RES: Setting Acct-Interim-Interval for all users

2012-01-31 Thread Nataniel Klug
Thank you Alan.

--


> -Original message-
> From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+listas.nata=cnett.com...@lists.freeradius.org] On behalf of Alan
> DeKok
> Sent: Tuesday, 31 January 2012 04:37
> To: FreeRadius users mailing list
> Subject: Re: Setting Acct-Interim-Interval for all users
> 
> Nataniel Klug wrote:
> > Is it possible to setup this parameter as a default
> > for all clients using my Radius?
> 
>   See raddb/acct_users
> 
>   Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Setting Acct-Interim-Interval for all users

2012-01-30 Thread Nataniel Klug
    Hello all,

    I recently went through a problem concerning
Acct-Interim-Interval that, for some reason, was not being set for some of my
clients. The result was catastrophic inside my network. Fortunately, with
help from Fajar A. Nugraha (whom I thank for the time spent), I was able to
identify the problem, but I have not been able to solve it for good.

    Sometimes my Freeradius sends information about a client from
radgroupreply and sometimes, for the same client, it sends it from radreply.
The problem is that when it sent from radreply it was not sending
Acct-Interim-Interval because it was not there. I am changing my software
(not freeradius) to update my SQL tables correctly but, to solve this
problem, I wish I could set a DEFAULT value for Acct-Interim-Update that
would work as a backup plan in cases like this.

    Is it possible to set up this parameter as a default for all
clients using my Radius?

--
Regards,

Nataniel Klug



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
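
The gap described in this post, as an added example (not part of the original message and not FreeRADIUS code): a Python audit that lists the users whose reply could go out without Acct-Interim-Interval, depending on whether it is built from radreply or radgroupreply. The table names are the ones used in this thread; the column layout, the function names and the sample rows are assumptions constructed for the demo, with SQLite standing in for the production database.

```python
import sqlite3

ATTR = "Acct-Interim-Interval"


def audit_interim_interval(conn):
    """Return {username: [sources that lack ATTR]} for every user with a gap.

    A source is "radreply" (the user has reply rows of their own, none of
    which is ATTR) or "radgroupreply:<group>" (the user belongs to a group
    whose reply rows do not include ATTR).
    """
    gaps = {}
    user_rows = conn.execute(
        "SELECT DISTINCT username FROM radreply "
        "WHERE username NOT IN "
        "  (SELECT username FROM radreply WHERE attribute = ?) "
        "ORDER BY username",
        (ATTR,),
    ).fetchall()
    for (user,) in user_rows:
        gaps.setdefault(user, []).append("radreply")

    group_rows = conn.execute(
        "SELECT username, groupname FROM radusergroup "
        "WHERE groupname NOT IN "
        "  (SELECT groupname FROM radgroupreply WHERE attribute = ?) "
        "ORDER BY username, groupname",
        (ATTR,),
    ).fetchall()
    for user, group in group_rows:
        gaps.setdefault(user, []).append("radgroupreply:" + group)
    return dict(sorted(gaps.items()))


def build_interval_sample_db():
    """Constructed sample data; column layout is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE radreply (username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
        """
    )
    conn.executemany(
        "INSERT INTO radreply VALUES (?, ?, ?, ?)",
        [
            ("alice", "Framed-Protocol", "=", "PPP"),        # own rows, no interval
            ("bob", "Framed-Protocol", "=", "PPP"),
            ("bob", ATTR, "=", "300"),                       # own rows, interval set
        ],
    )
    conn.executemany(
        "INSERT INTO radgroupreply VALUES (?, ?, ?, ?)",
        [
            ("residential", ATTR, "=", "300"),
            ("business", "Framed-Protocol", "=", "PPP"),     # group without interval
        ],
    )
    conn.executemany(
        "INSERT INTO radusergroup VALUES (?, ?, ?)",
        [("alice", "residential", 1), ("bob", "business", 1), ("carol", "residential", 1)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for user, sources in audit_interim_interval(build_interval_sample_db()).items():
        print(user, "->", ", ".join(sources))
```
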


RES: Problems using SQL IP Pool

2012-01-30 Thread Nataniel Klug
Fajar,

I found the problem... It's Acct-Interim-Time that is not set for
some groups and I can't find why... I am solving the problem now... Thank
you for your help!

--



> -Original message-
> From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+listas.nata=cnett.com...@lists.freeradius.org] On behalf of Fajar A.
> Nugraha
> Sent: Monday, 30 January 2012 09:53
> To: FreeRadius users mailing list
> Cc: Agner Vainer [ CNett ]
> Subject: Re: Problems using SQL IP Pool
> 
> On Mon, Jan 30, 2012 at 8:47 PM, Nataniel Klug wrote:
> >> And what does freeradius debug log say?
> >
> > [Nataniel Klug] This is a production server and I can't run it in
> > debug mode (-X) and, as it's not a common problem (it appears just once
> > or twice during a day), I can't be monitoring it all the time. Is there
> > any other way to get the debug mode?
> 
> Try "man radmin", look for "debug". That's assuming you setup control-socket
> correctly (i.e. edit the file, symlink to sites-enabled, etc).
> 
> Last time I checked the output is slightly different (e.g. you can't see
> request attributes), so if you can't make it work with that then your only
> option is to run FR in debug mode. It's important because it can tell
> whether the attribute came from sqlippool, or whether some other module
> overwrites it (e.g. files, sql), or whether FR is sending the correct ip
> address, but the client simply ignores it.
> 
> --
> Fajar


RES: Problems using SQL IP Pool

2012-01-30 Thread Nataniel Klug
> And what does freeradius debug log say?
> 
> --
> Fajar

[Nataniel Klug] I've set my debug_level to 2 and now it's recording in
radius.log. I will look into it when the problem appears.



RES: Problems using SQL IP Pool

2012-01-30 Thread Nataniel Klug
Hello Fajar,

Thank you for your reply. I will answer below:

> So you have ONLY one instance of sqlipool, backed by postgresql?
> 
> If you don't use mysql for sqlippool then it's not relevant for this
> discussion. Focus on what you use for sqlippool

[Nataniel Klug] It's true, I just use PostgreSQL for ippool:

- /etc/raddb/sql.conf -
sql sqlps {
    database = "postgresql"
    driver = "rlm_sql_${database}"
    server = "186.251.144.XX"
    port = 5432
    login = "radius"
    password = "XX"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 30
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    readclients = yes
    nas_table = "nas"
    $INCLUDE sql/${database}/dialup.conf
}

sql sqlmy {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "186.251.144.XX"
    port = 3306
    login = "radius"
    password = "XX"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "usergroup"
    deletestalesessions = yes
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql
    num_sql_socks = 60
    connect_failure_retry_delay = 60
    lifetime = 0
    max_queries = 0
    readclients = no
    nas_table = "nas"
    $INCLUDE sql/${database}/dialup.conf
}

- /etc/raddb/sqlippool.conf -
sqlippool {
    sql-instance-name = "sqlps"
    ippool_table = "radippool"
    lease-duration = 720
    pool-key = "%{NAS-Identifier}-%{NAS-Port}"
    $INCLUDE sql/postgresql/ippool.conf
    sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
    sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
    sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
 (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
    sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
    sqlippool_log_nopool = "No Pool-Name defined \
  (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}

> And what does freeradius debug log say?
> 
> --
> Fajar

[Nataniel Klug] This is a production server and I can't run it in debug mode
(-X) and, as it's not a common problem (it appears just once or twice
during a day), I can't be monitoring it all the time. Is there any other way
to get the debug mode?



RES: RES: How to use radacct in two different databases

2011-11-24 Thread Nataniel Klug
Phil,

Thank you, I will test the configuration and I will give it a try in
the real world. Hope it works!

Regards,

Nataniel Klug

--


> -Original message-
> From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+listas.nata=cnett.com...@lists.freeradius.org] On behalf of Phil
> Mayers
> Sent: Wednesday, 23 November 2011 17:56
> To: freeradius-users@lists.freeradius.org
> Subject: Re: RES: How to use radacct in two different databases
> 
> On 11/23/2011 08:42 PM, Nataniel Klug wrote:
> > I think I did not make myself clear. I need to store radacct data on
> > MySQL and all the rest in PostgreSQL. I was reading about multiple
> 
> Ok, that's clear.
> 
> > instances of SQL (for redundant purposes) and I think it can be used.
> > So in my sites-enable/client file I would have something like "sql" on
> > Authorization section (and this instance would be a PostgreSQL) and a
> > sql1 on Accounting section (this would be a MySQL). In sqlippool.conf
> > I can set it to run over "sql" instance (using PostgreSQL).
> >
> > Is this possible? I need to access just the data on radacct over
> > MySQL.
> 
> Yes. The config you've described should work. sqlippool will talk to your
> postgres install, and accounting will go into your mysql install.


RES: How to use radacct in two different databases

2011-11-23 Thread Nataniel Klug
I think I did not make myself clear. I need to store radacct data
on MySQL and all the rest in PostgreSQL. I was reading about multiple
instances of SQL (for redundant purposes) and I think it can be used. So in
my sites-enable/client file I would have something like "sql" on
Authorization section (and this instance would be a PostgreSQL) and a sql1
on Accounting section (this would be a MySQL). In sqlippool.conf I can set
it to run over "sql" instance (using PostgreSQL).

Is this possible? I need to access just the data on radacct over
MySQL.

--


> -Original message-
> From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+listas.nata=cnett.com...@lists.freeradius.org] On behalf of Phil
> Mayers
> Sent: Wednesday, 23 November 2011 15:47
> To: freeradius-users@lists.freeradius.org
> Subject: Re: How to use radacct in two different databases
> 
> On 11/23/2011 06:04 PM, Nataniel Klug wrote:
> >   Hello all,
> >
> > I am having a problem. The problem is I was trying to use MySQL and
> > SQLIPPOOL but I had many problems with IP allocation and release so I
> > chose to try PostgreSQL and it worked really fine in every aspect.
> > The problem is: I use software made by a third-party company that can
> > only read MySQL tables (they use some kind of a socket to connect to
> > database) and I need to measure my clients' usage and show it to the
> > clients so they have a web PHP/Java page where my client can see his
> > usage.
> >
> > So, as I am using PostgreSQL this becomes impossible so, is there any
> > way to use PostgreSQL for authentication and MySQL for accounting? Is
> > this possible?
> 
> IP allocation requires that the database is accessed both during
> authentication and accounting usually. So no - it's probably not possible
> to do this.


RES: Trying to solve a Simultaneous-Use problem

2011-10-11 Thread Nataniel Klug
Marinko,

I didn't know how to ask for "stalled sessions" and I searched for
Sim-Use and found nothing useful... So, if you do not want to help, do not
answer...

--


> -Original message-
> From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+listas.nata=cnett.com...@lists.freeradius.org] On behalf of
> Marinko Tarlac
> Sent: Monday, 10 October 2011 17:59
> To: FreeRadius users mailing list
> Subject: Re: Trying to solve a Simultaneous-Use problem
> 
> We discuss at least once per week about stalled sessions... Search before
> you ask...
> 
> 
> 
> On 10/10/2011 10:49 PM, Arran Cudbard-Bell wrote:
> >
> >> So, my question is: how can I use Simultaneous-Use in
> >> this scenario? Should I make a script that test if the NAS is online
> >> every 10 seconds and if not list all clients connect and stop that
> >> connections? Should this work? Is there anyone with the same scenario
> >> that can share the solution for the problem?
> >
> > --, Yes, Yes, --
> >
> > You can use radclient to send fake accounting stop packets to clear up
> > the stale sessions.
> >
> > Arran Cudbard-Bell
> > a.cudba...@freeradius.org 
> >
> > Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
> >
> >


Re: MAC Auth (new problem)

2008-12-16 Thread Nataniel Klug
Ok... Thank you Ivan. I can't change my system but I can make scripts in 
my Linux box that could make this happen.


t...@kalik.net wrote:

Or fill with a single sql statement:

INSERT INTO radcheck (username, op, attribute, value) SELECT value, ':='
AS op, Cleartext-Password (or Auth-Type) AS attribute, that fixed
password (or Accept - if you don't want to check mac passwords and opt
for auth type) AS value FROM radcheck WHERE
attribute='Calling-Station-Id'

probably should add ON DUPLICATE blah, blah in order to prevent
duplication of mac-as-user entries.

Nataniel, populating this is trivial stuff. You should really put your
effort into creating a proper user database. If your AP is going to ask
for user nicknames and mac addresses as usernames, your database should
provide them - as usernames.

Ivan Kalik
Kalik Informatika ISP

On 16/12/2008, "Alan DeKok" wrote:

Nataniel Klug wrote:

I would like to have this easy configuration but this is not possible at
the moment. Lazy = spend a lot of money...

 Nonsense.  A short Perl script could walk through your existing DB,
and re-write entries into another table, or add new entries to an
existing table.

 Alan DeKok.

--
Regards,

NATANIEL KLUG
n...@cnett.com.br

READ NATA'S DAY-TO-DAY
http://nataklug.blogspot.com/

Cyber Nett - Broadband Internet
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290

"... the wise, too, have a tangible heart and can, at times, use science
as a means of showing sentimental impressions of which many do not judge
them capable."
Visconde de Taunay


Re: MAC Auth (new problem)

2008-12-16 Thread Nataniel Klug
Now someone who could help... hehehehehe... Perl script is that I don't 
know how to make but I will learn it.


Alan DeKok wrote:

Nataniel Klug wrote:
  

I would like to have this easy configuration but this is not possible at
the moment. Lazy = spend a lot of money...



  Nonsense.  A short Perl script could walk through your existing DB,
and re-write entries into another table, or add new entries to an
existing table.

  Alan DeKok.

Re: MAC Auth (new problem)

2008-12-16 Thread Nataniel Klug

Ivan,

Thank you. I will try to think about how can I do this.

t...@kalik.net wrote:

Look, you can make a solution that will work for this specific case. And
then you get a new AP that sends the mac address with different
delimiters. Or even worse - no delimiters at all. What then?

Don't go the route that will fail you in the future. Create a solution
that will work. Every time and with every equipment. That means creating
additional user entry where username will be mac address; mac address in
the database shouldn't have delimiters (both as usernames and ones
stored as calling station ids in user profile); you should rewrite mac
address format(s) matching usernames and calling station ids and strip
out delimiters from them in hints file. That's what you should do.

Ivan Kalik
Kalik Informatika ISP

On 16/12/2008, "Nataniel Klug" wrote:

Leigh and Ivan,

I have a system that works on my WISP and this program is not hackable
(economic reasons -- this would cost too much to alter). As I already
have all my clients' MAC addresses in the radcheck table (as a value for
Calling-Station-Id) why can't I use this MAC to authenticate it in my
NAS/AP? This is my question. Why can't I look for the MAC in another
column besides the "Username" column? There should be some cheaper way for me...

Leigh Martell wrote:

I completely agree with you! I am still curious to why adding a user
is not an option though. Hopefully we will be "enlightened" as to why
it is not an option.

2008/12/15 <t...@kalik.net>

- hack your radius server?

- hack your user admin application?

It is credit to the quality and flexibility of Freeradius that messing
with the radius server comes up as an option at all.

Ivan Kalik
Kalik Informatika ISP


  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
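
One way to do what Ivan and Alan describe in this thread (walk the existing radcheck rows, strip the delimiters and add each MAC as its own username, without creating duplicates), as an added example that is not part of any poster's message. The radcheck columns and the first two sample rows follow the table shown in the thread; the other rows, the function names and the shared password are constructed, SQLite stands in for MySQL, and the server is assumed to rewrite the incoming User-Name to the same delimiter-free form.

```python
import re
import sqlite3

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[:\-.\s]", "", text.strip().lower())
    return digits if _HEX12.match(digits) else None


def add_mac_users(conn, shared_password):
    """Add one Cleartext-Password row per known MAC, with the MAC as username.

    Reads the MACs already stored as Calling-Station-Id check items.
    Returns (number_inserted, [(owner, raw_value), ...] that were not MACs).
    Running it twice inserts nothing the second time.
    """
    rows = conn.execute(
        "SELECT username, value FROM radcheck "
        "WHERE attribute = 'Calling-Station-Id' ORDER BY id"
    ).fetchall()
    inserted, skipped = 0, []
    for owner, raw in rows:
        mac = normalize_mac(raw)
        if mac is None:
            skipped.append((owner, raw))  # leave for manual clean-up
            continue
        exists = conn.execute(
            "SELECT 1 FROM radcheck "
            "WHERE username = ? AND attribute = 'Cleartext-Password'",
            (mac,),
        ).fetchone()
        if exists:
            continue
        conn.execute(
            "INSERT INTO radcheck (username, attribute, op, value) "
            "VALUES (?, 'Cleartext-Password', ':=', ?)",
            (mac, shared_password),
        )
        inserted += 1
    conn.commit()
    return inserted, skipped


def find_mac_user(conn, user_name):
    """Look up a MAC sent as User-Name, whatever delimiters the AP used."""
    mac = normalize_mac(user_name)
    if mac is None:
        return None
    row = conn.execute(
        "SELECT username FROM radcheck "
        "WHERE username = ? AND attribute = 'Cleartext-Password'",
        (mac,),
    ).fetchone()
    return row[0] if row else None


def build_mac_sample_db():
    """Constructed sample table; the first two rows mirror the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
        "attribute TEXT, op TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [
            ("marmatec", "Cleartext-Password", ":=", "654321"),
            ("marmatec", "Calling-Station-Id", "==", "00:19:79:0F:98:3D"),
            ("client-b", "Calling-Station-Id", "==", "00-15-AF-6B-E0-E2"),
            ("client-c", "Calling-Station-Id", "==", "0015.af6b.e0e3"),
            ("client-d", "Calling-Station-Id", "==", "not-a-mac"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_mac_sample_db()
    print(add_mac_users(db, "placeholder-shared-password"))
    print(find_mac_user(db, "0019790F983D"))
```
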

Re: MAC Auth (new problem)

2008-12-16 Thread Nataniel Klug
I would like to have this easy configuration but this is not possible at 
the moment. Lazy = spend a lot of money... yes I am lazy... ;)


t...@kalik.net wrote:

I can't possibly imagine that there can be any reason for not adding mac
address as another user apart from being lazy.

Ivan Kalik
Kalik Informatika ISP


On 16/12/2008, "Leigh Martell" wrote:


I completely agree with you! I am still curious to why adding a user is not
an option though. Hopefully we will be "enlightened" as to why it is not an
option.

2008/12/15 



To be fair, there probably is a way to create an unlang hack (are we
going to advocate unlang auth now) that can tie up mac address from the
user entry with the one in the mac auth request (regexp check if
username is mac address; if it is see if there is such mac address in
the database and force Auth-Type Accept; there was some mention of the
password, but that can be sorted as well) without breaking everything
else on the server.

But why? If you can create user entry and add mac address as an attribute
value it requires minimal effort on user admin side to create an entry
with mac address as username value at the same time. A simple additional
insert. Even if it is a closed code solution that you can't change, you
can always make two entries - one for the user as username and one with
mac address as username.

Be honest, if your user admin application can't do what you want, should
you:

- hack your radius server?

- hack your user admin application?

It is credit to the quality and flexibility of Freeradius that messing
with the radius server comes up as an option at all.

Ivan Kalik
Kalik Informatika ISP

On 15/12/2008, "Leigh Martell" wrote:

Well that's not entirely true; you can create an association table (if that's
the right term) which has id, username, mac and then edit your query with
some joins and additional magic...I would not suggest this but it is
possible, just very messy. I would highly recommend doing this the
traditional way...at least if you value your sanity ;-).

--
Leigh

On Mon, Dec 15, 2008 at 4:22 PM,  wrote:



In my case I can't look for MAC in Username field and I have to look for
that mac in Value field. I hope there is a way to make this happen.

You don't seem to get the problem. You have set up your AP to do mac
authentication. When you do that, mac address is sent in the username
field. If you don't want that, don't set your AP to do mac auth. Set
it to do user authentication. When you are doing user auth, mac address
should appear as Calling-Station-Id (should).

There is *nothing* you can do in freeradius that will make your AP do
this. You have to configure the AP to do that.

Ivan Kalik
Kalik Informatika ISP


Re: MAC Auth (new problem)

2008-12-15 Thread Nataniel Klug

Leigh and Ivan,

I have a system that works on my WISP and this program is not hackable 
(economic reasons -- this would cost too much to alter). As I already 
have all my clients' MAC addresses in the radcheck table (as a value for 
Calling-Station-Id) why can't I use this MAC to authenticate it in my 
NAS/AP? This is my question. Why can't I look for the MAC in another 
column besides the "Username" column? There should be some cheaper way for me...


Leigh Martell wrote:
I completely agree with you! I am still curious to why adding a user 
is not an option though. Hopefully we will be "enlightened" as to why 
it is not an option.


2008/12/15 <t...@kalik.net>

- hack your radius server?

- hack your user admin application?

It is credit to the quality and flexibility of Freeradius that messing
with the radius server comes up as an option at all.

Ivan Kalik
Kalik Informatika ISP





Re: MAC Auth (new problem)

2008-12-15 Thread Nataniel Klug

Ivan,

In my case I can't look for MAC in Username field and I have to look for 
that mac in Value field. I hope there is a way to make this happen.


t...@kalik.net wrote:

I am not wanting to do MAC filtering from the ap.. That is why it is not in
the username FIELD




Ahem:

rad_recv: Access-Request packet from host 172.30.0.165 port 6001, id=3, length=69

   User-Name = "00:19:79:0F:98:3D"
   User-Password = "cnett1298"
   NAS-IP-Address = 172.30.0.165
   NAS-Port = 0

So what is in the username field then? You might not want to - but your
NAS does. You are doing MAC authentication (or filtering if you like
that term better). When you do that, mac address is sent as username.
Perhaps you should read your NAS manual and learn how to use the
equipment.

Ivan Kalik
Kalik Informatika ISP


Re: MAC Auth (new problem)

2008-12-15 Thread Nataniel Klug

And how many times do I have to say: I CAN'T PUT MAC IN USERNAME FIELD!

You are always helping people here but, if you can't, don't answer being 
rude!


t...@kalik.net wrote:

I can just throw it away... and I still need this to work. There should
be some way to make this happen...




How many times does someone need to tell you: PUT MAC ADDRESS AS USERNAME
IN RADCHECK TABLE!

Ivan Kalik
Kalik Informatika ISP


Re: MAC Auth (new problem)

2008-12-15 Thread Nataniel Klug

Ivan,

I can just throw it away... and I still need this to work. There should 
be some way to make this happen...


t...@kalik.net wrote:


Let's try again: put the mac address in to the radcheck table as UserName
field. Without that mac authentication is not going to work. If your
"administration system" has something against it, throw it away and
write another one yourself. Or use dialup admin (comes with the server)
or something like daloRadius.

Ivan Kalik
Kalik Informatika ISP


Re: Two servers using virtualization

2008-12-15 Thread Nataniel Klug

Ivan,

This is not possible because of an administrative system that I use. I 
have to set two separated radius servers for this.


t...@kalik.net wrote:
   My problem is that I need to control my clients MAC address that 
will connect into my APs. My AP will send it package like this to radius:


Mon Dec 15 14:38:25 2008 : Auth: Login incorrect: 
[00:15:AF:6B:E0:E2/password] (from client ap2000 port 0)


   MAC address I already have into my mysql tables and password is the 
same for every mac. I just need to run another FreeRadius server on the 
same machine listening on another port (for auth and acco) and this new 
server should use another SQL instance.



Why. Just put those mac addresses as usernames in your radcheck table. No
need for another radius or sql server instance.


Ivan Kalik
Kalik Informatika ISP


MAC Auth (new problem)

2008-12-15 Thread Nataniel Klug

   Hello all,

   A new problem on my Radius tryout... Now I can't authorize my MAC 
clients. This is how it gets into my server:


Listening on authentication address 172.30.0.27 port 1812 as server ppp
Listening on accounting address 172.30.0.27 port 1813 as server ppp
Listening on authentication address 172.30.0.27 port 1814 as server proxim
Ready to process requests.
rad_recv: Access-Request packet from host 172.30.0.165 port 6001, id=3, length=69

   User-Name = "00:19:79:0F:98:3D"
   User-Password = "cnett1298"
   NAS-IP-Address = 172.30.0.165
   NAS-Port = 0
server proxim {
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "00:19:79:0F:98:3D", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql_ap2000]expand: %{User-Name} -> 00:19:79:0F:98:3D
[sql_ap2000] sql_set_user escaped user --> '00:19:79:0F:98:3D'
rlm_sql (sql_ap2000): Reserving sql socket id: 4
[sql_ap2000]expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE value = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE value = '00:19:79:0F:98:3D'   ORDER BY id
[sql_ap2000]expand: SELECT groupname   FROM usergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM usergroup   WHERE username = '00:19:79:0F:98:3D'   ORDER BY priority
rlm_sql (sql_ap2000): Released sql socket id: 4
[sql_ap2000] User 00:19:79:0F:98:3D not found
++[sql_ap2000] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

Failed to authenticate the user.
Login incorrect: [00:19:79:0F:98:3D/cnett1298] (from client ap2000 port 0)
} # server proxim
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 3 to 172.30.0.165 port 6001
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +29
Ready to process requests.

   This user (MAC) exists and its in radcheck like this:

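mysql> SELECT * FROM radcheck WHERE Username="marmatec";
+------+----------+--------------------+----+-------------------+--------+------+
| id   | UserName | Attribute          | op | Value             | numero | obs  |
+------+----------+--------------------+----+-------------------+--------+------+
|  796 | marmatec | Cleartext-Password | := | 654321            | 00923  |      |
| 1886 | marmatec | Calling-Station-Id | == | 00:19:79:0F:98:3D | 00923  | NULL |
+------+----------+--------------------+----+-------------------+--------+------+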

   On mysql/sql/ap2000.conf (copy of dialup.conf file) I just changed 
this on authorize section:


 WHERE value = '%{SQL-User-Name}' \

   I really don't know how to make this work. Can someone help me?



Re: Two servers using virtualization

2008-12-15 Thread Nataniel Klug
Hello all,

Just to tell that I had this working. I was not reading sites-available as I
should. Now it is working... Now I will start editing mysql/dialup.conf to
use my system... Thanks all!

2008/12/15 Nataniel Klug 

>   Hello all,
>
>   Am using freeradius as my network AAA. For now it is working fine but now
> I get into a need that I could not solve. I have a small WISP and I use
> radius to authenticate/account my PPPoE/Hotspot clients. This works fine
> using MySQL.
>
>   My problem is that I need to control my clients MAC address that will
> connect into my APs. My AP will send it package like this to radius:
>
> Mon Dec 15 14:38:25 2008 : Auth: Login incorrect:
> [00:15:AF:6B:E0:E2/password] (from client ap2000 port 0)
>
>   MAC address I already have into my mysql tables and password is the same
> for every mac. I just need to run another FreeRadius server on the same
> machine listening on another port (for auth and acco) and this new server
> should use another SQL instance.
>
>   Is this possible?
>


-- 
Regards,

Nataniel Klug
n...@cnett.com.br

Two servers using virtualization

2008-12-15 Thread Nataniel Klug

   Hello all,

   Am using freeradius as my network AAA. For now it is working fine 
but now I get into a need that I could not solve. I have a small WISP 
and I use radius to authenticate/account my PPPoE/Hotspot clients. This 
works fine using MySQL.


   My problem is that I need to control my clients MAC address that 
will connect into my APs. My AP will send it package like this to radius:


Mon Dec 15 14:38:25 2008 : Auth: Login incorrect: [00:15:AF:6B:E0:E2/password] (from client ap2000 port 0)


   MAC address I already have into my mysql tables and password is the 
same for every mac. I just need to run another FreeRadius server on the 
same machine listening on another port (for auth and acco) and this new 
server should use another SQL instance.


   Is this possible?



Making each virtual server have their own sql.conf file

2008-09-10 Thread Nataniel Klug

   Hello all,

   Here I am again. I need to make that every virtual server I have 
running look for its data on different mysql database and tables. For 
this I need to set up each virtual server to look into its own 
sql.conf... I could not find any doc about this.


PS.: Why, even if a client gets rejected by the server, does the server still 
send a reply like this:

Sending Access-Reject of id 138 to 127.0.0.1 port 44881
  Mikrotik-Rate-Limit = "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"


   Waiting for some tips...



Re: ***SPAM*** Re: How to modify dialup.conf for each virtual server?

2008-09-10 Thread Nataniel Klug

Ok... Thank you Ivan.

[EMAIL PROTECTED] wrote:

Yes. Create multiple sql instances. List the name of the instance you
want to use in place of "sql" in appropriate sections (authorize,
accounting, post-auth, etc.).

Ivan Kalik
Kalik Informatika ISP


On 9/9/2008, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:

  

Thanks Ivan.

Another question: is there any way to have one database for each virtual
server?





Re: ***SPAM*** Re: How to modify dialup.conf for each virtual server?

2008-09-09 Thread Nataniel Klug

Thanks Ivan.

Another question: is there any way to have one database for each virtual 
server?


[EMAIL PROTECTED] wrote:

Can't I change the way it looks into MySQL table? Even this coming
with User-Name I can't look for the value in another field? This is a
MySQL query, not the way it came... i hope... :)


You have three options:

- fill your database with (useless) data and try to change rlm_sql code
and queries in order to match up requests and data. Don't expect much
help there - if you want to customize the database you should know what
you are doing. It is quite likely that this will render that sql
instance (and possibly whole sql module) useless for any other request
apart from mac auth.

You will need to:

rewrite value of User-Name into Calling-Station-Id

pull new User-Name from the database (WHERE
Attribute='Calling-Station-Id' and Value='%{User-Name}')

fix code in rlm_sql where this breaks it

or:

- authenticate with a special script (perl or such). Adjust queries for
this type of authentication as much as you like without affecting other
authentication types. You can use multiple queries to match up data and
request. Easier and more sensible than above.

or:

- fill your database with correct data - what you expect to come in
User-Name field should be used as UserName etc. No adjustments needed.
mac auth works together with other authentication types.

Take your pick.

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
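Ivan's third option (key the radcheck rows on what the AP actually sends in User-Name, i.e. the MAC, with Auth-Type := Accept or Reject) can be prepared with a small conversion script. This is an added example, not code from the thread or from FreeRADIUS; the row layout follows the radcheck tables quoted in these messages, while the sample rows, the helper names `normalize_mac` and `build_mac_rows` and the lower-case MAC format are assumptions.

```python
import re

# Constructed sample in the (id, UserName, Attribute, op, Value) layout of the
# radcheck tables quoted in this thread; password values are placeholders.
ACCOUNT_ROWS = [
    (1613, "nataniel", "MD5-Password", ":=", "X"),
    (1656, "nataniel", "Calling-Station-Id", "==", "AA:AA:AA:AA:AA:AA"),
    (1657, "nataniel", "Auth-Type", ":=", "Reject"),
    (796, "marmatec", "Cleartext-Password", ":=", "X"),
    (1886, "marmatec", "Calling-Station-Id", "==", "00:19:79:0F:98:3D"),
    (2001, "example", "Calling-Station-Id", "==", "not-a-mac"),
]


def normalize_mac(value):
    """Return the MAC as lower-case, colon-separated hex or raise ValueError.

    Assumption: the AP sends the MAC in this form in User-Name; adjust the
    output format if your NAS uses another one.
    """
    compact = re.sub(r"[-:.]", "", value.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", compact):
        raise ValueError("not a MAC address: %r" % value)
    compact = compact.lower()
    return ":".join(compact[i:i + 2] for i in range(0, 12, 2))


def build_mac_rows(account_rows):
    """Derive MAC-keyed radcheck rows from account-keyed ones.

    Returns (rows, skipped): rows are (UserName, Attribute, op, Value) tuples
    with the MAC as UserName; skipped lists (account, bad_value) pairs.
    """
    macs, blocked = {}, set()
    for _id, user, attribute, _op, value in account_rows:
        if attribute == "Calling-Station-Id":
            macs.setdefault(user, []).append(value)
        elif attribute == "Auth-Type" and value == "Reject":
            blocked.add(user)  # a blocked account blocks its MACs too

    rows, skipped = [], []
    for user, values in macs.items():
        for value in values:
            try:
                mac = normalize_mac(value)
            except ValueError:
                skipped.append((user, value))
                continue
            verdict = "Reject" if user in blocked else "Accept"
            rows.append((mac, "Auth-Type", ":=", verdict))
    return rows, skipped


if __name__ == "__main__":
    new_rows, bad = build_mac_rows(ACCOUNT_ROWS)
    for row in new_rows:
        print("radcheck row:", row)
    for user, value in bad:
        print("skipped %s: %r" % (user, value))
```

Rows that fail validation are reported instead of being written, so a malformed Calling-Station-Id never turns into an Accept entry.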

Re: How to modify dialup.conf for each virtual server?

2008-09-09 Thread Nataniel Klug
Can't I change the way it looks into MySQL table? Even this coming 
with User-Name I can't look for the value in another field? This is a 
MySQL query, not the way it came... i hope... :)


[EMAIL PROTECTED] wrote:

Well, you don't have much say in this because NAS sends it that way:

rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69
   User-Name = "00:19:79:0f:98:3d"
   User-Password = "wireless"
   NAS-IP-Address = 172.30.0.142
   NAS-Port = 0

You see what is in the User-Name field? That's how mac authentication
works.

Ivan Kalik
Kalik Informatika ISP


On 8/9/2008, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:

Ivan,

I can't use User-Name as MAC because this is being used by another
system I run... I just need to change some settings in dialup.conf to
meet my requirements, all said in other message.

[EMAIL PROTECTED] wrote:


In mac authentication mac address is sent as User-Name not
Calling-Station-Id. You don't have to make any changes to dialup.conf -
just use database properly:

username: AA:AA:AA:AA:AA:AA
attribute: Auth-Type
op: :=
Value: Accept or Reject

Ivan Kalik
Kalik Informatika ISP
  


Re: How to modify dialup.conf for each virtual server?

2008-09-08 Thread Nataniel Klug

Ivan,

I can't use User-Name as MAC because this is being used by another 
system I run... I just need to change some settings in dialup.conf to 
meet my requirements, all said in other message.


[EMAIL PROTECTED] wrote:

In mac authentication mac address is sent as User-Name not
Calling-Station-Id. You don't have to make any changes to dialup.conf -
just use database properly:

username: AA:AA:AA:AA:AA:AA
attribute: Auth-Type
op: :=
Value: Accept or Reject

Ivan Kalik
Kalik Informatika ISP




How to modify dialup.conf for each virtual server?

2008-09-08 Thread Nataniel Klug

   Hello again,

   Now I have the other question I told in the post before. I have some 
equipment (wireless) that authenticate the wireless client using MAC 
over my radius database. I want that in one of my virtual servers I have 
this kind of authentication. I need it to check MAC address that is, 
already, in my radcheck table. This is a common user setup into radcheck 
table:


+------+----------+--------------------+----+-------------------+--------+------+
| id   | UserName | Attribute          | op | Value             | numero | obs  |
+------+----------+--------------------+----+-------------------+--------+------+
| 1613 | nataniel | MD5-Password       | := | X                 | 01046  |      |
| 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046  | NULL |
+------+----------+--------------------+----+-------------------+--------+------+

   So, MAC Address is set as "Calling-Station-Id". This is ok for my 
PPPoE setup but for my access points this is not ok. I need my access 
point to verify if this MAC here is well listed and not blocked. I use 
this to block:


+------+----------+--------------------+----+-------------------+--------+------+
| id   | UserName | Attribute          | op | Value             | numero | obs  |
+------+----------+--------------------+----+-------------------+--------+------+
| 1613 | nataniel | MD5-Password       | := | X                 | 01046  |      |
| 1656 | nataniel | Calling-Station-Id | == | AA:AA:AA:AA:AA:AA | 01046  | NULL |
| 1657 | nataniel | Auth-Type          | := | Reject            | 01046  | NULL |
+------+----------+--------------------+----+-------------------+--------+------+

   I have to change dialup.conf to meet this options and return to my 
access point. This is a common query coming from one of my APs:


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.30.0.142 port 6001, id=1, length=69
   User-Name = "00:19:79:0f:98:3d"
   User-Password = "wireless"
   NAS-IP-Address = 172.30.0.142
   NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
   rlm_realm: No '@' in User-Name = "00:19:79:0f:98:3d", looking up realm NULL
   rlm_realm: No such realm "NULL"
++[suffix] returns noop
   expand: %{User-Name} -> 00:19:79:0f:98:3d
rlm_sql (sql): sql_set_user escaped user --> '00:19:79:0f:98:3d'
rlm_sql (sql): Reserving sql socket id: 4
   expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '00:19:79:0f:98:3d'   ORDER BY id
   expand: SELECT groupname   FROM usergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM usergroup   WHERE username = '00:19:79:0f:98:3d'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User 00:19:79:0f:98:3d not found
++[sql] returns notfound
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
 Found Post-Auth-Type Reject
 WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 1 to 172.30.0.142 port 6001
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 1 with timestamp +274
Ready to process requests.


   So, where I see "WHERE username = '00:19:79:0f:98:3d' " it should be 
Attribute. But I need to be sure that this client is not rejected 
somewhere in the database.


   Can someone help me? I am not a guru of mysql but I can try some 
changes... ;)





Re: Unknown value specified for Post-Auth-Type

2008-09-08 Thread Nataniel Klug

Can't understand what you mean? Copy what? Copy Where?

[EMAIL PROTECTED] wrote:

Virtual servers included with the server *do* have post-auth type Reject
which filters out reply attributes. Copy it into yours.

Ivan Kalik
Kalik Informatika ISP


On 8/9/2008, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:

  

   Hello all,

   I am running new 2.0.5 freeradius with mysql... This is running 
fine. I am trying to configure virtual servers but this is another 
question. I am testing this new version and I found this log (using 
radiusd -X):


auth: Failed to validate the user.
 Found Post-Auth-Type Reject
 WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 138 to 127.0.0.1 port 44881
   Mikrotik-Rate-Limit = "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"


   This only occurs when my client tries to authenticate using wrong 
password. The Mikrotik-Rate-Limit should only be sent when a client uses 
right calling-station-id, username and password. Anyone know how to make 
this option do not be sent when there is an error in client password?



Unknown value specified for Post-Auth-Type

2008-09-08 Thread Nataniel Klug

   Hello all,

   I am running new 2.0.5 freeradius with mysql... This is running 
fine. I am trying to configure virtual servers but this is another 
question. I am testing this new version and I found this log (using 
radiusd -X):


auth: Failed to validate the user.
 Found Post-Auth-Type Reject
 WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 138 to 127.0.0.1 port 44881
   Mikrotik-Rate-Limit = "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"


   This only occurs when my client tries to authenticate using wrong 
password. The Mikrotik-Rate-Limit should only be sent when a client uses 
right calling-station-id, username and password. Anyone know how to make 
this option do not be sent when there is an error in client password?



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
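A check for the symptom reported in this thread, as an added example that is not part of the original posts or of FreeRADIUS: it scans `radiusd -X` output for Access-Reject packets that still carry reply attributes such as Mikrotik-Rate-Limit. The sample log is constructed from the lines quoted above, and the allow-list of attributes tolerated in a reject is an assumption.

```python
import re

# Constructed sample modelled on the `radiusd -X` excerpts quoted in this thread.
SAMPLE_DEBUG = """\
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Sending Access-Reject of id 138 to 127.0.0.1 port 44881
        Mikrotik-Rate-Limit = "100k/200k 200k/400k 80k/160k 180/180 8 60k/120k"
Finished request 0.
Sending Access-Reject of id 1 to 172.30.0.142 port 6001
Finished request 1.
Sending Access-Accept of id 7 to 172.30.0.142 port 6001
        Mikrotik-Rate-Limit = "100k/200k"
Finished request 2.
"""

SEND_RE = re.compile(
    r"^Sending (?P<code>Access-\w+) of id (?P<id>\d+) to (?P<host>\S+) port \d+")
ATTR_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9-]+) = (?P<value>.*)$")

# Assumption: attributes a reject may legitimately carry (RFC 2865 / RFC 3579).
ALLOWED_IN_REJECT = {"Reply-Message", "Proxy-State",
                     "EAP-Message", "Message-Authenticator"}


def parse_sent_packets(debug_text):
    """Return one dict per 'Sending Access-*' record with its attribute names.

    Attributes are the indented 'Name = value' lines that directly follow the
    'Sending' line; the first other line ends the packet. A value wrapped by a
    mail client onto the next line therefore ends the packet early, but the
    attribute name itself has already been recorded.
    """
    packets, current = [], None
    for line in debug_text.splitlines():
        sent = SEND_RE.match(line)
        if sent:
            current = {"code": sent["code"], "id": int(sent["id"]),
                       "host": sent["host"], "attrs": []}
            packets.append(current)
            continue
        attr = ATTR_RE.match(line) if current is not None else None
        if attr:
            current["attrs"].append(attr["name"])
        else:
            current = None
    return packets


def find_leaky_rejects(debug_text, allowed=ALLOWED_IN_REJECT):
    """List Access-Reject packets that carry attributes outside the allow-list."""
    findings = []
    for pkt in parse_sent_packets(debug_text):
        if pkt["code"] != "Access-Reject":
            continue
        extra = [name for name in pkt["attrs"] if name not in allowed]
        if extra:
            findings.append({"id": pkt["id"], "host": pkt["host"], "attrs": extra})
    return findings


if __name__ == "__main__":
    for finding in find_leaky_rejects(SAMPLE_DEBUG):
        print("Access-Reject id %(id)d to %(host)s carries %(attrs)s" % finding)
```

Running it again after a Post-Auth-Type Reject section that filters reply attributes is in place should produce no findings for the same failed login.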


Re: ***SPAM*** Re: Two radius server on same machine

2008-09-05 Thread Nataniel Klug

Hoggins,

So I was looking for the wrong word... it is virtualization... I will 
look for it.


Hoggins! wrote:

Hello.

If I'm right, there's a 2.x.x feature that allows to run several 
virtual servers on the same machine. So you can configure the same 
service to listen on different ports and to behave differently. I 
believe it is well documented, though.


Nataniel Klug wrote:

   Hello all,

   I am trying to find some info about running two freeradius servers 
(on different ports) in the same machine. Can someone help me? I 
couldn't find any info...






Two radius server on same machine

2008-09-05 Thread Nataniel Klug

   Hello all,

   I am trying to find some info about running two freeradius servers 
(on different ports) in the same machine. Can someone help me? I 
couldn't find any info...




Re: NAS restart without proper client logout on radius (mysql)

2007-07-17 Thread Nataniel Klug

Hi Ivan,

Now you get where I want to... I use Mikrotik RouterOS as NAS... What do 
you do when you need to reboot your Mikrotik?


[EMAIL PROTECTED] wrote:

I don't think things like Mikrotik and Chillispot send such packets.
I've never seen one from our Mikrotik which is rebooted once every week
or two. I've never seen one from our Cisco either but that's because
it hasn't been rebooted in last 18 months ;-)

Ivan Kalik
Kalik informatika ISP


On 16/7/2007, "Hugh Messenger" <[EMAIL PROTECTED]> wrote:

[EMAIL PROTECTED] said:

On 16/7/2007, "Nataniel Klug" <[EMAIL PROTECTED]> wrote:

  

   Hello all,

   I have a question: when a nas restart without sending client logout
to the freeradius server the clients stay connected in radacct table
(AcctStopTime=0). What can I do to solve this kind of problem? What
could happen is that when a nas reboot my clients keep logged and when
the nas start again they will get "You are already logged in"
(simultaneous-use).



If they are getting that message then nastype in clients.conf is set to
"other" which disables checkrad script and the checks are made only
against the database. Change the nastype to the vendor of your NAS (if
it is supported). Or simply delete all open entries older than the time
your NAS rebooted.
  

Shouldn't the NAS send one or both of accounting off/on, which (if the
accounting_onoff_query is defined correctly) should set the AcctStopTime to
"now()" (or %S depending on flavor)?



Ivan Kalik
Kalik Informatika ISP
  

  -- hugh





--
This message has been checked by antivirus and antispam
and is believed to be neither of the two.

Cyber Nett e-mail system - v2.0


  



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
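What the replies in this thread describe (clearing the sessions a rebooted NAS left open, which is also what an Accounting-On/Off packet is meant to trigger) is shown here against a reduced radacct table. This is an added example, not FreeRADIUS code or a query from the thread: it uses an in-memory SQLite table with only the columns needed, epoch integers with 0 meaning "still open", constructed rows and a hypothetical `close_stale_sessions` helper, and it closes the stale rows rather than deleting them so the accounting history is kept.

```python
import sqlite3

SCHEMA = """
CREATE TABLE radacct (
    RadAcctId          INTEGER PRIMARY KEY,
    UserName           TEXT NOT NULL,
    NASIPAddress       TEXT NOT NULL,
    AcctStartTime      INTEGER NOT NULL,
    AcctStopTime       INTEGER NOT NULL DEFAULT 0,   -- 0 = session still open
    AcctTerminateCause TEXT NOT NULL DEFAULT ''
)
"""

# Constructed rows: (UserName, NASIPAddress, AcctStartTime, AcctStopTime)
SAMPLE_ROWS = [
    ("alice", "172.30.0.142", 1000, 0),     # open, started before the reboot
    ("bob",   "172.30.0.142", 1500, 0),     # open, started before the reboot
    ("carol", "172.30.0.142", 2100, 0),     # open, logged in after the reboot
    ("dave",  "172.30.0.165", 1200, 0),     # open, but on a different NAS
    ("erin",  "172.30.0.142",  900, 1100),  # already closed normally
]


def make_db(rows=SAMPLE_ROWS):
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (UserName, NASIPAddress, AcctStartTime, AcctStopTime)"
        " VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def close_stale_sessions(conn, nas_ip, reboot_time):
    """Close sessions this NAS left open when it rebooted; return how many.

    Only rows for the given NAS that are still open and started at or before
    the reboot are touched, so logins made after the reboot stay open.
    """
    cur = conn.execute(
        "UPDATE radacct"
        "   SET AcctStopTime = ?, AcctTerminateCause = 'NAS-Reboot'"
        " WHERE NASIPAddress = ? AND AcctStopTime = 0 AND AcctStartTime <= ?",
        (reboot_time, nas_ip, reboot_time))
    conn.commit()
    return cur.rowcount


def open_sessions(conn, username):
    """Number of open sessions that a simultaneous-use check would count."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (username,)).fetchone()
    return count


if __name__ == "__main__":
    db = make_db()
    print("closed:", close_stale_sessions(db, "172.30.0.142", 2000))
    for name in ("alice", "bob", "carol", "dave"):
        print(name, "open sessions:", open_sessions(db, name))
```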

NAS restart without proper client logout on radius (mysql)

2007-07-16 Thread Nataniel Klug
Hello all,

I have a question: when a nas restart without sending client logout 
to the freeradius server the clients stay connected in radacct table 
(AcctStopTime=0). What can I do to solve this kind of problem? What 
could happen is that when a nas reboot my clients keep logged and when 
the nas start again they will get "You are already logged in" 
(simultaneous-use).



Re: FreeRadius MySQL -> Logs (where they are?)

2007-07-16 Thread Nataniel Klug

Thanks Alan,

I found the solution.

Alan DeKok wrote:

Nataniel Klug wrote:
  

Yes, I know that this kind of log is put in /var/log/radius/radius.log.
The problem is that they are not being logged there.



  If the server starts, it prints text to that file.  If the file is
empty, the server isn't running as a daemon.

  If you're running in debugging mode, all output goes to the screen.

  Alan DeKok.

Re: FreeRadius MySQL -> Logs (where they are?)

2007-07-16 Thread Nataniel Klug

Hello Alan,

Yes, I know that this kind of log is put in /var/log/radius/radius.log. 
The problem is that they are not being logged there. It's a configuration 
in radiusd.conf? I could not find this... Can you tell me what tag?


Alan DeKok wrote:

Nataniel Klug wrote:
  
I have configured my FreeRadius server to auth my clients over a 
MySQL table. The problem is that I do not have any more logs (like wrong 
login attempts). The detailed log is being done into a MySQL table named 
radacct (and works fine to block simultaneous use) but the problem is 
that I can't see anymore why a login attempt gets rejected.


Can someone tell me where to look?



  The logs are put in the file "radius.log", not in SQL.  See radiusd.conf.

  Alan DeKok.

FreeRadius MySQL -> Logs (where they are?)

2007-07-16 Thread Nataniel Klug
Hello all,

I have configured my FreeRadius server to auth my clients over a 
MySQL table. The problem is that I do not have any more logs (like wrong 
login attempts). The detailed log is being done into a MySQL table named 
radacct (and works fine to block simultaneous use) but the problem is 
that I can't see anymore why a login attempt gets rejected.

Can someone tell me where to look?



Re: FreeRadius + MySQL - Crypt-Passwrd in radcheck table

2007-02-19 Thread Nataniel Klug

Hi Alan,

This is me again asking for help and you are here to help. So you think 
that plain text is not insecure? I was thinking about it and if my SQL 
system is secure, so my tables will be secure too. But, when a client 
sends a package in my network, someone else can see this with a spoofing 
software?


So using version 1.1.4 I could not compile it to use MySQL. It always 
says that there is no rlm_sql library. I tried many times, but 
nothing... Unfortunately the documentation is mostly useless or spare...


Thank you for your time.

Alan DeKok wrote:

Nataniel Klug wrote:
  

Into radcheck table I have:

mysql> SELECT * FROM radcheck;
+----+----------+----------------+----+----------------------------------+
| id | UserName | Attribute      | op | Value                            |
+----+----------+----------------+----+----------------------------------+
|  1 | teste    | Crypt-Password | == | 42cbf4730aeac1d645324d4818104826 |
+----+----------+----------------+----+----------------------------------+



  Use ':=', not '=='.  See the rlm_sql documentation for why.

  
The password was encrypted using PHP MD5 command and should be 8872. 
But when I use a radtest command the response of my Radius is:



  Hmm.. Crypt-Password is for Unix crypt'd passwords, not MD5 hashed
passwords.

  
I made the same in debug mode and radius just not get the password. 
I think it is not testing the 8872 password to see if it matches the MD5 
crypt. I tried with "42cbf4730aeac1d645324d4818104826" as a password and 
it returned OK for the request. How can I do this work? I need that into 
MySQL table I have a crypted password (for security reasons)



  I disagree, but that's another story.

  
and I need 
that my clients can put a simple text password.



  In 1.1.4, you can put this into SQL:

Password-With-Header := "{md5}42cbf4730aeac1d645324d4818104826"

  That should work with the default config.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
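Alan's two points in this thread (the operator is `:=`, and a hashed value needs a header naming its scheme so the server hashes the submitted clear-text password the same way) are shown here as an added example; it is not FreeRADIUS code or anything posted in the thread. The helper names, the salted `{ssha}` variant and the check routine are assumptions for illustration, and "8872" is the test password mentioned in the question.

```python
import base64
import hashlib
import hmac
import os
import re


def make_md5_header(password):
    """Unsalted MD5 in hex behind a {md5} header, as in the reply above."""
    return "{md5}" + hashlib.md5(password.encode()).hexdigest()


def make_ssha_header(password, salt=None):
    """Salted SHA-1 (LDAP-style SSHA): base64(sha1(password + salt) + salt).

    Assumption: the server accepts the {ssha} header. A per-user random salt
    means equal passwords no longer produce equal stored values.
    """
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode()


def radcheck_row(username, header_value):
    """(UserName, Attribute, op, Value) row; the thread's advice is ':=', not '=='."""
    return (username, "Password-With-Header", ":=", header_value)


def verify(stored, submitted):
    """Check a clear-text password against a '{scheme}value' string.

    The header selects the algorithm; the submitted password is hashed and the
    digests are compared in constant time. The stored hash itself is never
    accepted as a password.
    """
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.+)", stored)
    if not m:
        raise ValueError("missing {scheme} header")
    scheme, body = m.group(1).lower(), m.group(2)
    pw = submitted.encode()
    if scheme == "md5":
        # Accept hex (32 chars) or base64 encoding of the 16-byte digest.
        want = bytes.fromhex(body) if len(body) == 32 else base64.b64decode(body)
        return hmac.compare_digest(want, hashlib.md5(pw).digest())
    if scheme == "ssha":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme: " + scheme)


if __name__ == "__main__":
    header = make_md5_header("8872")
    print(radcheck_row("teste", header))
    print("clear-text password accepted:", verify(header, "8872"))
    print("hash sent as password accepted:", verify(header, header[5:]))
    print(radcheck_row("teste", make_ssha_header("8872")))
```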

FreeRadius + MySQL - Crypt-Passwrd in radcheck table

2007-02-18 Thread Nataniel Klug
Hello people,

I am using freeradius-1.0.1-3.RHEL4.3 and 
freeradius-mysql-1.0.1-3.RHEL4.3 on a CentOS 4.4 server but I am stuck 
on a problem. I have made my FreeRadius works great using MySQL but I 
could not make it uses Crypt-Password.

Into radcheck table I have:

mysql> SELECT * FROM radcheck;
+----+----------+----------------+----+----------------------------------+
| id | UserName | Attribute      | op | Value                            |
+----+----------+----------------+----+----------------------------------+
|  1 | teste    | Crypt-Password | == | 42cbf4730aeac1d645324d4818104826 |
+----+----------+----------------+----+----------------------------------+
1 row in set (0.00 sec)

The password was encrypted using PHP MD5 command and should be 8872. 
But when I use a radtest command the response of my Radius is:

Sun Feb 18 17:23:56 2007 : Auth: Login incorrect: [teste/8872] (from client localhost port 1812)

I made the same in debug mode and radius just not get the password. 
I think it is not testing the 8872 password to see if it matches the MD5 
crypt. I tried with "42cbf4730aeac1d645324d4818104826" as a password and 
it returned OK for the request. How can I do this work? I need that into 
MySQL table I have a crypted password (for security reasons) and I need 
that my clients can put a simple text password.

Can someone give me a hint?



Re: FreeRadius not stable on my server

2006-10-31 Thread Nataniel Klug

Hi Alan,

Thank you again for helping me, I will try to explain myself below:

Alan DeKok wrote:

Nataniel Klug <[EMAIL PROTECTED]> wrote:
  
I am having a problem: sometimes my freeradius 
get a little crazy and close some connections and other times it just 
says that the client is still connected and block the client to use 
(because of max login set to 1) like in this two situations:



  FreeRADIUS doesn't close connections.  If it blocks users, it's
because it thinks the user is still logged in.

  
Sometimes my NAS send a disconnect for the radius (I have remote logging 
and I am monitoring every step of the NAS(es) and the radius) and, for 
some reason that I could not know, this request for disconnect do not get 
into the FreeRadius. I really don't know if the radius is not receiving 
the message (for network reasons or something) or it is coming to the 
radius server but the program (radiusd) is not able to process this request.


This way the client keep logged in and, if the same client, tries to 
connect it is rejected.
What can I do to make my radius system more stable? Migrate it to a 
MySQL solution? I have about 200 login records in most usage time and a 
average of 80 all day.



  It's stable.  Migrating to MySQL won't help.  A load of 80 logins
per day is tiny, and isn't a problem.
  
I know this is very low busy for freeradius... But the problem is 
killing me.

  I think the problem is that you're not clear why the server is
behaving the way it is.  Please explain *why* you think it's
"unstable" when someone tries to log in twice, and it rejects the
second attempt.  Why do you think the server "closes connections"?
  
I am not sure what is making the problem. Thats why I came here, I need 
to know what tools can I use to identify where is the problem. The 
request from NAS to Radius I know that is coming throw my netowork and 
it is registered in my logger server. This is my network topology:


router - ns1 (logger/gw) --> nas1 (gw-int1) <--> nas2
   ns2 (radius) nas3

All the nases are sending their logs to ns1 and it logs every single try 
to disconect a client that nas sends but some of them do not get into 
radius server.

  And the "no login record" issue is the fault of the NAS.  FreeRADIUS
is just logging what the NAS sends it.  See the FAQ.
  
No logging record does not mean that the NAS send a message to remove 
some client from the "connected" and the radius look for the client but, 
when it can not be found, the radius log this message?


Thank you again.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


FreeRadius not stable on my server

2006-10-27 Thread Nataniel Klug

   Hello all,

   I am using FreeRadius to authenticate my PPPoE clients. This is the 
version I am using:


[EMAIL PROTECTED] radius]# radiusd -v
radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 20 2006 at 
08:14:50

Copyright (C) 2000-2003 The FreeRADIUS server project.

   My system uses the /etc/passwd and /etc/shadow to look for a login 
and then let that client connect to the PPPoE concentrator. I have 4 
PPPoE concentrators and I am having a problem: sometimes my freeradius 
get a little crazy and close some connections and other times it just 
says that the client is still connected and block the client to use 
(because of max login set to 1) like in these two situations:


=== NO LOGIN RECORD ===
Fri Oct 27 08:45:37 2006 : Auth: Login OK: [pauloperez] (from client ns3 
port 2846 cli 00:4F:62:02:96:00)
Fri Oct 27 08:47:09 2006 : Error: rlm_radutmp: Logout for NAS ns3 port 
2827, but no Login record
Fri Oct 27 08:47:23 2006 : Auth: Login OK: [maquiagro] (from client ns3 
port 2847 cli 00:4F:62:09:E8:BB)


Fri Oct 27 08:52:13 2006 : Auth: Login OK: [joilce] (from client ema 
port 14413 cli 00:4F:62:04:D9:5D)
Fri Oct 27 08:52:15 2006 : Error: rlm_radutmp: Logout for NAS ns3 port 
2698, but no Login record
Fri Oct 27 08:52:29 2006 : Auth: Login OK: [paulogava] (from client ns3 
port 2860 cli 00:4F:62:09:E7:8F)



=== MAX LOGIN===
Fri Oct 27 08:09:00 2006 : Auth: Multiple logins (max 1) : [carine] 
(from client ns3 port 2769 cli 00:06:F4:0A:D6:76)

Fri Oct 27 08:09:06 2006 : Auth: rlm_unix: [carine]: invalid password
Fri Oct 27 08:09:06 2006 : Auth: Login incorrect: [carine/] (from client 
ns3 port 2770 cli 00:06:F4:0A:D6:76)

Fri Oct 27 08:09:19 2006 : Auth: rlm_unix: [carine]: invalid password


   What can I do to make my radius system more stable? Migrate it to a 
MySQL solution? I have about 200 login records in most usage time and an 
average of 80 all day.


Att,

Nataniel Klug .'.


Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread Nataniel Klug

Hoercher,

Thank you so much for your time. I really think that it is a problem 
over my pppoe-server but it is something I can't change (it's embedded into 
a system box). The configuration for radius authentication is very limited.

To solve the problem I made a script on my linux box that gets info 
using net-snmp about the pppoe-users connected to the remote server. 
With this info I use "radwho" to tell me which users are in the radius 
database as "online", so with these two pieces of information I can make a script to 
differentiate the files and tell me which user is still logged in (in 
freeradius) that is not online anymore on the pppoe-server. So I use 
radzap to drop the connection and allow the same login to get online 
again (I use simultaneous use = 1).


This is not the best option, but it is working for now... ;)

Att,

Nataniel Klug .'.

> Hi,
>
> ok, sorry about that bit of levity. I meant "missing in action" in
> respect of your not connected users. As I said, freeradius doesn't
> keep some state of "connected users", if they really aren't serviced
> anymore due to whatever circumstances, it doesn't know so unless told
> by something (looks like the mentioned PPPoE server here).
>
> As you didn't provide much detail I'm left to guessing around. So I
> talked about the accounting function of freeradius as something which
> might be seen as coming near to having a state by recording
> information it *gets*.
>
> So, if you cannot find suitable information in the documentation,
> please consider asking more specifically and provide as much
> information about your problem as possible.
>
> best regards
> K. Hoercher
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
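
The reconciliation script described in the message above (NAS-side user list compared with radwho, then radzap) can lock out or wrongly release users if it trusts a single poll. This is an added sketch of the decision step only, not the poster's script: the function names, the two-run rule and the 50% threshold are assumptions, and the radwho listing is constructed.

```python
import re

# Constructed radwho listing, laid out like the one quoted elsewhere in this
# archive; the logins demo3 and demo4 are made up.
RADWHO_SAMPLE = """\
Login      Name      What  TTY  When      From      Location
pmlseng              PPP   S0   Sun 08:53 200.163.2 200.140.222.130
nataniel             PPP   S1   Sun 08:53 200.163.2 200.140.222.131
demo3                PPP   S2   Sun 08:54 200.163.2 200.140.222.132
demo4                PPP   S3   Sun 08:55 200.163.2 200.140.222.133
"""


def parse_radwho(text):
    """Return {login: port} for every session row in a radwho listing."""
    sessions = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Login":
            continue  # blank line or header
        port = next((f for f in fields[1:] if re.fullmatch(r"S\d+", f)), None)
        sessions[fields[0]] = port
    return sessions


def reconcile(radwho_text, nas_users, pending, nas_poll_ok=True,
              max_fraction=0.5):
    """Decide which session records are safe to clear.

    nas_users: logins the NAS reports as connected (for example via SNMP).
    pending:   logins that were already missing from the NAS on the last run.
    Returns (to_clear, new_pending, skipped_reason).
    """
    recorded = parse_radwho(radwho_text)
    if not nas_poll_ok:
        # A failed poll looks like "nobody is online"; never act on it.
        return [], set(pending), "NAS poll failed"
    missing = set(recorded) - set(nas_users)
    if recorded and len(missing) / len(recorded) > max_fraction:
        # Partial poll or NAS restart: leave the decision to an operator.
        return [], set(pending), "too many sessions missing"
    # Clear only records missing on two consecutive runs, so a session that
    # started between the NAS poll and the radwho run is not dropped (which
    # would let a second login past the simultaneous-use limit).
    to_clear = sorted(missing & set(pending))
    return to_clear, missing - set(to_clear), None


if __name__ == "__main__":
    online = ["pmlseng", "demo3", "demo4"]
    clear, pending, why = reconcile(RADWHO_SAMPLE, online, set())
    print("run 1:", clear, pending, why)
    print("run 2:", reconcile(RADWHO_SAMPLE, online, pending))
```

Pass the names in `to_clear` to radzap using the argument syntax of the installed FreeRADIUS version, and persist `new_pending` between runs.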


Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread Nataniel Klug

Hoercher,

I could not understand what you mean with this MIA. I will look for more 
info into my PPPoE-Server.


Att,

Nataniel Klug

K. Hoercher wrote:

> There is no such thing as "user remains connected into my radius
> server". It's the client's (here PPPoE Server?) responsibility to act
> accordingly. In particular it should eventually update the accounting
> if a "client"/user is MIA. That might be near to the problem you are
> referring to.
>
> Best regards
> K. Hoercher


Droping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread Nataniel Klug

   Hello all,

   I have a very big problem. I have a system that uses PPPoE server 
to authenticate my clients into a FreeRadius server. The server is 
running ok but when something not expected happens in my clients (like an 
energy blackout or something like that) the user remains connected into 
my radius server. Is there any way I could make a test to see if the user 
is not online and then drop it?


Att,

Nataniel Klug


Re: Managing connection on Freeradius

2006-02-20 Thread Nataniel Klug
Alan,

I am using version freeradius-1.0.1-1. I will try to update this software.

Att,

Nataniel Klug

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Sunday, February 19, 2006 3:06 PM
Subject: Re: Managing connection on Freeradius


> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] ~]# radzap -d /etc/raddb -p 1813 -r 127.0.0.1 '' nataniel
> > Sun Feb 19 09:02:13 2006 : Info: Starting - reading configuration files
...
>
>   Upgrade to 1.1.0.  The version you're using doesn't work.
>
>   Alan DeKok.


Re: Managing connection on Freeradius

2006-02-19 Thread Nataniel Klug
Alan,

I have read the manual and tried to use radzap before. All docs are very
small and do not show how to use it, I tried this:

[EMAIL PROTECTED] ~]# radzap
Usage: radzap [-d raddb] [-p acct_port] [-r servername|serverip] termserver [port] [user]
Options:

  -d raddb        Set the raddb directory (default is /etc/raddb)
  -p acct_port    Accounting port on radius server
  -r radserver    Radius server name or IP address
  termserver      Terminal Server (NAS) name or IP address to match, can be '' for any
  [port]          Terminal Server port to match
  [user]          Login account to match
[EMAIL PROTECTED] ~]# radzap -d /etc/raddb -p 1813 -r 127.0.0.1 '' nataniel
Sun Feb 19 09:02:13 2006 : Info: Starting - reading configuration files ...
[EMAIL PROTECTED] ~]# radwho
Login  Name  What  TTY  When  From  Location
pmlseng  PPP   S0   Sun 08:53 200.163.2 200.140.222.130
nataniel PPP   S1   Sun 08:53 200.163.2 200.140.222.131
[EMAIL PROTECTED] ~]#

But as you can see user "NATANIEL" is still connected when I use radwho.

Att,

Nataniel Klug


- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Saturday, February 18, 2006 12:14 PM
Subject: Re: Managing connection on Freeradius


> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > There is any tool to make it easier?
>
>   radzap.
>
>   Alan DeKok.


Managing connection on Freeradius

2006-02-18 Thread Nataniel Klug
Hello all,

I am quite new to freeradius and I have a doubt. I have a
PPPoE-Server that authenticates the users into my FreeRadius server. The
problem is that if a client, for some reason, loses the connection the
freeradius maintains the log about that connection and, if the client tries to
connect again, it says that simultaneous use is not allowed.

So I have to delete radutmp and radwtmp, restart radius, and lose the
track of connections.

Is there any tool to make it easier? Or some configuration so that if there
is no package coming from the client for 60 seconds it will disconnect the
client?

Att,

Nataniel Klug



Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-27 Thread Nataniel Klug
Min,

I have installed FreeRadius from a RPM. I am running FreeRadius as user
radiusd and group root.

Att,

Nataniel Klug

- Original Message - 
From: "Min Qiu" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Thursday, January 26, 2006 7:16 PM
Subject: RE: Problems System Auth with FreeRadius (/etc/shadow)


> You may read the doc wrong.  The group you should look for is
> "radiusd".  When you create user "radiusd", the group "radiusd"
> should also be created if you use adduser command to do the job.
> You don't want user "radiusd" belong to group "root".  Do
> "chgrp radiusd /etc/shadow".
>
> Min
>
> > -Original Message-
> > From:
> > [EMAIL PROTECTED]
> > freeradius.org
> > [mailto:freeradius-users-bounces+mqiu=globalinternetworking.co
> > [EMAIL PROTECTED] On Behalf Of Nataniel Klug
> > Sent: Thursday, January 26, 2006 3:57 PM
> > To: FreeRadius users mailing list
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> >
> > Alan,
> >
> > Now you have given me a tip... At my Fedora there is no group
> > shadow, so I
> > put radius to run as group "root" so it could read
> > /etc/shadow only if I set
> > +r to group at shadow files.
> >
> > Att,
> >
> > Nataniel Klug
> >
> > - Original Message - 
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list"
> > 
> > Sent: Thursday, January 26, 2006 3:37 PM
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> >
> > > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > > > I just have installed the package from Fedora Core 3,
> > nothing else.
> > >
> > >   Then look at the configuration file.  See how it's different from
> > > what is shipped with FreeRADIUS.
> > >
> > >   And setting "a+rw" on /etc/passwd and /etc/shadow is probably the
> > > single worst thing you can do to your system.  EVER.  Rather than
> > > doing that, read raddb/radiusd.conf, it talks about issues with
> > > reading /etc/shadow, and describes suggested fixes won't
> > destroy your
> > > system.
> > >
> > >   Honestly, I don't understand why it's so hard to read the
> > > configuration files.
> > >
> > >   Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
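
The permission states discussed in this thread, compared side by side in an added example (not code from FreeRADIUS or from any poster): mode 0666 from `a+rw`, the `chgrp radiusd /etc/shadow` layout with group read, and a root-only file. The gid 95 for radiusd and the function names are assumptions, and the service account is assumed not to own the file.

```python
import os
import stat

RADIUSD_GID = 95  # hypothetical gid of the "radiusd" group


def audit_mode(mode, file_gid, service_gid):
    """Evaluate a password file's mode for a service that is not its owner.

    Returns (service_can_read, problems).
    """
    perms = stat.S_IMODE(mode)
    problems = []
    if perms & stat.S_IROTH:
        problems.append("world-readable")   # any local user can copy hashes
    if perms & stat.S_IWOTH:
        problems.append("world-writable")   # any local user can replace hashes
    if perms & stat.S_IWGRP:
        problems.append("group-writable")   # the service only needs to read
    if service_gid == 0:
        problems.append("gid-0-service")    # service shares the root group
    # POSIX applies exactly one permission class: the group bits when the
    # gid matches, otherwise the "other" bits.
    if file_gid == service_gid:
        can_read = bool(perms & stat.S_IRGRP)
    else:
        can_read = bool(perms & stat.S_IROTH)
    return can_read, problems


def audit_file(path, service_gid):
    """Same check against a real file, e.g. audit_file('/etc/shadow', gid)."""
    st = os.stat(path)
    return audit_mode(st.st_mode, st.st_gid, service_gid)


# Constructed cases: (mode, file gid, gid the server runs with).
CASES = {
    "a+rw on the file": (stat.S_IFREG | 0o666, 0, RADIUSD_GID),
    "chgrp radiusd, 0640": (stat.S_IFREG | 0o640, RADIUSD_GID, RADIUSD_GID),
    "root only, 0400": (stat.S_IFREG | 0o400, 0, RADIUSD_GID),
    "server in group root, 0640": (stat.S_IFREG | 0o640, 0, 0),
}


def run_cases():
    return {name: audit_mode(*args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, (can_read, problems) in run_cases().items():
        print(f"{name:28} readable={can_read} problems={problems}")
```

Only the second case lets the server read the file without reporting a problem.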


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-27 Thread Nataniel Klug
Alan,

The server is running as user radiusd and group root.

Att,

Nataniel Klug

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Thursday, January 26, 2006 8:26 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > Now you have given me a tip... At my Fedora there is no group shadow
>
> $ vi /etc/group
>
>   add "shadow" ??
>
> >  so I put radius to run as group "root" so it could read /etc/shadow
> > only if I set +r to group at shadow files.
>
>   It's usually better to *not* run the server as root.
>
>   Alan DeKok.


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-26 Thread Nataniel Klug
Alan,

Now you have given me a tip... At my Fedora there is no group shadow, so I
put radius to run as group "root" so it could read /etc/shadow only if I set
+r to group at shadow files.

Att,

Nataniel Klug

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Thursday, January 26, 2006 3:37 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > I just have installed the package from Fedora Core 3, nothing else.
>
>   Then look at the configuration file.  See how it's different from
> what is shipped with FreeRADIUS.
>
>   And setting "a+rw" on /etc/passwd and /etc/shadow is probably the
> single worst thing you can do to your system.  EVER.  Rather than
> doing that, read raddb/radiusd.conf, it talks about issues with
> reading /etc/shadow, and describes suggested fixes won't destroy your
> system.
>
>   Honestly, I don't understand why it's so hard to read the
> configuration files.
>
>   Alan DeKok.


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-26 Thread Nataniel Klug
Alan,

I just have installed the package from Fedora Core 3, nothing else.

Att,

Nataniel Klug

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Wednesday, January 25, 2006 8:58 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > Ok, it disagrees but I am SURE that I have set the password to user nata.
> > How can this FreeRadius deny? where it is looking? Why when I install
> > Cistron Radius it works fine?
>
>   Because FreeRADIUS is more configurable than Cistron, so there's
> more potential for misconfiguration.
>
>   You didn't say how you configured the "unix" module.  But in the
> default config, that error message occurs *only* when the password is
> incorrect.
>
>   If you've edited the configuration for the "unix" module, then all
> bets are off.
>
>   Alan DeKok.
>


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-26 Thread Nataniel Klug
Mark,

I tried using just read option, did not work. I had to set rw permission in
both files... But now it is working and I am very happy... hehehe... Thanks.

Att,

Nataniel Klug

- Original Message - 
From: "Mark Tunnell" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Wednesday, January 25, 2006 9:54 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> I'm glad it's working but it's not necessary to give radius write
> permissions to either of those files.  All radius needs to be able to
> do is read them.
>
> Mark
>
> Nataniel Klug wrote:
> > Mark,
> >
> > It works! Thanks...
> >
> > I set a+rw permission on the files passwd and shadow.
> >
> > Att,
> >
> > Nataniel Klug
> >
> > - Original Message - 
> > From: "Mark Tunnell" <[EMAIL PROTECTED]>
> > To: "FreeRadius users mailing list"

> > Sent: Wednesday, January 25, 2006 5:25 PM
> > Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)
> >
> >
> >> I had the same issue.  My problem turned out to be that radius didn't
> >> have read access to the shadow password file.
> >>
> >> Mark
> >>
> >> Alan DeKok wrote:
> >>> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> >>>> rlm_unix: [nata]: invalid password
> >>>>   modcall[authenticate]: module "unix" returns reject for request 1
> >>> ...
> >>>> I could not understand what is going on. The password is correct for this
> >>>> user.


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-25 Thread Nataniel Klug
Mark,

It works! Thanks...

I set a+rw permission on the files passwd and shadow.

Att,

Nataniel Klug

- Original Message - 
From: "Mark Tunnell" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Wednesday, January 25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> I had the same issue.  My problem turned out to be that radius didn't
> have read access to the shadow password file.
>
> Mark
>
> Alan DeKok wrote:
> > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> >> rlm_unix: [nata]: invalid password
> >>   modcall[authenticate]: module "unix" returns reject for request 1
> > ...
> >> I could not understand what is going on. The password is correct for this
> >> user.
> >


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-25 Thread Nataniel Klug
Alan,

Ok, it disagrees but I am SURE that I have set the password to user nata.
How can this FreeRadius deny? where it is looking? Why when I install
Cistron Radius it works fine?

Please, give me an answer not only what I already know.

Att,

Nataniel Klug

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Wednesday, January 25, 2006 4:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > rlm_unix: [nata]: invalid password
> >   modcall[authenticate]: module "unix" returns reject for request 1
> ...
> > I could not understand what is going on. The password is correct for this
> > user.
>
>   The code running on your machine disagrees.
>
>   Alan DeKok.


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-25 Thread Nataniel Klug
Mark,

Finally something that could be happening for sure!

I will try to set up permission on this file. Thanks!

Att,

Nataniel Klug

- Original Message - 
From: "Mark Tunnell" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Wednesday, January 25, 2006 5:25 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> I had the same issue.  My problem turned out to be that radius didn't
> have read access to the shadow password file.
>
> Mark
>
> Alan DeKok wrote:
> > "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> >> rlm_unix: [nata]: invalid password
> >>   modcall[authenticate]: module "unix" returns reject for request 1
> > ...
> >> I could not understand what is going on. The password is correct for this
> >> user.
> >


Re: Problems System Auth with FreeRadius (/etc/shadow)

2006-01-25 Thread Nataniel Klug
Alan,

I tried it in full debug mode, it returns this:

rad_recv: Access-Request packet from host 127.0.0.1:32773, id=46, length=62
Service-Type = Login-User
User-Name = "nata"
User-Password = "nata0405"
NAS-IP-Address = 200.163.208.4
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "nata", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched DEFAULT at 152
users: Matched DEFAULT at 216
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_unix: [nata]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 1
modcall: group authenticate returns reject for request 1
auth: Failed to validate the user.
Login incorrect: [nata/nata0405] (from client localhost port 0)
Sending Access-Reject of id 46 to 127.0.0.1:32773
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 46 with timestamp 43d7232a
Nothing to do.  Sleeping until we see a request.



I could not understand what is going on. The password is correct for this
user.

Att,

Nataniel Klug

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Tuesday, January 24, 2006 3:21 PM
Subject: Re: Problems System Auth with FreeRadius (/etc/shadow)


> "Nataniel Klug" <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] radius]# tail radius.log -n 2
> > Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password
>
>   Nice.  Is there any particular reason you're refusing to run the
> server in debugging mode, as suggested in the README, FAQ, and
> INSTALL?
>
>   Alan DeKok.
>


Problems System Auth with FreeRadius (/etc/shadow)

2006-01-24 Thread Nataniel Klug
Hello,

I am having a big problem with FreeRadius server. It doesn't authenticate
my clients using /etc/shadow and /etc/passwd. When I try to use "radlogin"
or "radtest" these are the messages I get:

=== radlogin ===
[EMAIL PROTECTED] radius]# radlogin
($Id: radlogin.c,v 1.3 1997/12/29 23:07:25 lf Exp $)
-
Linux 2.6.13.4 (ns2.cnett.com.br) (port 0)
-

login: nata
Password:
RADIUS: Authentication failure
local: Authentication failure

[EMAIL PROTECTED] radius]# tail radius.log -n 2
Tue Jan 24 01:24:02 2006 : Auth: rlm_unix: [nata]: invalid password
Tue Jan 24 01:24:02 2006 : Auth: Login incorrect: [nata/1234] (from client
localhost port 0)

=== radtest ===
[EMAIL PROTECTED] radius]# radtest nata 1234 localhost:1812 0 local
Sending Access-Request of id 126 to 127.0.0.1:1812
User-Name = "nata"
User-Password = "1234"
NAS-IP-Address = ns2.cnett.com.br
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=126, length=20
[EMAIL PROTECTED] radius]# tail -n 2 radius.log
Tue Jan 24 01:26:41 2006 : Auth: rlm_unix: [nata]: invalid password
Tue Jan 24 01:26:41 2006 : Auth: Login incorrect: [nata/1234] (from client
localhost port 0)


I tried everything I know and it is still not working. If I compile and
install Cistron Radius it works just fine, but I don't want Cistron...

freeradius-1.0.1-1
Fedora Core 3 - Kernel 2.6.13.4 (compiled from source)

    Waiting for help.

Att,

Nataniel Klug
