Re: monitoring freeradius with nagios

2007-01-17 Thread Keith Woodworth
On Wed, 17 Jan 2007, Mike wrote:

|-All,
|-When trying to use the radauth tool from nagios to monitor
|-freeradius, I get the following in the freeradius log:
|-
|-Error: WARNING: Malformed RADIUS packet from host ... too long (length
|-18432  maximum 4096)
|-
|-radtest seems to be ok.  has anyone else experienced this or knows
|-what is wrong?

I know that with some monitoring tool I used a while ago (WhatsUp Gold, I
think) I had to add the IP of the WhatsUp server as a NAS to the allowed
list, with the shared secret, to monitor an old Livingston radius server.

I have not tried with my Freeradius box yet, but I think I might just to
see. The FR is not in production as of yet so I'm not worried about it.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Nortel Shasta BSN

2006-10-05 Thread Keith Woodworth

Anyone using a Nortel Shasta with FreeRadius? I'd like to cutover the
PPPoE customers on the Shasta from an old Livingston radius server to our
FR server.

Thanks,
Keith


Re: users fil vs sql

2006-09-19 Thread Keith Woodworth
On Mon, 18 Sep 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- While this is ok, how does radius get configured to use the sql table to
|- send the replies, not the users file?
|-
|-  Look in radiusd.conf for sql.  You have to configure the SQL
|-module.

Snip from radiusd.conf:

#  Look in an SQL database.  The schema of the database
#  is meant to mirror the users file.
#
#  See Authorization Queries in sql.conf
sql

This has been uncommented in radiusd.conf since the start. Which part of
the SQL module needs to be configured? I'm not grokking that part.

Thanks.


Message in radiusd -X

2006-09-19 Thread Keith Woodworth

Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)

Any harm in the above message?



Re: users fil vs sql

2006-09-19 Thread Keith Woodworth
On Tue, 19 Sep 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- This has been uncommented in radiusd.conf since the start. Which part of
|- the SQL module needs to be configured? I'm not grokking that part.
|-
|-  See *all* references to sql in radiusd.conf.  See doc/rlm_sql.

I had read rlm_sql before, but did so again with a more careful eye and
noticed this for the flow of sql:

1. Search the radcheck table for any check attributes specific to the user

2. If check attributes are found, and there's a match, pull the reply
items from the radreply table for this user and add them to the reply

3. Group processing then begins if any of the following conditions are
met:
 a. The user IS NOT found in radcheck
 b. The user IS found in radcheck, but the check items don't match
 c. The user IS found in radcheck, the check items DO match AND
the read_groups directive is set to 'yes'

Where is the read_groups directive? Or does it exist?

Thanks,
Keith


users fil vs sql

2006-09-18 Thread Keith Woodworth

I've got things working using 1.1.3, username in radcheck with
crypt-password, using auth-type = Local in radgroupcheck. I'm using the
flat users file with a simple 6-line DEFAULT entry to make it all work.
On my test bed this has been working quite well for the last 3 days.

While this is ok, how does radius get configured to use the sql table to
send the replies, not the users file?

I've tried commenting out all the files entries in radiusd.conf, but radius
sends back an Access-Accept and the client side still gets rejected.

Thanks,
Keith



Re: PAP questions.

2006-09-13 Thread Keith Woodworth
On Sat, 9 Sep 2006, Keith Woodworth wrote:

|-|-
|-|- And while Radius seems to send an Access-Accept, the dialup user gets an
|-|- error 691 password invalid.
|-|-
|-|-  Because you're not sending the same reply attributes as in the
|-|-previous example.  Fix that.
|-|-
|-|- Again I get Access-Accept, but a 691 password error on the client side.
|-|-
|-|-  Again because the replies are empty.
|-
|-Just testing a different way to do this I setup the users file with:
|-
|-DEFAULT Service-Type = Framed-User
|-Framed-Protocol = PPP,
|-Framed-Routing = None,
|-Framed-IP-Netmask = 255.255.255.255,
|-Framed-Compression = Van-Jacobsen-TCP-IP,
|-Framed-MTU = 1500
|-
|-Now when I try to login:
|-

Again I had to put this aside for a few days (it's really starting to grind
on me; it's a wonder I actually get any work done).

Anyway so started in again on this.

One thing overall I think that has confused me is that I was trying to do
everything from SQL, which now I dont think I need to do.

Basically: have a user and their crypted password stored in SQL, have
radius query the database for that info, and if it's ok, start a PPP session.

Only way I could get that to work was have the username in both the
radcheck AND usergroup tables.

I didn't want it to work that way, as it would be extra work to populate the
database from our current radius setup, which uses Auth-Type System.

I think I have figured it out, though not sure if its the correct way. Use
a combination of users(5) and SQL.

Have the user and password in radcheck, auth-type=local in radgroupcheck
and use the users(5) file to do the rest and it seems to finally work.

My users file:

DEFAULT
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-Routing = None,
Framed-IP-Netmask = 255.255.255.255,
Framed-Compression = Van-Jacobsen-TCP-IP,
Framed-MTU = 1500

Using it like this works.

But as soon as I use it this way:

DEFAULT Service-Type = Framed-User
Framed-Protocol = PPP,
Framed-Routing = None,
Framed-IP-Netmask = 255.255.255.255,
Framed-Compression = Van-Jacobsen-TCP-IP,
Framed-MTU = 1500

Why does the top way work and the bottom way not? And is this an
acceptable way to do it? Store the users and passwords in SQL and have the
Users file supply the rest?

Thanks,
Keith
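
As an added example (not code from the thread and not FreeRADIUS code), here is a parser for the users file entry format, run over the two DEFAULT entries from this message. It shows where each attribute ends up: in the first form every attribute is a reply item; in the second form "Service-Type = Framed-User" sits on the DEFAULT line, so it is parsed as a check item and is absent from the reply list, which matches the Access-Accept in the 2006-09-09 debug output (Framed-Protocol through Framed-MTU, no Service-Type). The tab indentation on the reply lines is assumed; the copies pasted into the mail lost it. The lookup function models only "==" comparisons on the check line; it does not reproduce what the server does with other operators there.

```python
"""Parser for the FreeRADIUS 'users' file entry format, applied to the two
DEFAULT entries from this message. Added example; not FreeRADIUS code."""
import re

# One item: Attribute, operator, then a double-quoted or bare value.
_ITEM_RE = re.compile(r'\s*([\w\-]+)\s*(==|:=|!=|\+=|=)\s*("([^"]*)"|[^,\s]+)\s*')


def _parse_items(text):
    """Parse 'Attr op Value, Attr op Value,' -> (items, ends_with_comma)."""
    text = text.strip()
    items, pos = [], 0
    while pos < len(text):
        m = _ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item list at {text[pos:]!r}")
        attr, op, raw, quoted = m.groups()
        items.append((attr, op, raw if quoted is None else quoted))
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                raise ValueError(f"expected ',' at {text[pos:]!r}")
            pos += 1
    return items, text.endswith(",")


def parse_users(text):
    """Return entries as {'name', 'lineno', 'check', 'reply'} dicts.

    Rules as rlm_files applies them: a line starting in column 0 opens an
    entry and reads 'name check-item, check-item' (no trailing comma); the
    whitespace-indented lines after it hold reply items, each line ending in
    a comma except the last; blank lines and '#' comments are skipped."""
    entries, current, more_reply = [], None, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                                # reply items
            if current is None or not more_reply:
                raise ValueError(f"line {lineno}: unexpected extra item")
            items, more_reply = _parse_items(line)
            current["reply"].extend(items)
        else:                                               # 'name check-items'
            if current is not None:
                entries.append(current)
            parts = line.split(None, 1)
            check, trailing = _parse_items(parts[1] if len(parts) > 1 else "")
            if trailing:
                raise ValueError(f"line {lineno}: trailing comma in check item list")
            current = {"name": parts[0], "lineno": lineno, "check": check, "reply": []}
            more_reply = True
    if current is not None:
        entries.append(current)
    return entries


def lookup(entries, request):
    """First entry named DEFAULT or the request's User-Name whose '==' check
    items all match. Only '==' is modelled; what the server does with other
    operators on the check line is not reproduced here."""
    for entry in entries:
        if entry["name"] in ("DEFAULT", request.get("User-Name")) and all(
                request.get(a) == v for a, op, v in entry["check"] if op == "=="):
            return entry
    return None


# The two entries from this message. Reply lines are tab-indented here because
# the format requires it; the copies pasted into the mail lost that indentation
# (an assumption about the original file).
USERS_WORKING = """\
DEFAULT
\tService-Type = Framed-User,
\tFramed-Protocol = PPP,
\tFramed-Routing = None,
\tFramed-IP-Netmask = 255.255.255.255,
\tFramed-Compression = Van-Jacobsen-TCP-IP,
\tFramed-MTU = 1500
"""
USERS_CHECKLINE = """\
DEFAULT Service-Type = Framed-User
\tFramed-Protocol = PPP,
\tFramed-Routing = None,
\tFramed-IP-Netmask = 255.255.255.255,
\tFramed-Compression = Van-Jacobsen-TCP-IP,
\tFramed-MTU = 1500
"""


if __name__ == "__main__":
    req = {"User-Name": "tester", "User-Password": "test"}
    for text in (USERS_WORKING, USERS_CHECKLINE):
        entry = lookup(parse_users(text), req)
        print("check:", entry["check"], "reply:", [a for a, _, _ in entry["reply"]])
```

Running it prints an empty check list and six reply attributes for the first entry, and a one-item check list (Service-Type) with five reply attributes for the second. The parser also rejects the two malformed shapes rlm_files refuses: a trailing comma on the check line, and an indented item after a reply line that did not end in a comma.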


Re: PAP questions.

2006-09-09 Thread Keith Woodworth
On Sat, 9 Sep 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- Anyway here is the error:
|-
|- radiusd.conf: PAP modules aren't allowed in 'authorize' sections -- they
|- have no such method.
|-
|-  That's in 1.1.3.  In 2.0, that is allowed.

That error was from 1.1.2, now I'm running 1.1.3.

|- And while Radius seems to send an Access-Accept, the dialup user gets an
|- error 691 password invalid.
|-
|-  Because you're not sending the same reply attributes as in the
|-previous example.  Fix that.
|-
|- Again I get Access-Accept, but a 691 password error on the client side.
|-
|-  Again because the replies are empty.

Which table do the replies come from?

In the debug:

radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user -- 'tester'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'tester'   ORDER BY id'

Here is the select from radcheck, which has the user tester in it.

rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'tester'   ORDER BY id'

Radreply is populated, but the username tester is not listed there, so no
match obviously.

radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
auth: type Crypt
Sending Access-Accept of id 130 to 204.244.99.67 port 1645

So where to put the reply items? Should I not be using a default entry to
reply to all users that authenticate?



Re: PAP questions.

2006-09-09 Thread Keith Woodworth
|-
|- And while Radius seems to send an Access-Accept, the dialup user gets an
|- error 691 password invalid.
|-
|-  Because you're not sending the same reply attributes as in the
|-previous example.  Fix that.
|-
|- Again I get Access-Accept, but a 691 password error on the client side.
|-
|-  Again because the replies are empty.

Just testing a different way to do this I setup the users file with:

DEFAULT Service-Type = Framed-User
Framed-Protocol = PPP,
Framed-Routing = None,
Framed-IP-Netmask = 255.255.255.255,
Framed-Compression = Van-Jacobsen-TCP-IP,
Framed-MTU = 1500

Now when I try to login:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=149,
length=76
NAS-IP-Address = 204.244.98.67
NAS-Port = 27
NAS-Port-Type = Async
User-Name = tester
User-Password = test
Service-Type = Framed-User
Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
users: Matched entry DEFAULT at line 19
  modcall[authorize]: module files returns ok for request 2
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user -- 'tester'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'tester'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'tester'   ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
auth: type Crypt
Sending Access-Accept of id 149 to 204.244.99.67 port 1645
Framed-Protocol = PPP
Framed-Routing = None
Framed-IP-Netmask = 255.255.255.255
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Finished request 2
Going to the next request

Still get password rejected on client side though.




Re: PAP questions.

2006-09-07 Thread Keith Woodworth

On Tue, 22 Aug 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- One of the things I did try was add PAP to the authorize section, but
|- radius failed to start when I did that.
|-
|-  And the error message was...?

Had to put this project aside for the last 2 weeks... Hate when I have to
do that. Also this post has lots of debug output.

Anyway here is the error:

radiusd.conf: PAP modules aren't allowed in 'authorize' sections -- they
have no such method.
radiusd.conf[1569] Failed to parse authorize section.

Here is where I put pap, with all the comments stripped:

authorize {
preprocess
#   auth_log
#   attr_filter
### KEITH
pap
chap
mschap
#   digest
#   IPASS
#   ntdomain
#eap
files
sql
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
}

|- Deployingradius.com did say there were very few circumstances to set
|- Auth-Type, but not which ones. Guess I found one?
|-
|-  Possibly.  Much of this is fixed in CVS head, which is currently
|-planned to be 2.0 before Christmas.  The PAP module does more there,
|-and there are MANY fewer cases where you have to set Auth-Type.

At the rate I'm going, it will be Christmas before I'm ready to go.

|- How stable is the current server version? Anyone using it in production?
|-
|-  Yes.  A number of people.  There are 3 issues that need addressing
|-before it's ready for an official 2.0, however.

Would it be advisable to upgrade at this point or wait till its official?

|- Sounds like I might have to be using the CVS version to do what I want
|- properly of only having the user in one table and do PAP authentication
|- with the crypt password stored in sql.
|-
|-  1.1.2 can do it, it just takes a little more configuration.
|-Basically, for every user who has a Crypt-Password attribute, you have
|-to set Auth-Type = Local.Not :=, but =.

After having to put this aside for a few weeks I have finally done some
testing.

One. If the user has a crypt password in radcheck:

 4 | tester | Crypt-Password | := | f3RCpSYQzT292

is listed in Usergroup:

14 | tester | default

And default is in radgroupcheck:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | =  | Local |
+----+-----------+-----------+----+-------+

This is the debug output:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=92,
length=76
NAS-Port-Type = Async
User-Name = tester
User-Password = test
Service-Type = Framed-User
Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
radius_xlat:  'tester'
rlm_sql (sql): sql_set_user escaped user -- 'tester'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'tester' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'tester' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'tester' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

Ok, so next change radgroupcheck so Auth-Type is PAP:

+----+-----------+-----------+----+-------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------+
|  1 | default   | Auth-Type | := | PAP   |
+----+-----------+-----------+----+-------+

and do another dialup try:

rad_recv: Access-Request packet from host 204.244.99.67:1645, id=93,
length=76
NAS-Port-Type = Async
User-Name = tester
User-Password = test
Service-Type = Framed-User
Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  modcall[authorize]: module files
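
Added example (not FreeRADIUS code and not from the thread) covering two points raised in this thread: the numbered rlm_sql authorize flow quoted from doc/rlm_sql in the 2006-09-19 message (radcheck, then radreply on a match, then group processing under conditions a, b and c, with read_groups modelled as a parameter whose default here is yes) and Alan's advice above that Auth-Type should be set with = rather than := (= only fills in Auth-Type when nothing has set it yet; := overwrites). It runs the four queries from the debug output against an in-memory sqlite3 copy of the rows shown in this message; sqlite3 stands in for MySQL, the operator handling is a deliberately simplified model, and the crypt comparison itself is not performed, since that belongs to the authenticate stage after this flow.

```python
"""rlm_sql authorize flow (doc/rlm_sql steps 1-3) simulated over the 1.x schema.
Added example; not FreeRADIUS code. sqlite3 stands in for MySQL."""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""

# The four queries as radiusd -X printed them in this thread; the xlat'd user
# name is a bound parameter here instead of a string the module escapes itself.
Q_CHECK = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE UserName = ? ORDER BY id"
Q_REPLY = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE UserName = ? ORDER BY id"
Q_GROUP_CHECK = ("SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, "
                 "radgroupcheck.Value, radgroupcheck.op FROM radgroupcheck, usergroup "
                 "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
                 "ORDER BY radgroupcheck.id")
Q_GROUP_REPLY = ("SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, "
                 "radgroupreply.Value, radgroupreply.op FROM radgroupreply, usergroup "
                 "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupreply.GroupName "
                 "ORDER BY radgroupreply.id")


def apply_check_items(rows, request, control):
    """Apply (Attribute, op, Value) check rows. Simplified operator model:
    '==' is compared against the request; ':=' always sets the control item;
    '=' sets it only when nothing has set it yet (the difference behind
    "Auth-Type = Local. Not :=, but =" above). Returns True if all '==' matched."""
    matched = True
    for attr, op, value in rows:
        if op == "==":
            matched = matched and request.get(attr) == value
        elif op == ":=":
            control[attr] = value
        elif op == "=":
            control.setdefault(attr, value)
        else:
            raise ValueError(f"operator {op!r} is not modelled here")
    return matched


def _rows(cur, query, username):
    """Run one of the queries above; return (Attribute, op, Value) per row."""
    return [(attr, op, val) for _id, _key, attr, val, op in cur.execute(query, (username,))]


def authorize(conn, username, request, read_groups=True):
    """Return {'rc': 'ok'|'notfound', 'control': {...}, 'reply': [(attr, op, value), ...]}."""
    cur = conn.cursor()
    control, reply, found = {}, [], False

    # 1. check items specific to the user (radcheck)
    check_rows = _rows(cur, Q_CHECK, username)
    user_found, user_ok = bool(check_rows), False
    found |= user_found
    if user_found:
        candidate = dict(control)
        user_ok = apply_check_items(check_rows, request, candidate)
        if user_ok:                      # 2. on a match, take the user's reply items
            control = candidate
            reply += _rows(cur, Q_REPLY, username)

    # 3. groups: (a) not in radcheck, (b) in radcheck but no match,
    #    (c) matched and read_groups = yes
    if not user_found or not user_ok or read_groups:
        group_rows = _rows(cur, Q_GROUP_CHECK, username)
        found |= bool(group_rows)
        candidate = dict(control)
        if apply_check_items(group_rows, request, candidate):
            control = candidate
            group_reply = _rows(cur, Q_GROUP_REPLY, username)
            found |= bool(group_reply)
            reply += group_reply

    return {"rc": "ok" if found else "notfound", "control": control, "reply": reply}


def build_db(group_auth_type=("=", "Local")):
    """In-memory copy of the rows shown in this message (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?,?,?,?)",
                 ("tester", "Crypt-Password", ":=", "f3RCpSYQzT292"))
    conn.executemany("INSERT INTO usergroup (UserName, GroupName) VALUES (?,?)",
                     [("tester", "default"), ("guest", "default")])   # guest: no radcheck row
    conn.execute("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES (?,?,?,?)",
                 ("default", "Auth-Type", *group_auth_type))
    conn.executemany("INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES (?,?,?,?)",
                     [("default", attr, ":=", val) for attr, val in (
                         ("Service-Type", "Framed-User"), ("Framed-Protocol", "PPP"),
                         ("Framed-Routing", "None"), ("Framed-IP-Netmask", "255.255.255.255"),
                         ("Framed-Compression", "Van-Jacobson-TCP-IP"), ("Framed-MTU", "1500"))])
    return conn


# Access-Request attributes as in the debug output (constructed from the thread).
REQUEST = {"User-Name": "tester", "User-Password": "test", "NAS-IP-Address": "204.244.98.67"}

if __name__ == "__main__":
    for op, val in (("=", "Local"), (":=", "PAP")):
        print(op, val, authorize(build_db((op, val)), "tester", REQUEST))
```

Run stand-alone it prints the control items and reply list for both radgroupcheck variants shown in this message. Three further scenarios are worth trying against it: read_groups=False with tester, where the user row matches and so the group is skipped entirely (condition c not met, no PPP reply items); the guest user, who has no radcheck row but is in usergroup and therefore still picks up the group's Auth-Type and reply items (condition a); and a tester row of Auth-Type := PAP in radcheck alongside the group's Auth-Type = Local, where the = does not override what := already set.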

Re: PAP questions.

2006-08-22 Thread Keith Woodworth
On Tue, 22 Aug 2006, Phil Mayers wrote:

|-Keith Woodworth wrote:
|-
|- Been trying to do PAP authentication with the crypt'd password stored in
|- mysql. We, unfortunately have to do PAP.
|-
|- This has been done for the most part and works, but I had to go against
|- what deployingradius.com said w/regards to using Auth-Type as I have not
|- found an alternative that seems to work right.
|-
|-In current versions of the server, the pap module does not run in
|-authorize, and does not set Auth-Type correctly to itself, so this is
|-one of the FEW circumstances in which setting Auth-Type is correct in I
|-think. Later versions of the server (i.e. CVS) perform correctly in
|-this regard, which is much more consistent.
|-
|-Many people leave the Auth-Type at the default of Local, which
|-confusingly does similar but not identical things to the pap module,
|-and hence don't see this problem with their PAP requests.

One of the things I did try was add PAP to the authorize section, but
radius failed to start when I did that.

Deployingradius.com did say there were very few circumstances to set
Auth-Type, but not which ones. Guess I found one?

|- I'm using stock radiusd.conf that comes with 1.1.2, except proxy is set to
|- no.
|-
|-You can't possibly be, since sql is commented out in that! Even slight
|-differences can be important.

Bah, you are right. I forgot, I did set the SQL module.

|- To make this work I added a user to radcheck with a crypt'd password:
|-
|- +----+----------+----------------+----+---------------+
|- | id | UserName | Attribute      | op | Value         |
|- +----+----------+----------------+----+---------------+
|- |  1 | bob      | Password       | == | test          |
|- |  4 | tester   | Crypt-Password | == | gmxwp4dfOcHAI |
|- +----+----------+----------------+----+---------------+
|-
|-Your op should be :=

Ok thanks.

|- The one main issue is that the user has to be both in the usergroup table
|- and the radcheck table for this to work. Is there a way to just have the
|- username in just radcheck for example? What is needed to setup a default
|- profile for all users to authenticate via PAP w/o having to set
|- auth-type=pap? Is that possible?
|-
|-Not if you're using the pap module on the current server version.

How stable is the current server version? Anyone using it in production?
Sounds like I might have to be using the CVS version to do what I want
properly of only having the user in one table and do PAP authentication
with the crypt password stored in sql.

Thanks,
Keith



Scripts.

2006-08-19 Thread Keith Woodworth

Just a note to anyone moving from ICRadius to FreeRadius: the radacct
table, while having 4 extra fields in the structure in FR compared to IC,
I've been able to use the perl scripts I wrote to massage and pull data out
of with no modification to the scripts.

Kind of nice to say the least.

Also in my last message re: Auth-Type and setting it to PAP in
radgroupcheck to read Crypt-Password from radcheck, was that the right way
to do that?

Thanks,
Keith


PAP/mysql/crypt stuff

2006-08-17 Thread Keith Woodworth

After working on this off and on for the last few days I believe I have
gotten authentication working using a Crypt'd password stored in mysql but
want to run this by to make sure I did it right.

I setup a user in radcheck:

tester | Crypt-Password | == | gmxwp4dfOcHAI

In radgroupreply:

admin | Service-Type   | := | Administrative-User

In radgroupcheck:

 admin | Auth-Type | := | PAP

Then when I telnet to the NAS, I can login using tester with the right
password and get a NAS prompt.

I have to move one of our T1's to this test NAS to test PPP, but it seems,
for now, to be working using PAP authentication with the encrypted
password stored in mysql.

Is this the correct way to do this?

Thanks for any info.
Keith




mySQL auth

2006-08-11 Thread Keith Woodworth

We are consolidating servers and moving from a BSD/OS and ICRadius
setup and auth'ing via passwd file to FreeBSD.

I have run into an issue with authenticating and how I should do it.

Our old setup had a web interface, designed 7 years ago and written in C,
through which we entered users into the passwd file to log in via dialup;
the developer is no longer around and most of the source has gone too.

So my options are to a) move the passwd file from another machine over the
network and build a new one each time or b) auth via database.

Will FreeRadius auth via mySQL using the unix crypt? I have no way of
adding the users into a database with their passwords. Or a long way, of
capturing each user's password from ICRadius and adding them to the
database.

Has anyone else converted from a passwd file to a database of some
variety?

Thanks for any info.
Keith



Re: mySQL auth

2006-08-11 Thread Keith Woodworth
On Fri, 11 Aug 2006, Alan DeKok wrote:

|-Keith Woodworth [EMAIL PROTECTED] wrote:
|- Will FreeRadius auth via mySQL using the unix crypt?
|-
|-  No... but it will read crypt'd passwords from the DB, and use them
|-for authentication.

That's basically what I want, but I didn't know how to express it properly.
Just be able to take the username, crypted password and real name, stuff
it into a database and read the database when someone dials up.

Any pointers on how to setup radiusd.conf to do this?

|-  I don't know anything about the ICRadius schema.  The FreeRADIUS
|-schema is pretty rigid, so integrating the two might take a bit of
|-work.

Almost the same actually. There are a few things that ICRadius keeps in a
database table, such as dictionary, hints, nas info, and there are a few
extra table columns in FreeRadius compared to ICRadius, but overall very
similar. Even the table names are the same.

I've already got an AS5200 we had sitting around using this FR setup, but
have come to the point we need to move all users to a database now, for
ease of use mostly and for future portability.

We have one NAS left in production and only ~600 users left on dialup. The
rest of our user base is DSL now.

Thanks for any pointers.
Keith