

Running Freeradius 1.16  

I am running radrelay on the two to keep the detail files in sync  

(New Setup)  

The combined detail work file is created on the two servers and each appears to 
write to it ok.  

But they aren't syncing with one another  

Here's my radrelay start commands  

---  

Primary  

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Secondary-Radius 
detail-combined   

---  

Secondary  

radrelay -a /var/log/radius/radacct/ -d /etc/raddb -n Primary-Radius 
detail-combined   

---  

In the clients.conf on each server is an entry with secret pointing to the 
server in question.  


Re: Freeradius as a secondary

2007-06-11 Thread Jeff
OK, new issue that's eluding me.
I uninstalled version 1, then installed version 2.

Anyway, I re-set up the configs and made sure my services file is 1645 radius and
1646 for acct as before.
Anyway,
when I do an auth with ntradping all connects aok.
When I do any kind of an accounting request (stop, start, update) I get error 10054,
which I read may mean check the port, which it appears I am set aok unless I am
missing something.

NEXT
Nothing is going into the radacct dir for the detail file either, nor is it being
created.

Also when I do a /etc/init.d/freeradius start or restart everything is aok;
when I do a /etc/init.d/freeradius reload I see in the radius log that it's
saying there are errors in the radius config.

Anyway anyone have any ideas?
  From: Peter Nixon [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sun, 10 Jun 2007 19:43:58 -0400
Subject: Re: Freeradius as a secondary

On Sun 10 Jun 2007, Jeff wrote:
 I am using the version installed through software update on opensuse

You may wish to use my updated packages at:
http://software.opensuse.org/download/network:/aaa/

Just add it as a software repository in YaST. (ie. 
http://software.opensuse.org/download/network:/aaa/openSUSE_10.2/)

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

Re: Freeradius as a secondary

2007-06-10 Thread Jeff
ok I like that solution  
Which prompts two questions.  
   
1. Question: not writing to sql locally, how can I tell when users are connected 
and disconnect from the secondary  
2. Where is the best howto doc on the radrelay module.  
   
Thanks
  From: Peter Nixon [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sun, 10 Jun 2007 08:36:29 -0400
Subject: Re: Freeradius as a secondary

On Sat 09 Jun 2007, Jeff wrote:
 I am using Freeradius as a Secondary Radius.

 The issue is sometimes not always but 98% of the time

 A user when they connect to the secondary (freeradius) and connect

 accounting packet start and then when they disconnect no accounting packet
 stop gets to the secondary

 Reason its going to the primary radius (VOPRAdius)

 Thus the problem being the secondary thinks they are still connected.

 The nas's are not onn site these are from level3 networks

 Does anyone know what to do for this?

 Since freeradius is not being used as a primary too

 I am at a stump on this one.


An easy way to handle this that doesn't involve database clustering is to 
have your secondary radius accounting server not write accounting data to 
sql, but rather to relay all packets it receives back to the primary using 
radrelay. If the primary is down, the packets should be queued, and 
delivered when it comes back up.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

Re: Freeradius as a secondary

2007-06-10 Thread Jeff
I am using the version installed through software update on opensuse.
It's 1. something but not sure exactly.
radrelay is installed,
tested, but it's creating the work file, etc., no errors, but nothing showing up at 
the primary when doing a test.

As to proxy to realm in the proxy section:

You are saying I could set up to proxy the accounting back to the primary radius 
and not use radrelay?
The two realms below?

Here's what I have now on the secondary:
realm globalco.net {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
}
#
realm go-globalusa.net {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
}
 
  From: Arran Cudbard-Bell [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sun, 10 Jun 2007 11:05:25 -0400
Subject: Re: Freeradius as a secondary

Jeff wrote:
 ok I like that solution
 Which prompts two questions.
 
 1. Question not wriring to sql locally, how can I tell when users are 
 connected and disconnect from the secondary
 2. Where is the best howto doc on the radrelay module.
 
 Thanks

Yeah agreed much better idea.

Hmm, do you *have* to use radrelay though? Can't you just use 
proxy-to-realm in the accounting section?

in cvs pre 2 that would be

update config {
   Proxy-To-Realm = realm
}
update request {
   Realm = realm
}

prior to cvs pre 2

you could have something like

DEFAULT Proxy-To-Realm := realm

in accounting users.

You'd just need to set up a realm with your primary server in.


Re: Freeradius as a secondary

2007-06-10 Thread Jeff
Yes I did, it's added.
Maybe it's just the fact I am using ntradping to test with and not throwing 
enough attributes for it to start logging correctly on the primary.
Maybe if I wait till someone actually hits it again from a real client it will 
give me accurate results.
  From: Arran Cudbard-Bell [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sun, 10 Jun 2007 14:17:25 -0400
Subject: Re: Freeradius as a secondary

Jeff wrote:
 I am using the version installed through software update on opensuse
 Its 1. something but not sure exactly
 radrelay is installed
 tested but i its creating the work file,etc no errors but nothing 
 showing up at primary when doing a test
Have you added the secondary server as an authorised client on the 
primary ?
 
 as to proxy to realm in proxy section
 
 You are saying I could setup to proxy the accounting back to the 
 primary radius and not use radrelay?
 The below to realms
 
 heres what i have now on the secondary
 realm globalco.net {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
 }
 #
 realm go-globalusa.net {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
 }
Ok so your acct host would be the address of your primary radius server. 
You'd also need to add your secondary server as an authorised client on 
your primary, and setup a shared secret between them.

You'd then add this line to accounting users

DEFAULT Proxy-To-Realm := globalco

Peter's solution is probably more what you're looking for though, and like 
he said it does have the advantage of being able to queue up accounting 
packets if your primary goes down, so no data is lost.

Just proxying means you only have to worry about one process, and it's 
slightly neater.


Re: sql question

2007-06-09 Thread Jeff
I am using Freeradius as a Secondary Radius.  

The issue is sometimes not always but 98% of the time  

A user when  they connect to the secondary (freeradius) and connect  

accounting packet start and then when they disconnect no accounting packet stop 
gets to the secondary  

Reason its going to the primary radius (VOPRAdius)  

Thus the problem being the secondary thinks they are still connected.  

The NASs are not on site; these are from Level3 networks.  

Does anyone know what to do for this?  

I am at a stump on this one.  


Re: sql question

2007-06-09 Thread Jeff
Sorry, my fault.
  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sat, 09 Jun 2007 13:55:17 -0400
Subject: Re: sql question

Please start your own thread. Don't hijack others.

Use the same database for storing accounting data for both servers. If
you store data from one server in one place and data from the other
server in another ...

Ivan Kalik
Kalik Informatika ISP


On 9/6/2007, Jeff [EMAIL PROTECTED] writes:

I am using Freeradius as a Secondary Radius. 

The issue is sometimes not always but 98% of the time 

A user when they connect to the secondary (freeradius) and connect 

accounting packet start and then when they disconnect no accounting packet 
stop gets to the secondary 

Reason its going to the primary radius (VOPRAdius) 

Thus the problem being the secondary thinks they are still connected. 

The NASs are not on site; these are from Level3 networks 

Does anyone know what to do for this? 

I am at a stump on this one. 

 



Freeradius as a secondary

2007-06-09 Thread Jeff
 

I am using Freeradius as a Secondary Radius.  

The issue is sometimes not always but 98% of the time  

A user when  they connect to the secondary (freeradius) and connect  

accounting packet start and then when they disconnect no accounting packet stop 
gets to the secondary  

Reason its going to the primary radius (VOPRAdius)  

Thus the problem being the secondary thinks they are still connected.  

The NASs are not on site; these are from Level3 networks.  

Does anyone know what to do for this?  

Since freeradius is not being used as a primary too  

I am at a stump on this one.

Re: Freeradius as a secondary

2007-06-09 Thread Jeff
VOPRadius does use SQL; it puts its accounting records directly into our billing 
package, Rodopi.
I see what you are getting at: basically both use the same SQL and sync up 
their records.
  From: Arran Cudbard-Bell [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sat, 09 Jun 2007 15:09:36 -0400
Subject: Re: Freeradius as a secondary

Jeff wrote:

 I am using Freeradius as a Secondary Radius.

 The issue is sometimes not always but 98% of the time

 A user when they connect to the secondary (freeradius) and connect

 accounting packet start and then when they disconnect no accounting 
 packet stop gets to the secondary

 Reason its going to the primary radius (VOPRAdius)

 Thus the problem being the secondary thinks they are still connected.

 The NASs are not on site; these are from Level3 networks

 Does anyone know what to do for this?

 Since freeradius is not being used as a primary too

 I am at a stump on this one.

 

The issue can only be NAS side; accounting packets are completely 
disconnected from one another. The only thing they share is a session ID 
(included in the packets), which FreeRADIUS uses to correlate the start, 
stop and interim update packets.

If VopRADIUS can use SQL as an accounting database, you could point 
them both at a single database instance. There's no reason why stop, 
start and interim packets couldn't go to different RADIUS servers.

users2mysql Problem

2007-06-07 Thread Jeff
I had made a mistake when importing my users file.  

Is there a way to purge the user data from mysql and it clears all their info 
from all the tables  

without reinstalling the database?  

   

Jeff

users2mysql Problem Issue 2

2007-06-07 Thread Jeff
OK, that did it,
but the issue is when importing:
entries are going into the radcheck and usergroup
but nothing in the radreply,
hence
none of the user attributes associated are being imported,
but I see no errors when, after the script ran, running back through what it 
outputted.
 
  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Thu, 07 Jun 2007 08:41:37 -0400
Subject: Re: users2mysql Problem

run this SQL command from mysql prompt:

DELETE FROM radcheck,usergroup,... whatever table you have written to

It will delete data but not reset the indexes. But wouldn't it be wise
to learn a little bit about SQL before embarking on something like this?

Ivan Kalik
Kalik Informatika ISP


On 7/6/2007, Jeff [EMAIL PROTECTED] writes:

I had made a mistake when importing my users file. 

Is there a way to purge the user data from mysql and it clears all their info 
from all the tables 

without reinstalling the database? 

 

Jeff



Re: Help Users Online Listing Issues

2007-06-06 Thread Jeff
Just so you know, these are from another radius server.
Virtual ISP,
specifically coming from globalpops,
if from another radius server makes a difference in what's happening.

Also I see stop and start packets in the detail file, and when looking
at the radacct table I see all the accounting info but the acctstoptime and
total
for that session.

But it's like the user dropped off and it didn't create or get that the user was 
gone.
   
jeff
  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Wed, 06 Jun 2007 06:02:45 -0400
Subject: Re: Help Users Online Listing Issues

Run radiusd -X and see if these crop up when you receive an accounting
update request. If your NAS is sending them as Start, not Update, packets
you will need to fix it on the NAS.

Ivan Kalik
Kalik Informatika ISP


On 6/6/2007, Jeff [EMAIL PROTECTED] writes:

To be quite honest, not even sure. 
What must I check to be certain? 
One thing I do know, the user is offline now, and 
they still are there as online, same entries.
 From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Tue, 05 Jun 2007 21:45:47 -0400
Subject: Re: Help Users Online Listing Issues

These are suspiciously spaced exactly at 15 minutes. Are you inserting
accounting updates into radacct table?

Ivan Kalik
Kalik Informatika ISP


On 6/6/2007, Jeff [EMAIL PROTECTED] writes:

I just got Freeradius up and running 

I am having the users online showing the user on several times (note below) 

This is from users online from the query to the radacct table in mysql 

jldevore 6/5/2007 7:19:55 PM 
jldevore 6/5/2007 7:19:40 PM 
jldevore 6/5/2007 7:19:25 PM 
jldevore 6/5/2007 7:19:10 PM 
jldevore 6/5/2007 7:18:55 PM 

This is the Radwho command at appx the same time 

Login Name What TTY When From Location
jldevore jldevore PPP 999 Tue 19:17 209.247.2 4.253.116.100 

 

Anyone got any idea why I am getting this? I am stumped. 

P.S this is a new install 

Jeff



Re: Help Users Online Listing Issues

2007-06-05 Thread Jeff
To be quite honest, not even sure.  
What must I check to be certain?  
One thing I do know, the user is offline now, and  
they still are there as online, same entries.
  From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Tue, 05 Jun 2007 21:45:47 -0400
Subject: Re: Help Users Online Listing Issues

These are suspiciously spaced exactly at 15 minutes. Are you inserting
accounting updates into radacct table?

Ivan Kalik
Kalik Informatika ISP


On 6/6/2007, Jeff [EMAIL PROTECTED] writes:

I just got Freeradius up and running 

I am having the users online showing the user on several times (note below) 

This is from users online from the query to the radacct table in mysql 

jldevore 6/5/2007 7:19:55 PM 
jldevore 6/5/2007 7:19:40 PM 
jldevore 6/5/2007 7:19:25 PM 
jldevore 6/5/2007 7:19:10 PM 
jldevore 6/5/2007 7:18:55 PM 

This is the Radwho command at appx the same time 

Login Name What TTY When From Location
jldevore jldevore PPP 999 Tue 19:17 209.247.2 4.253.116.100 

 

Anyone got any idea why I am getting this? I am stumped. 

P.S this is a new install 

Jeff



Re: won't work on large users file

2007-06-02 Thread Jeff
That was it, thanks
the :=
---
I have another question.
I am trying to get the script posted in the faq page at
www.freeradius.org to update users file
as a cron job

For some reason none of this is working under opensuse operating system

Any Suggestions

It doesn't like the find users -nt .last-reload
the part -nt







From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Sat, 02 Jun 2007 17:03:37 -0400
Subject: Re: won't work on large users file

What doesn't work? Can you post radiusd -X output for the test user.

In 1.1.6 you should use Cleartext-Password as attribute and := as
operator. If those reply items are the same for all the users you can
put them in a single DEFAULT entry and not in every user config. You
already have such entries for Framed-User and PPP in original users file.

Ivan Kalik
Kalik Informatika ISP


On 2/6/2007, Jeff [EMAIL PROTECTED] writes:

Has anyone had this issue?
Large users file, appx 900 users, with each user's template as follows.
I don't know if it's a corrupt line somewhere or not, but the file is auto 
generated by Rodopi so
I would think it's not that.

Here's what the users template is:

# 2353731881 -- First User
testuser Password = testpw
 Framed-Protocol = PPP,
 Service-Type = Framed-User,
 Session-Timeout = 14400,
 Port-Limit = 1,
 Ascend-Data-Filter = ip in forward tcp est,
 Ascend-Data-Filter = ip in forward dstip 74.218.65.132/32,
 Ascend-Data-Filter = ip in forward dstip 74.218.65.133/32,
 Ascend-Data-Filter = ip in forward dstip 204.13.240.3/32,
 Ascend-Data-Filter = ip in forward dstip 204.13.240.3/32,
 Ascend-Data-Filter = ip in drop tcp dstport = 25,
 Ascend-Data-Filter = ip in forward


Freeradius and Rodopi

2007-06-01 Thread Jeff
Does anyone have a radiusd.conf they would share?
I am trying to get the users file Rodopi creates to work with freeradius.
As you know it's in a different format, as
username   Password = password

Anyway it's a backup radius solution off site, and I don't want it to have to use 
mssql.

Trying to be as simple as possible

Any help would be appreciated

Thanks All





From: Elie Hani [mailto:[EMAIL PROTECTED]
To: 'FreeRadius users mailing list' [mailto:[EMAIL PROTECTED]
Sent: Fri, 01 Jun 2007 05:43:36 -0400
Subject: RE: Backing up freeradius

Thanks a lot, it works fine now.

Elie Hani

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Peter Nixon
Sent: Friday, June 01, 2007 10:47 AM
To: FreeRadius users mailing list
Subject: Re: Backing up freeradius

On Fri 01 Jun 2007, Peter Nixon wrote:
 On Fri 01 Jun 2007, Elie Hani wrote:
  Hi;
 
  I have freeradius configured on Fedora Core 6, I tried to configure a
  backup script where I can copy /etc/raddb folder to another server with
  the same version and the same operating system.
 
  When it's done, the command service radiusd start did not work,
  But radiusd -x  worked and the server is well functioning.
 
  What could be the problem?

 permissions...

My server synchronisation script looks like:

rsync -a /etc/raddb [EMAIL PROTECTED]:/etc --delete
ssh [EMAIL PROTECTED] /etc/init.d/freeradius stop
ssh [EMAIL PROTECTED] /etc/init.d/freeradius start

I run it AFTER I have already verified that the config works on the 
localhost, and I use ssh keys so that it doesn't ask for the password for 
each line...

If you have different ssl certs on each machine then you will need to modify

the rsync line..

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Freeradius Domain name ( website) registration expired ?

2006-08-25 Thread Jeff Green

Can anyone else get to http://www.freeradius.org ?

I'm getting redirected to a domain name registration of some ISP.

Seems like the domain names registration has expired ???





Different source NAS for Different privilege Level

2006-03-16 Thread Jeff Stout
I am using freeradius rev 1.1.0 I have everything running great
I am using AAA authorization on different Network Devices,
Cisco Routers, Cisco Switches, Foundry Switches, Juniper FW's.

I have setup VSA's to respond to the user to set their privilege level
upon successful authentication, then the authorization portion actually
sets the privilege level

I need to have different privilege levels based upon which NAS they
are coming from, eg... Connecting while on the Corporate Network
privilege level = 8, same user Connecting thru IPass out of the office
privilege level = 5.

Any assistance with this would be greatly appreciated.

Thank you in advance for your help

Jeff Stout
CCT


Re: Can we use RSA-Token to Freeradius?

2006-03-10 Thread Jeff Stout
If I'm not mistaken you can also use a  pamd mod to accomplish this

Jeff Stout

Alan DeKok wrote:

kevin [EMAIL PROTECTED] wrote:
  

Does freeradius support RSA-Token?



  No.  But it shouldn't be too hard to leverage their command-line
tool.

  Alan DeKok.



RE: assigning a vlan-id after successful authentication

2005-11-13 Thread Jeff Reilly
First, this information is well documented… both by ProCurve and in RFC3580.

That said, the AV pairs you're looking for are as follows:
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 123 (the VLAN)
Tunnel-Type = VLAN

Jeff

-------- Original Message --------
Subject: assigning a vlan-id after successful authentication
From: Sven Juergensen [EMAIL PROTECTED]
Date: Fri, November 11, 2005 8:48 pm
To: freeradius-users@lists.freeradius.org

Hello people,

how does the above mentioned work? I am not quite sure where to start. Is it
embedded in the 'Reply-Message' or does it have to do with the tunnel-types? I'm
trying to supply a vlan-id to an hp2626 with mac-based authentication. Couldn't
find this in the faq or relevant conf-files either - what am I missing?

Thanks a lot in advance,
sven


RE: assigning a vlan-id after successful authentication

2005-11-13 Thread Jeff Reilly
The 2626 supports 1 VLAN per port. I'm not sure exactly how the 2626 deals with
multiple supplicants... but I would bet (based on past experience on other
switches)... the 2626 ignores all 802.1x (EAP Starts) from any subsequent
endpoints after the first successful authentication (until the port sees
link-down or an EAP logoff from the original supplicant). Whatever provisioning
(VLANs in your case) is based on the first endpoint's
authentication/authorization… all other endpoints will share the same level of
access as the first (authenticated supplicant).


Jeff

-------- Original Message --------
Subject: RE: assigning a vlan-id after successful authentication
From: "Seferovic Edvin" [EMAIL PROTECTED]
Date: Sun, November 13, 2005 2:35 pm
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Sure – but that ain't working.. at least not on my switches and don't ask me
why... I usually have 2-3 computers on one port (but computers have the same
VLANID in RADIUS), so might that be the problem?

Regards,

Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Sunday, 13 November 2005 21:58
To: FreeRadius users mailing list
Subject: RE: assigning a vlan-id after successful authentication

First, this information is well documented both by ProCurve and in RFC3580.

That said the AV pairs you're looking for are as follows:
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 123 (the VLAN)
Tunnel-Type = VLAN

Jeff

-------- Original Message --------
Subject: assigning a vlan-id after successful authentication
From: Sven Juergensen [EMAIL PROTECTED]
Date: Fri, November 11, 2005 8:48 pm
To: freeradius-users@lists.freeradius.org

Hello people,

how does the above mentioned work? I am not quite sure where to start. Is it
embedded in the 'Reply-Message' or does it have to do with the tunnel-types? I'm
trying to supply a vlan-id to an hp2626 with mac-based authentication. Couldn't
find this in the faq or relevant conf-files either - what am I missing?

Thanks a lot in advance,
sven


RE: 802.1x

2005-11-02 Thread Jeff Reilly
Alex,
Features such as 'bandwidth and port blocking' (if any) are allocated/configured
on the _NAS_ (in this case a NAS port) via AV pair/s provided by RADIUS... the
'802.1x Supplicant' (Client/Endpoint) in simple terms... provides a
secure/standard conduit which facilitates the communication of credentials (from
the Supplicant to the Authenticator). The '802.1x Authenticator' (or NAS) _MAY_
provision/enforce Authorization for the specific endpoint in the context of a
user or group...

The management granularity of this functionality varies greatly by switch
vendor… as a result providing this functionality across a multi-vendor
environment... in a large scale deployment... is often too complex to seriously
consider.

jmr

-------- Original Message --------
Subject: RE: 802.1x
From: "Alex M" [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Now I'm totally lost...
Can you give me an example what 802.1x does?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

"Alex M" [EMAIL PROTECTED] wrote:
 So then such features as bandwidth and port blocking could be controlled
 via 802.1x?

No.

Alan DeKok.


RE: 802.1x

2005-11-02 Thread Jeff Reilly
I have no experience with the opensouce efforts you mention
below...
 Original Message Subject: RE:
802.1xFrom: "Alex M" [EMAIL PROTECTED]Date:
Wed, November 02, 2005 11:19 amTo: "'FreeRadius users mailing
list'"freeradius-users@lists.freeradius.org






Ok, will call
Dlink to see if that have something (the hotspot itself has that
functionality internally though)
Also do you
know if opensources such as NoCAT and ChillBox support such
features?








From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff
ReillySent:
Wednesday, November 02, 2005 1:08 PMTo: FreeRadius users mailing listSubject: RE:
802.1x


AV = ATTRIBUTE
VALUE

?

D-Link what? D-Link makes lots of
stuff... generally great price... but not the most feature rich
products.



To get the features you desire you'll likely
need a higher-end box. I'm not a big proponent of
"pitching"specific productsin this forum. Suffice it
to say there are vendors that will (or attempt) to provide CoS /
filtering on Wireless...




jmr

 Original
Message Subject: RE: 802.1xFrom: "Alex M"
[EMAIL PROTECTED]Date: Wed, November 02, 2005
10:04 amTo: "'FreeRadius users mailing
list'"freeradius-users@lists.freeradius.org
Ok I got
it
By the way
what is AV pair?
And how do you
get NAS related attributes to control bandwidth from vendors? Like if im
using D-Link how could I get attributes from
them?

Thanks!





From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff
ReillySent:
Wednesday, November 02, 2005 11:53 AMTo: FreeRadius users mailing listSubject: RE:
802.1x

Alex,
Features such as 'bandwidth and port blocking"
(if any) are allocated/configured on the _NAS_ (in this case a NAS port) via AV pair/s
provided by RADIUS...the '802.1x Supplicant" (Client/Endpoint) in
simple terms... provides a secure/standardconduit which
facilitates the communication of credentials (from the Supplicant to
the Authenticator). The '802.1x Authenticator" (or NAS)
_MAY_provision/enforce Authorization for the specific endpoint in
the context of a user or group...


The management  granularity of this
functionality verifies greatly by switch vendor as a result providing
this functionality across a multi-vendor environment... in a large
scale deployment... is often too complex to seriously
consider.??



jmr

 Original Message 
Subject: RE: 802.1x
From: "Alex M" [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Now I'm totally lost... Can you give me an example of what 802.1x does?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

"Alex M" [EMAIL PROTECTED] wrote:
 So then such features as bandwidth and port blocking could be controlled
 via 802.1x?

  No.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





questions about a custom freeradius configuration

2005-07-27 Thread Jeff Smith

Hi,

Our wireless network currently authenticates and authorizes users via 
freeradius 0.8.1 with a custom module that talks to custom 
authentication and authorization servers.


I'm upgrading the server side to freeradius 1.0.4.  At the same time, 
the people who run the wireless network are switching to using EAP-PEAP 
with MS-CHAP v2.


I'm fairly new to freeradius, but I have been spending a lot of time 
reading this list, the documents, the O'Reilly book, and experimenting 
with the server.  So far I've been able to do PEAP authentications to 
the server via the users file.


The custom authentication module I referred to in the first paragraph 
basically re-implemented MS-CHAP v2 and talked to the custom servers on 
the back end.  It would not be easy to wedge into the rlm_eap code. 
Instead, I'd like to find a solution that makes the fewest possible (if 
any) modifications to stock freeradius, so we can track releases more 
closely. I would like to continue using the custom authentication and 
authorization servers.


My thinking on this so far is that I might be able to use the 
Exec-Program-Wait attribute and/or the rlm_perl module to call out to 
the custom servers, which have command-line interfaces.  Ideally, I'd be 
able to do something like this:


1) In the authorization phase, call out to the custom authorization 
server and ask a question like "Is this user who claims to be ``joe'' 
authorized to use the wireless service?"  I can get back a yes/no answer 
and send an Access-Reject with an explanation, or continue on if they 
are authorized.  (I don't think Exec-Program-Wait can help here since I 
understand it only gets called after the user is authenticated.  I could 
make this check after and only if mschap returns success, though.)


2) In the authorization phase, also call out to the custom 
authentication server to get back the NT-Password and add that to the 
value pairs in the check list in the request packet, so that when 
EAP-PEAP finally gets down to the MS-CHAP v2 part, the NT-Password is 
available.


I have been having a hard time getting my mind around the complexity of 
RADIUS and freeradius.  It may be that I'm taking a completely 
wrong-headed approach here.  If anyone on this list has any thoughts on 
how this could be done best, I'd appreciate hearing your ideas.


Thanks in advance!

Jeff
--
Jeff Smith
Security Analyst - ITaP Identity  Access Management
Purdue University
W. Lafayette IN 47907-1408
Phone: 765-496-8285
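The two authorize-phase call-outs described in the post, as an added example that is not code from the post or from the FreeRADIUS project: an rlm_perl "authorize" hook that asks a backend whether the user is allowed on the wireless service, rejects with a Reply-Message if not, and otherwise adds NT-Password to the check items so rlm_mschap can complete the MS-CHAPv2 exchange inside PEAP. The backend is a constructed in-memory table standing in for the custom servers; the tool path in the comments and the script name are assumptions. Two things a practitioner should keep in mind when wiring this up: the NT hash is password-equivalent for MS-CHAPv2, so the transport to the backend must be authenticated and the value must never be logged; and with PEAP the first User-Name the server sees is the outer identity (often "anonymous"), so an unknown name must not be rejected outright or the tunnel never gets established.

```perl
#!/usr/bin/perl
# Added example (not from the list post or from FreeRADIUS): rlm_perl
# "authorize" hook for FreeRADIUS 1.x.
#   1. ask an external authorization service whether the user may use the
#      wireless service; reject with a Reply-Message if not;
#   2. fetch the user's NT hash and add it as the NT-Password check item so
#      EAP-PEAP/MS-CHAPv2 can finish inside rlm_mschap.
use strict;
use warnings;

# rlm_perl fills these hashes for every request and writes changes back.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes rlm_perl understands (values as in FreeRADIUS's example.pl).
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Constructed stand-in for the custom servers (assumption, not real data).
# An NT hash is password-equivalent for MS-CHAPv2: fetch it over an
# authenticated channel and never log it.
my %BACKEND = (
    # NT hash of the string "password": MD4(UTF-16LE("password"))
    joe   => { allowed => 1, nthash => '8846F7EAEE8FB117AD06BDD830B7586C' },
    # constructed placeholder hash
    alice => { allowed => 0, nthash => '0' x 32 },
);

sub backend_lookup {
    my ($user) = @_;
    # Real deployment: call the command-line interface with the LIST form of
    # open(), so the user name is an argv element and is never parsed by a
    # shell (hypothetical tool name):
    #   open(my $fh, '-|', '/opt/custom/bin/get-nthash', $user) or return;
    return $BACKEND{$user};
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user && length $user;

    # Defensive: refuse names with characters a backend CLI or log parser
    # could misinterpret, rather than trying to quote them.
    unless ($user =~ /^[A-Za-z0-9._\@-]{1,64}\z/) {
        $RAD_REPLY{'Reply-Message'} = 'Malformed user name';
        return RLM_MODULE_REJECT;
    }

    my $rec = backend_lookup($user);
    # Unknown here (e.g. the outer PEAP identity "anonymous"): leave the
    # decision to the rest of the authorize section.
    return RLM_MODULE_NOOP unless $rec;

    unless ($rec->{allowed}) {
        $RAD_REPLY{'Reply-Message'} = 'Not authorized for wireless service';
        return RLM_MODULE_REJECT;
    }

    # rlm_mschap accepts NT-Password as 32 hex characters (a leading "0x"
    # is optional).  Adding it here is harmless for non-MS-CHAP requests.
    $RAD_CHECK{'NT-Password'} = $rec->{nthash};
    return RLM_MODULE_UPDATED;
}

sub show { defined $_[0] ? $_[0] : '-' }

# Stand-alone check, skipped when rlm_perl loads this file:
#   RLM_PERL_SELFTEST=1 perl authz.pl
if ($ENV{RLM_PERL_SELFTEST}) {
    for my $name (qw(joe alice bob anonymous), 'jo;e') {
        %RAD_REQUEST = ('User-Name' => $name);
        %RAD_CHECK   = ();
        %RAD_REPLY   = ();
        my $rc = authorize();
        printf "%-10s rc=%d NT-Password=%s reply=%s\n", $name, $rc,
            show($RAD_CHECK{'NT-Password'}), show($RAD_REPLY{'Reply-Message'});
    }
}

1;
```

In the 1.x radiusd.conf this is loaded with a `perl { module = ${confdir}/authz.pl }` module definition and `perl` listed in the `authorize` section, which is enough for the check item to be present by the time `mschap` runs in `authenticate`. The self-test shows the four outcomes the hook can produce: joe gets RLM_MODULE_UPDATED with NT-Password set, alice gets a reject with a reason, bob and anonymous fall through as NOOP, and a name carrying a shell metacharacter is rejected before it reaches any backend.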


RFC Info

2005-07-01 Thread Jeff Fern

Hello all,

I am using freeRadius as a proxy server for requests, however instead of
proxying with [EMAIL PROTECTED], I am using:

DEFAULT User-Name =~ 12357.*, Proxy-To-Realm := Realm

with a regular expression for the start of the username (there will be
several of these lines).

Can anyone advise me if (and where) the ability to do this is actually in
the Radius RFC, and therefore must be supported by other Radius servers,
or if it is an extra feature of freeRadius?

Any info on this would be gratefully received,

Regards,


-Jeff Fern

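The prefix-based proxy selection from the post, as an added users-file example that is not from the post or the FreeRADIUS distribution (realm names are assumptions and must match entries in proxy.conf). The point worth checking in the original line is that FreeRADIUS regular expressions are not anchored: `12357.*` matches anywhere in the name, so a user called `bob12357` would be proxied too. Anchoring with `^` makes the entry match only names that start with the digits.

```text
# Added example, not from the post: pick a proxy realm by User-Name prefix.
#
# Unanchored: "12357.*" matches anywhere in the string, so "bob12357" is
# also sent to realm-a.  Kept here only to show the difference.
#DEFAULT  User-Name =~ "12357.*", Proxy-To-Realm := realm-a

# Anchored to the start of the name.  The first matching DEFAULT entry
# wins; later entries are only consulted if Fall-Through = Yes is set.
DEFAULT  User-Name =~ "^12357", Proxy-To-Realm := realm-a

DEFAULT  User-Name =~ "^12358", Proxy-To-Realm := realm-b

# Everything else is authenticated locally; LOCAL is the built-in
# "do not proxy" realm.
DEFAULT  Proxy-To-Realm := LOCAL
```

Because the users file stops at the first matching entry, order the prefix rules from most to least specific and keep the catch-all `LOCAL` line last; otherwise a broad prefix or the catch-all swallows requests meant for a later realm.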


RE: Authenticate/Attributes based on NAS-IP-Address

2005-06-08 Thread Jeff Green
Hi Nick,


I've modified FreeRadius to retrieve NAS-specific reply items from a
(Postgresql) table, as I have three different NAS h/w that users can
connect using - they have different IP pools.

Is this similar to what you want to do ?


Regards,

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of N
White
Sent: 07 June 2005 22:29
To: FreeRadius users mailing list
Subject: Authenticate/Attributes based on NAS-IP-Address

Using MySQL as a backend, is there any way to configure Authentication
and Attribute (replies), based on the NAS-IP-Address sent to the
FreeRADIUS server? Allow requests from NAS1 to authenticate and have
certain attributes for users in that group and then allow requests from
NAS2 to authenticate and have different attributes. Would there be
anyway to allow a user to be a part of both groups?

Thanks,
Nick






Proxying without a realm

2005-06-01 Thread Jeff Fern

Hello all,

I have got an Airespace wireless LAN system that allows multiple WLANs to
be created and appear as completely separate networks. The system allows
RADIUS authentication via multiple servers, but it does not allow
specifying certain WLANs to certain servers.

To determine which WLAN has been connected to, Airespace passes an
attribute along with the username (MAC Address); it does not pass any
realm information.

Does anyone know if it is possible to configure freeradius to proxy out
all incoming radius requests but convert the attribute to an actual realm?

To provide a bit more background detail, we have a Tatara AAA system which
is connected to an HLR (the HLR actually does the authentication, Tatara
just acts as a proxy to it). I need to create two separate WLANs which,
when presented to Tatara for authentication, one will appear as a home
connection and the other as a roaming connection - hence the need for
specific realms.

Freeradius would be proxying all requests to the same Tatara system (but
needs to add realm information).

Any help or advice would be gratefully received.

Regards,

-Jeff Fern



FreeRADIUS Win32 Binary Distribution?

2005-03-19 Thread Jeff Reilly
Is there any reason no one has yet made available FreeRADIUS Win32 binaries
for Distribution?  I have built 1.0.2 with Cygwin and have put together a
basic install wrapper.  I have done some investigation with respect to
distribution of the required Cygwin binaries... and could find no obvious
reason these could not be included with the package as long as the source
was available upon request.
 
With a little guidance I'm sure this could be made available to freely
download, I am willing to host.  
 
Any thoughts or objections?
 
Jeff



RE: FreeRADIUS Win32 Binary Distribution?

2005-03-19 Thread Jeff Reilly
The Site and the binaries are still well under construction... but both
appear to function at first glance ;)  I've done some successful testing
with radclient.exe...  I expect in the next few days I will test further
against some real gear with various eap-types.  

If you are interested in trying a win32 version of FreeRADIUS please feel
free to visit http://www.bootstick.com/freeradius.  

Any and all feedback is welcome... be kind I'm new at this.  

Thanks,
Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Saturday, March 19, 2005 7:50 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRADIUS Win32 Binary Distribution? 

Jeff Reilly [EMAIL PROTECTED] wrote:
 Is there any reason no one has yet made available FreeRADIUS Win32
binaries
 for Distribution?

  No one has built them, I guess.

  I do some testing under Interix, but I'm not sure if those binaries
will work on a plain XP system.

 With a little guidance I'm sure this could be made available to freely
 download, I am willing to host.  

  Sure.  Build them. put them on a web page, and we'll point to them.

  Alan DeKok.




