Multiple Pools
Hello, I have FreeRADIUS 0.93 running without any problem. I have one pool of IPs (Pool1) running, but it is now too small for my company and I have to work with another pool (Pool2). The pools are not consecutive. Now I have two pools and I want FreeRADIUS to assign IPs from Pool1 or Pool2 according to the number of users. I do not want to assign Pool1 to users 1 and 2 and Pool2 to users 3 and 4. Thank you. I hope you can help me.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multi Pool
Hello, I need to configure FreeRADIUS to manage two ranges of IPs, Pool A and B. I need FreeRADIUS to assign IPs from Pool A and, when it is full, start assigning from Pool B. I have read the documentation but I do not know how I must configure it. I already have FreeRADIUS version 0.93 running with Pool A. Can somebody help me?
pool with two ranges
Hello, I have FreeRADIUS with various pools, but now I need one pool to have two different ranges. Can I do it with FreeRADIUS?

    ippool main_pool {
        range-start = X.X.X.128
        range-stop = X.X.X.151
        netmask = 255.255.255.255
        cache-size = 23
        session-db = ${raddbdir}/db.main
        ip-index = ${raddbdir}/db.maindindex
        override = yes
    }

I need main_pool to also have this range:

    range-start = X.X.X.200
    range-stop = X.X.X.251

Thank you.
Re: pool with two ranges (Alan DeKok)
Hello Alan DeKok, but failover where? My users are defined like this:

    nameuser    User-Password == "passowrd", Pool-Name := "main_pool"
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                Framed-Compression = 0,
                Port-Limit = 1,
                Idle-Timeout = 0,
                Session-Timeout = 0

    main_pool      range-start = X.X.X.128   range-stop = X.X.X.151
    second_pool    range-start = X.X.X.200   range-stop = X.X.X.251

I have tried failover in radius.conf:

    post-auth {
        redundant {
            main_pool
            second_pool
        }
    }

But I must be doing something wrong. Thank you

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Monday, 17 May, 2004 01:41 PM
Subject: Freeradius-Users digest, Vol 1 #3220 - 12 msgs

> Today's Topics:
>
>  1. Re: Reg configuring challenge response (Alan DeKok)
>  2. Re: Moving away from Safeword (Robert Szelepcsenyi)
>  3. Re: freeradius with dhcp (ro0ot)
>  4. Re: Moving away from Safeword (Alan DeKok)
>  5. About Radius Attributes (Lara Adianto)
>  6. Freeradius with MySQL and Exec-Program-Wait (Joe Borg)
>  7. Re: Freeradius with MySQL and Exec-Program-Wait (Paul Hampson)
>  8. Re: About Radius Attributes (Alan DeKok)
>  9. pool with two ranges (Juan)
> 10. Re: pool with two ranges (Alan DeKok)
> 11. RE: Freeradius with MySQL and Exec-Program-Wait (Joe Borg)
> 12. Re: Freeradius with MySQL and Exec-Program-Wait (Milver S. Nisay)
>
> --__--__--
>
> Message: 1
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Reg configuring challenge response
> Date: Mon, 17 May 2004 05:45:13 -0400
>
> Barath kumar <[EMAIL PROTECTED]> wrote:
> > How to configure the free RADIUS server to send a Challenge response to
> > an access request. In other words, what are the configurations to be
> > done on the free RADIUS server such that it sends a challenge response
> > to an access request. By default, will the free RADIUS server send a
> > challenge response? Or do any special configurations need to be done for
> > the same.
>
>   The server will send a challenge when the protocol demands it.
> e.g. EAP.
>
>   If you don't know what the challenge will be, or why the server
> should send a challenge, you probably don't want challenge-response.
>
>   Alan DeKok.
>
> --__--__--
>
> Message: 2
> Date: Mon, 17 May 2004 11:48:04 +0200
> From: Robert Szelepcsenyi <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Moving away from Safeword
>
> Hi,
>
> Sorry, I was not precise enough in my query. I am looking for a system of *synchronous* dynamic passwords, which use tokens with an internal counter without any challenge. The password has to be entered before a call is made (either VPN or dialup), so there is no opportunity to receive a challenge and act upon it. Moreover, X9.9 is insecure.
>
> I did some research some time ago, and if I remember correctly, freeradius supports at least one such system.
>
> Robert Szelepcsenyi
>
> On Mon, May 17, 2004 at 05:44:05AM -0400, Alan DeKok wrote:
> > Robert Szelepcsenyi <[EMAIL PROTECTED]> wrote:
> > > Due to licensing policy of Secure Computing, which forced me to
> > > upgrade to deploy a separate machine running just their AAA server,
> > > I have decided to move away from their product Safeword Premier
> > > Access. I am looking for some replacement for their system of
> > > dynamic passwords and tokens. Freeradius supports several systems of
> > > dynamic passwords. An ideal solution would be to have some sort of a
> > > software token that I could install into a mobile phone or a PDA. Is
> > > there such an option with freeradius?
> >
> >   It's more of a client side issue than a server side.
> >
> >   FreeRADIUS does include an "X9.9" module, which will do DES-based
> > challenge/response. It's been tested to work with CRYPTOCard
RE: MultiPool
Hello, can somebody help me? I have tried with failover but I must be doing something wrong.

> Hello,
> I need to configure FreeRADIUS to manage two ranges of IPs, Pool A and B. I need FreeRADIUS to assign IPs from Pool A and, when it is full, start assigning from Pool B.
> I have read the documentation but I do not know how I must configure it. I already have FreeRADIUS version 0.93 running with Pool A.
> Can somebody help me?
Fail-Over
Hello, I have read configurable_failover three times but I cannot get FreeRADIUS to fail over with ippool. I have two pools that I want to use for all my users. I need FreeRADIUS to start assigning IPs from the second pool when the first is full. I do not know what I must read to do it. Can somebody help me? Thank you.
Re: Freeradius-Users digest, Vol 1 #3304 - 13 msgs
Hello Kostas, where can I find rlm_ippool revision 1.3? With 1.3 will I be able to work with two different pools? Thank you

> Today's Topics:
>
>  1. MD4 fix for bigendian systems in 1.0.0-pre1 (Paul Hampson)
>  2. Re: Fail-Over (Kostas Kalevras)
>  3. Re: FreeRADIUS 1.0.0-pre1 released (Damjan)
>  4. Calculating Remaining Time for Session-Timeout (Rick Smith)
>  5. Re: Calculating Remaining Time for Session-Timeout (Keith Yoder)
>  6. Re: Calculating Remaining Time for Session-Timeout (Kostas Kalevras)
>  7. Re: Help adding users (Frédéric EVRARD)
>  8. RE: Calculating Remaining Time for Session-Timeout (Rick Smith)
>  9. Re: Calculating Remaining Time for Session-Timeout (Keith Yoder)
> 10. Re: LDAP Authentication (MS Windows AD) ([EMAIL PROTECTED])
> 11. Re: Help in using EAP (Frédéric EVRARD)
> 12. Re: Help with Counter module (Jean-Marie GUILLEMOT)
> 13. Re: Latest freeradius and NPTL fail (Michael Griego)
>
> --__--__--
>
> Message: 1
> Date: Tue, 1 Jun 2004 21:00:52 +1000
> To: [EMAIL PROTECTED]
> Subject: MD4 fix for bigendian systems in 1.0.0-pre1
> From: [EMAIL PROTECTED] (Paul Hampson)
>
> Sorry, I just discovered a problem that didn't show up
> on initial testing. Luckily it showed up on my PPC machine.
>
> If you're building on a big-endian machine, compilation will
> fail on md4.c due to missing definition of htole32. Or at
> least it does on Linux.
>
> Here's the patch, already committed to CVS and will be in -pre2.
>
> Index: md4.c > === > RCS file: /source/radiusd/src/lib/md4.c,v retrieving revision 1.5 diff > -r1.5 md4.c 36a37,39 > * Add htole32 define from > http://www.squid-cache.org/mail-archive/squid- dev/200307/0130.html > > * (The bswap32 definition in the patch.) > *This is only used on > BIG_ENDIAN systems, so we can always swap the bits. 68a72,77 > #define > htole32(x) \ > (uint32_t)x) & 0xff00) >> 24) | \ > > uint32_t)x) & 0x00ff) >> 8) | \ > uint32_t)x) & > 0xff00) << 8) | \ > uint32_t)x) & 0x00ff) << 24))
>
> I'm test-building it now, but I'm confident it'll work. The only risk
> is if we're clashing with an existing definition...
>
> --
> Paul "TBBle" Hampson, on an alternate email client.
>
> --__--__--
>
> Message: 2
> Date: Tue, 1 Jun 2004 14:26:40 +0300 (EEST)
> From: Kostas Kalevras <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Fail-Over
>
> On Mon, 31 May 2004, Alan DeKok wrote:
>
> > "Juan" <[EMAIL PROTECTED]> wrote:
> > > i have read configurable_failover for three times but i can not do
> > > that freeradius failover with ippool. I have two pools that i want
> > > to use then for all my users. I need that freradius start to asign
> > > IPs from the second Pool whe the first is full. I do not known
> > > what i must read to do it.
> >
> >   It looks like it's a problem with the IP pool module...
>
> Try using the latest version of the ippool module (revision 1.31).
> That one should work.
>
> >   Alan DeKok.
>
> --
> Kostas Kalevras                Network Operations Center
> [EMAIL PROTECTED]              National Technical University of Athens, Greece
> Work Phone: +30 210 7721861    'Go back to the shadow' Gandalf
>
> --__--__--
>
> Message: 3
> Date: Tue, 1 Jun 2004 13:39:13 +0200
> From: Damjan <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS 1.0.0-pre1 released
>
> > > 3. Is there a way to put the rlm_ modules in /usr/lib/freeradius
> > > while the main libraries stay in {prefix}/lib?
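Review bot: the htole32 macro in the 68a72,77 hunk cannot be applied as quoted here: its parentheses are unbalanced and the masks 0xff00 / 0x00ff are 16-bit values paired with 24-bit and 8-bit shifts, so this copy does not express a 32-bit byte swap; anyone building on big-endian from this mail should take the definition from the committed md4.c rather than from the quoted text. The clash risk the author raises in the closing sentence is easy to close in the same hunk: wrap the definition in `#ifndef htole32` / `#endif` (and keep it under the BIG_ENDIAN condition the 36a37,39 comment describes) so a libc that already provides htole32 is left alone.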
failover ippool 1.3
Hello Kostas, I have installed FreeRADIUS 1.0 and I have tried to configure failover with ippool, to assign IPs from two pools. I have configured the users:

    user    User-Password == "password", Pool-Name := "PoolA"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-Compression = 0,
            Port-Limit = 1,
            Idle-Timeout = 0,
            Session-Timeout = 0

In radius.conf:

    ippool PoolA {
        range-start = x.x.x.33
        range-stop = x.x.x.51
        netmask = 255.255.255.255
        cache-size = 24
        session-db = ${raddbdir}/db.ippoolA
        ip-index = ${raddbdir}/db.ipindexA
        override = no
    }

    ippool PoolB {
        range-start = x.x.x.80
        range-stop = x.x.x.89
        netmask = 255.255.255.255
        cache-size = 10
        session-db = ${raddbdir}/db.ippoolB
        ip-index = ${raddbdir}/db.ipindexB
        override = no
    }

Somebody on the list told me that when a pool is full the ippool module returns noop, but I do not know how to write this. Could somebody explain it to me? Thank you.
Two-Step LDAP authentication?
Hi everybody! I'm a new subscriber of this list. I'm trying to set up a RADIUS server with LDAP authentication; I've managed to authenticate a user (from a Cisco device), but my fellows from the Security Department think that we should have a two-step authentication:

1. User/password authentication, searching in cn=users,ou=pepe,ou=jose,c=es
2. A compare request, searching for a specific objectclass in the LDAP tree.

So, the idea is the following one: depending on the NAS-IP-Address, not only to check for a correct password, but to search for the uid in an objectclass called owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es. deviceX is the one with the source NAS-IP-Address. I know how to use unlang with switch statements, configuring different ldap modules in the RADIUS server, so I can write the basedn I want. But how can I do step 2? Thank you and sorry for my English.
Problem with expand result of exec-program
Hi everybody!! I've got a strange problem with expanding the result of the execution of a program. This is my config data:

    -- dictionary --
    ATTRIBUTE mi-resultado-script 3003 integer

    -- exec --
    exec {
        wait = yes
        shell_escape = yes
        output = yes
    }

    -- sites-available/default --
    mi-resultado-script = "%{exec:/aplicaciones/radius/bin/radius_ath.sh}"

But during the execution:

    Executing /aplicaciones/radius/bin/radius_ath.sh
    Exec-Program output:
    Exec-Program: returned: 1
    result 1
    expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} ->

The result of the program is "1" but the value of the expression is not expanded, and the attribute "mi-resultado-script" always has the value zero. Could you help me with this? Thank you very much.
RE: Problem with expand result of exec-program
Thank you Alan. I get this error now:

    expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} -> 1
    ERROR: Failed parsing value "1 " for attribute mi-resultado-script: Unknown value 1 for attribute mi-resultado-script

We can see a space after the value 1. I've written only the line "echo 1" in my script to be sure, but this space appears again. Could you help me with this? Thanks again.

> Date: Thu, 23 Sep 2010 13:19:54 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Problem with expand result of exec-program
>
> Juan Rodríguez wrote:
> > Hi everybody!!
> > Executing /aplicaciones/radius/bin/radius_ath.sh
> > Exec-Program output:
>
>   The program printed nothing.
>
> > Exec-Program: returned: 1
> > result 1
> > expand: %{exec:/aplicaciones/radius/bin/radius_ath.sh} ->
> >
> > The result of the program is "1" but the value of the expression is not
> > expanded, and the attribute "mi-resultado-script" has always zero value.
> >
> > Could you help me with this?
>
>   Fix your program so that it prints something to the output.
>
>   Alan DeKok.
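An added example, not from the thread: a shell demonstration of where the trailing space comes from and how to avoid it. It emulates the two versions of radius_ath.sh as shell functions (the script names are assumptions), captures exactly what each one writes, folds a trailing newline into a space (an assumption about how the server turned the script's output into the "1 " seen in the log), and applies the digits-only check an integer attribute value has to pass.

```shell
#!/bin/sh
# Added example (not from the thread). The script functions and the
# newline-to-space folding are assumptions made for the demonstration.

# The script as described in the thread: echo appends a newline.
script_with_echo()   { echo 1; }

# The fix: printf with an explicit format writes exactly the bytes given.
script_with_printf() { printf '%s' 1; }

# Show the raw bytes a script writes, as od -c would in a shell session.
raw_bytes() { "$1" | od -An -c; }

# Capture a script's output without losing its final newline (the marker
# byte defeats the newline stripping of command substitution), then fold
# newlines into spaces, which is what the "1 " in the log looks like.
capture_output() {
    out=$("$1"; printf 'x')
    out=${out%x}
    printf '%s' "$out" | tr '\n' ' '
}

# An integer attribute value must be digits only: "1 " fails, "1" passes.
is_integer_value() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Usage: report both variants side by side.
for script in script_with_echo script_with_printf; do
    value=$(capture_output "$script")
    if is_integer_value "$value"; then
        echo "$script -> \"$value\" parses as an integer"
    else
        echo "$script -> \"$value\" does not parse as an integer"
    fi
done
```

The same rule applies to any script whose output is consumed by an `%{exec:...}` expansion: emit the bare value with `printf '%s'` and let the server decide how it is terminated.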
Loadbalancing and failover using different servers
Hi everybody, I want to implement a RADIUS load-balancing and failover scenario using FreeRadius and Cisco ACS. The idea I have in mind is to have these two servers answering RADIUS requests in a round-robin fashion and, should one of them for some reason go down, the other one would take care of answering the RADIUS requests. Have any of you implemented such a scenario, using FreeRadius together with another RADIUS server from a different vendor? If so, what are the main problems you found doing this (incompatibility, high maintenance costs, effort, etc)? I'd be very glad to hear from you as to why such a scenario makes/doesn't make sense. Regards, Juan
RE: Re: Loadbalancing and failover using different servers
> Juan Perez wrote:
> > I want to implement a RADIUS load-balancing and failover scenario using
> > FreeRadius and Cisco ACS. The idea I have in mind is to have these two
> > servers answering to RADIUS requests in a round-robin fashion and should
> > one of them for some reason go down, the other one would take care of
> > answering to the RADIUS requests.
>
>   You will need a load balancer in front of the two servers.
>
> > Have any of you implemented such a scenario, using FreeRadius together
> > with another RADIUS server from a different vendor? If so, what are the
> > main problems you found doing this (incompatibility, high-maintenance
> > costs, effort, etc)?
> >
> > I'd be very glad to hear from you as to why such a scenario
> > makes/doesn't make sense.
>
>   I don't see why you would put two different servers into one
> load-balance pool. And even worse, pairing a horrible server with a
> great one!
>
>   Alan DeKok.

Hi Alan,

Ok, it is actually two scenarios, one with the load balancer and another one with the failover, but I'm more interested in the failover part. You don't have to convince me of FreeRadius being the best RADIUS server around, that I know already, but the idea behind pairing FreeRadius with a horrible server is as follows. Let's suppose that I have two servers running the latest and shiniest version of FreeRadius and for some reason there is a bug in FreeRadius that causes the server to crash when a specially crafted RADIUS packet is received. Let's suppose that there is also an attacker (a disgruntled employee maybe?) who knows about this bug and decides to attack my FreeRadius servers, so he starts sending these specially crafted packets to each server, and since the two servers have the same bug, both of them would die upon receiving these packets. If I have two servers from different vendors, I could thus hopefully guarantee that at least the horrible server would continue working while an attack targeted at FreeRadius is going on. The horrible server doesn't necessarily need to be a Cisco ACS, any other horrible server would do (Microsoft IAS, Steel-Belted, etc). So, does it make sense now or is the idea too stupid to even be considered?

Juan
Error: Dropping conflicting packet due to unfinished request
Hi! I'm running freeradius 1.0.1, for authentication and accounting, under Fedora Core 2. This radius receives about 5 or 6 new calls per minute using a simple authentication method, using MySQL as backend for registering the calls. Every day I'm seeing these error logs in my radius.log file:

    Mon Apr 4 12:15:58 2005 : Error: Dropping conflicting packet from client XXX:1645 - ID: 103 due to unfinished request 221 30
    Mon Apr 4 12:16:03 2005 : Error: Dropping conflicting packet from client XXX:1645 - ID: 103 due to unfinished request 221 30
    Mon Apr 4 12:16:08 2005 : Error: Dropping conflicting packet from client XXX:1645 - ID: 103 due to unfinished request 221 30
    Mon Apr 4 12:16:14 2005 : Error: Dropping conflicting packet from client XXX:1645 - ID: 103 due to unfinished request 221 30

They are not many, but about 3 series like these appear every day. I couldn't find much info on this error on the net... I've seen a couple of threads that mention it can be due to the radius taking too much time to authenticate while using scripts, but I'm not using any script, just simple authentication accepting everything... I've got this in /etc/raddb/users:

    DEFAULT Auth-Type := Accept
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Fall-Through = 0

I tried increasing max_request_time to 60 (it was 30) and max_requests to 6400 (I've got 25 clients) in radiusd.conf, but that didn't solve it... What factors can be causing this error?? Thanks in advance, Juan
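An added example, not from the thread: a shell script built around awk that groups the "Dropping conflicting packet" lines by client, packet ID and request number, so a retransmit series like the four lines above stands out from a one-off drop. The log lines it runs on are constructed after the ones quoted above, with 192.0.2.10 and 192.0.2.11 in place of XXX, and a second client added to show the grouping.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "Dropping conflicting packet"
# errors in radius.log by client, packet ID and request number.
# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLE_RADIUS_LOG='Mon Apr  4 12:15:58 2005 : Error: Dropping conflicting packet from client 192.0.2.10:1645 - ID: 103 due to unfinished request 221
Mon Apr  4 12:15:59 2005 : Info: Ready to process requests.
Mon Apr  4 12:16:03 2005 : Error: Dropping conflicting packet from client 192.0.2.10:1645 - ID: 103 due to unfinished request 221
Mon Apr  4 12:16:08 2005 : Error: Dropping conflicting packet from client 192.0.2.10:1645 - ID: 103 due to unfinished request 221
Mon Apr  4 12:16:14 2005 : Error: Dropping conflicting packet from client 192.0.2.10:1645 - ID: 103 due to unfinished request 221
Mon Apr  4 12:40:02 2005 : Error: Dropping conflicting packet from client 192.0.2.11:1645 - ID: 7 due to unfinished request 540'

# One line per (client, ID, request): "client id request count first last".
# Reads the log from stdin so it can be pointed at the real file.
conflict_summary() {
    awk '
        /Dropping conflicting packet/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "client")  client = $(i + 1)
                if ($i == "ID:")     id = $(i + 1)
                if ($i == "request") req = $(i + 1)
            }
            key = client " " id " " req
            count[key]++
            if (!(key in first)) first[key] = $4   # $4 is the hh:mm:ss field
            last[key] = $4
        }
        END { for (k in count) print k, count[k], first[k], last[k] }' | sort
}

# Seconds between two hh:mm:ss stamps on the same day.
span_seconds() {   # $1 = first, $2 = last
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, ":"); split(b, y, ":")
        print (y[1] * 3600 + y[2] * 60 + y[3]) - (x[1] * 3600 + x[2] * 60 + x[3])
    }'
}

# Flag series of three or more drops of the same packet ID: the NAS is
# retransmitting while the first copy is still being processed, so the slow
# step is on the server side (whatever handles that request), not in the NAS.
flag_retransmit_storms() {
    printf '%s\n' "$SAMPLE_RADIUS_LOG" | conflict_summary |
    while read -r client id req count first last; do
        if [ "$count" -ge 3 ]; then
            echo "$client id $id: $count copies in $(span_seconds "$first" "$last")s while request $req was pending"
        fi
    done
}

flag_retransmit_storms
```

Against a real log, `conflict_summary < /var/log/radius/radius.log` gives the per-client table; the roughly five-second spacing inside a series is the NAS retry timer, which is why raising max_request_time on its own does not make the lines go away.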
Re: Error: Dropping conflicting packet due to unfinished request
On Apr 4, 2005 10:14 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > Mon Apr 4 12:15:58 2005 : Error: Dropping conflicting packet from
> > client XXX:1645 - ID: 103 due to unfinished request 221
>
>   Your database is too slow, or your NAS is too fast.

mmhhh, the database seems ok, I'm not having performance issues with it... Also, another issue that worries me is that if I change my authentication method in /etc/raddb/users to be the following:

    DEFAULT Auth-Type := Accept
            Exec-Program-Wait = "/usr/local/php4/bin/php /path/to/script.php",
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Fall-Through = 0

and script.php is just:

I start receiving the following similar errors:

    Thu Apr 7 19:05:43 2005 : Error: Discarding duplicate request from client XXX:1645 - ID: 139 due to unfinished request 73857
    Thu Apr 7 19:05:53 2005 : Error: Discarding duplicate request from client XXX:1645 - ID: 139 due to unfinished request 73857
    Thu Apr 7 19:06:36 2005 : Error: WARNING: Unresponsive child (id 1467612080) for request 73857

What may be happening?? It can't take long to execute that!!! Should I run the radius in debug mode? Is this suitable in production? Any ideas?? Thanks again, Juan
Re: Error: Dropping conflicting packet due to unfinished request
Alan DeKok wrote:
> > also, another issue that worries me is that if I change my authentication method on /etc/raddb/users so as to be the following:
>
>   Ah... That's a bug in the "run external program" code. It's fixed in the latest CVS snapshot.

oh!!! well, I think it's a bit of good news then :P

>   For running external programs, "-f" is good enough.

ok

>   Maybe we should back-port some fixes, and release 1.0.3. 1.1.0 is still a ways off, due to various craziness.

that would be great! Is this just an idea, or have you decided it? If so, any idea on an approx. release date for 1.0.3? :)

thanks again! Juan
Re: Error: Dropping conflicting packet due to unfinished request
Dustin Doris wrote:
> If it's suitable to change the authentication method to test a php script, then it's definitely suitable to run in debug mode. I run in debug mode in production whenever there is an issue. If you're fast in killing the pid and starting in debug mode, then you won't lose any auths.

great

> What does top show you?

load is fine, it's usually around 0.99 or 1.0, sometimes it goes a bit higher than that. It's a dual Xeon 2.4GHz with 4GB of RAM, with about 3.5GB of RAM in use.
Re: Error: Dropping conflicting packet due to unfinished request
Alan DeKok wrote:
> > if so, any idea on an approx. release date for 1.0.3? :)
>
>   Some time in the future.

I really need to execute an external script. I have another radius running freeradius-0.9.3 on another server which is executing external scripts, so I guess the bug wasn't present in previous versions. Would it be too crazy to downgrade? Or should I use the latest from CVS? Is it stable for production? Thanks again, Juan
freeradius version and rlm_exec
Hi! In a previous thread, some weeks ago, I said I was having problems when using Exec-Program-Wait in my users file, that it apparently made my radius have timeouts when authenticating, and I was told there was a bug in it, and that it was fixed in CVS. I'm about to upgrade that radius server, so I want to know: I downloaded the latest CVS snapshot (freeradius-snapshot-20050421). Should I use this snapshot in production, or is it better to use 1.0.2 patched with the fix? If I should use a patched 1.0.2, what would be the best way to patch it? Just replace the "src/modules/rlm_exec/rlm_exec.c" file from 1.0.2 with the one from the snapshot and compile?? Thanks in advance, Juan
character encoding after upgrade
Hi again.. First thanks to Alan, and sorry if my previous question had already been asked. Now, I downloaded the 1.0.x branch from CVS, compiled it and configured it exactly like I had the 1.0.1 running, with mysql for accounting. I killed the 1.0.1 and started the new one, and the brace characters in usernames started being encoded or something: instead of appearing as "[" it appeared as "=5B", and instead of "]" it appeared as "=5D". The problem seems exactly the same as in: http://lists.cistron.nl/pipermail/freeradius-users/2005-January/039766.html The same, the problem is only at database level, logs appear ok. Now, it's not a database problem, since it's exactly the same mysql server I used with 1.0.1, using the same database. Moreover, after I saw this problem, I killed the new radiusd and started the 1.0.1 again, and the braces started being inserted ok. Should I add these characters to safe-characters in sql.conf?? If this is the case, why did this behaviour change between 1.0.1 and current CVS? Thanks again, Juan
replicating accounting logs to remote radius server
Hi! I'm using freeradius for authentication and accounting. I'm going to use some new realms, where incoming calls with those realms, apart from being logged on my radius, will have to be replicated to another radius server. I made some tests with proxying to a test radius server, and everything went fine, but I want to check if what I did is right, or if there is a better approach or something I may be missing... In my /etc/raddb/users file I've got:

    DEFAULT Auth-Type := Accept
            Exec-Program-Wait = "/path/to/script",
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Fall-Through = 0

I added in /etc/raddb/radiusd.conf:

    proxy_requests = yes

In /etc/raddb/proxy.conf, under the "proxy server" section, I set:

    default_fallback = yes

and at the end of that file I've got (supposing the realm is myRealm):

    realm myRealm {
        type     = radius
        authhost = radius.domain.tld:1600
        accthost = radius.domain.tld:1601
        secret   = secretKey
        nostrip
    }

    realm NULL {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
    }

    realm DEFAULT {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
    }

So any call with the myRealm realm will be authenticated and logged at radius.domain.tld, apart from being logged on my radius server, and any other call without that realm will be treated locally using the DEFAULT entry in my users file. Is this fine? I guess I could also use:

    realm myRealm {
        type     = radius
        authhost = LOCAL
        accthost = radius.domain.tld:1601
        secret   = secretKey
        nostrip
    }

so as to authenticate locally with the DEFAULT entry in my users file and replicate the accounting logs to the remote radius server radius.domain.tld. Is this approach fine? Thanks in advance, Juan
Re: Error: Dropping conflicting packet from client ...
Abdul Lateef wrote:
> [...]
> Mon May 2 12:34:44 2005 : Error: Dropping conflicting packet from client 212.100.235.227:1812 - ID: 11 due to unfinished request 2064
> [...]

heheh.. it seems you read my e-mail from last month: http://lists.freeradius.org/archives/freeradius-users/2005/04/frm00119.html almost verbatim!!! :P Anyway... If you follow this thread you'll see I was also having some similar errors when using Exec-Program-Wait with a php script. I was then told there was a bug in the Exec-Program-Wait code, and that I should upgrade to the latest CVS version. I upgraded and the errors I mentioned in my first e-mail disappeared, and Exec-Program-Wait started working fine, without any of the other similar errors. Regards, Juan
Re: Error: Dropping conflicting packet due to unfinished request
Dustin Doris wrote:

> > I run freeradius server (1.0.2) with ldap support on a debian sarge server. In the last few days I'm getting the error message "Error: Dropping conflicting packet due to unfinished request" a lot of times and the server dies too frequently. [...]
>
> Perhaps your ldap server might be running a little slow. Are you using openldap? If so, what version? Also, do you have the attributes you are searching with indexed? Finally, if you are using a BDB backend, what does your DB_CONFIG file show?

I suppose that if you're seeing it lots of times, and it dies frequently, it may be more related to LDAP and to what Dustin tells you. But I also add that, besides the external commands bug, I also saw some of those errors while NOT using external commands, which disappeared after upgrading to the latest 1.0.x version from CVS.

Regards,
Juan
Sending Session-Timeout on Exec-Program-Wait
Hi,

I'm using Exec-Program-Wait for user validation. In some cases I want to send back the Session-Timeout. According to what I've seen, in the script I execute on Exec-Program-Wait I can send back this value like this:

    print "Session-Timeout=$timeout\n";
    exit 0;   # Grant Access

Now, on this thread:
http://lists.cistron.nl/pipermail/freeradius-users/2004-March/029131.html
they say to add "Service-Type := Framed-User" to the reply in order to work with Cisco. Is this correct? Must I always send that value pair for it to work on Cisco systems? So it would end up being:

    print "Service-Type=Framed-User\n";
    print "Session-Timeout=$timeout\n";
    exit 0;   # Grant Access

Thanks in advance,
Juan
radclient: received response to request we did not send.
Hi,

I'm trying to use radclient in order to disconnect users, with the following PHP script:

But I receive the error:

    Sending Disconnect-Request of id 3 to aaa.aaa.aaa.aaa:1700
            Framed-IP-Address = xxx.xxx.xxx.xxx
    rad_recv: Disconnect-NAK packet from host aaa.aaa.aaa.aaa:1645, id=3, length=20
    radclient: received response to request we did not send.

This is the tcpdump (where bbb.bbb.bbb.bbb is the IP address of the server where I'm running the script from):

    21:07:59.171286 IP bbb.bbb.bbb.bbb.40122 > aaa.aaa.aaa.aaa.1700: UDP, length 26
    21:07:59.315031 IP aaa.aaa.aaa.aaa.datametrics > bbb.bbb.bbb.bbb.40122: RADIUS, Unknown Command (42), id: 0x03 length: 20

On my Cisco AS5300 I've added:

    aaa pod server auth-type any server-key secret

What can be the problem??

Thanks in advance,
Juan
radclient: received response to request we did not send.
Alan,

Sorry I didn't reply to your original mail, but I received it at home, and now I'm at work.

My problem was I was receiving this error:

    # /bin/echo 'Framed-IP-Address=192.168.1.197' | /home/radius/bin/radclient -d /home/radius/etc/raddb/ -x aaa.aaa.aaa.aaa disconnect secret
    Sending Disconnect-Request of id 196 to aaa.aaa.aaa.aaa:1700
            Framed-IP-Address = 192.168.1.197
    rad_recv: Disconnect-NAK packet from host aaa.aaa.aaa.aaa:1645, id=196, length=20
    radclient: received response to request we did not send.

You told me the problem is that I'm sending the packet to port 1700 and receiving the reply from port 1645... but how can I fix this?? I tried using:

    # /bin/echo 'Framed-IP-Address=192.168.1.197' | /home/radius/bin/radclient -d /home/radius/etc/raddb/ -x aaa.aaa.aaa.aaa:1700 disconnect secret

but I receive the same error, and with:

    # /bin/echo 'Framed-IP-Address=192.168.1.197' | /home/radius/bin/radclient -d /home/radius/etc/raddb/ -x aaa.aaa.aaa.aaa:1645 disconnect secret

I get no response from the NAS..

Thanks again!
Juan
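As an added illustration (not from this thread and not radclient's own code), here is a small model of the matching rule behind that error: a client associates a reply with an outstanding request by the address and port it sent to, the packet identifier, and the Response Authenticator, so a NAK arriving from port 1645 for a request sent to port 1700 is treated as unsolicited. Packet layout and authenticator rules follow RFC 2865 and RFC 5176; the shared secret, identifier and addresses are constructed values.

```python
import hashlib
import struct

# RADIUS packet codes for Dynamic Authorization (RFC 5176)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK"}
FRAMED_IP_ADDRESS = 8  # RFC 2865 attribute type


def build_disconnect_request(ident: int, framed_ip: str, secret: bytes) -> bytes:
    """Disconnect-Request with one Framed-IP-Address attribute, as radclient sends.
    Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)."""
    attrs = bytes([FRAMED_IP_ADDRESS, 6]) + bytes(int(o) for o in framed_ip.split("."))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Attribute-less Disconnect-ACK/NAK (length 20, like the NAK in the capture).
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def match_response(sent: dict, reply: bytes, reply_src: tuple, secret: bytes) -> str:
    """Classify `reply`, received from (host, port) `reply_src`, against the one
    outstanding request in `sent` ({"packet": bytes, "dst": (host, port)}).
    Modelled on the behaviour the thread describes: a reply whose source is not
    the address:port the request went to is not associated with it at all."""
    if reply_src != sent["dst"]:
        return "unsolicited: no request was sent to %s:%d" % reply_src
    if len(reply) < 20:
        return "malformed: shorter than the RADIUS header"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != sent["packet"][1]:
        return "unsolicited: id %d does not match" % ident
    if length != len(reply):
        return "malformed: length field %d != %d bytes" % (length, len(reply))
    # Only a peer holding the shared secret can produce this digest; without the
    # check, a reply from the right address:port could still be forged.
    expected = hashlib.md5(reply[:4] + sent["packet"][4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        return "dropped: bad Response Authenticator"
    return CODE_NAMES.get(code, "Unknown Command (%d)" % code)


def thread_scenario() -> dict:
    """Replay the exchange from the thread with constructed values:
    request id 196 sent to port 1700, an empty NAK answered from port 1645."""
    secret = b"secret"  # constructed shared secret
    req = build_disconnect_request(196, "192.168.1.197", secret)
    sent = {"packet": req, "dst": ("aaa.aaa.aaa.aaa", 1700)}
    nak = build_response(DISCONNECT_NAK, req, secret)
    return {
        "request_len": len(req),  # 26, as in the tcpdump line
        "nak_from_1645": match_response(sent, nak, ("aaa.aaa.aaa.aaa", 1645), secret),
        "nak_from_1700": match_response(sent, nak, ("aaa.aaa.aaa.aaa", 1700), secret),
        "nak_wrong_secret": match_response(
            sent, build_response(DISCONNECT_NAK, req, b"other"), ("aaa.aaa.aaa.aaa", 1700), secret),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenario().items():
        print(name, "->", verdict)
```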
FreeRadius + jradius core dump
Hi all,

I'm using freeradius + jradius and I get a core dump when freeradius is started normally. If I start freeradius with the option -X everything works fine. I'm using FreeBSD 5.4, FreeRadius 1.0.4 + jradius. Anyone had this issue before? Can somebody help me?

Thank you in advance
Juan Priotti

This is the coredump I get:

    [EMAIL PROTECTED] gdb /radiusd ./radiusd.core
    GNU gdb 6.1.1 [FreeBSD]
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)...
    Core was generated by `radiusd'.
    Program terminated with signal 10, Bus error.
    Reading symbols from /lib/libcrypt.so.2...(no debugging symbols found)...done.
    Loaded symbols for /lib/libcrypt.so.2
    Reading symbols from /usr/lib/libpthread.so.1...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libpthread.so.1
    Reading symbols from /lib/libcrypto.so.3...(no debugging symbols found)...done.
    Loaded symbols for /lib/libcrypto.so.3
    Reading symbols from /usr/lib/libssl.so.3...(no debugging symbols found)...done.
    Loaded symbols for /usr/lib/libssl.so.3
    Reading symbols from /usr/local/lib/libradius-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/libradius-1.0.4.so
    Reading symbols from /usr/local/lib/libltdl.so.4...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/libltdl.so.4
    Reading symbols from /lib/libc.so.5...(no debugging symbols found)...done.
    Loaded symbols for /lib/libc.so.5
    Reading symbols from /usr/local/lib/rlm_exec-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_exec-1.0.4.so
    Reading symbols from /usr/local/lib/rlm_expr-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_expr-1.0.4.so
    Reading symbols from /usr/local/lib/rlm_jradius.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_jradius.so
    Reading symbols from /usr/local/lib/rlm_preprocess-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_preprocess-1.0.4.so
    Reading symbols from /usr/local/lib/rlm_realm-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_realm-1.0.4.so
    Reading symbols from /usr/local/lib/rlm_acct_unique-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_acct_unique-1.0.4.so
    Reading symbols from /usr/local/lib/rlm_files-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_files-1.0.4.so
    Reading symbols from /usr/local/lib/rlm_detail-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_detail-1.0.4.so
    Reading symbols from /usr/local/lib/rlm_radutmp-1.0.4.so...(no debugging symbols found)...done.
    Loaded symbols for /usr/local/lib/rlm_radutmp-1.0.4.so
    Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
    Loaded symbols for /libexec/ld-elf.so.1
    #0  0x280c231b in pthread_testcancel () from /usr/lib/libpthread.so.1
    (gdb)
Re: FreeRadius + jradius core dump
Thank you Alan, it works with the -sf option.

regards
Juan

On 7/21/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Juan Priotti <[EMAIL PROTECTED]> wrote:
> > I'm using freeradius + jradius and I get a core dump when freeradius
> > is started normally. if I start freeradius with the option -X
> > everything works fine. I'm using FreeBSD 5.4, FreeRadius 1.0.4 +
> > jradius.
> > Anyone had this issue before? can somebody help me?
>
> The problem may be jradius, or the problem may be something I recall
> hearing about FreeBSD's signal handling & interaction with fork.
>
> For now, do "radiusd -sf", and it should work.
>
> Alan DeKok.
pairfind segmentation fault
Hi,

I'm writing a module2 for freeradius 2.1.10 on linux 2.6.18-194.el5PAE. This is the code:

    vp = pairfind(request->packet->vps, PW_USER_NAME);
    if (!vp) {
            /* User-Name is optional in a request: do not dereference a NULL pair */
            DEBUG("No User-Name in request");
            return RLM_MODULE_NOOP;
    }
    DEBUG("Found username = %s", vp->data.strvalue);

    /* create and add the cleartext-password check item */
    vp_clear_password = pairmake("Cleartext-password", "smart", T_OP_SET);
    pairadd(&request->config_items, vp_clear_password);

    /* create and add the callback-id reply item */
    vp = pairmake("callback-id", "0702005010701059", T_OP_SET);
    pairadd(&request->reply->vps, vp);

but pairfind is giving a segmentation fault:

    Program received signal SIGSEGV, Segmentation fault.
    0x00b2879b in authorize (instance=0x8184460, request=0x81bbc68) at ../main.c:135
    135         vp = pairfind(request->packet->vps,PW_USER_NAME);

I have no idea what the problem is. What is the difference between pairmake and radius_paircreate? When am I supposed to use pairfree? Please let me know what the problem is. Thanks!!
implementing 3gpp2 attributes
Hi,

I'm in the early stages of implementing a prepaid service for a CDMA network. I have to exchange radius packets using the 3gpp2 standard, which is an extension to the basic radius protocol. I'm facing an issue: the attributes in the 3gpp2 standard include attributes that contain sub-types, in the form of:

    Type: 26
    Length: variable, greater than 8
    Vendor-ID: 5535
    Vendor-Type: 91
    Vendor-Length: variable, greater than 2
    Sub-Type (=1): Sub-Type for AvailableInClient attribute
    Sub-Type (=2): Sub-Type for SelectedForSession attribute
    ...
    Sub-Type (=N):

I have done several tests to confirm that freeradius only supports simple attributes in the form of attribute = value. I need to implement the above; is there any way I can implement it? I don't mind doing all the work myself, but I do not see available or easy ways to access the actual data of the structures directly... Can someone please advise how to implement attributes such as the above? Thanks!
RE: implementing 3gpp2 attributes
Thank you very much Alan and Peter!! It is nice to know that freeradius is capable of doing so with minor changes in the dictionary. I'm using stable version 2.2, so I understand the master branch in git supports this; I will download it. Thanks a lot!!!

> From: jpablolorenze...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: implementing 3gpp2 attributes
> Date: Wed, 24 Apr 2013 22:35:58 +
> [...]
wireshark shows wrong information
Hi,

I'm implementing a module in which I'm using some TLVs, for which I modified dictionary.3gpp2 as very well suggested in a different thread, but I see that the data for those TLV fields is not encoded properly, or at least that is what wireshark is showing: even though debugging freeradius shows that the data being sent is correct, it differs from the data captured using tcpdump... Here is my dictionary entry:

    ATTRIBUTE  3GPP2-Prepaid-Acct-Quota                   90  tlv
    BEGIN-TLV  3GPP2-Prepaid-Acct-Quota
    ATTRIBUTE  3GPP2-Prepaid-Acct-Quota-QuotaIDentifier   1   integer
    ATTRIBUTE  3GPP2-Prepaid-Acct-Quota-VolumeQuota       2   integer
    ATTRIBUTE  3GPP2-Prepaid-Acct-Quota-VolumeThreshold   4   integer
    END-TLV    3GPP2-Prepaid-Acct-Quota

and for that I'm writing the following code:

    pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));
    pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-VolumeQuota", "100", T_OP_EQ));
    pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-VolumeThreshold", "100", T_OP_EQ));
RE: wireshark shows wrong information
I'm sorry, I accidentally pressed the wrong combination of keys and the mail was sent; resuming my message below.

This is the data that tcpdump shows as being transmitted for this attribute:

    type          = 1a
    length        = 1a
    vendor        = 00 00 15 9f
    vendor-type   = 5a
    vendor-length = 14
    subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)  subtype-length = 06  value = f3 08 48 12
    subtype = 02 (3GPP2-Prepaid-Acct-Quota-VolumeQuota)      subtype-length = 06  value = 00 00 00 00
    subtype = 04 (3GPP2-Prepaid-Acct-Quota-VolumeThreshold)  length = 06          value = 00 00 88 fa

I don't see where I'm going wrong... Any help will be appreciated.

> From: jpablolorenze...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: wireshark shows wrong information
> Date: Thu, 25 Apr 2013 20:53:58 +
> [...]
RE: wireshark shows wrong information
Thank you very much for your reply. Please find attached the pcap file. The Access-Accepts are "my" packets.. those are the ones with the problem. Thanks!

> From: jpablolorenze...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: wireshark shows wrong information
> Date: Thu, 25 Apr 2013 21:00:51 +
> [...]

access-request.pcap (Description: Binary data)
RE: wireshark shows wrong information
I realise now that I may not have been very clear in my explanation of the problem. The problem is that all values for the fields are the wrong values. For example, this is my code:

    pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));

and this is what travels on the wire:

    subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)  subtype-length = 06  value = f3 08 48 12

and this happens for all values... I might be missing something. Thanks!

> From: jpablolorenze...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: wireshark shows wrong information
> Date: Thu, 25 Apr 2013 21:00:51 +
> [...]
RE: wireshark shows wrong information
Alan, can you please elaborate a little bit more... What do you mean that you see the correct value? I see the value "f3 08 48 12" when I'm actually expecting "0001". I really don't see where it is actually correct... Thanks!!!

> From: jpablolorenze...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: wireshark shows wrong information
> Date: Fri, 26 Apr 2013 14:22:20 +
> [...]
RE: wireshark shows wrong information
Hi Alan,

I'm sorry if I'm not being clear enough, but please consider the example from my last reply. This is the code in the module:

    pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));

and this is what travels on the wire:

    subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)  subtype-length = 06  value = f3 08 48 12

As you see, the value is expected to be 0001 and not f3 08 48 12. Maybe it is a misunderstanding on my part. I'm using freeradius stable 2.2 and wireshark 1.8.6. Thanks!

> From: jpablolorenze...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: wireshark shows wrong information
> Date: Fri, 26 Apr 2013 14:22:20 +
> [...]
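For the attribute layout described in the "implementing 3gpp2 attributes" thread and the bytes transcribed from tcpdump in this one, here is an added decoder/encoder (not the poster's module code and not FreeRADIUS's own): it walks the Vendor-Specific attribute with length checks, and re-encodes the values the module set so the captured and intended byte strings can be compared. The captured hex is taken from the message; the sub-type names come from the poster's dictionary fragment.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type
VENDOR_3GPP2 = 5535   # Vendor-ID from the thread (00 00 15 9f on the wire)
# Sub-type numbers from the poster's dictionary fragment
SUBTYPE_NAMES = {1: "QuotaIDentifier", 2: "VolumeQuota", 4: "VolumeThreshold"}

# Constructed from the hex the poster transcribed from tcpdump
CAPTURED_VSA = bytes.fromhex(
    "1a 1a 00 00 15 9f 5a 14"
    "01 06 f3 08 48 12"
    "02 06 00 00 00 00"
    "04 06 00 00 88 fa"
)


def decode_vsa(data: bytes) -> dict:
    """Parse one Vendor-Specific attribute whose vendor data is a run of
    sub-type TLVs (Sub-Type, Sub-Length, Value). Every length is checked so
    a truncated or padded attribute raises instead of being misread."""
    if len(data) < 8 or data[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = data[1]
    if length != len(data):
        raise ValueError("Length %d != %d bytes present" % (length, len(data)))
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vendor_type, vendor_length = data[6], data[7]
    if vendor_length != length - 6:
        raise ValueError("Vendor-Length %d does not cover the vendor data" % vendor_length)
    subtypes, pos = {}, 8
    while pos < length:
        if length - pos < 2:
            raise ValueError("dangling byte at offset %d" % pos)
        sub, sub_len = data[pos], data[pos + 1]
        if sub_len < 2 or pos + sub_len > length:
            raise ValueError("Sub-Type %d length %d out of bounds" % (sub, sub_len))
        # Sub-Length counts its own two header bytes, hence 6 for a 4-byte integer
        subtypes[sub] = data[pos + 2:pos + sub_len]
        pos += sub_len
    return {"vendor_id": vendor_id, "vendor_type": vendor_type, "subtypes": subtypes}


def encode_vsa(vendor_id: int, vendor_type: int, values: dict) -> bytes:
    """Inverse of decode_vsa for 32-bit integer sub-types (dictionary type 'integer')."""
    body = b"".join(bytes([sub, 6]) + struct.pack("!I", val) for sub, val in sorted(values.items()))
    vendor_data = bytes([vendor_type, 2 + len(body)]) + body
    return bytes([VENDOR_SPECIFIC, 6 + len(vendor_data)]) + struct.pack("!I", vendor_id) + vendor_data


def compare_with_intended() -> dict:
    """Per sub-type: (value on the wire, value the module set with pairmake)."""
    intended = {1: 1, 2: 100, 4: 100}
    seen = decode_vsa(CAPTURED_VSA)["subtypes"]
    return {SUBTYPE_NAMES[s]: (struct.unpack("!I", seen[s])[0], v) for s, v in intended.items()}


def expected_wire_bytes() -> bytes:
    """What the capture would contain if the three integers went out as set."""
    return encode_vsa(VENDOR_3GPP2, 90, {1: 1, 2: 100, 4: 100})


if __name__ == "__main__":
    for name, (seen, wanted) in compare_with_intended().items():
        print("%-16s wire=%#010x intended=%d" % (name, seen, wanted))
    print("expected bytes:", expected_wire_bytes().hex())
```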
accessing subtypes (tlv)
Hi,

I have downloaded and installed freeradius from git master, FreeRADIUS Version 3.0.0 (git #7a9281c). I'm developing a module to do some charging based on 3gpp2 standards for a cdma network. I have modified the dictionary to reflect a sub-type in one of the attributes:

    ATTRIBUTE  3GPP2-Prepaid-acct-Capability                    91    tlv
    ATTRIBUTE  3GPP2-Prepaid-acct-Capability-AvailableInClient  91.1  integer

but I'm having trouble accessing 3GPP2-Prepaid-acct-Capability-AvailableInClient; basically I don't know how, and I can't find an example in the code so far. When I do:

    ppac = pairfind(request->packet->vps, 91.1, 5535, TAG_ANY)

or

    ppac = pairfind(request->packet->vps, 91, 5535, TAG_ANY)

they both return null. Any hint will be appreciated as to how I can access the values in the sub-types of any tlv-type attribute. The other option is just to put the dictionary back to octets type and access the values manually, but I know this version of freeradius supports tlv, so I would like to find a way to do it using freeradius capabilities. Thanks!
RE: accessing subtypes (tlv)
Hi, thank you very much, that worked. Regarding the float as parameter, I should not have sent that as an example because it was wrong anyway; as you very well mentioned, the function is not expecting a float.. lol... Thanks for the advice too!

> From: jpablolorenze...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: accessing subtypes (tlv)
> Date: Wed, 15 May 2013 19:55:56 +
> [...]
How to Authenticate Mysql Users with freeradius editing the users file
Hi. I had been installed freeradius 2.0.4 in debian 4.0 and with daloradius like web management interface Now i'm have an inconvenient with the users that i have in mysql. That users can autenthicate in mysql but, can't get authenticate completly; i think you know waht I mean. Freeradius don't authenticate with mysql, so it uses another ways like EAP, PAP an others. I had been edited the users file in the attribute auth-type with various values: Local, EAP, PAP, System... I got this when i try to loggin i got this: rad_recv: Access-Request packet from host 127.0.0.1 port 32814, id=68, length=212 Vendor-14559-Attr-8 = 0x312e302e3132 User-Name = "juanpal" User-Password = "juanpal" NAS-IP-Address = 192.168.181.1 Service-Type = Login-User Framed-IP-Address = 192.168.181.2 Calling-Station-Id = "08-00-27-0A-F7-67" Called-Station-Id = "08-00-27-C0-08-85" NAS-Identifier = "nas01" Acct-Session-Id = "499d9aa80001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 WISPr-Logoff-URL = "http://192.168.181.1:3990/logoff"; Message-Authenticator = 0xd5b4b59894a7fbb350da9e2f90d9eb5c +- entering group authorize ++[preprocess] returns ok expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090219 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090219 expand: %t -> Thu Feb 19 13:13:58 2009 ++[auth_log] returns ok expand: %{Realm} -> ++[attr_filter] returns noop ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "juanpal", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop users: Matched entry DEFAULT at line 61 WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. 
users: Matched entry DEFAULT at line 201 ++[files] returns ok expand: %{User-Name} -> juanpal rlm_sql (sql): sql_set_user escaped user --> 'juanpal' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'juanpal' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'juanpal' ORDER BY id expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='juanpal' rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Login incorrect: [juanpal/juanpal] (from client localhost port 1 cli 08-00-27-0A-F7-67) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 68 to 127.0.0.1 port 32814 Service-Type = Login-User Session-Timeout := 2400 Waking up in 4.9 seconds. Cleaning up request 0 ID 68 with timestamp +10 Ready to process requests. As you see, the user juanpal authenticate with mysql but the next step stop him My user file has this: DEFAULT Auth-Type := Local, Crypt-password = User-Password Fall-Through = yes Whit auth-type = System, the users need to be Systems users. Whit aut-type = ACCEPT, anyone can loggin. I don't know what try now, i had been google, read in many forums. Thanks a lot. -- Juan Pablo Botero Administrador de Sistemas informáticos http://jpill.wordpress.com eSSuX: http://slcolombia.org/eSSuX Linux Registered user #435293 - List info/subscribe/unsubscribe? 
Re: How to Authenticate Mysql Users with freeradius editing the users file
t-Id (S0, S1 etc) will be added to it.
#
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#	Framed-IP-Address = 192.168.1.32+,
#	Fall-Through = Yes
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"
#	Framed-IP-Address = 192.168.2.32+,
#	Fall-Through = Yes
#
# Sample defaults for all framed connections.
#
#DEFAULT	Service-Type == Framed-User
#	Framed-IP-Address = 255.255.255.254,
#	Framed-MTU = 576,
#	Service-Type = Framed-User,
#	Fall-Through = Yes
#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#	by the terminal server in which case there may not be a "P" suffix.
#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP
#
# Last default: rlogin to our main server.
#
#DEFAULT
#	Service-Type = Login-User,
#	Login-Service = Rlogin,
#	Login-IP-Host = shellbox.ispdomain.com
#
# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#	Service-Type = Administrative-User
# On no match, the user is denied access.

Thanks

--
Juan Pablo Botero
Administrador de Sistemas informáticos
http://jpill.wordpress.com
eSSuX: http://slcolombia.org/eSSuX
Linux Registered user #435293
Re: How to Authenticate Mysql Users with freeradius editing the users file
On Fri, Feb 20, 2009 at 9:12 AM, wrote:
> >i didn't force any authentication, I left the users file by default, when i
> >tried to login i got this:
> >
> ..
> >++[files] returns noop
>
> OK. Files are empty now. But ...
>
> >expand: %{User-Name} -> juanpal
> >rlm_sql (sql): sql_set_user escaped user --> 'juanpal'
> >rlm_sql (sql): Reserving sql socket id: 1
> >expand: SELECT id, UserName, Attribute, Value, op FROM
> >radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
> >-> SELECT id, UserName, Attribute, Value, op FROM
> >radcheck WHERE Username = 'juanpal' ORDER BY id
> >rlm_sql (sql): User found in radcheck table
>
> .. this should be the password. And ...
>
> ..
> >++[sql] returns ok
> >auth: No authenticate method (Auth-Type) configuration found for the
> >request: Rejecting the user
> >auth: Failed to validate the user.
>
> .. no pap module. Why did you remove the pap from authorize? Put it back.

I put pap in the authorize section in radius.conf. I got this:

rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=32, length=212
Vendor-14559-Attr-8 = 0x312e302e3132
User-Name = "juanpal"
User-Password = "juanpal"
NAS-IP-Address = 192.168.181.1
Service-Type = Login-User
Framed-IP-Address = 192.168.181.2
Calling-Station-Id = "08-00-27-0A-F7-67"
Called-Station-Id = "08-00-27-C0-08-85"
NAS-Identifier = "nas01"
Acct-Session-Id = "499e74280001"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
WISPr-Logoff-URL = "http://192.168.181.1:3990/logoff"
Message-Authenticator = 0x0e0a63b0ee1fb9a95992d227586a9090
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090220
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20090220
expand: %t -> Fri Feb 20 04:24:43 2009
++[auth_log] returns ok
expand: %{Realm} ->
++[attr_filter] returns noop
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "juanpal", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{User-Name} -> juanpal
rlm_sql (sql): sql_set_user escaped user --> 'juanpal'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'juanpal' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'juanpal' ORDER BY id
expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='juanpal'
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_pap: Normalizing MD5-Password from hex encoding
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "juanpal"
rlm_pap: No password configured for the user. Cannot do authentication
++[pap] returns fail
auth: Failed to validate the user.
Login incorrect: [juanpal/juanpal] (from client localhost port 1 cli 08-00-27-0A-F7-67)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to 127.0.0.1 port 32770
Session-Timeout := 2400

>
> Ivan Kalik
> Kalik Informatika ISP
>

--
Juan Pablo Botero
Administrador de Sistemas informáticos
http://jpill.wordpress.com
eSSuX: http://slcolombia.org/eSSuX
Linux Registered user #435293
Re: How to Authenticate Mysql Users with freeradius editing the users file
I changed the user's password from md5 to User-Password and can log in. I don't know if that was the suggestion, but thanks a lot.

On Fri, Feb 20, 2009 at 10:00 AM, wrote:
> >rlm_pap: Normalizing MD5-Password from hex encoding
> >++[pap] returns updated
>
> Try with Cleartext-Password first. And use := not == as operator.
>
> Ivan Kalik
> Kalik Informatika ISP
>

--
Juan Pablo Botero
Administrador de Sistemas informáticos
http://jpill.wordpress.com
eSSuX: http://slcolombia.org/eSSuX
Linux Registered user #435293
Re: How to Authenticate Mysql Users with freeradius editing the users file
NAS-Port-Id = "0001"
Framed-IP-Address = 192.168.181.3
Acct-Session-Id = "499ee06c0001"
NAS-IP-Address = 192.168.181.1
Called-Station-Id = "08-00-27-C0-08-85"
NAS-Identifier = "nas01"
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 1,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 192.168.181.1,Acct-Session-Id = "499ee06c0001",User-Name = "juanpal"'
rlm_acct_unique: Acct-Unique-Session-ID = "d2c306121c0bde41".
++[acct_unique] returns ok
rlm_realm: No '@' in User-Name = "juanpal", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20090220
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20090220
expand: %t -> Fri Feb 20 11:55:31 2009
++[detail] returns ok
expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
expand: %{User-Name} -> juanpal
++[radutmp] returns ok
expand: %{User-Name} -> juanpal
rlm_sql (sql): sql_set_user escaped user --> 'juanpal'
expand: INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0') -> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('499ee06c0001', 'd2c306121c0bde41', 'juanpal', '', '192.168.181.1', '1', 'Wireless-802.11', '2009-02-20 11:55:31', '0', '0', '', '', '', '0', '0', '08-00-27-C0-08-85', '08-00-27-D6-27-3B', '', '', '', '192.168.181.3', '', '0')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
Sending Accounting-Response of id 4 to 127.0.0.1 port 3779
Finished request 5.
Cleaning up request 5 ID 4 with timestamp +171
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 4 ID 55 with timestamp +171
Ready to process requests.

Thanks a lot

On Fri, Feb 20, 2009 at 12:49 PM, wrote:
> >I changed the user's password from md5 to User-Password and can log in.
> >
> >I don't know if that was the suggestion, but thanks a lot
> >
> >>
> >> Try with Cleartext-Password first. And use := not == as operator.
> >>
>
> No. I meant what I wrote. User-Password shouldn't be used. Use
> Cleartext-Password.
>
> Ivan Kalik
> Kalik Informatika ISP
>

--
Juan Pablo Botero
Administrador de Sistemas informáticos
http://jpill.wordpress.com
eSSuX: http://slcolombia.org/eSSuX
Linux Registered user #435293
Re: Rlm_sqlcounter log problem
In my case, that is not necessary; you can comment out those lines and try with 'freeradius -X'.

On Wed, Feb 25, 2009 at 9:51 AM, Devrim Seral wrote:
> Hi all,
> I have a little problem with freeradius. And I can't find any solution for
> it..
> We have logged failed login attempts with the following statement: (It's taken
> from the Freeradius Wiki)
> Post-Auth-Type REJECT {
>	# Login failed: log to SQL database.
>	sql
> }
>
> However when we use rlm_sqlcounter this module can't be handled with the above
> statement.
>
> So how is it possible to log users that are rejected by the rlm_sqlcounter module?
> Regards..
> devrim

--
Juan Pablo Botero
Administrador de Sistemas informáticos
http://jpill.wordpress.com
eSSuX: http://slcolombia.org/eSSuX
Linux Registered user #435293
RE: Cisco VoIP
Greg, I have been searching for the same information and have not found much… If I could get pointed in the right direction or get it working, I don’t have a problem with documenting…

Good Luck,
JC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory D. Burns
Sent: Wednesday, August 18, 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: Cisco VoIP

Group, I have used freeradius to collect CDR’s from Cisco before. But I want to learn how much can really be done, and also wanted to allow my customers to do some config changes (like adding new gateways) from a web interface. At this point I’m doing a lot of reading and testing, but I notice a lot of what I’m reading does not apply to using it for Cisco VoIP CDRs. So my question is: does anyone know of a good web page, news group, IRC, or whatever, that talks about using freeradius on VoIP gateways?

-Greg
Errors in the initialization of EAP/PEAP with freeradius (URGENT HELPPP!!)
ertificate_file:ASN1 lib:ssl_rsa.c:536:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

I've searched in Google, read all the messages in the freeradius users list, searched a lot of forums, tried lots of possibilities, and nothing... I'm stuck on that problem and I need a solution fast or my boss will cut my head off with a dull knife... :) Please, someone send me some tip!!! Thanx in advance.

Juan Campanini
Chipsur Sistemas Informáticos S.L.
www.chipsur.es
RE: Errors in the initialization of EAP/PEAP with freeradius (URGENT HELPPP!!)
Thanx for the response...
Yep, I've tried to regenerate the certificates, and nothing...
Maybe the problem is related to the distribution? I'm using Suse Linux Pro 9.1, but it seems that all of you are using RedHat... I'm considering building from scratch in RH.

Juan Campanini
Chipsur Sistemas Informáticos S.L.
www.chipsur.es

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 29 December 2004 16:33
To: freeradius-users@lists.freeradius.org
Subject: Re: Errors in the initialization of EAP/PEAP with freeradius (URGENT HELPPP!!)

"Juan Andres Campanini" <[EMAIL PROTECTED]> wrote:
> When I configure freeradius following the directives in this document:
> http://www.broadbandreports.com/forum/remark,9286052~mode=flat

Hmm... try using the documentation included with FreeRADIUS, or the docs pointed to from http://www.freeradius.org/doc/

> rlm_eap_tls: Error reading certificate file

Yup. OpenSSL doesn't produce useful errors.

> I've searched in Google, read all the messages in the freeradius users
> list, searched a lot of forums, tried lots of possibilities, and
> nothing... I'm stuck on that problem and I need a solution fast or my
> boss will cut my head off with a dull knife... :)

Regenerate the certificates using the scripts that are included with the server. See scripts/CA.certs, for example.

Alan DeKok.
RE: Errors in the initialization of EAP/PEAP with freeradius (URGENT HELPPP!!)
yep... I know... and it's clear that the error is related to the certificates, but I can't get rid of it. I've tried different versions of openssl, different versions of freeradius, different procedures, but nothing... Has no one had the same error?

Juan Campanini
Chipsur Sistemas Informáticos S.L.
www.chipsur.es

-----Original Message-----
From: Stuart Harris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 29 December 2004 17:17
To: freeradius-users@lists.freeradius.org
Subject: RE: Errors in the initialization of EAP/PEAP with freeradius (URGENT HELPPP!!)

Just to dispel your myth that we all use redhat ... I've got clients running it on Debian and also on FreeBSD .. :P

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Juan Andres Campanini
> Sent: 29 December 2004 15:58
> To: freeradius-users@lists.freeradius.org
> Cc: Alan DeKok
> Subject: RE: Errors in the initialization of EAP/PEAP with
> freeradius (URGENT HELPPP!!)
>
> Thanx for the response...
> Yep, I've tried to regenerate the certificates, and nothing...
> Maybe the problem is related to the distribution? I'm using
> Suse Linux Pro 9.1, but it seems that all of you are using
> RedHat... I'm considering building from scratch in RH.
>
> Juan Campanini
> Chipsur Sistemas Informáticos S.L.
> www.chipsur.es
>
>
> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 29 December 2004 16:33
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Errors in the initialization of EAP/PEAP with
> freeradius (URGENT HELPPP!!)
>
>
> "Juan Andres Campanini" <[EMAIL PROTECTED]> wrote:
> > When I configure freeradius following the directives in
> this document:
> > http://www.broadbandreports.com/forum/remark,9286052~mode=flat
>
> Hmm... try using the documentation included with
> FreeRADIUS, or the docs pointed to from http://www.freeradius.org/doc/
>
> > rlm_eap_tls: Error reading certificate file
>
> Yup. OpenSSL doesn't produce useful errors.
>
> > I've searched in Google, read all the messages in the freeradius
> > users list, searched a lot of forums, tried lots of possibilities, and
> > nothing... I'm stuck on that problem and I need a solution
> fast or my
> > boss will cut my head off with a dull knife... :)
>
> Regenerate the certificates using the scripts that are
> included with the server. See scripts/CA.certs, for example.
>
> Alan DeKok.
RE: Errors in the initialization of EAP/PEAP with freeradius (URGENT HELPPP!!)
-----Original Message-----
From: Stuart Harris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 29 December 2004 18:32
To: freeradius-users@lists.freeradius.org
Subject: RE: Errors in the initialization of EAP/PEAP with freeradius (URGENT HELPPP!!)

ok, as I showed bad etiquette last time by re-posting the whole message + top posting, I'll try to be good this time :P

You said you tried different versions of openSSL.. are you sure.. I have numerous problems when I update openSSL .. by default when you link against it, the linker first looks in /lib (which on many distros, have a libcrypto and or libssl there...) then /usr/lib (usual place for openssl) and then finally /usr/local/lib... it's very very easy to configure/build against conflicting installs of openSSL.. a good example of this is Apache and or PHP.. both are kind of weak (ironically) when it comes to using openSSL in a specified location (can set -with-ssl= but it still prefers default if it exists) ... so if you are trying with 'other versions of openssl' ensure that...

/usr/lib/libcrypto*
/usr/lib/libssl*
/usr/include/openssl*
/lib/libcrypto*
/lib/libssl*

all point to 'the right version' ... if you've rebuilt freeradius you can use ldd to check which ssl library freeradius has built against, and then check to see if that library is in fact the correct one.. there is a tool in the contrib directory of openssh (note openssh not openssl!) called findssl.sh ... which is very good for checking ssl sanity.. hope this helps a little :P

---

Yes, I've made the same mistake, sorry to all. Responding to your questions, thanks for the details. I will do that check! But every time I've tried a new version of openssl or freeradius, I've installed a fresh OS, to avoid that kind of problem, since it takes 15 to build a basic system... :) The info will be helpful to me in future tests.

Juan Campanini
Chipsur Sistemas Informáticos S.L.
www.chipsur.es
EAP md5
Hi everyone, I'm having a problem with the freeradius 1.0.4 configuration. I configured it to work with PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. Now I would like to work with EAP-MD5 but I always get the same response:

rad_recv: Access-Request packet from host 192.168.2.63:1108, id=65, length=88
Waking up in 31 seconds...
Thread 1 got semaphore
Thread 1 handling request 5, (2 handled so far)
User-Name = "juan"
EAP-Message = 0x025700180410b8c3ecb73fe2a82ab50152301561f65f0008
State = 0x36f19352ad8e53da9ad68e321a2a1a81
Message-Authenticator = 0x676a955991b9dcdee684a339aa8420c2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "juan", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 87 length 24
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry juan at line 93
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Thread 1 waiting to be assigned a request
--- Walking the entire request list ---
Sending Access-Reject of id 65 to 192.168.2.63:1108
EAP-Message = 0x04570004
Message-Authenticator = 0x
Reply-Message = "Hello, %u"

I really don't know what to do. I'm almost sure it's the radiusd.conf or eap.conf files. Can anybody help me?? Thank you!!
(no subject)
I am doing a client interface for radius authentication. To test my progress I have installed freeradius 1.0.4 on SuSE 9.3. I have configured almost all of the protocols (PAP, CHAP, MS-CHAPv1, MS-CHAPv2), but when I tried to configure EAP-MD5 I had a lot of problems, like "no password found", etc. I changed some things in my program, then I tested it with WinRadius and it worked; but when I tested it with my freeradius it didn't work. I would like to know how to configure my freeradius 1.0.4 so it works with EAP-MD5. I send you the error messages from "./radiusd -xxyz -l stdout":

rad_recv: Access-Request packet from host 192.168.2.63:1594, id=80, length=55
--- Walking the entire request list ---
Cleaning up request 7 ID 97 with timestamp 42fb4a13
Waking up in 31 seconds...
Thread 4 got semaphore
Thread 4 handling request 8, (2 handled so far)
User-Name = "test"
EAP-Message = 0x025200090174657374
Message-Authenticator = 0x3ad1dba850a6555f55e323c808b2acd0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
users: Matched entry test at line 91
modcall[authorize]: module "files" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 82 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 8
modcall: group authenticate returns handled for request 8
Sending Access-Challenge of id 80 to 192.168.2.63:1594
Reply-Message = "Hello, %u"
EAP-Message = 0x015300160410f37740423ba2a90d29911e943424e5a3
Message-Authenticator = 0x
State = 0x78773e2f34d4b5159977be0ef3156654
Finished request 8
Going to the next request
Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.2.63:1594, id=80, length=88
Waking up in 31 seconds...
Thread 5 got semaphore
Thread 5 handling request 9, (2 handled so far)
User-Name = "test"
EAP-Message = 0x0253001804105060ab97739328de2b67fa7930d8633e0008
State = 0x78773e2f34d4b5159977be0ef3156654
Message-Authenticator = 0x3ebc35a4d37c84a293d3a3d4eb0a21fb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
users: Matched entry test at line 91
modcall[authorize]: module "files" returns ok for request 9
modcall[authorize]: module "chap" returns noop for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 9
rlm_eap: EAP packet type response id 83 length 24
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
modcall: group authorize returns updated for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 9
modcall: group authenticate returns reject for request 9
auth: Failed to validate the user.
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
Thread 5 waiting to be assigned a request
--- Walking the entire request list ---
Sending Access-Reject of id 80 to 192.168.2.63:1594
EAP-Message = 0x04530004
Message-Authenticator = 0x
Reply-Message = "Hello, %u"
Cleaning up request 9 ID 80 with timestamp 42fb4a30

THANK YOU!
Message without subject. EAP-MD5
Sorry for my last message without a subject. I've already repaired my problem. I had put in my users file:

"test"	User-Password := password
#	Auth-Type = Local
	Reply-Message = "Hello, %u"

and this Reply-Message (which is included in the users file as an example) was the reason for my server not to work. I've only commented out this line and the server works again. Thank you!!! I will ask you something about the LEAP protocol soon.
LEAP and PEAP protocols
Hi everybody again, I would like to know if any of you has some information about the LEAP and PEAP protocols. Does any RFC about them exist? I find nothing on the net. Thank you!!!

Juan
PEAP Configuration
Hello, I am trying to configure the PEAP protocol with my freeRadius 1.0.4. I have already configured PAP, CHAP, MS-CHAP v1, MS-CHAP v2, EAP-md5, LEAP, but I really don't understand the documentation about it. Can anybody help me? Thanks a lot.

JUAN DANIEL MORENO
EAP OTP
Hello everyone, I am interested in EAP protocols with OTP (one time password). I would like to configure my freeradius 1.0.4 to be able to authenticate passwords which have been created with Shawan's method and an external key. Can anybody help me? Thank you,

Juan Daniel MORENO
PEAP TLS establishment and certificates
Hi everyone, I would like to configure a freeradius 1.0.4 with the PEAP protocol and OpenSSL certificates. My first question is where should I place the certificates generated with OpenSSL? As I am developing a client's interface, can anybody tell me how to "create" the Client_Hello packet? Thank you very much!!

Juan Daniel MORENO
LEAP Protocol
Hi everyone, it's me again!! I have a question about freeradius 1.0.4. With the LEAP protocol, the last packet sent by the server has a "leap-session-key". Does anybody know how this key is generated? Thank you very much!!!

Juan Daniel MORENO
Radius PEAP protocol
Hi everyone, I am trying to create a client's interface for the Radius PEAP protocol. The server has done all I wanted it to do, but now I have a question about the finish handshake message I have to send. When I get the server's certificate, I get a public key too. I have to "public-key-encrypt" a PreMasterSecret that is a vector of 46 random bytes and the tls version (1.0). My question is how I can do that. Am I obliged to get the ssl libraries to "public-key-encrypt" this packet? Thank you for any complementary information.

Juan Daniel MORENO
PEAP Public_key_exchange padding
Hi, I am using a freeRadius 1.0.4 and I would like to know something about client_key_exchange(). Into this function it is necessary to specify a padding system that the server accepts. My question is, which of these paddings:

RSA_PKCS1_PADDING
RSA_PKCS1_OAEP_PADDING
RSA_SSLV23_PADDING
RSA_NO_PADDING

is accepted by freeRadius 1.0.4? Thank you very much.

Juan Daniel MORENO
PEAP Protocol
Hi everyone, I have a little problem with freeradius 1.0.4. It's maybe something I don't understand but I really need help. With the PEAP protocol, I have a user test with its own password. The first 8 packets are fine but as I send the 9th, radius says "Length in packet header doesn't match actual length". Does it mean that the length in the first packet (when I send a two-packet certificate) is greater or less than in the second packet? Or is it just the header length in this very packet? Thank you for your help.

Juan Daniel MORENO
SSL3_GET_CLIENT_KEY_EXCHANGE
Hi everyone, I have a problem and I would like to ask you what to do. My problem is with the PEAP protocol when I send the Client_Key_Exchange. The FreeRadius 1.0.4 server tells me:

SSL3_GET_CLIENT_KEY_EXCHANGE: tls rsa encrypted value length is wrong: s3_srvr.c: 1450:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

I am using the OpenSSL libraries and everything seems to work (the key is found by X509_get_pubkey). And I send all this data with RSA_public_encrypt(). I don't know what I'm doing wrong. Please help me! THANKS,

JUAN
Re: SSL3_GET_CLIENT_KEY_EXCHANGE
>
> The protocol specification describes this. The implementation in
> src/modules/rlm_eap/ contains diagrams of the packets it expects to
> receive.
>
> Alan DeKok.
>

Thank you Alan, but now I have a new problem. I have been reading src/modules/rlm_eap/ to understand my problem but I don't find the issue. In the TLS establishment, the public key in server.cert is 128 bytes long. I generate a random string of 46 bytes and the protocol version (TLS 1.0 (0x03, 0x01)) and I use the SSL function RSA_public_encrypt() with the server's public key to encrypt the PreMasterSecret. As a result I get a 128-byte string. As I send this data to the server, I get "tls rsa encrypted length is wrong: s3_srvr.c: 1450:". Can anybody please tell me where my problem can be? Here is my code, for example.

#include <stdlib.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>

void Client_Key_Exchange (SSLData *ClientSSLData, unsigned short *length,
                          char *HandshakeMessages, unsigned short *length_Hndshk,
                          char *buff)
{
    int i;
    char *PreMasterSecret = (char *) _MEMORY_Allocate (58, true);
    char *EncryptedPreMasterSecret = (char *) _MEMORY_Allocate (128, true);
    char *temp = (char *) _MEMORY_Allocate (58, true);
    unsigned char *tmpCert = (unsigned char *) _MEMORY_Allocate (ClientSSLData->certificate_len + 128, true);
    const unsigned char *p;   /* d2i_X509 advances this pointer; tmpCert itself stays put */

    _RANDOM_MakeCharString (temp, 46);

    /* PreMasterSecret = client_version (3, 1) followed by 46 random bytes */
    PreMasterSecret[0] = 0x03;
    PreMasterSecret[1] = 0x01;
    for (i = 0; i < 46; i++) {
        PreMasterSecret[i + 2] = temp[i];
        ClientSSLData->PreMasterSecret[i] = PreMasterSecret[i];   /* kept for the master secret derivation */
    }

    for (i = 0; i < ClientSSLData->certificate_len; i++)
        tmpCert[i] = (unsigned char) ClientSSLData->certificate[i];

    /* OpenSSL: parse the DER server certificate and take its RSA public key */
    X509 *cert = NULL;
    EVP_PKEY *evp;
    RSA *server_public_key;
    p = tmpCert;
    cert = d2i_X509 (&cert, &p, ClientSSLData->certificate_len);
    evp = X509_get_pubkey (cert);
    server_public_key = EVP_PKEY_get1_RSA (evp);
    int rsasize = RSA_size (server_public_key);   /* 128 for the 1024-bit server key */

    /* Encrypt the 48-byte PreMasterSecret with PKCS#1 v1.5 padding */
    int Encrypted_len = RSA_public_encrypt (48, (unsigned char *) PreMasterSecret,
                                            (unsigned char *) EncryptedPreMasterSecret,
                                            server_public_key, RSA_PKCS1_PADDING);

    ClientSSLData->bufferSSL[(*length)++] = 0x16;                       // Handshake record
    ClientSSLData->bufferSSL[(*length)++] = 0x03;                       // Version
    ClientSSLData->bufferSSL[(*length)++] = 0x01;                       // Version
    ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) / 256;  // Record length
    ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len + 6) % 256;  // Record length
    ClientSSLData->bufferSSL[(*length)++] = 0x10;                       // Client key exchange
    ClientSSLData->bufferSSL[(*length)++] = 0x00;                       // Handshake length (3 bytes)
    ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len) / 256;      // Handshake length
    ClientSSLData->bufferSSL[(*length)++] = (Encrypted_len) % 256;      // Handshake length

    /* Encrypted PreMasterSecret: handed back in buff and added to the handshake transcript;
       nothing precedes it here, the ciphertext follows the handshake header directly */
    for (i = 0; i < Encrypted_len; i++) {
        buff[i] = EncryptedPreMasterSecret[i];
        HandshakeMessages[(*length_Hndshk)++] = EncryptedPreMasterSecret[i];
    }

    RSA_free (server_public_key);
    EVP_PKEY_free (evp);
    X509_free (cert);
    free (PreMasterSecret);
    free (EncryptedPreMasterSecret);
    free (temp);
    free (tmpCert);
}

Thank you for your help.

Juan Daniel MORENO
Re: SSL3_GET_CLIENT_KEY_EXCHANGE
> Juan Daniel Moreno <[EMAIL PROTECTED]> wrote:
>> Thank you Alan, but now I have a new problem. I have been reading the
>> src/modules/rlm_eap/ to understand my problem but I don't find the
>> issue. In TLS establishment, the public key in the server.cert is 128
>> bytes length. I generate a random string of 46 bytes and the protocol
>> version (TLS 1.0 (0x03, 0x01)) and I use the SSL function
>> RSA_public_encrypt() with server's public key to encrypt the
>> PreMasterSecret. As a result I get a 128 length string. As I send this
>> data to the server, I get a "tls rsa encrypted length is wrong:
>> s3_srvr.c: 1450:"
>
>   I have no idea what the problem is, sorry.
>
> Alan DeKok.

Can you please tell me the form of the client's exchange packet the server is attempting to read? How is it calculated? Or can you show me a typical byte sequence for this message? (I hope you understand me.)

Thank you.

Juan Daniel MORENO
TLS establishment
Hi, it's me again with my little problem. I have freeRadius 1.0.4 and I am working at the moment with the PEAP protocol. I have generated a certificate with a 128-byte key. This is the server's certificate. The certificate is sent by the server, with the server hello end, to establish the TLS. For my part I send a Client_Key_exchange and a finished message, but the server responds that the length is wrong. The finished message (as you see) is 128 bytes long (the size of the server's public key). Can anybody help me please? I am really lost with this!!

The freeRadius -X responses:

rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept:error in SSLv3 read client key exchange A
6918:error:1408B0EA:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:tls rsa encrypted value length is wrong:s3_srvr.c:1450:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler

Juan Daniel MORENO
TLS Question
Hi, I'm using freeRadius 1.0.4 and I would like to know something about the tls config. When I launch radius in debug mode I get these messages:

tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/juan/key.key"
tls: certificate_file = "/etc/raddb/certs/juan/cert.cert"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"

but I would like to know how to change some parameters (like rsa_key_exchange = yes) and, even more important, whether the rsa_key_length is given in bytes or bits. Does it mean that the certificate length changes as a function of this rsa_key_length?

Thank you,

Juan Daniel MORENO
Problem with OpenSSL functions
Hi, I would like to ask you (experienced people) something. I'm using freeradius 1.0.4 and I have a message 48 bytes long (a premaster secret) generated with the random function of openssl. This message has to be "public_encrypted" and sent to a radius server. Nevertheless, when I use the RSA_public_encrypt() function it encrypts the 48-byte message and generates a 64-byte encrypted message. Normally this works like this; but when I send this "encrypted message" to the server, the server responds: "tls rsa encrypted value length is wrong". This means that the message is well generated but not well encrypted. Can any of you tell me please how I can fix this problem? Knowing that the RSA public key is 64 bytes long, is it normal that the encrypted message is 64 bytes long too? Do you know another openSSL function that "public_encrypts" a message?

Thank you,

Juan Daniel MORENO
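The length error in the three posts above (the Client_Key_Exchange code, the -X trace showing "tls rsa encrypted value length is wrong", and the question about a 64-byte result from a 64-byte key) comes down to how the ClientKeyExchange is framed, not to the encryption. The following is an added example, not code from the posts, from FreeRADIUS or from OpenSSL: it builds the TLS 1.0 record around an already-encrypted premaster secret, with and without the 2-byte length prefix that TLS 1.0 requires (RFC 2246 7.4.7.1), and then checks the message the way the server side does. The ciphertext bytes are a constructed stand-in for RSA_public_encrypt() output, and rsa_size plays the role of RSA_size(); the function names are this example's own.

```c
/* Added example: TLS 1.0 ClientKeyExchange framing and the server-side length check.
 * Not code from the mailing-list posts, FreeRADIUS or OpenSSL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HANDSHAKE      0x16
#define HS_CLIENT_KEY_EXCH 0x10

/* Wrap an RSA-encrypted premaster secret (enc, enc_len bytes) in a handshake record.
 * with_prefix = 1 gives the TLS 1.0 form (2-byte length before the ciphertext);
 * with_prefix = 0 gives the SSLv3 form that omits it. Returns bytes written, 0 on error. */
size_t build_client_key_exchange(uint8_t *out, size_t cap,
                                 const uint8_t *enc, size_t enc_len, int with_prefix)
{
    size_t body  = enc_len + (with_prefix ? 2 : 0);  /* handshake body length      */
    size_t total = 5 + 4 + body;                     /* record hdr + handshake hdr */
    size_t n = 0;
    if (cap < total || body > 0xFFFFFF || 4 + body > 0xFFFF) return 0;
    out[n++] = TLS_HANDSHAKE; out[n++] = 0x03; out[n++] = 0x01;    /* record header  */
    out[n++] = (uint8_t)((4 + body) >> 8); out[n++] = (uint8_t)(4 + body);
    out[n++] = HS_CLIENT_KEY_EXCH;                                 /* handshake hdr  */
    out[n++] = (uint8_t)(body >> 16); out[n++] = (uint8_t)(body >> 8); out[n++] = (uint8_t)body;
    if (with_prefix) { out[n++] = (uint8_t)(enc_len >> 8); out[n++] = (uint8_t)enc_len; }
    memcpy(out + n, enc, enc_len);
    return n + enc_len;
}

/* Server-side check modelled on the TLS 1.0 branch of OpenSSL's client key exchange
 * parsing: the 2-byte prefix must equal RSA_size() and the body must be prefix + 2.
 * Returns 0 = accepted, 1 = malformed framing, 2 = "encrypted value length is wrong". */
int check_client_key_exchange(const uint8_t *msg, size_t len, size_t rsa_size)
{
    if (len < 11 || msg[0] != TLS_HANDSHAKE || msg[5] != HS_CLIENT_KEY_EXCH) return 1;
    size_t rec_len = ((size_t)msg[3] << 8) | msg[4];
    size_t hs_len  = ((size_t)msg[6] << 16) | ((size_t)msg[7] << 8) | msg[8];
    if (rec_len != len - 5 || hs_len != rec_len - 4 || hs_len < 2) return 1;
    size_t claimed = ((size_t)msg[9] << 8) | msg[10];  /* the 2-byte length prefix */
    if (claimed != rsa_size || hs_len != claimed + 2) return 2;
    return 0;
}

/* Constructed stand-in for RSA_public_encrypt() output: rsa_size bytes of filler.
 * Real output is also exactly RSA_size() bytes: 64 for a 512-bit key, 128 for 1024-bit. */
static size_t build_demo(uint8_t *msg, size_t cap, size_t rsa_size, int with_prefix)
{
    uint8_t enc[512];
    if (rsa_size > sizeof enc) return 0;
    for (size_t i = 0; i < rsa_size; i++) enc[i] = (uint8_t)(0x5A ^ i);
    return build_client_key_exchange(msg, cap, enc, rsa_size, with_prefix);
}

size_t demo_length(size_t rsa_size, int with_prefix)
{
    uint8_t msg[600];
    return build_demo(msg, sizeof msg, rsa_size, with_prefix);
}

int demo_check(size_t rsa_size, int with_prefix)
{
    uint8_t msg[600];
    size_t n = build_demo(msg, sizeof msg, rsa_size, with_prefix);
    return check_client_key_exchange(msg, n, rsa_size);
}

int main(void)
{
    /* 1024-bit key, correct framing: record length 0x86 = 134, as in the -X trace */
    printf("1024-bit, with prefix:    %zu bytes, check=%d\n", demo_length(128, 1), demo_check(128, 1));
    /* same ciphertext without the prefix: the server reads two ciphertext bytes as the length */
    printf("1024-bit, without prefix: %zu bytes, check=%d\n", demo_length(128, 0), demo_check(128, 0));
    /* 512-bit key: 64-byte ciphertext is the expected size, not an error */
    printf("512-bit, with prefix:     %zu bytes, check=%d\n", demo_length(64, 1), demo_check(64, 1));
    return 0;
}
```

The without-prefix case is exactly the failure in the trace: the handshake body is RSA_size() bytes, the server takes the first two ciphertext bytes as the length and they never equal RSA_size(). A 64-byte ciphertext from a 64-byte modulus is likewise not the problem; the check only compares the prefix against the key size.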
EAP Fast
Hi, I would like to know if EAP FAST is accepted by freeRadius or if it's under development. If it is under development, when will it be available? Thank you, Juan Daniel MORENO - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius around the world
Hi everyone!! I have a question that is really important for my personal research. Do you know how many or which enterprises work today with freeRadius? Are there any banks or security enterprises? Thank you for your answers.

Juan Daniel MORENO
sqlcounter: count=0 ?????
Hi, the problem is that my installation of sqlcounter doesn't work, I think because the counter returns ZERO!! and I don't know why, because if I execute the SQL code by hand, I don't get zero:

radcheck is ok:

mysql> select * from radcheck where username='troll';
+----+----------+---------------------+----+-------+
| id | UserName | Attribute           | op | Value |
+----+----------+---------------------+----+-------+
|  3 | troll    | User-Password       | == | troll |
|  5 | troll    | Max-Monthly-Session | := | 3600  |
+----+----------+---------------------+----+-------+
2 rows in set (0.11 sec)

mysql> SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811';
+------------------------------------------------------------------------------+
| SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) |
+------------------------------------------------------------------------------+
|                                                                       376200 |
+------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Now, let's see the radiusd output:

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''
radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''
sqlcounter_expand: '%{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}'
WARNING: Attempt to use unknown xlat function or attribute in string %{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}
radius_xlat: ''
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user troll, check_item=3600, counter=0   <= HERE !!
rlm_sqlcounter: Sent Reply-Item for user troll, Type=Session-Timeout, value=3600
modcall[authorize]: module "monthlycounter" returns ok for request 5   <==== NO, IT'S NOT OK, USER CAN'T LOGIN!! :P

Does someone have an idea about what's going on here? I don't understand the Warning above...

Thanks in advance, and excuse my English.

--
Juan Pablo Fava
Re: sqlcounter: count=0 ?????
Here it is. Thanks!

apellido wrote:
> can we take a look at your sqlcounter.conf?
>
> ----- Original Message -----
> From: "Juan Pablo Fava" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 20, 2004 10:12 AM
> Subject: sqlcounter: count=0 ?
Re: sqlcounter: count=0 ?????
That was the problem, I solved it last night reading an old post. I really appreciate your help. But this is not documented in the module's doc file. What is sqlacc3???

Thank you all!!!

apellido wrote:
> Try to change the following in your sqlcounter dailycounter and
> monthlycounter.
>
> sqlmod-inst = sqlcca3
> sqlmod-inst = sql
>
> ----- Original Message -----
> From: "Juan Pablo Fava" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 20, 2004 10:18 PM
> Subject: Re: sqlcounter: count=0 ?
>
>> Here it is.
>>
>> Thanks!
Re: sqlcounter: count=0 ?????
Alan, I want to thank you for all that you do. Regards. Juan Pablo

P.S.: Do you have nightmares about freeradius :P

Alan DeKok wrote:
> "Juan Pablo Fava" <[EMAIL PROTECTED]> wrote:
>> But this is not documented in the module's doc file. What is sqlacc3???
>
>   Nothing. It's fixed in the latest CVS snapshot.
>
>   Alan DeKok.
Re: SQLCOUNTER Problems
First of all, replace in sqlcounter.conf this line:

sqlmod-inst = sqlcca3

with this one:

sqlmod-inst = sql

The usage statistics are updated by rlm_sql. To do this you must have "sql" in the accounting section of your radiusd.conf.

Juan Pablo

[EMAIL PROTECTED] wrote:
> Hi All,
>
> I want to use RLM_SQLCOUNTER with Freeradius.
> After compiling RLM_SQLCOUNTER with FreeRadius .. I still can't see
> radius trying to update usage statistics in MYSQL tables.
> I read doc/rlm_sqlcounter and thought whenever user uses any minutes out
> of allocated values RLM_COUNTER will change statistics by calculating :
> (Allocated time - Used time) = Remaining time.
> Am I right here? Any help will be appreciated
>
> Sqlcounter.conf :
> sqlcounter dailycounter {
>     driver = "rlm_sqlcounter"
>     counter-name = Daily-Session-Time
>     check-name = Max-Daily-Session
>     sqlmod-inst = sqlcca3
>     key = User-Name
>     reset = daily
>     query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }
> sqlcounter monthlycounter {
>     counter-name = Monthly-Session-Time
>     check-name = Max-Monthly-Session
>     sqlmod-inst = sqlcca3
>     key = User-Name
>     reset = monthly
>     query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> }
>
> # Query:
> # SELECT *
> # FROM `radcheck`
> #
> 'id','UserName','Attribute','op','Value'
> '[NULL]','infinite','Password','==','infinite'
> '[NULL]','infinite','Max-Daily-Session',':=','100'
> '[NULL]','infinite','Max-Monthly-Session',':=','1000'
>
> Radiusd -Xp 1645 returns
> --- Walking the entire request list ---
> Cleaning up request 1 ID 67 with timestamp 405f32ea
> Nothing to do. Sleeping until we see a request.
> rad_recv: Accounting-Request packet from host 132.146.197.111:1646, > id=68, length=36 > User-Name = "infinite" > Acct-Status-Type = Stop > Processing the preacct section of radiusd.conf > modcall: entering group preacct for request 2 > modcall[preacct]: module "preprocess" returns noop for request 2 > rlm_realm: No '@' in User-Name = "infinite", looking up realm NULL > rlm_realm: No such realm "NULL" > modcall[preacct]: module "suffix" returns noop for request 2 > modcall[preacct]: module "files" returns noop for request 2 > modcall: group preacct returns noop for request 2 > Processing the accounting section of radiusd.conf > modcall: entering group accounting for request 2 > rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, > unique ID MAY be inconsistent > rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in > request, unique ID MAY be inconsistent > rlm_acct_unique: Hashing ',Client-IP-Address > 132.146.197.111,NAS-IP-Address = 132.146.197.111,,User-Name = "i > nfinite"' > rlm_acct_unique: Acct-Unique-Session-ID = "e017b662ef57e3ce". > modcall[accounting]: module "acct_unique" returns ok for request 2 > radius_xlat: > '/usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322' > rlm_detail: > /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d > expands to /usr/local/var/log/ > radius/radacct/132.146.197.111/detail-20040322 > modcall[accounting]: module "detail" returns ok for request 2 > modcall[accounting]: module "unix" returns noop for request 2 > radius_xlat: '/usr/local/var/log/radius/radutmp' > radius_xlat: 'infinite' > rlm_radutmp: No NAS-Port seen. Cannot do anything. > rlm_radumtp: WARNING: checkrad will probably not work! 
> modcall[accounting]: module "radutmp" returns noop for request 2 > radius_xlat: 'infinite' > rlm_sql (sql): sql_set_user escaped user --> 'infinite' > radius_xlat: 'UPDATE radacct SET AcctStopTime = '2004-03-22 18:39:55', > AcctSessionTime = '', AcctInputOctets '', AcctOutputOctets = '', > AcctTerminateCause = '', AcctStopDelay = '', > ConnectInfo_stop = '' WHERE AcctSessio > nId = '' AND UserName = 'infinite' AND NASIPAddress = '132.146.197.111'' > rlm_sql (sql): Reserving sql socket id: 4 > rlm_sql (sql): Released sql socket id: 4 > modcall[accounting]: module "sql" returns ok for request 2 > modcall: group accounting returns ok for request 2 > Sending Accounting-Response of id 68 to 132.146.197.111:1646 > Finished request 2 > Going to the next request > --- Walking the entire request list --- > Cleaning up request 2 ID 68 with timestamp 405f32fb > Nothing to do. Sleeping until we see a request. > > > > > Regards, > Sagar > > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
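The sqlcounter threads above turn on two things: what the counter query actually sums, and what the module does when the query expands to nothing (the "radius_xlat: ''" followed by "counter=0" in the trace). The following is an added example, not code from the posts or from rlm_sqlcounter itself. It re-implements the query's arithmetic over constructed radacct rows (session start time and AcctSessionTime are made-up values), parses the xlat result the way an empty string would be parsed, and then makes the check-item comparison the log lines describe. The row data, period start and function names are this example's own.

```c
/* Added example: the arithmetic of the sqlcounter query
 *   SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0))
 *   FROM radacct WHERE UserName='%{%k}'
 *   AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'
 * and the authorize decision made from its result. Not rlm_sqlcounter's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const char *user;
    long start;     /* UNIX_TIMESTAMP(AcctStartTime) */
    long duration;  /* AcctSessionTime in seconds    */
} AcctRow;

/* Constructed sample rows (not from the posts). PERIOD_START plays the role of %b. */
static const long PERIOD_START = 1000000;
static const AcctRow RADACCT[] = {
    { "troll",  990000, 5000 },  /* ended before %b: excluded by the WHERE clause */
    { "troll",  999000, 2000 },  /* straddles %b: only the 1000 s after %b count */
    { "troll", 1001000,  500 },  /* entirely inside the period: counts in full   */
    { "other", 1001000, 9000 },  /* another user: ignored by UserName='%{%k}'    */
};
#define RADACCT_ROWS (sizeof RADACCT / sizeof RADACCT[0])

/* Seconds used by `user` since `b`, summed exactly as the SQL above does. */
long seconds_used_since(const AcctRow *rows, size_t n, const char *user, long b)
{
    long sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rows[i].user, user) != 0) continue;
        if (rows[i].start + rows[i].duration <= b) continue;   /* ... > '%b'         */
        long before_b = b - rows[i].start;
        if (before_b < 0) before_b = 0;                          /* GREATEST(..., 0)   */
        sum += rows[i].duration - before_b;
    }
    return sum;
}

/* The query result reaches the module as an xlat string. An empty string, which is
 * what the trace shows when %{sqlcca3:...} is an unknown xlat, becomes counter 0, so
 * a wrong sqlmod-inst fails open: every user gets the full allowance. */
long counter_from_xlat(const char *xlat_result)
{
    if (xlat_result == NULL || *xlat_result == '\0') return 0;
    return strtol(xlat_result, NULL, 10);
}

/* Decision: -1 means reject (allowance used up); otherwise the Session-Timeout
 * to send, i.e. check_item - counter, as in "(Check item - counter) is greater
 * than zero" / "Sent Reply-Item ... Session-Timeout" in the trace. */
long authorize_session_timeout(long check_item, long counter)
{
    if (counter >= check_item) return -1;
    return check_item - counter;
}

int main(void)
{
    long used = seconds_used_since(RADACCT, RADACCT_ROWS, "troll", PERIOD_START);
    printf("troll used %ld s since period start\n", used);
    printf("Max-Monthly-Session 3600 -> Session-Timeout %ld\n", authorize_session_timeout(3600, used));
    printf("Max-Monthly-Session 1000 -> %ld (reject)\n", authorize_session_timeout(1000, used));
    printf("empty xlat result -> counter %ld\n", counter_from_xlat(""));
    return 0;
}
```

The straddling row is the reason for the GREATEST() term: a session that started before the reset boundary only contributes the part that falls inside the current period. The empty-string case is the part worth checking in a deployment: a misnamed sqlmod-inst produces a warning in debug output but still returns "ok" from authorize.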
Re: MySql and freeRadius
I have a working installation all with binary rpm, I didn't compile anything. All from freshrpms: freeradius, mysql, freeradius-mysql (I think this is the name, I can't check now) and freeradius-sqlcounter (not for Red Hat, but I moved the files to the right place and it works).

juan.

Keith Yoder wrote:
> John Que wrote:
>
>> As I understand, I must install the sources of MySql if I want to use
>> rlm_sql in freeRadius
>> (and not install the rpm for mySql Server and client).
>
> Actually, you can install the -devel rpms and that will allow you to
> compile the rlm_sql_mysql module. This will make sure all the libraries
> and header files get to the right places.
RE: MySql and freeRadius
> Can you send link to RPMS and will this work on redhat 9 ?

I don't know, but I suppose yes. I use Fedora Core 1; MySQL and freeradius from the original distribution, and sqlcounter from here:

http://rpm.pbone.net/index.php3/stat/4/idpl/1061499/com/freeradius-sqlcounter-0.9.3-alt3.i586.rpm.html

freeradius-mysql you can get here:

ALTLinux: ftp.altlinux.ru/pub/distributions/ALTLinux/Sisyphus/files/i586/RPMS/freeradius-mysql-0.9.3-alt3.i586.rpm
Mandrake Other: carroll.cac.psu.edu/pub/linux/distributions/mandrake-devel/contrib/i586/freeradius-mysql-0.9.2-3mdk.i586.rpm
Fedora Core 1: download.fedora.redhat.com/pub/fedora/linux/core/1/i386/os/Fedora/RPMS/freeradius-mysql-0.9.1-1.i386.rpm
Fedora Other: download.fedora.redhat.com/pub/fedora/linux/core/development/i386/Fedora/RPMS/freeradius-mysql-0.9.1-1.i386.rpm
Mandrake 9.X: carroll.cac.psu.edu/pub/linux/distributions/mandrake/9.1/contrib/i586/freeradius-mysql-0.8.1-1mdk.i586.rpm

Juan
Time-session limits and Time-of-day restrictions.
I was reading on the mailing list about a new (at least for me) attribute 'login-time'. Is this a standard? It is not shown in RFC2865 as a standard radius attribute. Is it supported by a newer RFC? Moreover, I am implementing a web-based admin tool for freeradius, a specific solution for an Ecuadorian ISP, and I need support for:

1. Time-session limits.
2. Time-of-day login restrictions depending on the customer.

What solutions can you recommend? Cheers!
Compatibility issue with Nortel?
Hello, I have been experiencing some problems connecting a Nortel router 1430 with freeradius (v1.0.1, using mysql). When I try telnet I can't get the command line, although the authentication process is ok. Then I added the specific vendor attributes as a new dictionary file. It looks as follows:

###
VENDOR          Nortel          1584
ATTRIBUTE       Bay-User-Level  100     integer
VALUE           Bay-User-Level  Manager         2
VALUE           Bay-User-Level  User            4
VALUE           Bay-User-Level  Operator        8

Also I added the following line into /etc/raddb/dictionary:

$INCLUDE /usr/local/freeradius/share/dictionary.nortel

However I still have the same problem, the router doesn't give me command line access. The logs in the router don't provide me any helpful information. I attached the freeradius -X logs at the end. Probably I have something wrong with the configuration because it seems the values of the new attributes are not correct when they are sent. Perhaps one of you has had a similar situation. I really appreciate any help, thanks.

Regards,
Juan Pablo

Logs: radiusd -X

rad_recv: Access-Request packet from host 10.0.2.26:21741, id=19, length=57
        Service-Type = Framed-User
        NAS-IP-Address = 10.0.2.26
        User-Name = "test1"
        User-Password = "test1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
radius_xlat: 'test1'
rlm_sql (sql): sql_set_user escaped user --> 'test1'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test1' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test1' ORDER BY id
radius_xlat:
'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test1' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test1' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'test1' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test1' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: group authorize returns ok for request 0 auth: type Local auth: user supplied User-Password matches local User-Password radius_xlat: 'prueba!!!' 
Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 rlm_sql (sql): Processing sql_postauth radius_xlat: 'test1' rlm_sql (sql): sql_set_user escaped user --> 'test1' radius_xlat: 'INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test1', 'test1', 'Access-Accept', NOW())' radius_xlat: '/var/log/radius/sqltrace.sql' rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test1', 'test1', 'Access-Accept', NOW()) rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'test1', 'test1', 'Access-Accept', NOW()) rlm_sql (sql): Released sql socket id: 3 modcall[post-au
Re: Compatibility issue with Nortel?
Hi, thanks for the response. > Then I added the specific vendor attributes as a new dictionary file. Why? See dictionary.bay, that attribute is already there. I didn't know that :-) > Probably I have something wrong with the configuration because it > seems the values of the new attributes are not correct when they are > sent. What do you mean by that? I mean I see (using ethereal) something like "00/00/00/04" as the value of the Bay-User-Level attribute in the radius packet. So I guess that value is wrong. Thanks for helping. Regards, Juan Pablo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Compatibility issue with Nortel?
Hi, it's working now. I used dictionary.bay, but I'm still confused why my dictionary file didn't work. Thanks for the help. Juan Pablo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Multiple Cisco-AVPair + LDAP
Hi, I am currently running freeradius 0.8.1 with LDAP as backend. It works fine. I need to upgrade to a later version because I need some features regarding Autz. Certain users have some Cisco ACLs associated in the LDAP tree that are sent to the NAS via the Cisco-AVPair attribute. The ACLs have more than one line, so the attribute is multivalued. The attribute is stored in the LDAP entry as radiusVendorSpecific. This works fine for the 0.8.1 release, but when I tested the same configuration in releases 0.9.0 and 1.0.0 the radius only gives back the first value of the Cisco-AVPair. The ldap module still gets all the values but freeradius chooses to ignore the rest. I read the mail archive and found similar problems in the threads:

"about duplicated attribute in freeradius"
"Multiple cisco-avpair entries"

where the use of the += operator is referenced, which works fine if you are adding the VSA attributes from the users file, but I am using the LDAP server. Can you help me? Thanks a lot.

J.M.

rad_recv: Access-Request packet from host 200.x.y.z:36982, id=98, length=69
        User-Name = "adslfilter2"
        User-Password = "test123"
        NAS-IP-Address = 10.252.8.6
        NAS-Port = 10
        Framed-Protocol = PPP
rlm_ldap: - authorize
rlm_ldap: performing user authorization for adslfilter2
ldap_get_conn: Got Id: 0
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value ip:inacl#40=permit tcp any 200.x.a.0 0.0.0.255 eq 25 & op=11 rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value ip:inacl#41=permit tcp any 200.x.b.0 0.0.0.255 eq 25 & op=11 rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value ip:inacl#42=permit tcp any 200.x.c.0.0 0.0.0.255 eq 25 & op=11 rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value ip:inacl#50=permit udp any eq 53 any & op=11 rlm_ldap: user adslfilter2 authorized to use remote access ldap_release_conn: Release Id: 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "adslfilter2" with password "test123" rlm_ldap: user DN: uid=adslfilter2,ou=organization,ou=users,o=host rlm_ldap: (re)connect to ldapserver.host.com.ar:389, authentication 1 rlm_ldap: bind as uid=adslfilter2,ou=organization,ou=users,o=host/test123 to ldapserver.host.com.ar:389 rlm_ldap: waiting for bind result ... rlm_ldap: user adslfilter2 authenticated succesfully Sending Access-Accept of id 98 to 200.x.y.z:36982 Service-Type = Framed-User Framed-Protocol = PPP Cisco-AVPair = "ip:inacl#40=permit tcp any 200.x.a.0 0.0.0.255 eq 25" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple Cisco-AVPair + LDAP
It works fine. Thanks to all.

J.M.

Dmitry Lebkov wrote:
> Juan Manuel Garcia Carral wrote:
> [skip]
>> I read the mail archive and found similar problems in threads:
>> "about duplicated attribute in freeradius"
>> "Multiple cisco-avpair entries"
>> where the use of the += operator is referenced, which works fine if you are
>> adding the VSA attributes from the users file, but I am using the LDAP server.
>> Can you help me ?
>
> Here is part of a user's config from LDAP:
>
> radiusReplyItem: cisco-avpair += "lcp:interface-config=ip vrf forwarding rmt"
> radiusReplyItem: cisco-avpair += "lcp:interface-config=ip unnumbered FastEthernet0/3.209"
> radiusReplyItem: cisco-avpair += "ipcp:interface-config=ppp ipcp dns 192.168.1.254 192.168.2.254"
>
> Working as expected ... ;)
>
> --
> WBR, Dmitry Lebkov

--
___
Ing. Juan Manuel García Carral
IntermediaSP
Intermedia Comunicaciones S.A.
Suipacha 128 - Bloque 2 Piso 2
C1008AAD Buenos Aires - Argentina
Tel.: (+54 11) 5032
www.intermediasp.com
radwho "from" field
I just upgraded from freeradius 0.8 to 0.9.1. Everything works fine, but when I run radwho the "From" field shows the IP address of the NAS instead of the corresponding shortname I loaded in the naslist file. I know naslist is deprecated and that I should use clients.conf, but I can't find how to make radwho show NAS shortnames as it used to do in later versions.

Thanks in advance.

J.M.

--
Ing. Juan Manuel García Carral
IntermediaSP - Intermedia Comunicaciones S.A.
Suipacha 128 - Bloque 2 Piso 2, C1008AAD Buenos Aires - Argentina
Tel.: (+54 11) 5032 - www.intermediasp.com
freeradius, 802.1x, PEAP for wlan
Hi all, two newbie questions:

Is there a way of not using ntlm_auth-samba-ldap if I only have LDAP? I prefer to use only LDAP.

How does "ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" work, and what values does it return?

Thanks

--
LCC Juan Manuel Lopez Villalobos
Departamento de Sistemas de Informacion, Coordinacion de Informacion Academica
Universidad Autonoma de Baja California
Tel: (686) 551 8274 - Fax: (686) 551 8269 - Conmutador: (686) 551 8222 y 8270 ext. 3360
how to use ntlm_auth
Hi,

I want to know how to use ntlm_auth with ntlm-server-1 and freeradius, with the users' login and password information in LDAP. I have read the documentation of ntlm_auth (only found the man page), docs and howtos about pptp and squid; I didn't find anything about freeradius, and I'm experimenting with the options of ntlm_auth.

I have configured freeradius+ldap+802.1X for a wireless LAN, but I can't get it to work because of mschap, and I don't have a Windows domain.

The ntlm_auth man page says: "Server-side helper protocol, intended for use by a RADIUS server or the 'winbind' plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication." How can I use it with (free)radius only??

The radius.conf says in the mschap module definition: "# The module can perform authentication itself, OR # use a Windows Domain Controller." How can the module perform authentication itself??? Can someone help me??

--
LCC Juan Manuel Lopez Villalobos
Departamento de Sistemas de Informacion, Coordinacion de Informacion Academica
Universidad Autonoma de Baja California
Tel: (686) 551 8274 - Fax: (686) 551 8269 - Conmutador: (686) 551 8222 y 8270 ext. 3360
Re: how to use ntlm_auth
On Wed, 2005-11-02 at 18:10 -0500, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
>>> Then why the heck are you using ntlm_auth? Its only purpose is to do MSCHAP authentication to a Windows domain controller.
>>
>> Because the configuration for 802.1X, using the 802.1X howto and http://vuksan.com/linux/dot1x/802-1x-LDAP.html, said that it needs to configure PEAP, and PEAP uses mschap ({thinking} but didn't say anything about ntlm)
>
> Exactly. You don't need ntlm_auth. Please believe me.

I believe you.

>> How can the mschap module perform authentication itself??
>
> Because, as I said in a previous message, FreeRADIUS gets the password from LDAP.

Automagically

>> Or how can I use 802.1X/PEAP and LDAP??? Can I use it???
>
> Yes. Stop asking questions. Follow the HOWTOs. It WILL work.

Following all the steps, again, and after a day without thinking about this, finally today it's ready. Thanks.

--
LCC Juan Manuel Lopez Villalobos
Departamento de Sistemas de Informacion, Coordinacion de Informacion Academica
Universidad Autonoma de Baja California
Tel: (686) 551 8274 - Fax: (686) 551 8269 - Conmutador: (686) 551 8222 y 8270 ext. 3360
Re: CHAP / PAP ?
You can add to the same user entry an encrypted password (eg: SHA) for PAP authentication and an NTPassword for CHAP authentication (both would be different attribs of the same entry). You can use smbencrypt in the freeradius distribution to get the NTPassword encryption.

J.M.

Thor Spruyt wrote:
> Joel Eddy wrote:
>> Would it work if I created a separate group for them and used encrypted passwords in MySQL to authenticate them?
>
> PAP can work with unencrypted passwords in the backend. CHAP cannot.

--
Ing. Juan Manuel García Carral
IntermediaSP - Intermedia Comunicaciones S.A.
Suipacha 128 - Bloque 2 Piso 2, C1008AAD Buenos Aires - Argentina
Tel.: (+54 11) 5032 - www.intermediasp.com
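An added example (not list or FreeRADIUS code) of producing the two stored forms described above for one account: a {SHA} userPassword value that a PAP check can compare against, and the NT hash that smbencrypt prints for the NT-Password attribute, which is the form MS-CHAP verification consumes. MD4 is written out in Python because hashlib's md4 is missing from many OpenSSL 3 builds; the sample passwords are constructed.

```python
"""Two stored forms of one password for an LDAP-backed user: a {SHA}
userPassword for PAP comparison and the NT hash (what smbencrypt prints)
for the NT-Password attribute used by MS-CHAP. Added example, not
FreeRADIUS or Samba code. MD4 is written out because hashlib's md4 is
missing from many OpenSSL 3 builds."""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
# Round-3 message-word order and the per-round shift amounts from RFC 1320.
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
_S = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    # Pad to 56 mod 64 bytes, then append the bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for r in range(48):
            if r < 16:
                fn, k, t = f(b, c, d), r, 0
            elif r < 32:
                fn, k, t = g(b, c, d), (r % 4) * 4 + (r // 4) % 4, 0x5A827999
            else:
                fn, k, t = h(b, c, d), _K3[r % 16], 0x6ED9EBA1
            a, b, c, d = d, rol((a + fn + x[k] + t) & MASK, _S[r // 16][r % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_password(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, upper-case hex as stored."""
    return md4(password.encode("utf-16-le")).hex().upper()

def sha_password(password: str) -> str:
    """OpenLDAP-style {SHA} userPassword value that a PAP check can use."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def pap_check(stored: str, attempt: str) -> bool:
    """Compare a cleartext PAP attempt with a stored {SHA} value."""
    return stored.startswith("{SHA}") and hmac.compare_digest(sha_password(attempt), stored)
```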
Re: From Called-Station-ID Get Country Code??
Hi,

I suppose you are referring to some kind of roaming users. I don't think that will work on every NAS they connect to, because not every TELCO sends you the complete international number in the Called-Station-Id attribute. I have several TELCOs that only send me the last four numbers.

Regards.
J.M.

----- Original Message -----
From: "Abdul Lateef" <[EMAIL PROTECTED]>
Sent: Sunday, March 06, 2005 6:21 AM
Subject: From Called-Station-ID Get Country Code??

> Hi,
>
> I have one MySQL table that contains
>
> Code, Country Name
>
> I want to get the code using Called-Station-ID matching with the MySQL country list table using the perl file.
>
> If anyone can give me a little example really it will be great for me.
>
> Thank You
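An added Python sketch (not code from the list) of the lookup asked for in the original message, written to respect the caveat in the reply: the country code is resolved by longest-prefix match against a constructed code table, and a Called-Station-Id that lacks an international prefix or carries too few digits to be a complete number is reported as unknown rather than mis-mapped. The prefix list, the code table and the minimum-length threshold are assumptions.

```python
"""Resolve a RADIUS Called-Station-Id to a country code by longest-prefix
match. Added example, not list code. Ids that are not full international
numbers (some NASes send only the trailing digits) resolve to None."""
import re

# Constructed table standing in for the MySQL (Code, Country Name) table.
COUNTRY_CODES = {"1": "US/CA", "44": "UK", "52": "MX", "54": "AR", "966": "SA"}

# Assumed per deployment: digits that precede the country code on an
# international number ("+" from the dictionary form, ITU "00" exit code).
INTL_PREFIXES = ("+", "00")
MIN_NATIONAL_DIGITS = 6   # assumption: fewer digits means a truncated id


def normalise(called_station_id):
    """Strip separators and the international prefix; None if not international."""
    digits = re.sub(r"[\s().-]", "", called_station_id)
    for prefix in INTL_PREFIXES:
        if digits.startswith(prefix):
            rest = digits[len(prefix):]
            return rest if rest.isdigit() else None
    return None


def country_for(called_station_id):
    """Return the matching country code, or None when the id cannot be trusted."""
    number = normalise(called_station_id)
    if number is None:
        return None
    for length in (3, 2, 1):                     # longest prefix first
        code = number[:length]
        if code in COUNTRY_CODES and len(number) - length >= MIN_NATIONAL_DIGITS:
            return code
    return None
```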
Re: Counting number of open sessions in RADIUS
I have two radius servers as primary and secondary, so I found it easier to count it in the MySQL database that both radius servers use for accounting. You can search / select for records that don't have accountstoptime inserted.

Regards.
J.M.

Sonali Karmarkar wrote:
> Hi
>
> I am using freeradius 0.9.3 with mysql on linux. What is the correct way to count the number of open sessions for the freeradius server?
>
> -SK

--
Ing. Juan Manuel García Carral
IntermediaSP - Intermedia Comunicaciones S.A.
Suipacha 128 - Bloque 2 Piso 2, C1008AAD Buenos Aires - Argentina
Tel.: (+54 11) 5032 - www.intermediasp.com
Newbie
Hello!

I've been reading the FreeRadius documentation but I don't understand the meaning of the users file. If we have:

1234567890  Auth-Type := Local, Password == "1234567890"
            h323-credit-amount = 10,
            h323-return-code = 0,

What is the meaning of the h323 attributes? Do they tell that answers to the radius client will carry these attributes with the values 10 and 0?

Thanks

Juan Antonio Ibáñez Santórum
E-mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]
TLS authentication
Good morning!!

The purpose of this e-mail is to ask for information about RADIUS, to see if you can help me. I have a RADIUS server running on SuSE 9.2 which is working fine, or so it seems: when I set it up to validate users by MAC address through a Cisco AP1100 it does so perfectly. The other issue is that I have an LDAP server holding the database for the whole company; when I run tests with NTRadPing the server answers perfectly. But when I try to do it through the AP1100 it does not work as it should. I have it configured to work with EAP/PEAP and it asks me for a certificate, which I have already configured, but it gives me a very strange error that I don't understand. I'll paste the error to see who can help me:

Wed May 25 13:26:38 2005 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
Wed May 25 13:26:38 2005 : Error: TLS Alert read:fatal:unknown CA
Wed May 25 13:26:38 2005 : Error: TLS_accept:failed in SSLv3 read client certificate A
16174:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
16174:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
Wed May 25 13:26:38 2005 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed May 25 13:26:38 2005 : Debug: In SSL Handshake Phase
Wed May 25 13:26:38 2005 : Debug: In SSL Accept mode

If you can help me it would really be great!!

--
Juan Carlos Arevalo
[EMAIL PROTECTED]