Re: Username with spaces (MySQL)

2013-04-18 Thread Marinko Tarlać

You can add

if (%{User-Name} =~ / /) {
        reject
}

at the start of the authorize section.

This rule will reject user(s) in case they add blank spaces before or after the 
username...




On 18.4.2013 9:47, Wilco Baan Hofman wrote:


On Wed, 2013-04-17 at 22:03 -0500, Andres Gomez Ruiz wrote:


So I have many users using the same username putting one, two,
three, ...etc., spaces after the username.


How can I solve this situation?
Maybe with a SQL query that ignores the spaces in the username?
(talking about the sql counters)


Not really a RADIUS question, but this is default behaviour for MySQL.
Convert the VARCHAR Field to binary or use TRIM() for the counters.

Regards,

Wilco Baan Hofman



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





Re: RADIUS shared secret over internet

2013-04-09 Thread Marinko Tarlać
As I remember, Alan mentioned that RADSEC will be implemented in 
freeRadius 3...


On 9.4.2013 10:54, Muhammad Nuzaihan bin Kamal Luddin wrote:

Interesting method by using TLS. This is what I had in mind but couldn't
find the answer.

The only method I see is through proxying the requests, based on a
whitepaper I read - if this is what RFC6614 may contain.

What is the roadmap for this? Is there any initial work being done or
proof-of-concept work on this? By looking at implementations of TLS (in
combination of openssl/gnutls) on other protocols might be similar to
this but I may be wrong (I have yet to read on the RFC) as it's another
layer taking place.

Thanks for the hint. I'll read up on the RFC.

Cheers,
Muhammad Nuzaihan Bin Kamal Luddin

On Tue, 2013-04-09 at 10:13 +0200, Stefan Winter wrote:

Hi,


RADSEC

These days, the more proper answer is: RFC6614

http://tools.ietf.org/html/rfc6614

:-)

Stefan



Re: MAC Address Auth

2013-04-08 Thread Marinko Tarlać

Add

eric@ut3 Calling-Station-Id == 02:1B:9E:D3:0B:F0

inside radcheck table or inside users file

eric@ut3  Cleartext-Password := eric, Simultaneous-Use := 1, Calling-Station-Id == 02:1B:9E:D3:0B:F0
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0


Notice the double = sign

On 8.4.2013 13:18, Mulindwa wrote:
Hi good pple, have been reading on how to enforce the attribute of 
Mac-Addr and i have not seen it anywhere.


Has anyone done it before, please help throw some light on how i can 
achieve this.


I want user eric@ut3 with this Mac Address to log in , and if the MAC 
address is different he will not be granted access.



eric@ut3 Cleartext-Password := eric, Simultaneous-Use := 1
        Mac-Addr = 02-1B-9E-D3-0B-F0,
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0

Eric M

*From:* Mulindwa meri...@yahoo.com
*To:* FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

*Sent:* Friday, April 5, 2013 9:07 AM
*Subject:* Re: MAC Address Auth

Thanks Mattias,

I get an error saying; Unknown attribute Attr-2352-145

This is how i have it setup


user20001@ut3  Password = 006060, Simultaneous-Use = 1
        Attr-2352-145 = 5c-7d-5e-3f-d0-f7,
        Service-Type = Framed-User,
        Qos_Policy_Policing = broadband_128_policing,
        Qos_Policy_Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0

Eric M

*From:* Matthias Nagel matthias.h.na...@gmail.com
*To:* freeradius-users@lists.freeradius.org
*Sent:* Thursday, April 4, 2013 5:41 PM
*Subject:* Re: MAC Address Auth

Hello,
add the correct check item to your user database. In the case below 
(User-Name = user2000@ut3) you should have the check item

Attr-2352-145 == 5c-7d-5e-3f-d0-f7

for this specific user in your user database. Then you repeat this for 
every user/mac-address pair you want.

Best regards, Matthias

On Thursday, 04 April 2013, 07:25:55, Mulindwa wrote:
 Great, I have run the debug and I did get the attribute required.
 If I want to fulfill the two conditions, i.e. username/passwd and 
Mac Address = Attr-2352-145


 How would I need to tweak my radiusd.conf file to achieve this?




 User-Name = user2000@ut3
CHAP-Password = cccddd'
CHAP-Challenge = 
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = UT-BRAS-EDGE
NAS-IP-Address = x.x.x.x
NAS-Port = 855649483
NAS_Real_Port = 855638816
NAS-Port-Type = Virtual
Attr-87 = 3/3 vlan-id 800 pppoe 11467
Medium_Type = 11
Attr-2352-145 = 5c-7d-5e-3f-d0-f7  MAC Address
Attr-2352-98 = 3
Attr-2352-112 = 6.2.1.9
Acct-Session-Id = 020268008FC9-515D8419


 Eric M


 
 From: Mulindwa meri...@yahoo.com
 To: Alan DeKok al...@deployingradius.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

 Sent: Thursday, April 4, 2013 4:58 PM
 Subject: Re: MAC Address Auth


 Thanks Alan,

 Let me do so.


 Eric M


 
 From: Alan DeKok al...@deployingradius.com
 To: Mulindwa meri...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

 Sent: Thursday, April 4, 2013 4:47 PM
 Subject: Re: MAC Address Auth

 Mulindwa wrote:
  Hi All,
 
  Have been trying to authenticate my ADSL users using Mac Address Auth,
  however i have failed even after going through the documentation.
 
  I want to authenticate with the highlighted, anyone done this and 
can help?


  It's been done.

  This is how the accounting file looks;

  If you're trying to debug authentication, it helps to look at
 *authentication* traffic, and not *accounting* data.

  And run the server in debugging mode as suggested in the FAQ, man
 page, web pages, and daily on this list.

  Honestly, there is NO excuse for refusing to do this.

  Alan DeKok.





Re: MAC Address Auth

2013-04-08 Thread Marinko Tarlać
Do you plan to read anything or you think we're here in a chat room, 
waiting for your questions (the same questions every day...) ?





On 8.4.2013 15:32, Mulindwa wrote:

Thanks Matthew,

Sorry to ask, but where is the reply list and where is the check list?

Eric M

*From:* Matthew Newton m...@leicester.ac.uk
*To:* Mulindwa meri...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

*Sent:* Monday, April 8, 2013 4:16 PM
*Subject:* Re: MAC Address Auth

On Mon, Apr 08, 2013 at 04:18:54AM -0700, Mulindwa wrote:
 I want user eric@ut3 with this Mac Address to log in, and if
 the MAC address is different he will not be granted access.

Move the Mac-Addr attribute from the reply list to the check list,
and make it a check operator (==) not assignment (=):

eric@ut3  Cleartext-Password := eric, Simultaneous-Use := 1, Mac-Addr == 02-1B-9E-D3-0B-F0
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0

Matthew


--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk






Re: radusergroup without primary key

2012-12-26 Thread Marinko Tarlać

You can add whatever you want to the read-only tables.

On 26.12.2012 10:59, Efi merdler wrote:

Hello,

I'm using radius 2.1.12 with postgresql as a backend. I've noticed
that radusergroup does not contain any key column.

There is a complaint on the subject posted back in 2007
(http://lists.freeradius.org/pipermail/freeradius-devel/2007-August/003239.html)
however nobody addressed it.

We are accessing the table from an external process and it requires a
primary key to be successful, how would you recommend handling it ?

Cheers


Re: radusergroup without primary key

2012-12-26 Thread Marinko Tarlać

As I know, FreeRadius will only read from radusergroup table.
All you need to do is to take care about the SQL queries inside 
dialup.conf file which are executed on this table (which means do not 
change the column names unless you change them inside dialup.conf too).


For example, I several columns inside nas table and it all works fine.

Marinko

On 26.12.2012 13:11, Efi merdler wrote:

What do you mean by read-only tables? As I understand I'm supposed
to add items to it.

On Wed, Dec 26, 2012 at 1:20 PM, Marinko Tarlać mangi...@gmail.com wrote:

You can add whatever you want to the read-only tables.


On 26.12.2012 10:59, Efi merdler wrote:

Hello,

I'm using radius 2.1.12 with postgresql as a backend. I've noticed
that radusergroup does not contain any key column.

There is a complaint on the subject posted back in 2007
(http://lists.freeradius.org/pipermail/freeradius-devel/2007-August/003239.html)
however nobody addressed it.

We are accessing the table from an external process and it requires a
primary key to be successful, how would you recommend handling it ?

Cheers



--
Efi Merdler-Kravitz
LacoonSecurity LTD
052-5126464 | www.lacoonSecurity.com

Re: Statistics on EAP methods widely used

2012-11-20 Thread Marinko Tarlać

It works perfectly almost without any changes inside config files... :)

hint: default_eap_type = peap inside eap.conf

On 20.11.2012 14:24, Alan Buxey wrote:
From my own experience PEAP (aka PEAPv0/mschapv2) is the most common 
EAP method in use (probably due to it being supported in most clients 
and backend authentication systems)


alan




Re: user names and user passwords

2012-11-16 Thread Marinko Tarlać

op should be := and (not ==)

On 16.11.2012 16:45, Dmitry Korzhevin wrote:
Guys, does anybody know something about maximum username length and 
user password length?


I try to use next login passwords without success (checked with radtest):

http://dpaste.com/832115/



Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com




Re: Failed login lockout protection in FreeRADIUS

2012-09-14 Thread Marinko Tarlać
Nice option but please keep in mind that suspended routers can behave 
like a brute force attacker and you'll lock them too.


On 14.9.2012 15:36, Phil Mayers wrote:

On 14/09/12 13:57, mr. s wrote:

Hello,

I was reading an article in computer world comparing a few RADIUS 
servers.


It said that FreeRADIUS had failed login lockout protection, however I
can't find that particular verbiage in the FreeRADIUS documentation, FAQ
or HowTos.


What are you asking here? How to lock out a user after X failed logins?






Re: freeradius, memory consumption

2012-09-03 Thread Marinko Tarlać
You're using FR just for authorization and not for accounting and 
session control ?


On 3.9.2012 10:16, Miha wrote:

Hi,

I am using Freeradius for authorization with mysql. In my sql I have 
about 15k user entries and there is about 50 active calls all the time 
(just for information about traffic).


Now Freeradius is in production for about 4 months and I did not 
notice any problems (works perfect). Today I noticed that it is using 
around 77% of memory. Is this normal?


Thanks!

Miha

root 27533  0.0 77.4 13524108 9500600 ?Ssl  Mar26  29:51 radiusd






Re: rlm_sql Error

2012-08-13 Thread Marinko Tarlać

 would it make any difference?

It won't help in case you have x trillion records in radacct table and 
this table is MyISAM, used for simult. login detection, etc...


On 13.8.2012 15:00, Antonio Modesto wrote:


Hi,


Here in the ISP which I work we have a Freeradius 1.X in production, 
and a 2.X that we're testing to replace the old one. On both Radius we 
get the following error sometimes, What can be causing this? The SQL 
Database is in the same server of freeradius 1.X, but the load is low, 
we have about 2500 subscribers. I was thinking about increasing the 
number of sql connections, which is set to 4, would it make any 
difference?


Database server load:
load averages:  1.10,  1.05,  1.03


Error: rlm_sql (sql): There are no DB handles to use! skipped 0, tried 
to connect 0



Thanks in advance.



Re: Problem with EAP Authentication working not every time

2012-08-08 Thread Marinko Tarlać
I'm not 100% sure but as I know the UBNT equipment has introduced RADIUS 
client support in firmw. 5.x which is still active and under development...


RADIUS MAC authentication was introduced in latest firmware (5.5) so I 
believe that some things are still not as they should.


On 8.8.2012 11:59, stefan novak wrote:


when you say clients, you just mean these rad_eap_test requests?
I assume you are using NAGIOS...and that occasionally you are getting
a WARNING for the RADIUS server?  yes?
it's a bug in rad_eap_test as far as I can see - I moved to a
native eapol_test with my NAGIOS because of this bug. rad_eap_test
is not maintained as far as I can see.


no the real clients are Ubiquiti (www.ubnt.com) 
Nanostation M5 on Ubiquiti Rocket M5 AccessPoints.
we encountered the problem that sometimes the rekey'ing from eap not 
works and disconnects the client.

the radius logs then an access-reject

now i am sure that the ubnt clients maybe the problem. now i am 
thinking of the next debug steps


--
kind regards,
Stefan
___
www.epb.at - Your IT Partner in East Austria




Re: Duplicate Radius Accounting

2012-08-06 Thread Marinko Tarlać
If you're using Mikrotik, update to the latest version... I had many 
problems with older versions (2.9.x)


On 6.8.2012 15:19, Alan DeKok wrote:

Christopher Manigan wrote:

In my logs I see many entries like the following:

Info: WARNING: Child is hung for request 51651 in component core module 
queue.3
Error: Dropping request (2049 is too many): from client myhost.mysite port 
32869 - ID: 239

   Something is blocking the server.  This is usually a slow database.


In the last ~10 hours, the status server reports the following for accounting:

Responses  0
Duplicate  954442
Malformed  115045
Invalid    564029

   That is *terrible*.  Zero responses?  It indicates a catastrophic
failure in the system.

   And *malformed* packets?  Something is sending NON RADIUS packets to
the RADIUS port.  Go fix that.

   And invalid packets?  Something is sending non-accounting packets to
the accounting port.


Dropped  0
Unknown  0

Radius will hang and start to time out and eventually die.  It looks like the 
duplicate count gets extremely high very quickly.  Could it be the NAS that are 
pointing to it?  Or could it be my radius configs somehow causing this?  I am 
not really sure how to prove it out or troubleshoot.  I can increase the max 
requests but I don't think that is the right solution.

   Your RADIUS system is horribly slow, and isn't finishing any requests.
  Go fix that.  The default configuration *works*.

   And your NAS is broken.  Something is very, very, wrong in your
network.  Find out what it is.  Ensure that only RADIUS accounting
packets go to the RADIUS accounting port.

   Alan DeKok.


Re: Session-Timeout

2012-07-26 Thread Marinko Tarlać
Then AP probably doesn't understand Session-Timeout attribute... (not 
implemented for example)


It would be helpful to tell us what are you using as AP

On 26.7.2012 16:08, Klaus Klein wrote:

Hi Folks,

 I'm in the process to setup a WPA(2)-Enterprise (IEEE 802.1X) 
protected WLAN.


I choose FreeRADIUS (2.1.10) with a EAP-TLS to authenticate and 
control the access to the network.


While everything works so far, I just can't get the Session-Timeout to 
work.


If I start 'freeradius -X' I can see that FreeRADIUS sends the 
Session-Timeout information with the Access-Accept message.
Also if I limit the Login-Time (e.g. Login-Time := Wk-1500) and 
the remaining time is less than the Session-Timeout, the remaining 
time is sent as a Session-Timeout.


Nevertheless, after the session times out, no reauthentication takes 
place and the client stays connected to the network.


As this behavior happens with all (two) APs I've got, I'm not sure 
where to locate the problem.(FreeRADIUS, AP or Client (Debian Squeeze 
with wpa_supplicant))


Any idea how I could pinpoint the problem either from the FreeRADIUS 
or the client side?


Thanks,
Klaus






Re: radacct is not filled up

2012-07-17 Thread Marinko Tarlać

I fear the AP is not sending accounting packets at all. The only
thing I can configure at the TP-Link AP is that it can communicate
with the radiusserver at port 1812 for auth packets.


Good to know I had the same problem with TP Link... RADIUS auth works fine 
but accounting no-no



On 17.7.2012 11:54, Andreas Meyer wrote:

Hello!

Fajar A. Nugraha l...@fajar.net wrote:


On Tue, Jul 17, 2012 at 4:08 PM, Andreas Meyer anme...@anup.de wrote:


Hm, no luck with this one. I changed buffered.sql to log to sql, but it

Did I EVER mention anything about buffered.sql?
Was it EVER mentioned in the wiki page?


accounting {
        sql
}

so accounting section has sql. That's good.


# Executing section post-auth from file /usr/etc/raddb/sites-enabled/default

See that? That's post-auth. That section is called after
access-request packets are processed.

Ok


+- entering group post-auth {...}
[reply_log] expand: 
/usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d - 
/usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
[reply_log] 
/usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to 
/usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
[reply_log] expand: %t - Tue Jul 17 10:57:08 2012
++[reply_log] returns ok
[sql]   expand: %{Stripped-User-Name} -
[sql]   ... expanding second conditional
[sql]   expand: %{User-Name} - bitcorner-1

... and you didn't have ANYTHING in the log about accounting.

Does your NAS send accounting packets? Accounting section is only
called when radius receive accounting packets.

I fear the AP is not sending accounting packets at all. The only
thing I can configure at the TP-Link AP is that it can communicate
with the radiusserver at port 1812 for auth packets.


Or is it that you want to log some data to sql in post-auth, instead
of accounting? If so, then you need to modify the correct section

not that I know of

I have a section in radiusd.conf to listen for type = acct


(i.e. post-auth, not accounting). And the table modified will NOT be
radacct, but radpostauth. See sql.conf and sql/mysql/dialup.conf for
details, look for postauth. You CAN change what's logged, and where,
by editing the queries.

I must say I am not sure, what information belongs to post-auth exactly
and why. I promise I read the FAQ!

   Andreas






Re: Attributes

2012-05-11 Thread Marinko Tarlać

  
  
We're glad to help ... In both cases :)

On 11.5.2012 6:53, Shawky Skaff wrote:

Nevermind,
found the answer

From: Shawky Skaff
Sent: Friday, 11 May 2012 2:51 PM
To: freeradius-users@lists.freeradius.org
Subject: Attributes

Hi,

In dialup admin, under the groups and users I have the option to add an
attribute, however the option which I need is not in the list. The list
provided is

-  Protocol
-  IP address
-  IP netmask
-  Framed-MTU
-  Compression Used
-  Service Type
-  Session Timeout
-  Idle Timeout
-  Port Limit
-  Lock Message

The option which I need to add is Framed-Route, how can I do this?

Kind Regards,

Shawky Skaf

iVox Communications
www.ivox.com.au

P: +61 2 8252 0205
F: +61 2 8252 0202

Re: We are using the Cisco ACS 5.3 as a RADIUS for database authentication and authorization. The purpose is to authenticate incoming users based on the NAS-PORT-ID. The problem is that we cannot find

2012-04-25 Thread Marinko Tarlać
Next time put something in subject so we can know something about your 
problem...  :)


On 25.4.2012 15:03, Xbert_badstuber wrote:

We are using the Cisco ACS 5.3 as a RADIUS for database authentication and
authorization. The purpose is to authenticate incoming users based on the
NAS-PORT-ID. The problem is that we cannot find any solution for the Service
Router (Alcatel 7750) to send the NAS-PORT-ID to act as USERNAME. The
username field is set to the MAC address.

The ACS requires a USERNAME and there is not a way to manipulate the
User-Name value once it is received.
We heard that it could be possible to use the freeradius to act as a proxy
for the Cisco secure ACS.

This is what we want:

User --  [SR] --  User-Name = “MAC:xx.xx.xx.xx” Password = “secret”
NAS-Port-Id = 1/1/4.1001.129 --  [FR] --  User-Name = “1/1/4.1001.129”
Password = “secret” --  [ACS 5.3]

Is there a solution for this option in the Freeradius?

Is there a way to manipulate the User-Name sent from the service router,
(MAC address), and change it to its NAS-Port-Id before it reaches the ACS
RADIUS with help from the freeradius acting as a proxy?

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/We-are-using-the-Cisco-ACS-5-3-as-a-RADIUS-for-database-authentication-and-authorization-The-purpose-tp5664804p5664804.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

Re: Double-check the shared secret on the server and the NAS!

2012-03-05 Thread Marinko Tarlać

In nas table in case you're using sql...

On 5.3.2012 16:40, Javier Ruiz Escalante wrote:

Hello,

The secret is set in clients.conf, where has to be set also?

Regards

Javier Ruiz Escalante
Telephone: 00 34 512 700 524
Skype: fruiz002




From: a.cudba...@freeradius.org
Subject: Re: Double-check the shared secret on the server and the NAS!
Date: Mon, 5 Mar 2012 16:10:37 +0100
To: freeradius-users@lists.freeradius.org


On 5 Mar 2012, at 15:53, Javier Ruiz Escalante wrote:


Sorry,

I have no idea which files to check despite the message is clear.


raddb/clients.conf and the configuration of your NAS. RADIUS uses 
pre-shared secret to encrypt parts of the packet and for authenticator 
hashes.


The pre-shared secret is not the same in the clients.conf entry 
associated with your NAS and the RADIUS server configuration on your 
NAS, it needs to be, go make it the same :)


-Arran



Thanks in advance.

Best regards
Javier Ruiz Escalante
Telephone: 00 34 512 700 524
Skype: fruiz002



 Date: Mon, 5 Mar 2012 14:34:21 +
 From: p.may...@imperial.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Authentification

 On 05/03/12 13:55, Javier Ruiz Escalante wrote:
  Good afternoon,

  I'm new in Radius and I have no clue what happens, can anybody help me?
  from the server in the command line works fine, from the wireless client
  get this one.

  Mon Mar 5 12:36:33 2012 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

 This message should be clear, no?


Arran Cudbard-Bell
a.cudba...@networkradius.com

Technical consultant and solutions architect

15 Ave. du Granier, Meylan, France
+33 4 69 66 54 50








Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Marinko Tarlać

Hi

Can you tell me something about performances?

I'm using Mtik as NAS for PPPoE users and 500-600 online users per 
server is optimum according to my experiences (Quad core server, 2GB 
RAM,...).


ISC DHCP works very well for 6000 users and the same number of cable 
modems but I'm not sure is Mtik capable for something like that...


ISC problem is database integration which won't be added in the next 150 
years... :)


On 22.2.2012 13:03, Johan Meiring wrote:

On 2012/02/22 01:10 PM, Alan DeKok wrote:


   Yes.

   If you use FreeRADIUS for both RADIUS and DHCP, you can track user
status in a database.  When you receive a RADIUS packet, update the
database.  When you receive a DHCP packet, query the database.

   Traditional DHCP servers (i.e. ISC) make this hard.  They don't talk
to databases.  They're firmly stuck in 1980's technology.




Another option which we use very successfully is a Mikrotik DHCP server.
It can talk to Freeradius.

http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server

It works well.





Re: FreeRadius to authenticate DHCP Requests with Option82

2012-02-22 Thread Marinko Tarlać

No No, you didn't understand me...

Mtik is installed on the server (HP ML3xx series) and the optimum is 
500-600 online PPPoE users... I achieved 1100 online PPPoE users per 
Mikrotik but the CPU load was always too high and the packet loss was too 
high (1-2%). The problem is visible because the Mtik creates simple 
queue rule for every active connection.


RADIUS server works  perfectly with 5 NAS-es (2000-3000 online users in 
the same moment)...


I just wanted to know is Mikrotik capable (according to users 
experiences) to act as a DHCP server for a large networks (for example 
10k modems and 10k users behind those modems).


best regards
Marinko

On 22.2.2012 13:53, Fajar A. Nugraha wrote:

2012/2/22 Marinko Tarlać mangi...@gmail.com:

Hi

Can you tell me something about performances?

I'm using Mtik as NAS for PPPoE users and 500-600 online users per server is
optimum according to my experiences (Quad core server, 2GB RAM,...).

you mean the server is used by FR?

You either:
- setup accounting interim interval to a very low value (e.g. 60 seconds), OR
- your configuration is REALLY non-optimum

If you use files backend, then it's very easy to get several auth/sec.
If you use db backend, then your main limiting factor will be
accounting, which is limited by how fast your disk IOPS is.

So for starters:
- what backend did you use for FR? mysql? postgres? others?
- what kind of disk you have, and how many? (e.g. 2 x SATA 7200 rpm
disks, in hardware raid 1)
- what is your accounting interim interval?
- did you modify the default db schema/queries (if using db backend)?





Re: Freeradius stopped to work

2012-02-20 Thread Marinko Tarlać

radutmp file became too large...

But to be sure, check your radius in debug mode...

/usr/local/var/log/radius/radutmp

On 20.2.2012 13:25, dorje2...@seznam.cz wrote:

Hi

after more then year my freeradius 2.1.9 stopped to work

in log I have a lot of the following info:

Feb 20 13:11:55 radius radiusd[12006]: WARNING: Child is hung for request 
35 in component accounting module radutmp.
Feb 20 13:11:56 radius radiusd[12006]: WARNING: Child is hung for request 34 in 
component accounting module radutmp.
Feb 20 13:11:56 radius radiusd[12006]: WARNING: Child is hung for request 51 in 
component accounting module radutmp.

Feb 20 13:10:45 radius radiusd[12006]: WARNING: Unresponsive child for request 
134, in module radutmp component accounting
Feb 20 13:10:47 radius radiusd[12006]: WARNING: Unresponsive child for request 
132, in module radutmp component accounting
Feb 20 13:10:48 radius radiusd[12006]: WARNING: Unresponsive child for request 
136, in module radutmp component accounting

and so on

When I restart the radius, it starts to work, then after a few minutes goes down

Any ideas?

thanks

pet


Re: Next release of the server?

2012-01-24 Thread Marinko Tarlać

Hi Fajar

Thank you very much for your time.

I'm using CentOS so I'll try with the latest 2.1.x from git

The problem which bothers me is that I need more than classic ip-mac 
pairing. Besides the IP address I need to return a few other parameters 
to cable modems/MTA.


For example ISC DHCP config for regular modems is:

host blaBlaBla {
    filename "confingFile.cm";
    fixed-address 192.168.12.167;
    hardware ethernet 00:cc:ab:11:cc:22;
}

As you can see, I'm returning the IP address and the name of the config file.

Is this possible with FreeRadius DHCP ?

ISC DHCP can't cooperate with database (maybe omapi but I hate it)

Best regards

On 24.1.2012 10:05, Fajar A. Nugraha wrote:

On Sat, Jan 7, 2012 at 5:55 AM, Marinko Tarlac mangi...@gmail.com wrote:

I'm not a developer but I will try to help as much as I can.


@Marinko: If you use Ubuntu, I've just uploaded a new package to my
unofficial ppa: https://launchpad.net/~freeradius/+archive/testing-2.x

The master (3.0) branch is still missing some DHCP-related
improvements present on v2.1.x, so if you want to do some DHCP-testing
better stick with v2.1.x for now.

The ppa is currently:
- based on latest v2.1.x git commit (5fedd50), which already includes
some config file improvements needed to have a working DHCP server
with dynamic and static IP assignment
- has some additional patches to make testing easier (e.g. comments on
how to use static IP assignment)
- has dhcp functionality compiled-in, so only some configuration
change is needed to use the functionality (see comments in
/etc/freeradius/sites-available/dhcp)

You can also compile yourself from v2.1.x git branch, but if you do
that you (currently) still need to modify some config files manually.

Let us know how your testing goes.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Next release of the server?

2012-01-05 Thread Marinko Tarlać

If it isn't a secret, where is the DHCP functionality on the priority list?



On 1/4/2012 3:49 PM, Alan DeKok wrote:



   The hope is that I can do some small changes for 3.0 which will
finalize the internal state machine.  That will make it easier to
separate the RADIUS, DHCP, and VMPS functionality in the server.  It
will also mean that certain new features will be easier to add. :)

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Framed-IP-Address not working

2012-01-03 Thread Marinko Tarlać

The same thing happens with Mikrotik.

If you send the pool name then the assigned IP address is ignored...


On 1/3/2012 3:19 PM, Alan DeKok wrote:

Azfar Hashmi wrote:

I have assigned a static IP to some users but the users are still getting IP
addresses from the openvpn server pool. What am I missing?

   If it's being sent to OpenVPN in an Access-Accept, then the problem is
in OpenVPN.  Ask them.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Framed-IP-Address not working

2012-01-03 Thread Marinko Tarlać

And what was the problem ?

On 1/4/2012 6:55 AM, Azfar Hashmi wrote:

Solved, problem was in openvpn.

On 1/3/2012 3:30 PM, Azfar Hashmi wrote:

I have assigned a static IP to some users but the users are still getting IP
addresses from the openvpn server pool. What am I missing?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth: Invalid user

2011-12-15 Thread Marinko Tarlać

I don't understand even a single word, but when I see Simultaneous-Use...

On 12/15/2011 2:23 PM, Caio wrote:

Good morning everyone.
I use ubuntu-server 10.10.
I have freeradius 2.1.9 + Postgres 8.2 integrated with mikrotik.

Situation:
Every time I need to restart my mikrotik with approximately 600 
authenticated clients, right after the reboot freeradius cannot handle the 
load of authentication requests from the mikrotik, and returns in the log 
Auth: Invalid user:


I would like to know whether freeradius has the Simultaneous-Use option 
to increase the capacity for simultaneous user authentication.

Or whether there is some other solution.

Thanks in advance.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: semulteneius-use with cisco nas

2011-12-14 Thread Marinko Tarlać

I'm not sure why Simultaneous-Use is so hard to set up...
1. turn on sql inside the accounting section
2. turn on sql inside the session section
3. be sure that the NAS works properly (sending Interim-Updates)
4. insert Simultaneous-Use := X (where X is the number you want to allow) 
inside the radcheck table..


http://www.serveradminblog.com/2011/12/freeradius-install-howto-4-populating-tables/




On 12/14/2011 10:27 AM, Alan DeKok wrote:

tolik_shavlov...@mail.ru wrote:

I just asked to indicate what exact is wrong, I supposed that maillist
was created for such purposes.

   The whole point of asking questions is to read the responses.  You
have not been doing that.

   The point of mailing lists is to help people who want help.

   You want to ask questions.  You seem to not want any help.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expiration email

2011-12-06 Thread Marinko Tarlać

Everything can be found via Google in less than 1 minute.

On 12/6/2011 1:22 PM, john decot wrote:
Thanks for the reply. I am also trying the same but couldn't compare with 
the field in the database, as the Expiration attribute uses a character value. 
I wish someone would give me an idea on comparing those parameters inside the 
database.






*From:* Marinko Tarlać mangi...@gmail.com
*To:* freeradius-users@lists.freeradius.org
*Sent:* Tuesday, December 6, 2011 1:33 PM
*Subject:* Re: Expiration email

If you're asking me, I wouldn't mess with freeradius.

Maybe the better idea is to create a small cron script which can read 
the database and send email according to the date and the time diff 
you want (1, 2, 3 etc days before the expiration)


On 12/6/2011 3:54 AM, john decot wrote:

Hi,

I am looking for how to send email before expiration of account. 
The value used for the expiration in radius is character format. So, 
I would like to know how to compare the expiration data and send 
email accordingly.



Thanks in advance.


John.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expiration email

2011-12-05 Thread Marinko Tarlać

If you're asking me, I wouldn't mess with freeradius.

Maybe the better idea is to create a small cron script which can read 
the database and send email according to the date and the time diff you 
want (1, 2, 3 etc days before the expiration)


On 12/6/2011 3:54 AM, john decot wrote:

Hi,

I am looking for how to send email before expiration of account. 
The value used for the expiration in radius is character format. So, I 
would like to know how to compare the expiration data and send email 
accordingly.



Thanks in advance.


John.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
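
The cron-script idea from this thread, as an added example (not code from the thread): it parses the character Expiration values held in radcheck and selects the accounts that expire in 1, 2 or 3 days. The in-memory SQLite table standing in for the real database, the sample rows, the second date format and the mail addresses are assumptions made for the sketch.

```python
import sqlite3
from datetime import date, datetime
from email.message import EmailMessage

# "25 Jun 2011" is the form shown in radcheck on this page; the variant with a
# time of day is an assumption added for the sketch.
EXPIRATION_FORMATS = ("%d %b %Y", "%d %b %Y %H:%M:%S")


def parse_expiration(value):
    """Convert the character Expiration value to a date, or None if unparseable."""
    for fmt in EXPIRATION_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).date()
        except ValueError:
            continue
    return None


def accounts_to_notify(conn, today, notify_days=(1, 2, 3)):
    """Return (due, bad): due holds (username, expiry, days_left) for accounts
    expiring in exactly one of notify_days; bad holds unparseable rows."""
    due, bad = [], []
    rows = conn.execute(
        "SELECT username, value FROM radcheck WHERE attribute = ?",
        ("Expiration",),
    )
    for username, value in rows:
        expiry = parse_expiration(value)
        if expiry is None:
            bad.append((username, value))  # report these, do not skip silently
            continue
        days_left = (expiry - today).days
        if days_left in notify_days:
            due.append((username, expiry, days_left))
    return sorted(due, key=lambda row: (row[2], row[0])), bad


def build_reminder(username, address, expiry, days_left):
    """Build the message; a cron job would pass it to smtplib.SMTP.send_message()."""
    msg = EmailMessage()
    msg["To"] = address
    msg["Subject"] = "Account %s expires in %d day(s)" % (username, days_left)
    msg.set_content("Your account expires on %s." % expiry.strftime("%d %b %Y"))
    return msg


def sample_db():
    """Constructed radcheck rows in an in-memory database (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
                 " attribute TEXT, op TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [("bob", "Cleartext-Password", ":=", "bob"),
         ("bob", "Expiration", ":=", "25 Jun 2011"),
         ("alice", "Expiration", ":=", "24 Jun 2011 12:00:00"),
         ("carol", "Expiration", ":=", "01 Jan 2012"),
         ("dave", "Expiration", ":=", "next week")])
    return conn


if __name__ == "__main__":
    due, bad = accounts_to_notify(sample_db(), date(2011, 6, 23))
    for username, expiry, days_left in due:
        # The address is a placeholder; a real script would look it up.
        print(build_reminder(username, username + "@example.org", expiry, days_left))
    for username, value in bad:
        print("unparseable Expiration for %s: %r" % (username, value))
```

Rows whose Expiration cannot be parsed are returned separately so a typo in the table shows up in the cron output and does not silently suppress a reminder.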


Re: Slow DB / outstanding requests

2011-09-16 Thread Marinko Tarlać
Alan, please do not forget to add this fix to the changelog so it will be 
easier for new FR users...


Best regards

On 9/16/2011 8:45 AM, Fajar A. Nugraha wrote:

On Fri, Sep 16, 2011 at 1:22 PM, Alan DeKok al...@deployingradius.com wrote:

old:
    for each new request
        clear out one dead request from queue

  If the dead requests originally arrived at a higher rate than the new
requests, it can take a long time to clean them out.

new:
    for each new request
        clear out all dead requests from queue


Thanks, one more reason to update to 2.1.12 when it comes out :D



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Slow DB / outstanding requests

2011-09-16 Thread Marinko Tarlać

Of course we don't need to do anything, but if this small change inside the 
code is announced in the changelog, more people will upgrade to 2.1.12 and 
they will stop bothering us on this list with the same questions, over and 
over again :)




On 9/16/2011 9:59 AM, Alan DeKok wrote:

Marinko Tarlać wrote:

Alan, please do not forget to add this fix to the changelog so it will be
easier for new FR users...

   to do...?  It doesn't require anyone to do anything.  There are no
configuration changes.  It's just code internal to the server.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radius with mysql issue

2011-09-02 Thread Marinko Tarlać

You broke the server... somehow...

On 9/2/2011 11:36 AM, cktan wrote:
I've conducted another test on another machine and the result is the same: 
whenever the User-Password OP is :=, the password would not be checked. 
Changed to == then OK.. By the way, my FR is running on 2.1.7-7


CK

On 09/02/2011 05:27 PM, Alan Buxey wrote:

Hi,

OK, I think I know what is the problem d, I noticed the operator of
User-Password is set to :=, when I changed it to ==, it work fine and
wrong password would be rejected. Can someone confirm this?

it should be :=


and in fact it should be Cleartext-Password :=


(though that's if you are running a reasonably up to date FR version)

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cleanup Stale Sessions - needed?

2011-08-08 Thread Marinko Tarlać

Please search before asking...

I wrote at least 10 times about this problem 

On 8/8/2011 12:22 PM, Paolo Di Francesco wrote:

Hi radius gurus,

I am still having issues with this configuration. In a few words, I am
still cleaning some users by hand, but I would love that to be done
by radius each time it checks whether the user is online or not.

In a few words:

1) the user is disconnected
2) the user tries to get into the net, and it knocks on the NAS
3) the NAS knocks on the radius saying "hey, this guy wants to get in"
4) the radius asks the NAS "hey, is the user already online or not?"
and the NAS says "no, I have no user with that name" (checkrad)
5) but the radius thinks the user is still online somewhere because it
shows as online in the mysql database, therefore the answer is "no, this
user is already online somewhere"

So I am looking for some script/hint/whatever to CLEAN those users who
are not online but still show as online in mysql.

Suggestions very welcome!




Hi Radius Gurus

I have a problem with one not-so-typical situation.

First of all, I am running daloradius on top of Freeradius:

[root@radman ~]# radiusd -v
radiusd: FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built
on Mar 31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.


I have just updated my network topology and therefore I moved some NASes
from one server to another.

When I did this change, obviously I did it without worrying what could
happen to the radiusd. So I simply moved the NASes on new IPs/servers
and restarted the radiusd.

Now I have the users trying to get into the network but they look
online to radiusd on the old NASes. In a few words, the connection is
refused because radiusd thinks that the user is ALREADY online on the
old NAS (not true) and it does not permit the user to get into the
network.

So I have this teasing menu option in daloradius which is called
Cleanup Stale Sessions. I think it does exactly what I need but:

1) I do not want to break the radiusd
2) I do not want to lose my radius logs (who had that IP that day..)
3) I do not know if this is the right button to click

So I am asking you if you have any idea of how to solve this issue and
if I should click that button

Thank you in advance

(radiusd log follows)

---

  Auth: Multiple logins (max 1) [MPP attempt]: [myu...@mynet.org] (from client xyz port 45118 cli 00:15:6D:5E:0A:82)

---





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
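
One way to script the cleanup asked for in this thread, as an added example (not code from the thread or from FreeRADIUS): open radacct rows with no accounting update for several interim intervals are closed by filling in acctstoptime, so no log rows are deleted. The column names follow the default SQL schema as an assumption, and the in-memory SQLite table, thresholds and sample rows are constructed for the sketch.

```python
import sqlite3
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"


def find_stale(conn, now, interim_interval=300, missed_updates=3):
    """Open radacct rows (acctstoptime IS NULL) whose last accounting update is
    older than missed_updates * interim_interval seconds."""
    limit = timedelta(seconds=interim_interval * missed_updates)
    stale = []
    rows = conn.execute(
        "SELECT radacctid, username, nasipaddress, acctstarttime, acctsessiontime"
        " FROM radacct WHERE acctstoptime IS NULL ORDER BY radacctid")
    for rid, user, nas, start, session_time in rows:
        # Interim updates advance acctsessiontime, so start + session time is
        # the last moment the NAS reported this session (assumed schema).
        last_seen = datetime.strptime(start, TS) + timedelta(seconds=session_time or 0)
        if now - last_seen > limit:
            stale.append((rid, user, nas, last_seen))
    return stale


def close_stale(conn, now, **thresholds):
    """Close stale sessions by filling in acctstoptime. Rows are never deleted,
    so the record of who held which session stays available."""
    stale = find_stale(conn, now, **thresholds)
    with conn:  # single transaction
        for rid, _user, _nas, last_seen in stale:
            conn.execute(
                "UPDATE radacct SET acctstoptime = ?"
                " WHERE radacctid = ? AND acctstoptime IS NULL",
                (last_seen.strftime(TS), rid))
    return [(user, nas) for _rid, user, nas, _seen in stale]


def open_sessions(conn, username):
    """Sessions still marked open, which is what blocks a new login."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,)).fetchone()[0]


def sample_db():
    """Constructed radacct rows: two sessions stuck on an old NAS, one live
    session, and one session that was closed normally."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY,"
                 " username TEXT, nasipaddress TEXT, acctstarttime TEXT,"
                 " acctsessiontime INTEGER, acctstoptime TEXT)")
    conn.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctstarttime,"
        " acctsessiontime, acctstoptime) VALUES (?, ?, ?, ?, ?)",
        [("alice", "192.0.2.10", "2011-08-08 08:00:00", 600, None),
         ("bob", "192.0.2.20", "2011-08-08 11:00:00", 3300, None),
         ("carol", "192.0.2.10", "2011-08-08 09:00:00", None, None),
         ("alice", "192.0.2.10", "2011-08-07 10:00:00", 7200, "2011-08-07 12:00:00")])
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(close_stale(db, datetime(2011, 8, 8, 12, 0, 0)))
```

The threshold has to be longer than the NAS interim-update interval, otherwise live sessions that simply have not reported yet would be closed.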


Re: Packet of Disconnect PHP

2011-08-03 Thread Marinko Tarlać

If you're using Mikrotik, you can use Mikrotik API for this...

It works very well...

Especially if you need to disconnect all users

On 8/3/2011 8:50 AM, Marius Pesé wrote:

I didn't even know there were Radius functions in PHP...

Anyway, I did do my POD with PHP:

First get all the information you need from the database:

SELECT
 `radcheck`.`username`,
 `radcheck`.`attribute`,
 `radcheck`.`value`*1024*1024*1024,
 `radacct`.`framedipaddress`,
 `radacct`.`xascendsessionsvrkey`,
 `radacct`.`nasipaddress`,
 `radacct`.`acctstoptime`,
 `radacct`.`realm`
FROM
 `radcheck`
CROSS JOIN
 `radacct`
ON
 `radcheck`.`username` = `radacct`.`username`
WHERE
.

Then you can use this to pipe it through radclient, assuming your web server 
hosting this script is the same as your Radius server this is quite easy:

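 // Quote the attribute list for the shell so that values read from the database are passed as data
 $attrs = 'User-Name = '.$row[0].', Framed-IP-Address = '.$row[3].', X-Ascend-Session-Svr-Key = '.$row[4].', NAS-IP-Address = '.$row[5];
 $disconnect = exec('echo '.escapeshellarg($attrs).' | radclient -x NAS.IP.ADD.RESS:PORT disconnect SECRET');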

This way I am iterating through a list of accounts returned by the query (do 
some calculations) and then kick them off the network.
Maybe not the most sophisticated method but it does the trick.
Hope this helps

Kind regards

Marius Pesé
Mindspring Computing

-Original Message-
From: freeradius-users-bounces+marius=mindspring.co...@lists.freeradius.org 
[mailto:freeradius-users-bounces+marius=mindspring.co...@lists.freeradius.org] 
On Behalf Of Arran Cudbard-Bell
Sent: Wednesday, August 03, 2011 8:21 AM
To: FreeRadius users mailing list
Subject: Re: Packet of Disconnect PHP

It's possible... IIRC (and this was a long long time ago) type is just an 
integer value http://www.php.net/manual/en/function.radius-create-request.php 
and also though there are two constants defined, it can actually be *any* 
integer value, so just use type 40 for POD.

You'll need to make sure you have the right combination of attributes to 
identify the user, some NAS are *VERY* picky.

-Arran

PS I think the RADIUS stuff is an extension, so you'll need to install it using 
PECL.


On 3 Aug 2011, at 01:03, mark fennema wrote:


Hello, I'm working on getting a hotspot set up, and I need the ability
to have a user log themselves out, so that they can connect on another
computer. I have it set up so that the user can enter their
information and have it log them out, but it doesn't disconnect them
from the router, so they can continue using the internet until they
disconnect from the wireless, so I need to send a packet of
disconnect. Is there a way to do this in php?


Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
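
The radclient call from this thread without a shell in between, as an added example (not code from the thread): the attribute list is validated, written to radclient's standard input, and the command is started from an argument list, so a username or session key taken from the database can neither reach a shell nor add attributes to the request. The helper names, the sample values and the IPv4-only check are assumptions of the sketch; the secret still appears on the command line, as in the original command.

```python
import ipaddress
import re
import subprocess


def quote_value(value):
    """Render a string as a double-quoted radclient value. Control characters
    are refused so a value cannot start a new attribute line."""
    text = str(value)
    if re.search(r"[\x00-\x1f\x7f]", text):
        raise ValueError("control character in attribute value: %r" % text)
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def ipv4(value):
    """Accept only a literal IPv4 address; raises ValueError otherwise."""
    return str(ipaddress.IPv4Address(str(value).strip()))


def build_attributes(username, framed_ip, session_key, nas_ip):
    """Same four attributes, in the same order, as the exec() line in the post."""
    pairs = [
        ("User-Name", quote_value(username)),
        ("Framed-IP-Address", ipv4(framed_ip)),
        ("X-Ascend-Session-Svr-Key", quote_value(session_key)),
        ("NAS-IP-Address", ipv4(nas_ip)),
    ]
    return ", ".join("%s = %s" % pair for pair in pairs) + "\n"


def radclient_argv(nas, port, secret):
    """Argument vector for: radclient -x NAS:PORT disconnect SECRET."""
    return ["radclient", "-x", "%s:%d" % (ipv4(nas), int(port)), "disconnect", secret]


def send_disconnect(row, nas, port, secret, run=subprocess.run):
    """row = (username, framedipaddress, xascendsessionsvrkey, nasipaddress)."""
    attrs = build_attributes(*row)
    # A list argv and no shell=True: nothing in row is parsed by /bin/sh.
    return run(radclient_argv(nas, port, secret), input=attrs, text=True,
               capture_output=True, timeout=10, check=False)


if __name__ == "__main__":
    # Constructed row; prints the request text without contacting a NAS.
    print(build_attributes("bob", "10.0.0.5", "ABC123", "192.0.2.1"), end="")
```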

Re: Slow Mysql Queries

2011-06-07 Thread Marinko Tarlać

One of the servers I maintain has 18 qps average and the load is
0.62,0.54,0.63 (1min, 5min, 15min)
Beside the database and radius, that server is used for hundred other 
things and it works perfectly (1GB of RAM, dual core CPU)


The point is not how many queries per second you have. You can have 
2 qps that overload the server..


On 06/07/2011 05:54 AM, OzSpots - Carl Sawers wrote:

Thanks for the advice everyone!
I have removed scripts which caused the VERY slow queries and have now
had the slow query log on for a few days. It is still showing loads of
entries but http access performance is not noticeably slow (on occasion
there is a small delay). The slow queries appear to be mostly coming
from radacct and radcheck when a wireless user is trying to
authenticate...

Phpadmin states that there have been 30 queries in only 25 hours
which is 3 per second. (there are 4 databases including an analytics
database also which will be included in this) 20% of the queries are
from the 'change db' query.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Slow Mysql Queries

2011-06-04 Thread Marinko Tarlać

Check this link and the described tools

http://www.serveradminblog.com/2011/03/tuning-mysql-performance-howto-part-1/

Turn the slow query log ON so you can see the slow queries.

Also, check the disk(s).  Is write cache enabled?

Do you have any external scripts for auth/acc ? They can be the reason 
for this... You can notice this problem with

# ps ax|grep radiusd
and search for radiusd defunct


On 06/04/2011 12:47 PM, OzSpots - Carl Sawers wrote:

Hi All, I have a freeradius server which has some slow mysql queries and
some errors like the below happen now and again(daily).

We have actually just upgraded to this server and have imported all the
MYsql data into the new server (it was working fine on the older quite
similar server). One thing I have noticed; the server boots with around
280mb of ram used but after an hour or two is closer to 400mb used and
stays around this point until rebooted again.

My research says that the tables need to be indexed but it seems I would
have to manually do this and I don't know which ones would need it
anyway... and why would this be the case when it wasn't needed
previously.

The other thing that I have noticed is what appear to be doubled up
entries in radius.log, (check the times) Anyone know what this could be?

Fri Jun  3 19:40:30 2011 : Auth: Login incorrect: [E4-CE-8F-85-A5-E4/password] (from client localhost port 3 cli E4-CE-8F-85-A5-E4)
Fri Jun  3 19:40:31 2011 : Auth: Login incorrect: [E4-CE-8F-85-A5-E4/password] (from client localhost port 3 cli E4-CE-8F-85-A5-E4)
Fri Jun  3 19:40:31 2011 : Auth: Login incorrect: [E4-CE-8F-85-A5-E4/password] (from client localhost port 3 cli E4-CE-8F-85-A5-E4)
Fri Jun  3 19:40:31 2011 : Auth: Login incorrect: [E4-CE-8F-85-A5-E4/password] (from client localhost port 3 cli E4-CE-8F-85-A5-E4)
Fri Jun  3 19:40:32 2011 : Auth: Login incorrect: [E4-CE-8F-85-A5-E4/password] (from client localhost port 3 cli E4-CE-8F-85-A5-E4)

---
Here are the server errors:

Fri Jun  3 19:39:40 2011 : Error: Discarding duplicate request from client localhost:61924 - ID: 210 due to unfinished request 5001
Fri Jun  3 19:39:40 2011 : Error: WARNING: Unresponsive child (id 2995579792) for request 5008 (in component accounting module rlm_sql)
Fri Jun  3 19:39:40 2011 : Error: Discarding duplicate request from client localhost:61924 - ID: 211 due to unfinished request 5009
Fri Jun  3 19:39:40 2011 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jun  3 19:39:41 2011 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jun  3 19:39:41 2011 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jun  3 19:39:41 2011 : Error: Discarding duplicate request from client localhost:2048 - ID: 32 due to unfinished request 5008
Fri Jun  3 19:39:43 2011 : Error: Discarding duplicate request from client localhost:61924 - ID: 210 due to unfinished request 5001
Fri Jun  3 19:39:43 2011 : Error: Discarding duplicate request from client localhost:61924 - ID: 211 due to unfinished request 5009
Fri Jun  3 19:39:44 2011 : Error: Discarding duplicate request from client localhost:2048 - ID: 32 due to unfinished request 5008
Fri Jun  3 19:39:46 2011 : Error: Discarding duplicate request from client localhost:61924 - ID: 210 due to unfinished request 5001
Fri Jun  3 19:39:46 2011 : Error: Discarding duplicate request from client localhost:61924 - ID: 211 due to unfinished request 5009
Fri Jun  3 19:39:46 2011 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jun  3 19:39:47 2011 : Error: Discarding duplicate request from client localhost:2048 - ID: 32 due to unfinished request 5008
Fri Jun  3 19:39:47 2011 : Error: WARNING: Unresponsive child (id 2985089936) for request 5009 (in component accounting module rlm_sql)
Fri Jun  3 19:39:49 2011 : Error: Discarding duplicate request from client localhost:61924 - ID: 211 due to unfinished request 5009
Fri Jun  3 19:39:49 2011 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Fri Jun  3 19:39:50 2011 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0

Regards Carl


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication Problem

2011-05-24 Thread Marinko Tarlać

Simultaneous-Use op should be := and not =


On 05/24/2011 10:32 AM, Fajar A. Nugraha wrote:

On Tue, May 24, 2011 at 3:20 PM, john decot johnde...@yahoo.com wrote:

SELECT id, username, attribute, value, op  FROM radcheck
  WHERE username = BINARY 'bob'  ORDER BY id;

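+-----+----------+--------------------+-------------+----+
| id  | username | attribute          | value       | op |
+-----+----------+--------------------+-------------+----+
| 384 | bob      | Cleartext-Password | bob         | := |
| 385 | bob      | Simultaneous-Use   | 1           | =  |
| 386 | bob      | Expiration         | 25 Jun 2011 | := |
+-----+----------+--------------------+-------------+----+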
3 rows in set (0.00 sec)

That is odd. What happens when you remove Simultaneous-Use record for bob?



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: about FreeRadius+radiusmanager+mikrotik

2011-05-05 Thread Marinko Tarlać
I'm not a magician and I don't have a crystal ball, but I suppose you 
have a problem with stalled sessions.


Why?

I don't know. Maybe you have a bad connection between the radius server and 
the NAS, maybe your DB is overloaded and accounting updates and stop packets 
aren't executed, so your users stay logged in inside the database while they 
aren't on the NAS...


Also, as far as I know, RadiusManager is a commercial product so you should 
ask them about your problem.




On 05/04/2011 11:50 PM, Alexander Clouter wrote:

Tanjil Ahmed tan...@tanjil.net wrote:

after few mins he can able to login.. pls help me to solve this
problem!


...only if you help us to help you.

http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#But_it_worked_with_another_RADIUS_server.21

You so far have not:
  * shown any signs of reading the documentation
  * shown any signs of reading the FAQ
  * shown any signs of doing any research into your problem
  * produced any *useful* debug after being asked

What might be handy for us is:
  * what your NAS sends in an Access-Request
  * what you are expecting to send back as a reply
  * the debug output for a successful request
  * your config file(s)

You are so far doing the same as a regular end user shouting DOES NOT
WORK FIX IT NOW!!?!? and refusing to provide any information at all
about:
  1. what are you trying to do (Access-Accept looks like?)
  2. how are you trying to do it (config/debug)
  3. what are you expecting to happen (where you think the debug goes
wrong, SQL, LDAP, files queries)
  4. what is actually happening (RADIUS response, if any)

Please, throw us a freeking bone here...try starting with the
documentation, Google and the FreeRADIUS mailing list archives.

Regards



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html