Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Kevin Bigalke
Hello,
I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login
with 802.1X works perfectly. I'm using a Windows LDAP server for the
login and want to add a second LDAP server for failover. I'm
following the tutorials to set up my FreeRADIUS server: *Click*. I can't find a
suitable tutorial for adding a second LDAP server for failover. Which files
are responsible for the integration of a second LDAP server? These are my
current settings:


 
/etc/freeradius/modules/ldap:

ldap ldap1 {
    server = "serv01.xyz.local"
    basedn = "dc=xyz,dc=local"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

ldap ldap2 {
    server = "serv02.xyz.local"
    basedn = "dc=xyz,dc=local"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}
 
/etc/samba/smb.conf:

[global]
    workgroup = XYZ
    dns proxy = no
    security = ads
    # A parameter repeated in smb.conf overrides the earlier value, so two
    # "password server" lines leave only serv02; the list goes on one line.
    password server = serv01.xyz.local serv02.xyz.local
    winbind separator = +

/etc/freeradius/sites-enabled/inner-tunnel:

authenticate {
    ntlm_auth
    …

/etc/freeradius/sites-enabled/default:

authenticate {
    ntlm_auth
    …

/etc/freeradius/users:

DEFAULT Auth-Type = ntlm_auth
 

Thanks for Help!
BeliarsFire
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
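
An added example, not code from the post above: in FreeRADIUS 2.x two module instances fail over when they are listed inside a redundant block in the virtual server's authorize section. The block runs its modules in order and moves on only when the previous one returned fail (connection lost, timeout); a user that ldap1 simply cannot find returns notfound and does not trigger a query to ldap2. It assumes the ldap1 and ldap2 instance names from the post and the stock layout of sites-enabled/default; the same block belongs in inner-tunnel for the tunnelled request. Note that the authenticate sections in the post use ntlm_auth, which asks winbind rather than the ldap modules, so failover on that path is governed by the password server list in smb.conf, not by this block.

```unlang
# /etc/freeradius/sites-enabled/default, authorize section (added example).
# Assumes the ldap1 and ldap2 instances defined in modules/ldap above.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    # Try ldap1 first. Only a "fail" return (server unreachable, timeout,
    # net_timeout hit) makes the group move on to ldap2; "notfound" or
    # "reject" from ldap1 ends the group with that code. If every instance
    # fails, the group returns fail and the request is rejected.
    redundant {
        ldap1
        ldap2
    }
    expiration
    logintime
    pap
}
```

With the short net_timeout = 1 and timeout = 4 from the posted instances, an unreachable serv01 costs a few seconds per request before serv02 is tried; raising ldap_connections_number does not change that, since each request waits on its own connection attempt.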

RE: PEAP/MSCHAPv2 - Host Account Authentication Only

2012-04-26 Thread Kevin Elliott
That did the trick perfectly.

I am only using the default virtual server.

Is there any reason I would add this to the authorize section for the 
inner-tunnel?


Thanks.

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 

 

 -Original Message-
 From: freeradius-users-bounces+kevin_elliott=ci.juneau.ak.us@lists.freeradius.org
 [mailto:freeradius-users-bounces+kevin_elliott=ci.juneau.ak.us@lists.freeradius.org] On Behalf Of alan buxey
 Sent: Wednesday, April 25, 2012 2:53 PM
 To: FreeRadius users mailing list
 Subject: Re: PEAP/MSCHAPv2 - Host Account Authentication Only
 
 Hi,
 
  Currently FreeRadius will send back Access-Accepts for
  *both* user and machine/host accounts (in the Active
  Directory context of those terms). I would like to configure
  FreeRadius to ignore or reject authentication requests using
  the user credentials. I spent the better part of yesterday
  afternoon searching the mailing list but I couldn't seem to
  conjure up the correct search terms to find out which
  configuration files I need to delve into to make this setting.
 
 I guess a simple way would be something like this in the
 authorise {} section of the server
 
 if ("%{User-Name}" !~ /^host\/.*\.yourAD\.realm$/i) {
     update reply {
         Reply-Message = "Not a host/machine login!"
     }
     reject
 }
 
 
 alan
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
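
An added example, not code from either message above: the same check placed in the inner-tunnel virtual server. With PEAP the identity that is actually verified against AD is the one carried inside the TLS tunnel, and that request is handed to the virtual server named in the peap section of eap.conf (virtual_server = inner-tunnel in Kevin's debug output below). A check that runs only in default therefore sees whatever outer identity the supplicant chose to send, not the one it proves a password for. The suffix yourAD.realm is the placeholder from alan's message; the rest of the section is the stock 2.x inner-tunnel authorize list.

```unlang
# /etc/freeradius/sites-enabled/inner-tunnel (added example)
server inner-tunnel {
    authorize {
        # Refuse anything that is not a machine account before any module
        # gets to look at it. The quoted xlat is the form the unlang
        # documentation uses for string comparisons; the i flag makes the
        # match case-insensitive, as AD host names are.
        if ("%{User-Name}" !~ /^host\/.*\.yourAD\.realm$/i) {
            update reply {
                Reply-Message := "Not a host/machine login"
            }
            reject
        }

        # Stock remainder of the inner-tunnel authorize section.
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        expiration
        logintime
        pap
    }

    # authenticate, post-auth and the other sections are unchanged.
}
```

Because the reject happens in the inner tunnel, the supplicant sees an EAP-Failure rather than a plain Access-Reject with the Reply-Message; the message is still logged by the server, which is what matters for reviewing which accounts were turned away.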


PEAP/MSCHAPv2 - Host Account Authentication Only

2012-04-25 Thread Kevin Elliott
 = /etc/freeradius/certs/server.pem
CA_file = /etc/freeradius/certs/ca.pem
private_key_password = SECRET
dh_file = /etc/freeradius/certs/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module suffix from file /etc/freeradius/modules/realm
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module files from file /etc/freeradius/modules/files
  files {
usersfile = /etc/freeradius/users
acctusersfile = /etc/freeradius/acct_users
preproxy_usersfile = /etc/freeradius/preproxy_users
compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module radutmp from file 
/etc/freeradius/modules/radutmp
  radutmp {
filename = /var/log/freeradius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module attr_filter.access_reject from file 
/etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = /etc/freeradius/attrs.access_reject
key = %{User-Name}
  }
 } # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_digest
 Module: Instantiating module digest from file /etc/freeradius/modules/digest
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module preprocess from file 
/etc/freeradius/modules/preprocess
  preprocess {
huntgroups = /etc/freeradius/huntgroups
hints = /etc/freeradius/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module acct_unique from file 
/etc/freeradius/modules/acct_unique
  acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module detail from file /etc/freeradius/modules/detail
  detail {
detailfile = 
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
header = %t
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Instantiating module attr_filter.accounting_response from file 
/etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = /etc/freeradius/attrs.accounting_response
key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipaddr = *
port = 0
}
listen {
type = acct
ipaddr = *
port = 0
}
listen {
type = auth
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.


-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org

PEAP/MSCHAPv2 / Freeradius / AD

2011-10-13 Thread Kevin Chan
Hi all,

   hopefully I got to the right group of people.

   We are trying to use FreeRADIUS to do PEAP/MSCHAPv2
authentication against Active Directory (2003).  Our realm is
abc.acme.edu, but since eduroam doesn't allow subdomains, the end user has
to use b...@acme.edu instead of b...@abc.acme.edu as username.

   My question is: can you modify the realm behind the user's back
(during the EAP process)?

Kevin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius-client lib documentation

2011-07-11 Thread Kevin Lemonnier
Hello,

I have to make an application using a RADIUS lib.
I want to use the freeradius-client lib, but I can't find the
documentation. I downloaded the bz2 archive as said on the wiki, and
installed it, but I don't have any help with it, nor in the wiki.

Is there a doc somewhere? An example program at least?
I've looked at the .h in the include folder, but there are too many functions
for me to understand how to use it just with that.

Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Kevin Ehlers
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
 On 22/10/10 13:16, Ana Gallardo wrote:
 Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
 Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
 symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
   at /usr/lib/perl/5.10/Data/Dumper.pm line 36
 
 You need to install the Data::Dumper module from your package manager,
 or from CPAN, or from somewhere else :)

Conversely, you could comment out/remove the use Data::Dumper line
since you're not using it.  It's mainly for debugging and easily
printing the entire contents of an object/array/hash/etc.

-- 
Kevin Ehlers
Network Engineer
University of Oregon



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius Attribute Subtypes

2010-10-04 Thread Kevin Baier
2010/10/4 Alan DeKok al...@deployingradius.com:
 Kevin Baier wrote:
 As I can see the attribute itself has two subtyped values. How can I
 declare them in the dictionary file?

  You don't.

  Nested subtypes are non-standard, and are not supported in 2.0.4.
 They will likely be supported in 2.2.0, which will be out some time next
 year.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

@ Alan
Thank you for your response!


-- 
Kevin Baier

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius Attribute Subtypes

2010-10-04 Thread Kevin Baier
Hi List,
My FreeRADIUS version is 2.0.4, shipped with the standard Debian lenny package.
I have to implement a special attribute to control the user's
bandwidth on a special NAS.
Here is the attribute:

Type: 26
Length = 12
Vendor ID: 3902
  Vendor-Type = 3
  Vendor-Length = 14
    Sub-Type = 1  Forward maximum gross aggregate bandwidth value
    Length = 6
    Vendor-Value = 1 – 2**32 - 1 (binary value of the gross aggregate
                   bandwidth for the user, in bits per second)
    Sub-Type = 2  Reverse maximum gross aggregate bandwidth value
    Length = 6
    Vendor-Value = 1 – 2**32 - 1 (binary value of the gross aggregate
                   bandwidth for the user, in bits per second)

As I can see, the attribute itself has two sub-typed values. How can I
declare them in the dictionary file?
Thank you for your help!
--
Kevin Baier

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
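
An added example, not from the thread or from Alan's answer: since a 2.0.4 dictionary cannot describe the nested sub-types, the attribute can be declared as a plain octets VSA and its value supplied as the raw bytes of the two sub-TLVs. The vendor name Vendor3902 and the attribute name Vendor3902-Bandwidth are placeholders; the vendor ID 3902 and vendor type 3 are from the post. Each sub-TLV is one byte of Sub-Type, one byte of Length (6, counting the two header bytes, as in the post) and a 4-byte big-endian bit rate, so the two together are the 12 data bytes that give Vendor-Length 14.

```text
# /etc/freeradius/dictionary.vendor3902 (added example; names are placeholders)
# Pull it in from /etc/freeradius/dictionary with:  $INCLUDE dictionary.vendor3902
VENDOR          Vendor3902              3902
BEGIN-VENDOR    Vendor3902
ATTRIBUTE       Vendor3902-Bandwidth    3       octets
END-VENDOR      Vendor3902

# /etc/freeradius/users: reply item carrying both sub-TLVs as raw bytes.
#   01 06 00 0F 42 40  -> Sub-Type 1 (forward), Length 6, 1000000 bit/s
#   02 06 00 07 D0 00  -> Sub-Type 2 (reverse), Length 6,  512000 bit/s
# FreeRADIUS adds the RADIUS header (Type 26, Length) and the vendor
# header (Vendor ID 3902, Vendor-Type 3, Vendor-Length 14) itself.
DEFAULT
        Vendor3902-Bandwidth = 0x0106000F424002060007D000
```

The values can be built per user the same way from SQL or LDAP reply items as long as the hex string is assembled in full; the server treats the octets value as opaque and will not check the inner lengths, so a wrong Length byte is only noticed by the NAS.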


Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread Kevin Ehlers

On 9/15/10 11:07 AM, schilling wrote:
 For certificate, do we need a server certificate for both radius1 and
 radius2 if we want supplicant to verify the server certificate?

Just a note on this, you can get a single certificate with SANs (Subject
Alternative Names), and use the same cert on both machines.  It's
sometimes cheaper to go this route.  Also, you can add more SANs and get
the CA to issue you a new cert.  This also allows you to have your two
production machines, and a test machine that use the same cert.  That
way you can test new configurations without having to worry about PKI
issues.

-- 
Kevin Ehlers
Network Engineer
University of Oregon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Kevin Ehlers

On 9/13/10 3:40 PM, Esteban TALAVERA wrote:
 I'd like to know if there is a way to configure a RADIUS server + MySQL
 to authenticate wireless clients via a Cisco AP without certificates (EAP
 TLS), only a username and password

Are you using an autonomous AP or a lightweight AP with a controller?
If you have a controller, you can do webauth.  For webauth, the only
certificate required is the one for https/ssl.  If it's an autonomous
system, then you could place clients on a vlan and make them go through
an authentication gateway.

-- 
Kevin Ehlers
Network Engineer
University of Oregon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + MySql + Wireless Clients without certificates

2010-09-14 Thread Kevin Ehlers

On 9/14/10 11:38 AM, Alan Buxey wrote:
 Hi,
 
  I'd like to know if there is a way to configure a RADIUS server + MySQL
  to authenticate wireless clients via a Cisco AP without certificates (EAP
  TLS), only a username and password
 
 yes. we use Cisco APs - we used to use them in autonomous mode but moved to
 the
 lightweight LWAPP (now CAPWAP) mode a few years back.
 
 I would not recommend broken captive portals. 802.1X is the way forward
 (and is now being mandated by several government and education procurement
 systems around the world - expect any half-decent auditor to pick up on this
 too).
 for EAP, you can use EAP-PEAP or EAP-TTLS - in which your RADIUS server
 has a certificate signed by a CA. the clients don't need certificates, they
 just need to have the CA on them that signed the RADIUS server (for trust!)

I agree for the most part.  However, captive portals will still be in
use for guest access.  There's less administrative and helpdesk overhead
for this type of deployment.

On windows machines, the CA/cert trust has to be explicitly enabled.
This can be a barrier for un-managed and non-employee machines.

-- 
Kevin Ehlers
Network Engineer
University of Oregon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP Data Mangling

2010-09-08 Thread Kevin Ehlers

On 9/3/10 2:30 PM, Alan DeKok wrote:
 Kevin Ehlers wrote:
 Is it possible to modify attributes returned from ldap?  E.g. we're
 trying to do wpa-enterprise with peap-mschapv2.  We store our NT hash
 passwords as {nthash}hash instead of {nt}hash.  It looks like
 the mschap module doesn't auto-detect the hash type correctly, and says
 that it never received a valid password hash.  All authentication fails
 at this point.
 
   The PAP module is the one which does the password mangling.
 
 We store it as {nthash} because that's what our other radius servers
 (radiator) expect to see.
 
   I can add the {nthash} format for 2.1.10.  In the mean time, try
 putting this into the authorize section, just before the pap module:
 
   if (control:User-Password =~ /^{nthash}(.*)/) {
       update control {
           User-Password := "{nt}%{1}"
       }
   }

Hi Alan,

Thanks for pointing me in the right direction.

I found a solution that works in the meantime by writing a Perl module.
I'm using the Perl module during the authorize section in the
inner-tunnel virtual server.  What it does is query LDAP and get the
nt-password attribute from our LDAP server.  It then does a $nt_password
=~ /^{nthash}(.*)$/.  From there, I update the control packet:
$RAD_CHECK{'NT-Password'} = $1.  And then it returns OK.

It looks like the ldap module rejects the password and doesn't store it
in the User-Password or NT-Password field.  I tried updating the
ldap.attrmap, and it still didn't store it.  When I tried the
control:User-Password =~ /regex/, there was nothing to match it to.

Thanks,

-- 
Kevin Ehlers
Network Engineer
University of Oregon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP Data Mangling

2010-09-03 Thread Kevin Ehlers
Hi,

Is it possible to modify attributes returned from ldap?  E.g. We're
trying to do wpa-enterprise with peap-mschapv2.  We store our nt hash
passwords as {nthash}hash instead of {nt}hash.  It looks like
the mschap module doesn't auto-detect the hash-type correctly, and says
that it never received a valid password hash.  All authentication fails
at this point.

We store it as {nthash} because that's what our other radius servers
(radiator) expect to see.

I searched the archives, but was unable to find anything about that.

Thanks,

-- 
Kevin Ehlers
Network Engineer
University of Oregon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


coa proxy'ing with a NAC device

2010-07-27 Thread Kevin Ehlers
 I'm having a really hard time with proxying or just dealing with
CoA's.  The documentation just isn't working for me.

I can configure the coa server.  I can get the originate-coa server up
too.  I can send CoA's to the server, but I can't get it to proxy them
or re-send them as if it was originating the CoA.  I see that they're
being processed when looking at debug mode.  But I just don't know how
to do anything with them.

This is what I want to do:
[lots of switches doing dot1x]-[freeradius]-[NAC device,
PacketFence in this case]

I want to be able to send a CoA request from PacketFence (or another
management server) to freeradius, and have it relay that CoA to a
specific switch.  E.g. I have determined that a user needs to be
quarantined, so I run a script on the backend, and part of that
requires having that user re-authenticate and get assigned a
quarantine vlan.  PF determines which switch they're on, sends a CoA
to FreeRadius, FreeRadius then sends the CoA to the correct switch.

Is there a way to do this without configuring a client entry for every
edge device?  Should I be using the proxy.conf in some way?  I'm not
really clear about how to use the virtual servers in regard to proxying.

Thanks,

-- 
Kevin Ehlers
Network Engineer
University of Oregon

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


option 82

2010-02-26 Thread Kevin Croes
Hi,

I work at an ISP and we are looking at the possibility to use option
82 in FreeRADIUS. The other side is going to send us an ordernumber
and then we want to send a configuration back (an ip address etc.).
Been searching how to do this in FreeRADIUS, but haven't found much
useful information. So, if somebody can point me in the right
direction on how to set it up in FreeRADIUS. Any help will be greatly
appreciated.

Gr,

Kevin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS-IP-Address modified during Access-Request process

2009-06-23 Thread kevin leblanc
On Mon, Jun 22, 2009 at 23:08, Ivan Kalik t...@kalik.net wrote:

  I installed freeradius 2 but my problem is still there.
  To remember it :
 
  I configured Freeradius to look in openldap directory to authenticate and
  authorize an user.
  The authentication phase is OK
  During the authorize phase, a ldap search is done : if the user is member
  of
  a group identified by the host ip he wants to connect, the user is
  authorized.
  The problem is here : freeradius receives an Access-Request packet with a
  NAS-IP-Address (the good one) and to search in the ldap, it doesn't send
  the
  ip received in the packet but another one !

 Dynamic expansion for Ldap and SQL-Group doesn't work in users file. I can
 replicate this. But it works in unlang:

 if (Ldap-Group == "%{NAS-IP-Address}") {
     ...
 }

 will work just fine.

 Ivan Kalik
 Kalik Informatika ISP


:) It works fine!

To help users who have the same problem, I put these lines in the authorize
section:
if (Ldap-Group == "%{NAS-IP-Address}") {
    ok
}
else {
    reject
}

Thanks !
-- 
KeV
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
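
An added example, not code from this thread or from the Restrict access to certain groups thread further down: the users-file logic Kevin posted on 2009-06-18 (DEFAULT with Ldap-Group == the host's address, Auth-Type := LDAP, and a rejecting DEFAULT otherwise) written as unlang, which is where Ivan says the dynamic expansion actually works. It compares against Client-IP-Address, which the server takes from the source address of the packet it matched in clients.conf, rather than NAS-IP-Address, which is an attribute the sending device writes into the packet itself. With a clients.conf entry covering a whole /8 under one shared secret, as posted, any host in that range could put any NAS-IP-Address it likes in the request, so the source address is the value to base a per-host authorization decision on. Group names in LDAP are assumed to be the device's IP address, as in the thread.

```unlang
# /etc/freeradius/sites-enabled/default, authorize section (added example).
# Assumes the ldap module and its group_membership_filter from the thread,
# and LDAP groups named after the client IP address.
authorize {
    preprocess

    # Ldap-Group expands the value, runs the membership filter for the
    # user's DN and returns true only if a group with that cn contains it.
    # Client-IP-Address is the packet's source address, not a NAS-supplied
    # attribute, so a NAS cannot claim to be another host.
    if (Ldap-Group == "%{Client-IP-Address}") {
        update control {
            Auth-Type := LDAP
        }
        update reply {
            Service-Type := Login-User
        }
    }
    else {
        update reply {
            Reply-Message := "You are not authorized to log in to this host"
        }
        reject
    }

    # Normal user lookup (check and reply items from the directory).
    ldap
}
```

Auth-Type LDAP still needs the stock Auth-Type LDAP { ldap } block in the authenticate section, which is what binds as the user's DN with the supplied password, as the posted debug output shows.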

Re: NAS-IP-Address modified during Access-Request process

2009-06-22 Thread kevin leblanc
Hi,

I installed freeradius 2 but my problem is still there.
To remember it :

I configured Freeradius to look in openldap directory to authenticate and
authorize an user.
The authentication phase is OK
During the authorize phase, a ldap search is done : if the user is member of
a group identified by the host ip he wants to connect, the user is
authorized.
The problem is here : freeradius receives an Access-Request packet with a
NAS-IP-Address (the good one) and to search in the ldap, it doesn't send the
ip received in the packet but another one !

Why this attribute is modified ?
Is there any cache (the other ip comes from another equipment) ?

To be precise:
I think there is some cache enabled somewhere (the IP used for the LDAP filter is
always the one of the first request); is there any way to disable it?

Before testing, I created the group for IP1 and I added the test user to it.
Test 1:

   - I ran radiusd -X
   - I try to connect with IP1 => OK
   - I try to connect with IP2 => OK (not the right result, because to check the
   membership it's the first IP which is used)


Then, I kill radiusd.
Test 2:

   - I ran radiusd -X
   - I try to connect with IP2 => KO (expected, because the group for IP2
   doesn't exist)
   - I try to connect with IP1 => KO (not expected, because the group for IP1
   exists)

To help, the logs :
--
rad_recv: Access-Request packet from host 126.50.0.148 port 1645, id=34,
length=80
NAS-IP-Address = 126.50.0.148
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = testuser
Calling-Station-Id = 126.100.100.6
User-Password = X
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: dc=example,dc=com -> dc=example,dc=com
[files] expand: (uid=%{User-Name}) -> (uid=testuser)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as ou=radius,ou=applications,dc=example,dc=com/X to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand:
(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:LDAP-UserDn})) ->
(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap]  expand: (uid=%{User-Name}) -> (uid=testuser)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by testuser with password azerty12
[ldap] user DN: uid=testuser,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as
uid=testuser,uid=test01,ou=users,dc=example,dc=com/azerty12 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user testuser authenticated succesfully
++[ldap] returns ok
Login OK: [testuser] (from client petitnom port 1 cli 126.100.100.6)
Sending Access-Accept of id 34 to 126.50.0.148 port 1645
Nokia-IPSO-User-Role = adminRole
Nokia-IPSO-SuperUser-Access = 1
Service-Type = Login-User
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 34 with timestamp +52
Ready to process requests.

--

-- 
KeV
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

NAS-IP-Address modified during Access-Request process

2009-06-18 Thread kevin leblanc
Hi everybody,
I have a big problem with FreeRADIUS installed in version 1.1.4 on RHEL 5, and
today it's the third day I'm looking for a solution :(
Here is the problem:
I configured FreeRADIUS to look in an OpenLDAP directory to authenticate and
authorize a user.
The authentication phase is OK.
During the authorization phase, an LDAP search is done: if the user is a member of a
group identified by the IP of the host he wants to connect to, the user is authorized.
The problem is here: FreeRADIUS receives an Access-Request packet with a
NAS-IP-Address (the right one) and to search in LDAP, it doesn't send the
IP received in the packet but another one!

Why this attribute is modified ?
Is there any cache (the other ip comes from another equipment) ?

Thanks for any helpful idea

Here are
/etc/raddb/users (I also tried with ldap-group == "%{NAS-IP-Address}"):

DEFAULT ldap-group == "%{Client-Ip-Address}", Auth-Type := LDAP
        Service-Type = 1,
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Fall-Through = no,
        Reply-Message = "You are not authorized to log in to this host :("


/etc/raddb/clients.conf

client 126.50.0.0/8 {
    secret = secretsecret
    shortname = shortname
}


radius LOG (with radiusd -X)

rad_recv: Access-Request packet from host 126.50.0.148:1645, id=17,
length=82
NAS-IP-Address = 126.50.0.148
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = testadmin
Calling-Station-Id = XX.XX.XX.XX
User-Password = X
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module preprocess returns ok for request 4
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=example,dc=com'
radius_xlat:  '(uid=testadmin)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(uid=testadmin)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as uid=radius,ou=applications,dc=example,dc=com/radiuspass to
127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter
(uid=testadmin)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(&(cn=126.50.0.147)(|(&(objectClass=GroupOfNames)(member=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestAdmin\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom
rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 3
  modcall[authorize]: module files returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testadmin
radius_xlat:  '(uid=testadmin)'
radius_xlat:  'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter
(uid=testadmin)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testadmin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: login attempt by testadmin with password X
rlm_ldap: user DN: uid=testAdmin,uid=test01,ou=users,dc=example,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: starting TLS
rlm_ldap: bind as
uid=testAdmin,uid=test01,ou=users,dc=example,dc=com/X to
127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testadmin authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 4
modcall: leaving group LDAP 

Re: NAS-IP-Address modified during Access-Request process

2009-06-18 Thread kevin leblanc
thanks for the quick answer :)

Indeed, the version installed is not the latest one but the no longer
maintained one.
I just did yum install freeradius.

I will fix this right now

Thanks again

-- 
KeV
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Restrict access to certain groups

2009-02-16 Thread kevin leblanc
On Tue, Feb 10, 2009 at 1:54 PM, kevin leblanc kevinzebe...@gmail.comwrote:

 To remember: I want only user1 to be able to access host1.

 To illustrate it:
 root
  |
  +-----------+
  |           |
 hosts       users
  |           |
  +           +-------+
  |           |       |
 host1       user1   user2
  |
  |  members:
  |
  user1


 I found a possible way.

 in radiusd.conf, I put:
 groupname_attribute = cn
 group_membership_filter =
 "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

 In the users file, I put:
 DEFAULT Ldap-Group == "X", Auth-Type := LDAP

 X will be the IP/hostname of the host which tries to connect.

 Is there any variable like %{LDAP-UserDN} which could give me this
 information?

 thanks for any help


 --
 KeV


I found the variable %{Client-IP-Address}, which gives me the host's IP.
But is there any way to get the hostname instead of the IP?
By hostname, I mean the real hostname, not the one defined in clients.conf with
the shortname attribute.

Another question: I don't want to store the identity/password attributes in
radiusd.conf for security reasons.
I tried the line below in the users file, but that doesn't work:
DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
Any idea?

Thanks


-- 
KeV

Restrict access to certain groups

2009-02-10 Thread kevin leblanc
Hi
I have a Freeradius which checks via LDAP whether a user has the right to connect to a
network equipment.
For security reasons, I want to restrict access to certain users (network
administrators).

At the beginning, I wanted to do it by adding a host attribute to a user, which
would contain all the hosts he is allowed to connect to: I didn't find a solution.
But I found another way: in my schema I added an OU which contains all the
computers in the network, and to allow a user to connect to one of them, I
make him a member of this host.

So, I want to check if the user is a member of the host he tries to connect to,
in order to give him the corresponding access.

I don't know if it's possible, or how to do it (if it's possible).
Should I change the users file? radiusd.conf? clients.conf?

I'm lost, even though I've been on it since last week :(
Thanks for all possible solutions

-- 
KeV

Re: Restrict access to certain groups

2009-02-10 Thread kevin leblanc
As a reminder: I want only user1 to be able to access host1.

To illustrate it:
root
 |
--
||
  hosts users
||
--
|||
  host1   user1  user2
|
|  members:
|
 user1


I found a possible way.

In radiusd.conf, I put:
groupname_attribute = cn
group_membership_filter =
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

In the users file, I put:
DEFAULT Ldap-Group == "X", Auth-Type := LDAP

X will be the IP/hostname of the host that tries to connect.

Is there any variable like %{LDAP-UserDN} which could give me this
information?

thanks for any help


-- 
KeV
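The "user must be a member of the host entry" check that this thread works towards, as an added Python model. It is not FreeRADIUS code and not the poster's configuration; it assumes the tree sketched in the post (host entries under ou=hosts that are groups whose members are user DNs, users under ou=people,dc=company,dc=com) and uses a small constructed in-memory directory in place of a real LDAP server. The escaping step is the part worth noticing: the user DN is data that is substituted into a search filter, so it has to be escaped per RFC 4515 before it goes in, as rlm_ldap does for its own expansions.

```python
"""Offline model of the check discussed in this thread: is the user a member
of the host entry he is trying to reach?  Added example, not FreeRADIUS code
and not the poster's configuration; the directory below is constructed."""

# Constructed sample directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "cn=host1,ou=hosts,dc=company,dc=com": {
        "objectclass": ["groupOfNames"],
        "cn": ["host1"],
        "member": ["uid=user1,ou=people,dc=company,dc=com"],
    },
    "cn=host2,ou=hosts,dc=company,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "cn": ["host2"],
        "uniquemember": [
            "uid=user1,ou=people,dc=company,dc=com",
            "uid=user2,ou=people,dc=company,dc=com",
        ],
    },
}

# RFC 4515 escaping for values embedded in a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string that is about to be substituted into an LDAP filter.

    rlm_ldap escapes its own %{...} expansions; any tool that builds the
    filter by hand must do the same, otherwise a value such as
    'uid=x)(member=*' would change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_membership_filter(user_dn):
    """The group_membership_filter from the post, with %{Ldap-UserDn} substituted."""
    dn = escape_filter_value(user_dn)
    return (
        "(|(&(objectClass=GroupOfNames)(member=%s))"
        "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))" % (dn, dn)
    )


def _normalize_dn(dn):
    # DNs compare case-insensitively and ignore whitespace around RDN separators.
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_member(entry, user_dn):
    """Evaluate the membership filter against one directory entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    target = _normalize_dn(user_dn)
    if "groupofnames" in classes:
        if any(_normalize_dn(m) == target for m in entry.get("member", [])):
            return True
    if "groupofuniquenames" in classes:
        if any(_normalize_dn(m) == target for m in entry.get("uniquemember", [])):
            return True
    return False


def allowed_hosts(directory, user_dn):
    """Names (groupname_attribute = cn) of the host groups the user belongs to."""
    names = []
    for entry in directory.values():
        if is_member(entry, user_dn):
            names.extend(entry.get("cn", []))
    return sorted(names)


def authorize(directory, user_dn, host_name):
    """Mirror of the users-file rule `Ldap-Group == <host>, Auth-Type := LDAP`:
    returns the Auth-Type to set, or None when the user is not a member (reject)."""
    return "LDAP" if host_name in allowed_hosts(directory, user_dn) else None


if __name__ == "__main__":
    user1 = "uid=user1,ou=people,dc=company,dc=com"
    print(build_membership_filter(user1))
    print(allowed_hosts(DIRECTORY, user1))
    print(authorize(DIRECTORY, "uid=user2,ou=people,dc=company,dc=com", "host1"))
```

`authorize` is the decision the users-file entry makes for one host; the remaining question in the thread, how to turn the NAS address into the host's group name, is left as the caller's lookup and is not modelled here.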

Re: WISPr-Bandwidth question

2008-12-18 Thread kevin
On Thu, 2008-12-18 at 15:05 +0100, Alan DeKok wrote:
 kevin wrote:
  IOW, when using WISPr-Bandwidth, does that modify the client connection
  at the client computer or does that occur at a proxy or firewall device?
 
   The RADIUS client (NAS) that receives the WISPr-Bandwidth attribute is
 responsible for enforcing it.

OK, I think I understand this better.  If I was using PPPOE or similar
(so long as it honoured the WISPr-Bandwidth attribute), the client would
handle and enforce these parameters.  A NAC would not be required if
authentication is direct by that method.

Sorry for the off-topic nature this thread is taking, but I'm thinking
out loud, here.

On the other hand, I think I've narrowed down my choices for NAC.  I
will look further into UNI-FY, but right now I think my best option,
without having to go to open-wrt or whatever, with some version of
chilli (or derivative) integration, is looking like ZeroShell:

http://www.zeroshell.net

Apparently, it can be configured to use a remote Radius server for AAA.
I'm just noticing that chilli based AAA has limitations which I don't
want to deal with.

I don't want to use a router with firmware update because I'd like more
options and don't want to deal with vendor lock-in.  And from what I
can see, zeroshell offers a lot of extra, low-level control.  As
mentioned in another part of this thread, being able to manage office
users using WISPr-Bandwidth and similar controls, allowing me to
aggregate all bandwidth with a single point of authentication which is
what I'm looking at.  My own cloud, if you will.

I know freeradius is part of the puzzle and I want to do this only once.
Changing from my old infrastructure, to a new, robust, and scalable
system.  I'm currently using smoothwall and I don't have the time,
energy, or resources to fix and modify to suit my needs and others like
pfsense or ipcop or wifidog seem to be at about similar as far as
limitations.

Cheers,

Kevin


 
  What I'm getting at is, is a captive portal necessary or can a person
  simply have client authentication via freeradius and the client network
  card handle managing its own bandwidth?  And if so, is there any
  possibility that the client computer could be modified by someone with a
  bit of skill to bypass those controls?
 
   No.
 
   Alan DeKok.



WISPr-Bandwidth question

2008-12-17 Thread kevin
While an out of the box solution is where I'll probably end up, I'm
battling with myself over the idea of how to best manage bandwidth on a
network including multiple remote locations, with both wired and
wireless connections.

I'm moving to using freeradius to authenticate (which ultimately will be
done by MAC for initial ease of setup) but I'm trying to figure out
where the Bandwidth attributes actually are used.

IOW, when using WISPr-Bandwidth, does that modify the client connection
at the client computer or does that occur at a proxy or firewall device?
What I'm getting at is, is a captive portal necessary or can a person
simply have client authentication via freeradius and the client network
card handle managing its own bandwidth?  And if so, is there any
possibility that the client computer could be modified by someone with a
bit of skill to bypass those controls?

Hope that made sense.

Cheers,

Kevin


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WISPr-Bandwidth question

2008-12-17 Thread kevin
Thanks, Leigh...

Yes, that does make more sense.  How you explained it.

So basically, I would need to put a NAC (network access controller) at
each remote location.  BUT...  I wouldn't necessarily have to put a
traditional captive portal at each location, even though they would
probably provide pretty much the same features.

thx...

Kevin

On Wed, 2008-12-17 at 12:49 -0500, Leigh Martell wrote:
 Hello Kevin,
 
 I can't answer definitively, but I would assume that it would be done
 on your NAS (depending on your hardware these rules could be
 propagated to the child devices). It would defy all logic for it to be
 done on the client. Just as you would in an unauthenticated
 wired/wireless network, it is always best to control traffic at the
 distribution point.
 
 Hope that helps.
 
 Take Care,
 Leigh Martell
 
 On Wed, Dec 17, 2008 at 12:14 PM, kevin r...@yia.ca wrote:
 While an out of the box solution is where I'll probably end
 up, I'm
 battling with myself over the idea of how to best manage
 bandwidth on a
 network including multiple remote locations, with both wired
 and
 wireless connections.
 
 I'm moving to using freeradius to authenticate (which
 ultimately will be
 done by MAC for initial ease of setup) but I'm trying to
 figure out
 where the Bandwidth attributes actually are used.
 
 IOW, when using WISPr-Bandwidth, does that modify the client
 connection
 at the client computer or does that occur at a proxy or
 firewall device?
 What I'm getting at is, is a captive portal necessary or can a
 person
 simply have client authentication via freeradius and the
 client network
 card handle managing its own bandwidth?  And if so, is there
 any
 possibility that the client computer could be modified by
 someone with a
 bit of skill to bypass those controls?
 
 Hope that made sense.
 
 Cheers,
 
 Kevin
 
 


Re: freeradius not responding on machine specific IPs

2008-12-13 Thread kevin
Hi Alan,

OK, you pointed me in the right direction.  I did run radius in debug
and came up with no errors as shown in a previous message to the list
that was cut from this continuation.

What I didn't realize nor think of, is that I could run radtest against
the debug run.  Every reference to debug mode simply indicated to run in
debug, check if there were errors, and the ctrl-X and run freeradius
again in standard mode.

So I ran freeradius in debug mode and then ssh'd into the server again in
another instance.  Ran radtest again and found these output results:

 rad_recv: Access-Request packet from host 192.168.3.199:41953, id=15, 
 length=56
 Ignoring request from unknown client 192.168.3.199:41953
 --- Walking the entire request list ---
 Nothing to do.  Sleeping until we see a request.

unh-hunh...  FR was getting the request, and IGNORING IT...  so the
client never knew that FR had received the request.  Great for security
(looks like the port was closed), so that pointed me in the wrong
direction, thinking it wasn't open or getting requests.

Anyhow, I changed the clients.conf to include the external IP of the
server, ran the test again, and it worked as expected:


 r...@server3:/home/kevin# radtest fred wilma 192.168.3.199 1812 mysecret
 Sending Access-Request of id 60 to 192.168.3.199 port 1812
   User-Name = fred
   User-Password = wilma
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1812
 rad_recv: Access-Reject packet from host 192.168.3.199:1812, id=60, length=20
 rad_verify: Received Access-Reject packet from client 192.168.3.199 port 1812 
 with invalid signature (err=2)!  (Shared secret is incorrect.)

Thanks to all helping me figure this out...

Cheers,

Kevin

On Sat, 2008-12-13 at 08:45 +0100, Alan DeKok wrote:
 kevin wrote:
  I'm using fake data to send to the radius server.  I do not care if it
  passes or fails.  I simply want the server to respond when I send a
  message to x.x.3.199 (the network address of the machine) just as it
  does when I send a request to the localhost address on the machine.
 
   It's not clear from your messages if you're running the server in
 debugging mode for these tests.  If you are, the possible outcomes are:
 
   1) it doesn't receive the packet.  This usually means firewall issues.
 
   2) it receives the packet, and doesn't respond.  Debug output explains
 why.
 
   3) it receives the packet and responds, but the client doesn't see the
 response.  This usually means firewall issues.
 
  It does respond to localhost, it does not respond to the network
  address.  That's where the problem lies, that I am trying to figure out.
 
   As always, READ the debug output.  From your messages it looks like
 you are NOT looking at the debug output when you send requests from
 outside of localhost.
 
   Alan DeKok.
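The two server-side steps behind this thread, as an added Python model (not FreeRADIUS code and not the poster's configuration; the client table, packets and secrets are constructed for the example): a request whose source matches no client entry is dropped without any reply, which is why the earlier tests looked like a closed port, and a reply's Response Authenticator is an MD5 over the packet and the client's shared secret, which is what radtest recomputes in rad_verify and reports as "invalid signature" when its own secret differs.

```python
"""Model of unknown-client handling and Response Authenticator checking in
RADIUS (RFC 2865).  Added example, not FreeRADIUS code and not the poster's
configuration; client table, packets and secrets are constructed."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ACCESS_REJECT = 3
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)

# Constructed client table in the spirit of clients.conf: network -> secret.
CLIENTS = {
    "127.0.0.1/32": b"mysecret",     # localhost entry
    "192.168.3.0/24": b"mysecret",   # the server's own LAN, the entry that was missing
}


def lookup_client(clients, src_ip):
    """Return the shared secret for src_ip, or None when no entry matches."""
    addr = ipaddress.ip_address(src_ip)
    for network, secret in clients.items():
        if addr in ipaddress.ip_network(network, strict=False):
            return secret
    return None


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_packet(code, ident, authenticator, attrs=b""):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def server_reply(clients, src_ip, request):
    """Server side: ignore unknown clients, otherwise answer Access-Reject
    (no matching user) with a correctly computed Response Authenticator."""
    secret = lookup_client(clients, src_ip)
    if secret is None:
        return None  # "Ignoring request from unknown client": nothing is sent back
    _code, ident, _length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    auth = response_authenticator(ACCESS_REJECT, ident, request_auth, b"", secret)
    return build_packet(ACCESS_REJECT, ident, auth)


def verify_reply(reply, request_auth, secret):
    """Client side: recompute the Response Authenticator with our own secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[HEADER_LEN:length]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return expected == reply[4:HEADER_LEN]


def radtest(clients, src_ip, client_secret, ident=60):
    """One radtest-style exchange: 'no response', 'ok' or 'bad signature'."""
    request_auth = os.urandom(16)  # Request Authenticator is random per RFC 2865
    request = build_packet(ACCESS_REQUEST, ident, request_auth)  # attributes omitted
    reply = server_reply(clients, src_ip, request)
    if reply is None:
        return "no response"
    return "ok" if verify_reply(reply, request_auth, client_secret) else "bad signature"


if __name__ == "__main__":
    print(radtest(CLIENTS, "10.0.0.5", b"mysecret"))          # unknown client
    print(radtest(CLIENTS, "192.168.3.199", b"mysecret"))     # known client, right secret
    print(radtest(CLIENTS, "192.168.3.199", b"wrongsecret"))  # known client, wrong secret
```

"ok" here only means the reply's signature verified; the reply is still an Access-Reject, exactly as in the thread, because no user was matched. The point of the first case is that it is indistinguishable, from the client's side, from a firewall dropping the packet, so the server's debug output is the only place the reason shows up.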


freeradius not responding on machine specific IPs

2008-12-12 Thread kevin
I was loathe to ask a newbie question, but it appears I have one.

How does one configure freeradius to listen on all IPs specific to a
machine?

I have a remote Ubuntu 7.10 server (32bit) which I want to use for
authentication via freeradius.  It (freeradius 1.1.6-2) installed all
nice and is running properly in default config, or it would seem.  I
cannot get a response when a remote authenticate is made.

When I ssh into the server, it appropriately responds to the following:

 r...@server3:/home/kevin# radtest fred wilma 127.0.0.1 1812 mysecret
 Sending Access-Request of id 1 to 127.0.0.1 port 1812
   User-Name = fred
   User-Password = wilma
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1812
 Re-sending Access-Request of id 1 to 127.0.0.1 port 1812
   User-Name = fred
   User-Password = wilma
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1812
 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=1, length=20
 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 
 with invalid signature (err=2)!  (Shared secret is incorrect.)

When I try radtest on the network IP, it fails, as per:

 r...@server3:/home/kevin# radtest fred wilma 192.168.3.199 1812 mysecret
 Sending Access-Request of id 5 to 192.168.3.199 port 1812
   User-Name = fred
   User-Password = wilma
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1812
 Re-sending Access-Request of id 5 to 192.168.3.199 port 1812
   User-Name = fred
   User-Password = wilma
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1812

etc...

I have tried setting the listen in radiusd.conf to be the network IP of the
machine (x.x.3.199), but that gave the same results.

Any thoughts on what this n00b is doing wrong?

Thanks,

Kevin



Re: freeradius not responding on machine specific IPs

2008-12-12 Thread kevin
Just to be sure, iptables has been set to accept all.

A netstat shows:


 udp        0      0 *:radius                *:*
 udp        0      0 *:radius-acct           *:*

So radius appears to be listening to the ports on ALL IPs.  If the
above is correct, then I should be able to do a radtest on any IPs
associated with the box and get a response.  Yet I am only able to get a
response using localhost (127.0.0.1)...

Just to be sure, I also did a localhost radtest on the machine:

 radtest fred wilma localhost 1812 mysecret

And it resolved localhost as 127.0.0.1 (as expected) and responded the
same as when I used 127.0.0.1

In radiusd.conf, bind_address = * and listen { } is all commented out.

Running freeradius -XXX -A provides the following output:

 r...@server3:/home/kevin# freeradius -XXX -A
 Fri Dec 12 13:53:24 2008 : Info: Starting - reading configuration files ...
 Fri Dec 12 13:53:24 2008 : Debug: reread_config:  reading radiusd.conf
 Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
 /etc/freeradius/proxy.conf
 Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
 /etc/freeradius/clients.conf
 Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
 /etc/freeradius/snmp.conf
 Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
 /etc/freeradius/eap.conf
 Fri Dec 12 13:53:24 2008 : Debug: Config:   including file: 
 /etc/freeradius/sql.conf
 Fri Dec 12 13:53:24 2008 : Debug:  main: prefix = /usr
 Fri Dec 12 13:53:24 2008 : Debug:  main: localstatedir = /var
 Fri Dec 12 13:53:24 2008 : Debug:  main: logdir = /var/log/freeradius
 Fri Dec 12 13:53:24 2008 : Debug:  main: libdir = /usr/lib/freeradius
 Fri Dec 12 13:53:24 2008 : Debug:  main: radacctdir = 
 /var/log/freeradius/radacct
 Fri Dec 12 13:53:24 2008 : Debug:  main: hostname_lookups = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: max_request_time = 30
 Fri Dec 12 13:53:24 2008 : Debug:  main: cleanup_delay = 5
 Fri Dec 12 13:53:24 2008 : Debug:  main: max_requests = 1024
 Fri Dec 12 13:53:24 2008 : Debug:  main: delete_blocked_requests = 0
 Fri Dec 12 13:53:24 2008 : Debug:  main: port = 0
 Fri Dec 12 13:53:24 2008 : Debug:  main: allow_core_dumps = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: log_stripped_names = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: log_file = 
 /var/log/freeradius/radius.log
 Fri Dec 12 13:53:24 2008 : Debug:  main: log_auth = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: log_auth_badpass = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: log_auth_goodpass = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: pidfile = 
 /var/run/freeradius/freeradius.pid
 Fri Dec 12 13:53:24 2008 : Debug:  main: user = freerad
 Fri Dec 12 13:53:24 2008 : Debug:  main: group = freerad
 Fri Dec 12 13:53:24 2008 : Debug:  main: usercollide = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: lower_user = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: lower_pass = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: nospace_user = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: nospace_pass = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: checkrad = /usr/sbin/checkrad
 Fri Dec 12 13:53:24 2008 : Debug:  main: proxy_requests = yes
 Fri Dec 12 13:53:24 2008 : Debug:  proxy: retry_delay = 5
 Fri Dec 12 13:53:24 2008 : Debug:  proxy: retry_count = 3
 Fri Dec 12 13:53:24 2008 : Debug:  proxy: synchronous = no
 Fri Dec 12 13:53:24 2008 : Debug:  proxy: default_fallback = yes
 Fri Dec 12 13:53:24 2008 : Debug:  proxy: dead_time = 120
 Fri Dec 12 13:53:24 2008 : Debug:  proxy: post_proxy_authorize = no
 Fri Dec 12 13:53:24 2008 : Debug:  proxy: wake_all_if_all_dead = no
 Fri Dec 12 13:53:24 2008 : Debug:  security: max_attributes = 200
 Fri Dec 12 13:53:24 2008 : Debug:  security: reject_delay = 1
 Fri Dec 12 13:53:24 2008 : Debug:  security: status_server = no
 Fri Dec 12 13:53:24 2008 : Debug:  main: debug_level = 0
 Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading dictionary
 Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading naslist
 Fri Dec 12 13:53:24 2008 : Info: Using deprecated naslist file.  Support for 
 this will go away soon.
 Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading clients
 Fri Dec 12 13:53:24 2008 : Debug: read_config_files:  reading realms
 Fri Dec 12 13:53:24 2008 : Debug: radiusd:  entering modules setup
 Fri Dec 12 13:53:24 2008 : Debug: Module: Library search path is 
 /usr/lib/freeradius
 Fri Dec 12 13:53:24 2008 : Debug: Module: Loaded exec 
 Fri Dec 12 13:53:24 2008 : Debug:  exec: wait = yes
 Fri Dec 12 13:53:24 2008 : Debug:  exec: program = (null)
 Fri Dec 12 13:53:24 2008 : Debug:  exec: input_pairs = request
 Fri Dec 12 13:53:24 2008 : Debug:  exec: output_pairs = (null)
 Fri Dec 12 13:53:24 2008 : Debug:  exec: packet_type = (null)
 Fri Dec 12 13:53:24 2008 : Info: rlm_exec: Wait=yes but no output defined. 
 Did you mean output=none?
 Fri Dec 12 13:53:24 2008 : Debug: Module: Instantiated exec (exec

RE: freeradius not responding on machine specific IPs

2008-12-12 Thread kevin
Thanks Jason, but I might have been unclear.  Sorry about that.

I'm using fake data to send to the radius server.  I do not care if it
passes or fails.  I simply want the server to respond when I send a
message to x.x.3.199 (the network address of the machine) just as it
does when I send a request to the localhost address on the machine.

It does respond to localhost, it does not respond to the network
address.  That's where the problem lies, that I am trying to figure out.

Thanks again, though.

The network I am trying to authenticate is remote from the radius
server, so I cannot use localhost.  Otherwise, I wouldn't worry about
it...  Eventually, the remote location will be running covachilli or
something similar.  But for security (equipment) reasons, I cannot put a
server at that end, so must do authentication remotely, at this end.

Cheers,

Kevin

On Fri, 2008-12-12 at 16:11 -0500, Jason Wittlin-Cohen wrote:
 Kevin, 
 
 The relevant line is:
 
  rad_verify: Received Access-Reject packet from client 127.0.0.1
 port 1812 with invalid signature (err=2)!  (Shared secret is
 incorrect.)
 
 The shared secret to authenticate a client to the RADIUS server (for
 RADIUS, not EAP traffic) is either not set, or you're using the wrong
 secret. By default there is no shared secret set for localhost. Edit
 clients.conf, search for 127.0.0.1. You'll find a line that looks
 like:
 
 ipaddr = 127.0.0.1
 
 Now, add this line beneath:
 
 secret = secret
 
 Restart freeradius and try again. The message should go away.
 Remember, you're still going to get an access-reject response unless
 you set up the user account and password you're authenticating with in
 the users file.
 
 Jason
 
 -- 
 Jason Wittlin-Cohen
 Yale Law School, Class of 2010
 jason.wittlin-co...@yale.edu
 


RE: Unresponsive Child in component authorize

2008-10-08 Thread Kevin Smith
FreeRadius version is?

 

Version of Freeradius is 2.0.5 

 

 That may be a side-effect of something else taking long amounts of
 time.  Usually, this is SQL.

 

 I believe this may have been a side effect of perhaps all my ldap
threads being utilized.  I have increased the number of ldap threads and
have adjusted the timeout values somewhat.  I'll keep an eye on it.  

 

Thanks!

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marinko Tarlac
Sent: Wednesday, October 08, 2008 3:36 AM
To: FreeRadius users mailing list
Subject: Re: Unresponsive Child in component authorize

 

@kesm0724 

FreeRadius version is?




On Wed, Oct 8, 2008 at 4:22 AM, Alan DeKok [EMAIL PROTECTED]
wrote:

kesm0724 wrote:
 Does the Unresponsive Child in module files component authorize
 allude to something I have misconfigured in the virtual server or a
 process that is hung?

 The server is blocked somewhere.


 Tue Oct  7 12:14:43 2008 : Error: WARNING: Unresponsive child (id
 3054615440) for request 8, in module files component authorize

 Hm... that's a little surprising.  The files module doesn't take
much CPU time.  It doesn't use locks.  So there's no reason for it to
block for long periods of time.

 That may be a side-effect of something else taking long amounts of
time.  Usually, this is SQL.

 Or, if you're putting hostnames in the users file, instead of
numerical IP addresses... and your DNS server is down.  The server won't
be able to create the reply because it needs the IP address.  It won't
be able to create the IP address because DNS is down.

 Don't use hostnames.  Or, fix DNS so that it works.

 Alan DeKok.


RE: autentication against active directory does not work

2008-09-19 Thread Kevin Smith
Have you verified that Samba was joined to your domain successfully
using wbinfo -t?  You should see "checking the trust secret via RPC
calls succeeded".

If that is successful try:

[EMAIL PROTECTED] ~]# ntlm_auth  --username your_user --password users_password
--domain your_ad_domain --request-nt-key

Should see: NT_STATUS_OK: Success (0x0)

If the two steps above aren't successful you will need to correct those
issues first before proceeding.

In the mschap module my ntlm_auth configuration is as follows:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

Good luck.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 19, 2008 3:40 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: autentication against active directory does not work

I have already read the documentation at
http://deployingradius.com/documents/configuration/active_directory.html


Read it again.

my freeradius debug is pasted at 

http://pastebin.ca/1206001


1. You are using an outdated version of the server which has a default
entry in the users file setting Auth-Type System if all else fails. Upgrade
or at least comment that out since you have removed unix from the
configuration.

2. Read the obvious WARNING in the debug and fix that.

3. You have configured AD integration (ntlm_auth) in mschap module. And
then sent pap request. No wonder it's not working. Send mschap requests.

Ivan Kalik
Kalik Informatika ISP



performance report?

2008-08-20 Thread Kevin J
Does anybody know the performance on Sun T-1000?
Just noticed that radius cannot reach more than 20% CPU time when we ran a 
heavy traffic with nas simulations.  We have tested some other programs and 
could reach even more than 90% so just curious anybody experienced the similar 
result.



Re: performance report?

2008-08-20 Thread Kevin J
Well, the Radius protocol is not just a machine-to-machine issue.  I think you don't 
understand how the request protocol can be simulated by hammering with our tool.  
We have tested various protocols with this tool.

Per our test results, radius can reach the limit of requests by hammering 
easily but CPU was still low. We have various statistics on all these.  My 
point is that radius was not able to use the full CPU resource until reaching the max 
number of handled requests.

Your point about more clients does not make sense because we already reached max 
requests hammering with our tool and that was the same regardless of adding more 
clients in a multi-threaded environment.


- Original Message 
From: Anders Holm [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:52:20 PM
Subject: Re: performance report?

I still do ...

I’ve had 10 multi core boxes hammering one server, still not enough .. You need 
more clients .. ;) RADIUS as such requires very little from the server side in 
terms of CPU. All it really does is compare x with y and then respond yes or 
no, once you strip down all the various variants of auth protocols. That’s not 
a high requirement. I’m confident if you use a SSL enabled protocol, your CPU 
on the server is spending more time per request doing the necessary SSL stuff 
than RADIUS related work ..

A pint of unspecified beverage says you’ll need more client CPU .. I’ll agree 
with the pint ..

//anders


On 20/08/2008 20:45, Kevin J [EMAIL PROTECTED] wrote:


Well, that's why I am saying we used the nas simulation tool.  We can hammer a 
lot of traffic with this multi-threaded tool and also we tried at least three 
client boxes so don't assume our traffic was not enough.

- Original Message 
From: Anders Holm [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, August 20, 2008 12:25:19 PM
Subject: Re: performance report?

It is not likely you're actually putting too much strain 
on the server side. You’ll need quite a lot of machines hammering the RADIUS 
server before it’ll break into a sweat. The client side would have higher CPU 
utilization than the server side, per request.

Comparing one program to another is not exactly comparing apples with apples. 
It’s more like comparing a duck with a fork lift. One flies, the other just 
doesn’t (or rather, when it does, you don’t want to be there to see it) ...

//anders

On 20/08/2008 20:18, Kevin J [EMAIL PROTECTED] wrote:


Does anybody know the performance on Sun T-1000?
Just noticed that radius cannot reach more than 20% CPU time when we ran a 
heavy traffic with nas simulations.  We have tested some other programs and 
could reach even more than 90% so just curious anybody experienced the similar 
result.



 


Re: Goodbye SNMP, hello statistics.

2008-06-24 Thread Kevin Bonner
On Friday 20 June 2008 09:48:53 Alan DeKok wrote:
   I've committed some code (~1K LoC) to CVS head that will go into 2.0.6.
  In short, there's no point in using SNMP any more.  The good news is
 that the Status-Server packet is overloaded to get all sorts of
 statistics that weren't available in SNMP.  For more information, see:

   share/dictionary.freeradius

The changes sound great!  I'd cutover to this if I were still at the company 
that used FR and SNMP monitoring stuff...

Kevin Bonner



Two Daemons on One Box?

2008-06-05 Thread Kevin J
Folks,

I need to run two different configurations on one box.  I guess the only way is 
to run two daemons on different ports.
Any advice or concern?  I also want to hear if there is known issues, bugs, or 
performance matters when more than one daemon run on the same box.

Thanks,
Kevin




regular expression

2008-04-16 Thread Kevin J
Is there a way that I can use for a regular expression to validate the username 
attribute?

Something like 
User-Name =~ [0-9a-zA-Z.#_] 

I think . or # does not work.




  

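Why the pattern as posted accepts more than intended, as an added example that is not FreeRADIUS code. Python's `re` stands in for the server's POSIX regular expression engine here; for a bracket expression with and without anchors and a quantifier the matching behaviour is the same in both, and the usernames are constructed.

```python
"""Anchored vs. unanchored username validation.  Added example, not
FreeRADIUS code; Python's re is used to show the matching behaviour of the
posted bracket expression.  Sample names are constructed."""
import re

# As posted: no anchors, no quantifier.  The match succeeds as soon as ANY
# single character of the name is in the class, so almost everything passes.
LOOSE = re.compile(r"[0-9a-zA-Z.#_]")

# Anchored with a quantifier: the WHOLE name must consist of allowed
# characters, and an empty name is rejected.
STRICT = re.compile(r"^[0-9a-zA-Z.#_]+$")


def username_ok(name, pattern=STRICT):
    """True when the regex accepts the name (what a =~ check decides)."""
    return pattern.search(name) is not None


def loose_only(names):
    """Names the posted pattern accepts but the anchored one rejects."""
    return [n for n in names if username_ok(n, LOOSE) and not username_ok(n, STRICT)]


SAMPLE_NAMES = [
    "kevin.j", "user#7", "first_last",      # should pass: only allowed characters
    "bad name", "user@corp", "x)(uid=*",    # should fail: contain other characters
    "",                                     # should fail: empty
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "loose:", username_ok(name, LOOSE), "strict:", username_ok(name, STRICT))
    print("accepted only by the loose pattern:", loose_only(SAMPLE_NAMES))
```

In the users file the pattern should be written as a quoted string, e.g. `User-Name =~ "^[0-9a-zA-Z.#_]+$"`, because an unquoted `#` starts a comment in FreeRADIUS configuration files and everything after it on the line is dropped.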

compile error

2008-03-28 Thread Kevin Zhang
I tried to compile freeradius-1.1.7 and freeradius-server-2.0.3,
but encountered the following error. Could someone help?

Kevin SZ


[EMAIL PROTECTED] ~]$ more /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
[EMAIL PROTECTED] ~]$

ient.lo libeap/libeap.la -lnsl -lresolv  -lpthread  -lcrypto -lssl
-lcrypto
gcc -o .libs/radeapclient .libs/radeapclient.o  libeap/.libs/libeap.so
/home/szhang/freeradius-1.1.7/src/lib/.libs/libradius.so -lcrypt -lnsl
-lresolv -lpthread -lssl -lcrypto
libeap/.libs/libeap.so: undefined reference to `EVP_MD_size'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory
`/home/szhang/freeradius-1.1.7/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/home/szhang/freeradius-1.1.7/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/szhang/freeradius-1.1.7/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/szhang/freeradius-1.1.7/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/szhang/freeradius-1.1.7/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/szhang/freeradius-1.1.7'
make: *** [all] Error 2



dhcp+radius

2008-03-25 Thread Kevin Zhang
Hi,

 

How do I configure Radius server to work with DHCP server, so the client
will authenticate with Radius first

before DHCP will assign it an IP?

 

Kevin SZ


RE: dhcp+radius

2008-03-25 Thread Kevin Zhang
Hi Ivan,

Thanks for your reply. But how does DHCP know NOT to give the IP to the client
when the authentication fails on RADIUS?

Kevin SZ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 4:51 PM
To: FreeRadius users mailing list
Subject: Re: dhcp+radius

There is nothing to configure. It works that way.

Ivan Kalik
Kalik Informatika ISP

Dana 25/3/2008, Kevin Zhang [EMAIL PROTECTED] piše:

Hi,

 

How do I configure Radius server to work with DHCP server, so the client
will authenticate with Radius first

before DHCP will assign it an IP?

 

Kevin SZ






RE: dhcp+radius

2008-03-25 Thread Kevin Zhang
Hi Ivan,

Thanks again for the reply. Actually my scenario is like this:
I have a box that needs to be installed via PXE. The box will send out its MAC
address to get the IP of the TFTP server and the location of pxelinux.0.
Without RADIUS, the box will talk to the DHCP server directly for all
the information it needs. I want to implement the authentication
using RADIUS so net boot will continue only after the
authentication succeeds. I just want to know where RADIUS fits into
this model step by step.

Kevin SZ


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 5:03 PM
To: FreeRadius users mailing list
Subject: RE: dhcp+radius

Because it will never be asked for one. PPP negotiation will not reach
that stage.

Ivan Kalik
Kalik Informatika ISP


Dana 25/3/2008, Kevin Zhang [EMAIL PROTECTED] piše:

Hi Ivan,

Thanks for your reply. But how does DHCP know NOT to give the IP to the client
when the authentication fails on RADIUS?

Kevin SZ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 4:51 PM
To: FreeRadius users mailing list
Subject: Re: dhcp+radius

There is nothing to configure. It works that way.

Ivan Kalik
Kalik Informatika ISP

Dana 25/3/2008, Kevin Zhang [EMAIL PROTECTED] piše:

Hi,

 

How do I configure the Radius server to work with the DHCP server, so the client
will authenticate with Radius first before DHCP will assign it an IP?

 

Kevin SZ






Re: Could not link driver rlm_sql_mysql.so

2008-02-15 Thread Kevin Bonner
On Friday 15 February 2008 05:20:21 [EMAIL PROTECTED] wrote:
 if you run the configure stage through some sanity checking, you get to
 see all the good stuff, eg

 ./configure --with-blah-blah  | grep WARN

 alan

I prefer the following so you can go over all the output, not just the WARN 
lines:
  script ~/fr2-output
  ./configure --blah
  exit
  grep whatever ~/fr2-output

-Kevin



rlm_ldap.c

2008-02-04 Thread Kevin J
In ldap.c:2660, there is a condition check to see if vals_idx is zero:

2660                if (!vals_idx){
2661                        pairdelete(pairs, newpair->attribute);
2662                }
2663                pairadd(pairlist, newpair);

This code makes Radius not append any reply attribute if the number of 
attributes is greater than 1.  Any thought on why we need this here?

   

Re: pap Cleartext-Password, sql etc...

2008-01-30 Thread Kevin Bonner
On Wednesday 30 January 2008 15:31:51 Andrew Long wrote:
 If I change the attribute to `Cleartext-Password', authentication
 fails and I see:

 rlm_pap: WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
   rad_check_password:  Found Auth-Type CHAP
 auth: type CHAP
 +- entering group CHAP
   rlm_chap: login attempt by elmaroma_cn3000 with CHAP password
   rlm_chap: Cleartext-Password is required for authentication
 ++[chap] returns invalid
 auth: Failed to validate the user.
 Login incorrect (rlm_chap: Clear text password not available):
 [elmaroma_cn3000/CHAP-Password] (from client cn3000_aroma port 0 cli
 00-02-6F-xx-xx-92)

 Thanks muchly,
 Andrew Long
 EWS

Can you run the radcheck query manually and post the output?  Is the operator 
correct?  Does it do the same thing when you move the SQL entry to the users 
file and make the same attribute name changes?

Kevin Bonner



iCHAP?

2008-01-25 Thread Kevin J
Does anybody know about iCHAP?

Kevin,


   

Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Kevin Bonner
On Thursday 24 January 2008 13:10:09 Alan DeKok wrote:
   And with all of the information you posted, you didn't include the
 most important, which is requested in the FAQ, README, INSTALL, man
 page, and daily on this list: radiusd -X.

   Is there some other place in the documentation where this should be
 suggested?

   Alan DeKok.

Big red letters on the front page of the website.  Or below the 
subscribe/unsubscribe line in the footer of every message.  =)

-Kevin



Re: FreeRadius V2.0.0 Simultaneous-Use Problems

2008-01-21 Thread Kevin Bonner
On Monday 21 January 2008 14:19:06 Dryw Paulic wrote:
 mysql> select * from radgroupcheck;
 +----+-----------+-----------+----+-------+
 | id | GroupName | Attribute | op | Value |
 +----+-----------+-----------+----+-------+
 |  1 | dynamic   | Auth-Type | == | Local |
 |  2 | static    | Auth-Type | == | Local |

Don't do this.  The operator is incorrect as is nearly every use of Auth-Type.

 mysql> SELECT COUNT(*) FROM radacct WHERE username = 'Kat' AND
 acctstoptime = 0;
...
 mysql> select * from radacct where username = 'Kat' \G;

What is shown when you use the full where clause from the previous command?  
What version of MySQL are you using?  I just tried this with 5.0.48 
and 'datefield = 0' does not match on datetime fields.

If you're using the V2.0.0 schema, that SQL query should be changed 
to 'acctstoptime IS NULL'.  Try this from your SQL command line and see if it 
gives the desired results for both connected and disconnected users.

Kevin Bonner


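To make the point about the two queries concrete, here is an added example (not code from the thread or from FreeRADIUS) that loads a few constructed radacct rows into SQLite and runs both forms of the count, then makes the comparison the session section makes against the user's Simultaneous-Use check item. Column names follow the FreeRADIUS schema; the rows, the secret-free in-memory database and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed radacct rows (a subset of the FreeRADIUS 2.0.0 SQL schema columns).
# Under that schema an open session has acctstoptime NULL; the '= 0' query was
# written for the older layout and never matches NULL.
SAMPLE_SESSIONS = [
    # (username, acctstarttime, acctstoptime)
    ("Kat",   "2008-01-21 10:00:00", None),
    ("Kat",   "2008-01-20 09:00:00", "2008-01-20 11:30:00"),
    ("alice", "2008-01-21 10:05:00", None),
    ("alice", "2008-01-21 10:06:00", None),
]


def build_radacct() -> sqlite3.Connection:
    """Create an in-memory radacct table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct ("
        " radacctid INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " acctstarttime TEXT,"
        " acctstoptime TEXT)"
    )
    conn.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime) VALUES (?, ?, ?)",
        SAMPLE_SESSIONS,
    )
    return conn


def count_open_legacy(conn: sqlite3.Connection, username: str) -> int:
    """The old query: 'acctstoptime = 0' never matches a NULL stop time, so every
    user looks disconnected and Simultaneous-Use is never enforced."""
    row = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime = 0",
        (username,),
    ).fetchone()
    return row[0]


def count_open(conn: sqlite3.Connection, username: str) -> int:
    """The query for the 2.0.0 schema: open sessions are the rows with a NULL stop time."""
    row = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,),
    ).fetchone()
    return row[0]


def simultaneous_use_ok(conn: sqlite3.Connection, username: str, limit: int) -> bool:
    """What the session section decides: allow the login only while the number of
    sessions already open is below the user's Simultaneous-Use check item."""
    return count_open(conn, username) < limit


if __name__ == "__main__":
    db = build_radacct()
    for user in ("Kat", "alice"):
        print(f"{user}: legacy count={count_open_legacy(db, user)} "
              f"IS NULL count={count_open(db, user)} "
              f"Simultaneous-Use 1 allows login: {simultaneous_use_ok(db, user, 1)}")
```

Run the same two SELECTs against the real database for a user who is connected and for one who is not; if the `= 0` form returns zero for both, the session section is silently approving every login.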

how to use both 1645 and 1812?

2008-01-16 Thread Kevin J
Is there a way to open two ports (1645 and 1812) for auth at the same time?
We want to find a way to open 1645, 1812, 1646, and 1813 for auth and acct in 
parallel.

Thanks,
Kevin

   

Re: SNMP error

2008-01-10 Thread Kevin Bonner
On Thursday 10 January 2008 08:41:30 Amr el-Saeed wrote:
 but every time I wanted to snmpwalk from the radius I got that error 
 RADIUS-AUTH-SERVER-MIB::radiusMIB = No Such Object available on this
 agent at this OID  

 the command I execute is  snmpwalk -v2c -c testsnmp -m
 /etc/raddb/RADIUS-AUTH-SERVER-MIB.txt  localhost radius 
  the same command is working fine on the old machine.

 I searched for that on Google but found nothing.

 Can anyone help?

What does debug mode (-X) show?  Are there any errors in your snmpd log file?

Kevin Bonner



Re: Restricting user by realm

2007-11-08 Thread Kevin Bonner
On Thursday 08 November 2007 11:19:48 Lisa Casey wrote:
 The way things are setup now, any user can log in with any of the realms I
 have defined. For example, I (username lisa) could login as
 [EMAIL PROTECTED] and then turn around and login as [EMAIL PROTECTED]My
 boss would like me to restrict this so that (for example) lisa could log in
 as [EMAIL PROTECTED] but not [EMAIL PROTECTED]

Just add a check item to the user entry and it will only allow them from that 
realm.  Since you are using 1.1.6, don't use Auth-Type and start using 
Cleartext-Password with the := operator.

  lisa Cleartext-Password := xxx, Realm == jellico.com
...

Or if you want to reject from a specific realm, just use this before your real 
user entry:
  lisa Realm == realmY, Auth-Type := Reject

Kevin Bonner



Re: Cisco NAS Password problem

2007-10-25 Thread Kevin Bonner
On Thursday 25 October 2007 17:26:10 John Morris wrote:
   I then added a second switch to the freeradius client configuration (nas
 table), and encountered a problem. The password was being rejected. So I
 ran Freeradius -X so I could see what was going on.

 On the failed password attempt (second and now third switch in the list) I
 see something like this:

 rad_recv: Access-Request packet from host 192.168.x.z:1645, id=1, length=80
 NAS-IP-Address = 192.168.x.z
 NAS-Port = 1
 NAS-Port-Type = Virtual
 User-Name = username
 Calling-Station-Id = 192.168.x.y
 User-Password = r\306\324\333M\014\247\022\363\216K\257`\315#]

Debug output like this usually points to non-matching RADIUS secrets.  Check 
the radius secret in your switch config as well as the secret configured in 
your nas SQL table.  Freeradius only reads the nas table on startup, so if 
you make changes to that table, you must restart the daemon for those changes 
to take effect.

Kevin Bonner



Re: aaa accounting command

2007-10-23 Thread Kevin Bonner
On Tuesday 23 October 2007 11:58:22 Dominique Demore wrote:
 Hi folks,

 Is there any method of keeping track of the commands issued by a user with
 Radius. Under the aaa option, there is aaa accounting command blah but
 for some reason, I'm not seeing the accounting information stored in the
 radacct information. I know a few years ago, this was an issue, but I'm not
 sure if it has been resolved.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39493.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg34103.html

 Does anyone have an alternative to accomplish this if it's not possible
 with Radius.

TACACS+

Kevin Bonner



Re: Sending Cisco AV Pairs per realm

2007-09-17 Thread Kevin Bonner
On Friday 14 September 2007 11:28:51 Dan Goscomb wrote:
 Hi

 I have a number of realms on my radius server (FreeRADIUS Version
 1.1.6). All users are valid in both realms (one is for dialup, one for
 broadband).

 e.g.
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]

 All realm's are stripped so that the user (dang in the examples above)
 is authenticated. However, on dial.realm I need to return a couple of
 Cisco-Avpair attributes; how can this be done?

You may be able to use the Realm attribute in the users file to add your 
specific attributes, depending on how the realms are stripped from the 
username.  You can also use the hints file, which you already tried.

 I have tried a hints file, however although I get the message on debug:

   hints: Matched DEFAULT at 17

 The data specifies is not sent back in the RADIUS reply.

That's because you cannot list reply attributes in the hints file, but you can 
add a Hint that can be checked in the users file.

Here is a short example that should work for you using the hints file:

#hints
DEFAULT User-Name =~ @dsl.realm
Hint = DSL
#/hints

#users
DEFAULT Hint == DSL
  Cisco-AVPair += ...
#/users

Kevin Bonner



healthcheck?

2007-08-16 Thread Kevin J
We want to reject slb health checks immediately.  What is the best way to do 
that?   I tried to add healthcheck Auth := Reject but it still goes through all 
authorization/authentication modules.  Is there any way that we can immediately 
reject it so we can make it lighter?

Thanks in advance.
Kevin
   

Re: error on start freeradius + jradius

2007-08-09 Thread Kevin Bonner
On Thursday 09 August 2007 15:05:55 George Beitis wrote:
 I read this post and for more than 8 hours I have been trying to install
 freeradius 1.1.5, .6 and .7 unsuccessfully.  With versions 5 and 6 I get
 errors saying the glibc error.  With 7 I get something different:  with
 1.1.7 + jradius patch I get the rlm_acct_unique is not a valid libtool
 archive error.  For each installation I made sure I deleted the raddb
 folder before installing again.  Should I give up and go back to 1.1.1 ?

 I am using ubuntu by the way

 regards
 George

Can you post the actual 1.1.7 build output with errors?  I have no idea what 
the jradius patch is, but does the build work without that patch?

Kevin Bonner



Re: authentication problem with mysql integration

2007-08-07 Thread Kevin Bonner
On Tuesday 07 August 2007 12:08:07 ram wrote:
 rad_verify: Received Access-Reject packet from client x.x.x.x port 1812
 with invalid signature (err=2)!  (Shared secret is incorrect.)
...
   WARNING: Unprintable characters in the password. ?  Double-check the
 shared secret on the server and the NAS!
...
 any suggestions.

 ram

Those messages seem pretty clear to me.  Have you verified the secret is the 
same?

-Kevin


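Both this reply and the Cisco NAS password thread above put the blame on a mismatched shared secret, and the symptom in both debug outputs is the same: the User-Password attribute decodes to unprintable bytes. The following is an added example, my own illustration rather than FreeRADIUS code, of why that happens. It implements the RFC 2865 section 5.2 password hiding a NAS applies, the reversal the server performs, and the printability check behind the "Unprintable characters in the password" warning; it also converts the octal-escaped form in which the debug output prints the attribute back into raw octets. The secret, the fixed Request Authenticator and the function names are constructed for the example.

```python
import codecs
import hashlib

# Constructed values: the secret the NAS and server are supposed to share, and a
# Request Authenticator. A real NAS picks 16 unpredictable octets per request; a
# fixed one is used here only so the example is reproducible.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a cleartext password the way a NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 octets; each 16-octet block is
    XORed with MD5(secret + previous ciphertext block), the first block using the
    Request Authenticator in place of a previous block.
    """
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo hide_user_password on the server side. With the wrong secret the
    keystream is wrong and the result is 16 octets of garbage per block."""
    revealed = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        revealed += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(revealed).rstrip(b"\x00")


def is_printable(data: bytes) -> bool:
    """The check that triggers the 'Unprintable characters in the password' warning."""
    return all(0x20 <= c < 0x7F for c in data)


def debug_escape_to_bytes(text: str) -> bytes:
    """Turn the octal-escaped string the debug output prints (e.g. r\\306\\324...)
    back into the raw octets it stands for."""
    return codecs.decode(text, "unicode_escape").encode("latin-1")


def authenticate_with_secret(server_secret: bytes) -> tuple:
    """Simulate one Access-Request: the NAS hides 'hello' with SECRET, the server
    reveals it with server_secret. Returns (revealed_bytes, looked_printable)."""
    on_the_wire = hide_user_password(b"hello", SECRET, REQUEST_AUTHENTICATOR)
    revealed = reveal_user_password(on_the_wire, server_secret, REQUEST_AUTHENTICATOR)
    return revealed, is_printable(revealed)


if __name__ == "__main__":
    print("matching secret:  ", authenticate_with_secret(SECRET))
    print("mismatched secret:", authenticate_with_secret(b"not-the-same"))
    # The User-Password quoted from the Cisco switch debug output earlier on this page
    from_debug = debug_escape_to_bytes(r"r\306\324\333M\014\247\022\363\216K\257`\315#]")
    print("page's debug value printable:", is_printable(from_debug))
```

The decisive detail is that the server cannot tell a wrong secret from a binary password by looking at the attribute alone, which is why the warning says to double-check both ends rather than declaring an error; the `rad_verify` message about an invalid signature is the stronger signal, since the Response Authenticator is an MD5 over the packet and the secret and fails outright when the secrets differ.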

NAS's and client's? what's the difference and where are they and where defined?

2007-08-06 Thread Kevin Bailey
Hi,

I have Debian Etch installed with Freeradius and dialupadmin packages.

Versions are

ii  freeradius              1.1.3-3  a high-performance and highly configurable RADIUS server
ii  freeradius-dialupadmin  1.1.3-3  set of PHP scripts for administering a FreeRADIUS server
ii  freeradius-mysql        1.1.3-3  MySQL module for FreeRADIUS server


Now two months ago I set the system up and it authenticates an Epygi 
VOIP box and keeps accounts records for the calls made.

Now I need to carry out further work - I had got things working but 
never fully cleared it in my head.

My questions are fundamental.

What are the differences between clients and NAS's? - Where should they 
be defined?


I seem to have been able to connect the client box by adding an entry 
into client.com

# 03/05/2007 - kbailey
# Test connection to AF-IT Epygi box.
client quadro.af-it.com {
secret  = password
shortname   = afit_test
nastype = epygi
}


But this is not showing up under the NAS list in the dialupadmin 
interface - under Radius clients, NAS administration.

Also, I see that the /etc/freeradius/naslist file is deprecated in 
favour of clients.conf - but there is also a 
/etc/freeradius-dialupadmin/naslist.conf file.  This has some default 
servers in it.

I'm almost tempted to think that the /etc/freeradius/clients.conf file 
is the only file which should be used - but I've heard that there are 
two things which are separate - clients and NAS's.

Also, why are there the two references in the dialupadmin app - on web 
page and in naslist.conf?

Thanks,

Kevin

-- 
Kevin Bailey
IT Consultant

Email: [EMAIL PROTECTED]
Tel: 01752 268923
W: www.freewayprojects.com



Re: NAS's and client's? what's the difference and where are they and where defined?

2007-08-06 Thread Kevin Bailey
Alan DeKok wrote:
  Kevin Bailey wrote:
   What are the differences between clients and NAS's? - Where should they 
   be defined?

  A Network Access Server (NAS) is a RADIUS client.  It should be
  defined in "clients.conf"

   I seem to have been able to connect the client box by adding an entry 
   into client.com

  *Please* be careful about terminology.  If you keep getting it wrong,
  you won't be able to remember what thing means what, and any answers
  here won't help you.

Sorry - this should have been clients.conf

   # 03/05/2007 - kbailey
   # Test connection to AF-IT Epygi box.
   client quadro.af-it.com {
   secret  = password
   shortname   = afit_test
   nastype = epygi
   }

   But this is not showing up under the NAS list in the dialupadmin 
   interface - under Radius clients, NAS administration.

  Because dialupadmin looks in an SQL database for the clients.  It
  doesn't read the "clients.conf" file.

  Alan DeKok.

So can clients be stored in various places? - or should I only use
/etc/freeradius/clients.conf for the freeradius server. This was the
place which seemed to work.

Have spent several days reading as much online as possible and now have
the system authenticating calls from a VOIP box - but it's a big
subject to get on board!

Thanks,

Kevin

-- 
Kevin Bailey
IT Consultant

Email: [EMAIL PROTECTED]
Tel: 01752 268923
W: www.freewayprojects.com

Re: Configuration doubt

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 08:05:15 Alan DeKok wrote:
 Osvaldohp wrote:
  This is my users file:
  mike  Auth-Type = System, User-Password == mike
Session-Timeout := 3600,
 
  What i am doing wrong?

   You're telling the server to look in /etc/passwd for the users
 password, and then also telling it what the users password is.

   Don't set Auth-Type.

   Use 1.1.6.

   Use Cleartext-Password, not User-Password, as suggested in the FAQ.

   Alan DeKok.

Don't forget to use the ':=' operator for the Cleartext-Password attribute, in 
addition to all of the above.

-Kevin



Re: figuration doubt

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 09:40:48 Osvaldohp wrote:
 I found a nice paper about freeradius+mysql, so far everything is installed
 and working fine. My guestion is which field of my radius database
 (db_mysql.sql) i have to put Session-Timeout attribute to limit the use of
 the Internet from my HotSpot users?

Session-Timeout is a reply item, so it can go into the user or group reply 
item tables.

Kevin Bonner



Re: NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread Kevin Bonner
On Monday 16 July 2007 12:37:08 Nataniel Klug wrote:
 Hello all,

 I have a question: when a NAS restarts without sending a client logout
 to the freeradius server, the clients stay connected in the radacct table
 (AcctStopTime=0). What can I do to solve this kind of problem? What
 could happen is that when a NAS reboots my clients stay logged in and when
 the NAS starts again they will get You are already logged in
 (simultaneous-use).


Your NAS should send an Accounting-On packet which you can use to flag the 
existing connections as offline/disconnected.  You can also use checkrad to 
confirm the session is active.

Kevin Bonner


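An added example (my own, not the project's code; in a real install this is the job of rlm_sql's `accounting_onoff_query`) of what "flag the existing connections as offline" amounts to: when a NAS sends Accounting-On or Accounting-Off, every radacct row for that NAS that still has a NULL stop time is closed with the matching Acct-Terminate-Cause, so the next Simultaneous-Use check for those users finds nothing open. The table rows, the attribute dictionary and the function names are constructed for the example; column names follow the FreeRADIUS schema.

```python
import sqlite3

# Constructed radacct rows:
# (username, nasipaddress, acctstarttime, acctstoptime, acctterminatecause)
SAMPLE_SESSIONS = [
    ("alice", "10.0.0.1", "2007-07-16 08:00:00", None, None),
    ("bob",   "10.0.0.1", "2007-07-16 08:05:00", None, None),
    ("carol", "10.0.0.2", "2007-07-16 08:10:00", None, None),
    ("dave",  "10.0.0.1", "2007-07-15 20:00:00", "2007-07-15 21:00:00", "User-Request"),
]

# Acct-Terminate-Cause the closed rows are stamped with (values from RFC 2866).
TERMINATE_CAUSE = {"Accounting-On": "NAS-Reboot", "Accounting-Off": "NAS-Request"}


def build_radacct() -> sqlite3.Connection:
    """Create an in-memory radacct table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct ("
        " radacctid INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " nasipaddress TEXT NOT NULL,"
        " acctstarttime TEXT,"
        " acctstoptime TEXT,"
        " acctterminatecause TEXT)"
    )
    conn.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctstarttime, acctstoptime,"
        " acctterminatecause) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_SESSIONS,
    )
    return conn


def open_sessions(conn: sqlite3.Connection, nas_ip: str = None) -> list:
    """Usernames whose session has no stop time, optionally for a single NAS."""
    sql = "SELECT username FROM radacct WHERE acctstoptime IS NULL"
    params = ()
    if nas_ip is not None:
        sql += " AND nasipaddress = ?"
        params = (nas_ip,)
    return [row[0] for row in conn.execute(sql + " ORDER BY username", params)]


def handle_accounting_request(conn: sqlite3.Connection, attrs: dict) -> int:
    """Act on one Accounting-Request given as an attribute dict.

    Accounting-On / Accounting-Off from a NAS closes every session still open on
    that NAS and returns the number closed. Start, Stop and Interim-Update are
    outside this example and are ignored (returns 0)."""
    status = attrs.get("Acct-Status-Type")
    if status not in TERMINATE_CAUSE:
        return 0
    cur = conn.execute(
        "UPDATE radacct SET acctstoptime = ?, acctterminatecause = ?"
        " WHERE nasipaddress = ? AND acctstoptime IS NULL",
        (attrs["Event-Timestamp"], TERMINATE_CAUSE[status], attrs["NAS-IP-Address"]),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_radacct()
    print("open on 10.0.0.1 before reboot:", open_sessions(db, "10.0.0.1"))
    # Constructed Accounting-On packet from the NAS that just came back up
    closed = handle_accounting_request(db, {
        "Acct-Status-Type": "Accounting-On",
        "NAS-IP-Address": "10.0.0.1",
        "Event-Timestamp": "2007-07-16 09:00:00",
    })
    print(f"closed {closed} stale sessions; still open:", open_sessions(db))
```

Note that the update is scoped to the NAS that sent the packet; closing every open session in the table on any Accounting-On would log off users on the other NASes that never went down. If a NAS does not send Accounting-On at all, checkrad (as mentioned above) is the fallback for confirming whether a session flagged as open really is.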

Re: error on start freeradius + jradius

2007-07-13 Thread Kevin Bonner
* moved to -users list...

On Friday 13 July 2007 10:25:15 Renan Tateoka wrote:
 2007/7/13, Alan DeKok [EMAIL PROTECTED]:
  Renan Tateoka wrote:
   hi everybody,
  
   I have installed freeradius 1.1.5
 
Why?  Install 1.1.6.
 
Alan DeKok.

 hi,

 i`m sorry, I think that the message went wrong...

 I have installed freeradius 1.1.5 and jradius patch 1.1.5...
 ...
 Module: Library search path is /usr/local/lib
 *** glibc detected *** /usr/local/sbin/radiusd: double free or corruption
 (fasttop): 0x800fae98 ***

What part of Alan's message was unclear?  1.1.5 has a bug that has been beaten 
to death on the users list.  1.1.6 doesn't.  Use 1.1.6 or later, then try 
your tests again.

Kevin Bonner



Re: Simultaneous-Use problem.

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
 I have a feeling that the answer is blindingly obvious, but I can't
 figure it out...

 The 'users' file consists of:

 DEFAULT   Auth-Type = Accept
   Simultaneous-Use := 1

Simultaneous-Use is a check item, not a reply item.

 In radiusd.conf I also have:

 session {
   sql
 }

 authorize {
   radius-user-auth
 }

 'radius-user-auth' is an rlm_exec instance that invokes a script used to
 authenticate users. It works fine, but the 'session' section never gets
 processed. Why?

 josh.

Because Simultaneous-Use is in the wrong place.  Make it a check item and the 
session section should be processed.

Kevin Bonner



Re: Clear text password not available

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 10:14:07 Flavio Silvestrone wrote:
 If I enable the same pppoe profile (user: flavio, password: flavio) on the
 Access Point all works fine; when I disable the profile on the Access Point
 and configure the radius client on the Access Point I have the problem.
 This is the configuration in the file /etc/raddb/users for the user
 flavio


Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.1.1.8,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
 #   Framed-Filter-Id = std.ppp,
Framed-MTU = 1500,
 #   Framed-Compression = Van-Jacobsen-TCP-IP

 Any idea to find out the prob ?
 Thanks a lot
 Flavio

Can you post the FULL entry that you have in the users file?  What you posted 
lists only reply items, which give us no information related to the problem 
you are having.  What check items do you have?  If you are using a recent 
version of freeradius, you should have the Cleartext-Password as a check 
item.

Have you run the server in debug mode?  If so, there are probably error 
messages in the output which may assist you in resolving your problem.

Kevin Bonner



Re: Clear text password not available

2007-06-25 Thread Kevin Bonner
On Monday 25 June 2007 12:45:15 Flavio Silvestrone wrote:
  If you are using a recent version of freeradius, you should have the
...
 The version of radius is freeradius-1.0.1-3.

1.0.1 is not recent.  Use 1.1.6.

 flavio Cleartext-Password := flavio
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.1.1.8,
Framed-IP-Netmask = 255.255.255.0,
Framed-Routing = Broadcast-Listen,
 #   Framed-Filter-Id = std.ppp,
Framed-MTU = 1500,
 #   Framed-Compression = Van-Jacobsen-TCP-IP

Since you're using such an old version of freeradius, you cannot use 
Cleartext-Password here as it was available in 1.1.5 (I think) and later 
versions.  You can use User-Password, but you should upgrade to a newer 
version.

Kevin Bonner



Re: Attribute User-Password is required for authentication

2007-06-18 Thread Kevin Bonner
On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
 I found a few topics on this issue but nothing quite informative enough.
 I'm trying to get freeradius auth working with pam and peap. When I test
 my config with radtest, I get Access-accept. When I use a windows XP
 supplicant with a 3com access point, I get:

 rlm_pam: Attribute User-Password is required for authentication.
 modcall[authenticate]: module pam returns invalid for request 4
 modcall: leaving group authenticate (returns invalid) for request 4
 auth: Failed to validate the user.

 Is the 3com not sending User-Password attributes in the packets, or is
 something else wrong?

Run FreeRADIUS in debug mode (radiusd -X) to verify.  We cannot guess what 
your NAS/client is sending.

-Kevin



Re: Statistics tool?

2007-06-13 Thread Kevin J
If you meant that I have to restart radius whenever I need the statistics, I 
will not do that.  Is there a way that we can rotate radius.log then?


Dennis Skinner [EMAIL PROTECTED] wrote: Kevin J wrote:
 I am wondering if there is a tool or way to check the statistics in real
 time.
 I need something that can tell me how many users got accepted and
 rejected so far  since Radius started.

Rotate the log whenever you restart radius then:

grep -c OK radius.log
grep -c Failed radius.log

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
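As an added example (not from the thread) of turning Dennis's two greps into a report that gives the accept and reject counts since the last rotation, plus the per-user and per-client reject tallies that show a guessed account or a misconfigured NAS, here is a small parser for the 1.x `Auth: Login OK` / `Auth: Login incorrect` lines. The log excerpt is constructed to follow the format quoted elsewhere on this page, and the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt of a FreeRADIUS 1.x radius.log; the Auth lines follow the
# "Login OK: [user] (from client ...)" / "Login incorrect (reason): [user/type] ..."
# layout seen in the debug output quoted on this page.
SAMPLE_LOG = """\
Tue Jun 12 09:00:00 2007 : Info: Ready to process requests.
Tue Jun 12 09:00:01 2007 : Auth: Login OK: [kevin] (from client nas1 port 1 cli 00-11-22-33-44-55)
Tue Jun 12 09:00:05 2007 : Auth: Login incorrect: [bob] (from client nas1 port 2 cli 00-11-22-33-44-66)
Tue Jun 12 09:00:09 2007 : Auth: Login incorrect (rlm_chap: Clear text password not available): [bob/CHAP-Password] (from client nas2 port 0 cli 00-11-22-33-44-77)
Tue Jun 12 09:00:12 2007 : Auth: Login OK: [alice] (from client nas2 port 3 cli 00-11-22-33-44-88)
Tue Jun 12 09:00:20 2007 : Auth: Login incorrect: [carol] (from client nas1 port 4 cli 00-11-22-33-44-99)
Tue Jun 12 09:00:25 2007 : Auth: Login OK: [kevin] (from client nas1 port 5 cli 00-11-22-33-44-55)
"""

# One Auth line: timestamp, OK/incorrect, optional "(reason)", "[user]" or
# "[user/attr]", then the client short name from the "(from client ...)" part.
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]/]*)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+)"
)


def parse_auth_events(text: str):
    """Yield one dict per Login OK / Login incorrect line; other lines are skipped."""
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            yield m.groupdict()


def summarize(text: str) -> dict:
    """Totals since the log was last rotated, plus where the rejects come from."""
    accepted = rejected = 0
    rejects_by_user = Counter()
    rejects_by_client = Counter()
    for ev in parse_auth_events(text):
        if ev["result"] == "OK":
            accepted += 1
        else:
            rejected += 1
            rejects_by_user[ev["user"]] += 1
            rejects_by_client[ev["client"]] += 1
    return {
        "accepted": accepted,
        "rejected": rejected,
        "rejects_by_user": rejects_by_user,
        "rejects_by_client": rejects_by_client,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print(f"accepted={s['accepted']} rejected={s['rejected']}")
    for user, n in s["rejects_by_user"].most_common():
        print(f"  {n} rejects for user {user}")
    for client, n in s["rejects_by_client"].most_common():
        print(f"  {n} rejects from client {client}")
```

Point it at the current radius.log (or the rotated one) instead of the constructed sample by passing the path as the first argument; because it only reads the file, it can run on a cron schedule without touching the server.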

Statistics tool?

2007-06-12 Thread Kevin J
I am wondering if there is a tool or way to check the statistics in real time.
I need something that can tell me how many users got accepted and rejected so 
far  since Radius started.


   

Re: sql question

2007-06-08 Thread Kevin Bonner
On Friday 08 June 2007 13:24:20 [EMAIL PROTECTED] wrote:
 radgroupreply:
 | 27 | dialup| Framed-IP-Address  | 255.255.255.254 | == |
 | 28 | dialup| Framed-Compression | Van-Jacobson-TCP-IP | == |
 | 29 | dialup| Framed-IP-Netmask  | 255.255.255.255 | == |
 | 30 | dialup| Framed-MTU | 576 | == |
 | 31 | dialup| Idle-Timeout   | 900 | := |

 - change all ops to =

Change all '==' to just '=' or ':=', depending on your needs.  The operator 
for Idle-Timeout is correct.

 - is this (255.255.255.254) really the IP address you want to give your
 user; client is unlikely to accept IP address above 224 subnet

The RFCs say that this IP tells the NAS to assign an IP from the dynamic pool.

-Kevin



Re: Wiki

2007-05-25 Thread Kevin Bonner
On Friday 25 May 2007 04:11:24 Arran Cudbard-Bell wrote:
 Now which bloody wiki are you using, so I can look up the formatting
 rules :)

http://wiki.freeradius.org/Special:Version says MediaWiki: 1.8.2.

-Kevin



Re: Server IP changed and FreeRADIUS+MySQL does not work

2007-05-15 Thread Kevin Bonner
On Tuesday 15 May 2007 09:39:55 yao guoxian wrote:
  I have installed FreeRADIUS and MySQL on the same machine.
 FreeRADIUS + MySQL had worked well before the server IP changed. For
 some reason the server had to be carried to a new place and its IP must be
 changed.
 After the server IP changed, FreeRADIUS + MySQL does not work.
 I have edited sql.conf and changed the IP to the new correct IP. I
 also edited the table user in the database mysql and altered
 the Host field from the old IP to the new correct IP. However these
 mendings do not work.

As Alan stated, try connecting to MySQL from the command line to confirm that 
it works.  You updated the IPs in mysql.user, but that doesn't affect the 
MySQL permissions.  To apply any changes to the mysql privilege tables, you 
must either restart the MySQL service or run FLUSH PRIVILEGES.

Kevin Bonner



MAC Authentication

2007-05-14 Thread Kevin J
Does anybody know if FreeRadius supports the MAC Authentication?
If so, how?

Thanks in advance,
Kevin

   

Sig HUP?

2007-05-08 Thread Kevin J
I saw some email threads about HUP.
Can we use kill -HUP pid in the latest version or is it still not stable?

Thanks,
Kevin

  

Re: Proxying by Nas-Ip-Address (was Proxy.conf regex )

2007-05-07 Thread Kevin Bonner
On Monday 07 May 2007 07:45:36 Andrea Cerrito wrote:
 Hi to list,

 I've read the thread for Proxy.conf regex.
 I'd like to setup a proxy based on Nas-Ip-Address.

 I've tried two solutions:

 1) add to users file (please note that 255.255.255.255 is done by radtest,
 and realm test.com is configured in proxy.conf)
 DEFAULT NAS-IP-Address == 255.255.255.255
 Proxy-To-Realm = test.com

 2) add to users file
 DEFAULT Huntgroup-Name == test
 Proxy-To-Realm = test.com

 And to huntgroups file
 test   NAS-IP-Address == 255.255.255.255

 Without success. All logins are tested locally.

 Any clue?
 Thank you

Read what several others have posted to this thread.  Proxy-To-Realm is a 
_check_ item.  Make Proxy-To-Realm a check item and both of your solutions 
should work as expected.

Kevin Bonner



Re: Crypt passwords doesn't work

2007-04-19 Thread Kevin Bonner
On Thursday 19 April 2007 10:42:30 Jacob Jarick wrote:
 On the topic of password encryption.
 Kevin would you know how to encode a password for windows 2003 active
 directory server. I need a user with permission to do active directory
 searches, it tries atm but fails because the password is not encrypted.

 Even if you know what the encryption they use is it would be a big help
 thanks.

Win2k3?  Never used it before.  Active Directory?  Ditto.  =-)

Maybe [1] or [2] will help push you in the right direction.

Kevin Bonner


[1] http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
[2] 
http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html



Re: Crypt passwords doesn't work

2007-04-18 Thread Kevin Bonner
On Wednesday 18 April 2007 16:39:27 Sebastian Firpo wrote:
 Hi, I migrated a freeradius server from version 0.6 to 1.5. I'm using a
 users file for authorize.

Wow, that's quite a leap.  I assume from 0.6 to 1.1.5?

 The server doesn't authorize and when I do a debug (radiusd -X) I see the
 User-password in clear text. If I modify the User-password in the users
 file to the clear text one it works.

 Here are the debug and an entry of the users file:

 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.
 rad_recv: Access-Request packet from host 10.12.4.2:1645, id=91, length=75
 NAS-IP-Address = 10.12.4.2
 NAS-Port = 1
 NAS-Port-Type = Virtual
 User-Name = sebas
 Calling-Station-Id = 10.11.1.25
 User-Password = hello
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
 users: Matched entry sebas at line 50
   modcall[authorize]: module files returns ok for request 0
 modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type Local
 auth: type Local
 auth: user supplied User-Password does NOT match local User-Password
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds

 users file

 sebas   Auth-Type := Local, Crypt-Password == "(!lGOOlHaBWoQ"
 Service-Type = Administrative-User,
 Cisco-AVPair = shell:priv-lvl=15

 Thanks very much!!

Don't set Auth-Type, the server will figure it out.  The operator for 
Crypt-Password should be changed to := as well.

Kevin Bonner



Re: Crypt passwords doesn't work

2007-04-18 Thread Kevin Bonner
 html

I almost ignored your message, as I don't parse HTML well.  =)

On Wednesday 18 April 2007 18:06:28 Sebastian Firpo wrote:
 Thank you Kevin, but it didn't work. Now my entire users file is:

  sebas   Crypt-Password := "(!lGOOlHaBWoQ"
      Service-Type = Administrative-User,
      Cisco-AVPair = shell:priv-lvl=15

  and then the debug was:

  rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103,
 length=75 NAS-IP-Address = 10.12.4.2
      NAS-Port = 1
      NAS-Port-Type = Virtual
      User-Name = sebas
      Calling-Station-Id = 10.11.1.25
      User-Password = hello

  Another idea??
  Thanks a lot, any way.

$ perl -e 'print crypt("hello", "(!") . "\n";'
(!BVoPlmea8cg

Fix your Crypt-Password?  How are you generating that encrypted string?

-Kevin



Re: Segmentation fault for SNMP query

2007-04-17 Thread Kevin Bonner
On Monday 16 April 2007 07:52:43 Alan DeKok wrote:
 Kevin Bonner wrote:
  Try http://bugs.freeradius.org/show_bug.cgi?id=150
 
  I doubt that patch will still apply cleanly due to the many recent
  changes. I'll see if I can test the CVS head later today and submit a
  newer patch.

   Please try the latest CVS.  I've added a patch based on yours.

   Alan DeKok.

Tested with the CVS head as of this morning and everything looks good to me, 
even the per-client data.  I'm hitting a segfault when testing the cases I 
listed in bug#150, but I don't think it is related to the SNMP portion of the 
code.  Segfault info is below.

Kevin Bonner

== cut ==
(gdb) bt
#0  0x00fe97a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
(gdb) up
#1  0x002fca0d in ___newselect_nocancel () from /lib/tls/libc.so.6
(gdb) up
#2  0x004ecbb6 in main (argc=2, argv=0xbfe06fc4) at radiusd.c:575
575 status = select(max_fd + 1, readfds, NULL, NULL, ptv);
(gdb) list
570 #else
571 DEBUG2("Waking up in %d seconds...",
572 (int) tv.tv_sec);
573 #endif
574 }
575 status = select(max_fd + 1, readfds, NULL, NULL, ptv);
576 if (status == -1) {
577 /*
578  *  On interrupts, we clean up the request
579  *  list.  We then continue with the loop,
(gdb) print ptv
$1 = (struct timeval *) 0x0
(gdb) print readfds
$2 = (fd_set *) 0xbfe05ea0
(gdb) print max_fd
$3 = 10
== cut ==



Re: SNMP with 1.1.6 and Net-SNMP 5.3

2007-04-16 Thread Kevin Bonner
On Monday 16 April 2007 03:53:52 Stefan Winter wrote:
 Thanks for the tip. Looking up the net-snmp.spec file of openSUSE 10.2, it
 appears that ucd-snmp compat should be there... the compile
 switches --enable-local-smux and --enable-ucd-snmp-compatibility are there.

 Any other hints? Otherwise, I guess I'll need to source-compile net-snmp
 :-(

 Stefan

Sorry, those few things were all I could think of.  I don't have an openSUSE 
server lying around, so I can't even confirm it works at all.  Hopefully the 
source compile of net-snmp and freeradius will uncover the actual problem.

-Kevin



Re: SNMP with 1.1.6 and Net-SNMP 5.3

2007-04-13 Thread Kevin Bonner
On Friday 13 April 2007 08:53:26 Stefan Winter wrote:
 Hi,

 trying for the first time to get SNMP working, and I have come to a point
 where I'm really startled why stuff doesn't work.

 I've configured FreeRADIUS 1.1.6 with SNMP, and it's printing out that it
 is starting up the SMUX connection. Then the snmpd refuses the SMUX
 connection.

 This would usually mean I screwed up the shared secret, but I'm very sure I
 haven't. I even verified with tcpdump that FR sends the correct secret on
 the loopback wire.

 So the problem would appear to be that Net-SNMP is confused wrt the secret.
 But I configured it with the line

 smuxpeer .1.3.6.1.4.1.3317.1.3.1 verysecret

 (also without the leading dot, in my desperation, didn't help). The
 password *is* verysecret on the FR side.

 Debug output says:

 ...
 Module: Instantiated detail (nas_reply_log)
  main: smux_password = verysecret
  main: snmp_write_access = no
 SMUX connect try 1
 SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
 SMUX open progname: radiusd
 SMUX open password: verysecret
 SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
 SMUX register priority: -1
 SMUX register operation: 1
 SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
 SMUX register priority: -1
 SMUX register operation: 1
 SMUX register message send failed: Broken pipe
 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.

 The broken pipe is because Net-SNMP closes the connection, it's log says:

 [smux_accept] accepted fd 9 from 127.0.0.1:4580
 refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd

 and tcpdump reveals that the reason for refusing is authenticationFailure.

 Anyone else running a similar config? It's the version of Net-SNMP that
 came as RPM on SUSE 10.1. FR compiled freshly.

 Greetings,

 Stefan Winter

I receive the same broken pipe error when the smuxpeer pass and smux_password 
aren't the same, though there is probably a more complex cause.  Are there 
any non-standard characters in either config file?

Is Net-SNMP configured with ucd-snmp compatibility?

Kevin Bonner



Re: Segmentation fault for SNMP query

2007-04-12 Thread Kevin Bonner
On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
 - when trying to force reload using snmp:
 `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt
 -c verysecret localhost radiusAuthServConfigReset.0 i 2`
 then 1st reload is OK but after then when trying to either run the
 snmp-read query or the snmp-write query radius seems to ignore it.
 * there is no debug activity when running with -X flag and the result of
 the snmp-read query is empty and result of snmp-write query is
 following:
 `snmpset -m /devel/freeradius/cvs/radiusd/mibs/RADIUS-AUTH-SERVER-MIB.txt
 -c verysecret localhost radiusAuthServConfigReset.0 i 2`
 Error in packet.
 Reason: (noSuchName) There is no such variable name in this MIB.
 Failed object:
 radiusMIB.radiusAuthentication.radiusAuthServMIB.radiusAuthServMIBObjects.radiusAuthServ.radiusAuthServConfigReset.0

 Radius itself seems to react to radius packets; only snmp is ignored
 after the snmp-write query. Exactly the same behaviour is observed when
 doing reload via HUP signal (using my memory leakage patch for reload).

 Please advise.

Try http://bugs.freeradius.org/show_bug.cgi?id=150

I doubt that patch will still apply cleanly due to the many recent changes.  
I'll see if I can test the CVS head later today and submit a newer patch.

Kevin Bonner



Re: Segmentation fault for SNMP query

2007-04-12 Thread Kevin Bonner
On Thursday 12 April 2007 10:32:18 Kevin Bonner wrote:
 On Thursday 12 April 2007 04:40:47 Milan Holub wrote:
  Radius itself seems to react on radius packets; only snmp is ignored
  after the snmp-write query. Completely same behaviour is observed when
  doing reload via HUP signal(using my memory leakage patch for reload).
 
  Please advise.

 Try http://bugs.freeradius.org/show_bug.cgi?id=150

 I doubt that patch will still apply cleanly due to the many recent changes.
 I'll see if I can test the CVS head later today and submit a newer patch.

It surprises me that it still applies cleanly (just offset) with the current 
CVS head.  Feel free to test the patch and report results in the bug or on 
the list.  It would be nice to see the bug squashed, but it's become a 
default patch for my local freeradius build so I haven't been bothered with 
the issue in a long time.

Kevin Bonner



Re: Version 2.0 is a lot closer to reality...

2007-04-10 Thread Kevin Bonner
On Tuesday 10 April 2007 13:51:29 Arran Cudbard-Bell wrote:
 and finally, how do you define a binding for the snmp module? It's
 on, but I never explicitly bound it anywhere :|
 Unlike auth/acct, which are bound with listen sections. Seems like there
 may be a need for a small extension to listen sections
 to allow type snmp.

Arran,

http://wiki.freeradius.org/SNMP_HOWTO

That page should give some base info on setting up SNMP support.

Kevin Bonner



Re: Reject user without realm

2007-04-09 Thread Kevin Bonner
On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
 The problem I'm having is that if a user adds no realm, only the user,
 the server is authenticating locally. I wanted it to deny the
 authentication. How should I proceed?

A username with no realm will match the NULL realm.  You can reject NULL 
realms with:

== users ==
DEFAULT Realm == NULL, Auth-Type := Reject
== users ==

 hints file. Added only the following entry:
 # The following entry is to be authenticated locally
 DEFAULT Suffix == @domain1.com, Strip-User-Name = Yes
 Hint = PPP,
 Service-Type = Framed-User,
 Framed-Protocol = PPP

A realm definition for domain1.com and a small users file entry should do the 
same thing, as long as you don't add the nostrip option for the realm.

 rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
 User-Name = [EMAIL PROTECTED]
 User-Password = user
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   hints: Matched DEFAULT at 36
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = user, looking up realm NULL
 rlm_realm: No such realm NULL

This request matches the NULL realm, which should be impossible based on your 
configuration and the description of how the NULL realm works.  The User-Name 
has a realm in this request, so it should match the DEFAULT realm if it is 
defined.  Since the hints file matched at line 36 here, I assume you actually 
configured provider1.com instead of domain1.com in your hints file.

Is this assumption correct?  If not, what is in your hints file at line 36?

Kevin Bonner



performace on chainging clients.conf and huntgroup

2007-04-05 Thread Kevin J
Alan,

I noticed that the more IPs I add to clients.conf and huntgroups, the steeper 
the performance decline FreeRADIUS gets.  I'm guessing it's the linked list.  Have we 
considered other data structures like hashing or a btree?

-Kevin 




 


Re: Cisco Configuration

2007-04-04 Thread Kevin Bonner
On Wednesday 04 April 2007 14:01:31 Norman Zhang wrote:
 Hi,

 I'm learning how to use freeradius. Does anyone have a working conf that
 works for cisco devices?

 Regards,
 Norman Zhang

DEFAULT Auth-Type := Accept

... but seriously, what are you trying to do?  Authenticate PPPoX sessions, 
admin sessions, or something else?  Have you run in debug mode to see what 
the cisco is sending to the radius server?  A little more information on what 
you are trying to do would be very helpful.

The wiki has some info related to cisco configs [1].  Another source that 
should have some cisco-related info is the mailing list archives.

Kevin Bonner

[1] http://wiki.freeradius.org/Cisco



Re: Freeradius Checkrad Redback

2007-04-03 Thread Kevin Bonner
On Monday 02 April 2007 08:11:10 ahissi jean-françois wrote:
 Hello,

 I'm facing a Simultaneous-Use problem.

 We are an ISP and we have ADSL subscribers.
 The AAA is a FreeRADIUS 1.1.3 server
 and the NAS is a Redback SMS.

 The Simultaneous-Use doesn't work!

 We plan to use checkrad but
 there is no SNMP script for Redback!
 The telnet option is not good, I think, because we have 18000
 subscribers.

 Please help me with an SNMP script for Redback or with another
 solution for Simultaneous-Use.

 Thanks!

I agree that verifying a session via telnet is not a scalable solution.  
Lucent probably has SNMP MIBs for the Redback, which should have a way to 
confirm active sessions.

Kevin Bonner



Re: chap rlm_sql authentication problem

2007-03-30 Thread Kevin Bonner
On Friday 30 March 2007 09:13:17 Andrew Long wrote:
 In NTRADPING:
 username: hiegalleria
...
 rad_recv: Access-Request packet from host 192.168.10.100:49259, id=5,
 length=59
 User-Name = hiegalleria_cn3200
 CHAP-Password = 0xac0b9199834a040866dd0050c44d4fdf35

Am I missing something obvious?  How is _cn3200 getting appended to the 
username?

 --
 1176  hiegalleria_cn3200  password  PASSWORD_HERE  ==
 --

You've heard several times that the attribute and operator need to be fixed.  
I'm just listing it again for emphasis.

 radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'hiegalleria_cn3200' AND usergroup.GroupName =
 radgroupcheck.GroupName ORDER BY radgroupcheck.id'
 --
 9  colubris  Service-Type  Administrative-User  ==
 --

If this is correct, your request will not match unless you send this 
particular Service-Type.  Looking at the request above, I don't see this 
attribute being sent in the access-request.

Kevin Bonner



Re: SNMP support for radius problem

2007-03-29 Thread Kevin Bonner
On Thursday 29 March 2007 12:47:38 satish patel wrote:
 Thanks for help

 I got it, and now my FreeRADIUS is working with snmpd and it is working fine.
 Now can you tell me what I can monitor through snmpd? I mean, can I check how many
 users are currently logged in and how many failed, and what stats I can check through
 this feature?

The RADIUS mibs are in the mibs/ directory of the freeradius release.  You 
should be able to monitor any of those values.

-Kevin



Re: SNMP support for radius problem

2007-03-28 Thread Kevin Bonner
On Wednesday 28 March 2007 08:17:00 satish patel wrote:
  main: smux_password = verysecret
  main: snmp_write_access = no
 SMUX connect try 1
 SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
 SMUX open progname: radiusd
 SMUX open password: verysecret
 SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
 SMUX register priority: -1
 SMUX register operation: 1
 SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
 SMUX register priority: -1
 SMUX register operation: 1
 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.
 SMUX read start
 SMUX read len: 12
 SMUX message received type: 67 rest len: 4
 SMUX_RRSP
 SMUX_RRSP value: 0 errstat: 0
 --- Walking the entire request list ---
 Nothing to do.  Sleeping until we see a request.

This looks good.  It successfully registered with the local SNMP daemon, which 
means FreeRADIUS is built with SNMP support and is properly configured.

 Now I have run snmpwalk but I didn't get any output from radius

 $snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.67.1.1.1.1
 End of MIB

This looks correct as well.  Make sure the public community has permission to 
view that OID tree.  I did test my local SNMP config and receive the same 
results when I restrict the public community from accessing that OID.

Kevin Bonner



RFC 4590 Compliant?

2007-03-27 Thread Kevin J
Hi, 

I just noticed an email thread 
http://arcknowledge.com/gmane.comp.freeradius.devel/2006-11/msg00040.html


Any update on it?
Can we say FreeRadius is RFC 4590 compliant?

Kevin


 
  



 


Re: use realms to access different mysql tables

2007-03-27 Thread Kevin Bonner
On Tuesday 27 March 2007 18:13:09 Alexander Papenburg wrote:
 Hi Freeradius-Mailing-List,

 do any of you differentiate SQL database tables with realms?
 E.g.:

 Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius1
 Auth-Requests for [EMAIL PROTECTED] will be checked against table db_radius2
 ...and so on.

 I already found out that it is possible to use multiple sql instances,
 but as far as I understand they would be asked/checked one after
 another. That would be nice for failover scenarios, but if there are
 about 20-30 realms to check it would result in very slow
 performance (depending on mysql host speed).
 So is there a better way to solve this problem? All users in one
 database is unfortunately not an option at the moment...


 Thanks in advance

 Alex

An example of this is below.  In each sql definition you can define the 
different queries necessary to handle a particular realm.  realm3 shows how 
to allow multiple realms to use the same db/SQL queries, so you can easily 
merge the databases over time and update the users file to reflect the db 
changes.

Kevin Bonner

== sql.conf ==
sql db1 { ... }
sql db2 { ... }
...
== sql.conf ==

== radiusd.conf ==
authorize {
...
Autz-Type SQL1 {
db1
}
Autz-Type SQL2 {
db2
}
}
== radiusd.conf ==

== users ==
DEFAULT Realm == realm1, Autz-Type := SQL1
DEFAULT Realm == realm2, Autz-Type := SQL2
DEFAULT Realm == realm3, Autz-Type := SQL2
...  OR
DEFAULT User-Name =~ "@realm1$", Autz-Type := SQL1
DEFAULT User-Name =~ "@realm2$", Autz-Type := SQL2
DEFAULT User-Name =~ "@realm3$", Autz-Type := SQL2
== users ==



Re: Accounting is not working. Please help.

2007-03-26 Thread Kevin Bonner
On Monday 26 March 2007 16:30:35 alex wrote:
 Hey guys, I just followed this guide:
 http://www.frontios.com/freeradius.html
 and everything looks OK; the users are already working and log in without
 problem. But the accounting is not working: the mysql tables are empty. I
 checked when a user accesses and everything looks OK, and radacct is still
 empty.

 In my radiusd.conf i have
 accounting {
 detail
 radutmp
 sql
 }
 Other guy is checking in the AP, but i wanna be sure i have the correct
 values in the server.

 Any  comment is appreciated.
 Alex

Did you run in debug mode (-X)?  If so, did the output show anything strange 
when processing an accounting packet?  Is the NAS configured to send 
accounting records to the radius server?

-Kevin



Re: disconnect users from radius

2007-02-28 Thread Kevin Bonner
On Wednesday 28 February 2007 10:40, satish patel wrote:
 Dear all

   I have installed FreeRADIUS on RHEL with MSSQL server and it
 is working fine, but now I am facing a problem regarding disconnecting
 users. My NAS is a Cisco router; it is L2TP. So what do I do for this
 problem?

 And I want to connect my dialupadmin with MSSQL. Is it possible?

 Satish Patel

Since it is a cisco, it may support Packet of Disconnect (PoD) requests.  [1] 
has some info about this.  To verify that it is available and configure it, 
you should refer to the vendor documentation for your device.

Kevin Bonner

[1] http://wiki.freeradius.org/Disconnect_Messages


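As an added example, not code from FreeRADIUS, Cisco or the wiki page above: the exchange a PoD consists of, per RFC 5176. The RADIUS server (or any script holding the same shared secret) sends a Disconnect-Request (code 40) to the NAS, conventionally UDP port 3799, and the NAS answers Disconnect-ACK (41) or Disconnect-NAK (42). The request is authenticated by an MD5 over the packet plus the shared secret, and the reply must be checked against the specific request it answers. The secret, user, session id and NAS address below are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not FreeRADIUS or Cisco code): the RFC 5176 Disconnect-Request
# exchange behind "Packet of Disconnect".  All values are constructed.

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 44, 101


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Return [(type, value), ...] for the attributes after the 20-byte header."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def build_disconnect_request(ident, secret, user, session_id, nas_ip):
    """Disconnect-Request (code 40) identifying the session to tear down."""
    attrs = (avp(USER_NAME, user)
             + avp(ACCT_SESSION_ID, session_id)
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 s.3: Request Authenticator =
    #   MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(request, code, secret, attrs=b""):
    """What the NAS answers (ACK 41 / NAK 42); used here to make test vectors."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator =
    #   MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(request, response, secret):
    """True only for a well-formed ACK/NAK whose authenticator matches this
    request under this secret; a forged, wrong-secret, wrong-ID or truncated
    reply is rejected."""
    if len(request) < 20 or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    if ident != request[1] or length < 20 or length > len(response):
        return False
    response = response[:length]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"testing123"
    req = build_disconnect_request(7, secret, "user1", "0000ABCD", "192.0.2.1")
    # Error-Cause 503 = Session Context Not Found (RFC 5176 s.3.5)
    nak = build_response(req, DISCONNECT_NAK, secret,
                         avp(ERROR_CAUSE, struct.pack("!I", 503)))
    print("request length", len(req), "NAK verifies:", verify_response(req, nak, secret))
```

In practice the request is sent over UDP to the NAS and the datagram that comes back is handed to verify_response() before anything is logged as a successful disconnect. Production senders should also add a Message-Authenticator attribute (HMAC-MD5, RFC 3579), which is omitted here, and the NAS must be explicitly configured to accept CoA/PoD from the server's address with this secret.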

Re: Radius says client is unknown.

2007-02-27 Thread Kevin Bonner
On Tuesday 27 February 2007 14:47, M. Onur ERGiN wrote:
 Just a moment ago, I noticed that I can't start radiusd daemon with
 'service radiusd start' command. It gives the following error:

 [EMAIL PROTECTED] raddb]# service radiusd start
 Starting RADIUS server: Tue Feb 27 21:44:38 2007 : Info: Starting - reading
 configuration files ... 6490:error:0906D06C:PEM routines:PEM_read_bio:no
 start line:pem_lib.c:632:Expecting: CERTIFICATE 6490:error:0906D06C:PEM
 routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
 6490:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM
 lib:ssl_rsa.c:534: [FAILED]

 But I can start it with 'radiusd -X'

 Can the problem be related to that? By the way, I have signed a new
 certificate to be used in radius. But it seems okay.

 Thanks for any help,
 Onur.

Sounds like a permissions issue to me.  Check the user/group that is 
configured in radiusd.conf, then verify that the user can read the 
certificates and config files.

Kevin Bonner



Re: check active threads

2007-02-20 Thread Kevin Bonner
On Tuesday 20 February 2007 03:10, Tomas Hoger wrote:
  Freshly added to the Wiki FAQ as this has been covered countless times on
  the users list.

 Kevin, it may be better to add a bit more info to wiki, since combining
 SysV and BSD flags of ps is usually not permitted and -H flag is not
 recognized by older versions of ps.

 What about this:

 For older versions of ps, use:

   - ps -efm
   - ps auxm

 For newer versions of ps, you may prefer to use:

   - ps -efL
   - ps auxH

 th.

Sounds fine with me.  As it is a wiki, feel free to register an account and 
make that change.  I only included the ps versions I had available at the 
time.

-Kevin



Re: check active threads

2007-02-19 Thread Kevin Bonner
On Monday 19 February 2007 13:13, Andrew Long wrote:
 freeradius 1.4 on CentOS 4.4
 How can I verify the number of threads? I only see one process with

  ps aux | grep radiusd

 I could have sworn I used to see each thread with 0.9 and I am
 concerned that the threads are not starting correctly as defined in
 radiusd.conf:
thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
 }

http://wiki.freeradius.org/FAQ#I_see_only_one_radiusd_in_the_process_list.__What_is_wrong.3F

Freshly added to the Wiki FAQ as this has been covered countless times on the 
users list.

Kevin Bonner



Re: attr_rewrite

2007-02-19 Thread Kevin Bonner
On Monday 19 February 2007 15:29, Ben Butler wrote:
 Hi,

 I am having some problems with attr_rewrite.

 What I want to do is the following at a pre authorisation phase:

 User-Name = [EMAIL PROTECTED]

 To

 User-Name = somedomain.com

 I want to call the attr_rewrite function for each of the domains that I want
 to strip the username from prior to authorisation.

I'm not very familiar with attr_rewrite, so I'm posting what I would do if I 
were presented with this issue.

We use the hints file to rewrite the request username, as needed.  A hints 
file example that should do what you want:

DEFAULT User-Name =~ [EMAIL PROTECTED]
User-Name := somedomain.com

Then just define somedomain.com in your users file (or DB) and process it like 
a normal request.

Kevin Bonner



Re: RADIUS will no longer start!

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 10:02, Michelle Gates wrote:
 read_config_files:  reading clients
 /opt/freeradius/etc/raddb/radiusd.conf[751]: Missing client name

 -

 Can anyone shed any light on this? Unfortunately for me, one of our
 developers was working on our production server but *claims* not to have
 changed anything of any consequence...

 I'm really unsure of where this is coming from! Has anyone seen this error
 before or could anyone at least point me in the right direction?

Since you have multiple people poking around on a production config, you are 
using some sort of revision control... right?  ;-)

I tried to reproduce the error locally and here is what I've done to cause the 
same error message to show up.

== clients.conf ==
client {
secret  = testing
shortname   = testing
nastype = other
}
== clients.conf ==

[EMAIL PROTECTED] raddb.dial]# /usr/sbin/radiusd -X
...
read_config_files:  reading clients
/etc/raddb/radiusd.conf[327]: Missing client name

To fix the issue, find the broken client entry and either comment it out or 
restore it with the correct client IP.

Kevin Bonner



Re: Setting a realm in the User-Name based on Client-IP-Address

2007-01-24 Thread Kevin Bonner
On Wednesday 24 January 2007 16:59, Jason E. Murray wrote:
 My question is there a better way to do this, this seems a bit kludgy.

 Using FreeRadius 1.1.4

 Thanks in advance,

Use the hints file like below, then configure freeradius as if the realm were 
included in the original request.

== hints ==
DEFAULT User-Name !~ "@", Client-IP-Address == A.B.C.D
User-Name := [EMAIL PROTECTED]
== hints ==

Kevin Bonner


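The users and hints entries in Kevin's replies above (the NULL-realm reject, the per-realm Autz-Type dispatch, and the two hints-file User-Name rewrites) all rely on the same matching rules: check items on an entry's first line are compared against the request, := items are set rather than compared, and the indented items of the first matching entry are applied (to the request itself for hints, to the reply for users). The following is an added example, not FreeRADIUS code, that models those rules just far enough to run such entries end to end; the realm names, the client address 192.0.2.10 and the @realm2 rewrite target are assumed values.

```python
import re

# Added model of FreeRADIUS "users"/"hints" entry evaluation; NOT FreeRADIUS
# code.  Only the operators used in this thread are modelled (==, !=, =~, !~
# as checks; := as "set"), plus a minimal %{Attr} expansion and a simplified
# rlm_realm suffix lookup.

ITEM = re.compile(r'([\w-]+)\s*(:=|==|!=|=~|!~|=)\s*(?:"([^"]*)"|([^,]+))')

# Check operators: each takes (value in request or None, value in entry).
CHECKS = {
    "==": lambda have, want: have == want,
    "!=": lambda have, want: have != want,
    "=~": lambda have, want: have is not None and re.search(want, have) is not None,
    "!~": lambda have, want: have is None or re.search(want, have) is None,
}

def parse_items(text):
    """'Realm == NULL, Auth-Type := Reject' -> [('Realm','==','NULL'), ...]"""
    return [(m.group(1), m.group(2),
             m.group(3) if m.group(3) is not None else m.group(4).strip())
            for m in ITEM.finditer(text)]

def parse_entry(block):
    """First line: name plus check items; following lines: reply items."""
    lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
    name, _, checks = lines[0].partition(" ")
    replies = [item for line in lines[1:] for item in parse_items(line)]
    return name, parse_items(checks), replies

def xlat(value, request):
    """Expand %{Attr} from the request (a tiny subset of FreeRADIUS xlat)."""
    return re.sub(r"%\{([\w-]+)\}", lambda m: request.get(m.group(1), ""), value)

def match_entry(entry, request):
    """Return the items set with ':=' if every check passes, else None."""
    name, checks, _ = entry
    if name != "DEFAULT" and request.get("User-Name") != name:
        return None
    control = {}
    for attr, op, want in checks:
        if op == ":=":
            control[attr] = want                     # set, never compared
        elif op not in CHECKS or not CHECKS[op](request.get(attr), want):
            return None                              # unknown op never matches
    return control

def set_realm(request, realms):
    """Simplified rlm_realm: no '@' -> Realm NULL; a configured suffix -> that
    realm, with Stripped-User-Name added unless the realm says nostrip."""
    user = request["User-Name"]
    if "@" not in user:
        request["Realm"] = "NULL"
        return request
    local, suffix = user.rsplit("@", 1)
    if suffix in realms:
        request["Realm"] = suffix
        if not realms[suffix].get("nostrip"):
            request["Stripped-User-Name"] = local
    return request

def run(entries, request, hints=False):
    """First matching entry wins (Fall-Through is not modelled).  In a hints
    file the reply items rewrite the request itself; in users they become
    reply attributes.  Returns the matched entry or None."""
    for entry in entries:
        control = match_entry(entry, request)
        if control is None:
            continue
        target = request if hints else request.setdefault("reply", {})
        for attr, _op, value in entry[2]:
            target[attr] = xlat(value, request)
        request.setdefault("control", {}).update(control)
        return entry
    return None

# Constructed entries in the shapes used in this thread (realm names, the
# client address and the rewrite target are assumed values).
USERS = [parse_entry(e) for e in (
    "DEFAULT Realm == NULL, Auth-Type := Reject",
    "DEFAULT Realm == realm1, Autz-Type := SQL1",
    "DEFAULT Realm == realm2, Autz-Type := SQL2",
    "DEFAULT Realm == realm3, Autz-Type := SQL2",
)]
HINTS = [parse_entry('DEFAULT User-Name !~ "@", Client-IP-Address == 192.0.2.10\n'
                     '        User-Name := "%{User-Name}@realm2"')]
REALMS = {"realm1": {}, "realm2": {}, "realm3": {}}

def classify(user, client_ip):
    """hints -> rlm_realm -> users, the authorize order; returns (Realm, control)."""
    request = {"User-Name": user, "Client-IP-Address": client_ip}
    run(HINTS, request, hints=True)
    set_realm(request, REALMS)
    run(USERS, request)
    return request.get("Realm"), request.get("control", {})

if __name__ == "__main__":
    for user, ip in (("bob", "198.51.100.7"), ("bob", "192.0.2.10"),
                     ("alice@realm3", "198.51.100.7")):
        print(user, ip, "->", classify(user, ip))
```

Run stand-alone it shows the three outcomes the thread describes: a bare username from an unlisted client gets Realm NULL and Auth-Type Reject; the same username from 192.0.2.10 is rewritten by the hints entry, lands in realm2 and is sent to the SQL2 Autz-Type; a user who already carries @realm3 is dispatched without any rewrite. Note that `:=` on the hints entry's second line rewrites User-Name before rlm_realm runs, which is why the rest of the configuration can be written as if the realm had been in the original request.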

Re: Best practices for redundant servers

2007-01-19 Thread Kevin Bonner
On Friday 19 January 2007 14:02, Peter Nixon wrote:
 On Fri 19 Jan 2007 18:56, Graham Beneke wrote:
  Would it be possible for someone to dump all the man pages into the wiki?

 Please feel free to do it.. It is a wiki after all :-)

Agreed.  I've added a few things here and there, but that's just because I was 
poking around in those areas of freeradius recently.

If you add stuff, I can clean up the page display, if necessary, after I find 
the box that contains my free time.  =)

-Kevin


