Re: not to proxy accounting
kevin wrote: I want to make an option not to proxy accounting but log locally. What option can I take? Should I make a preproxy code for this function? Remove any instance of the module realm (it's named suffix in the default config file) from the section preacct. -- Nicolas Baradakis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: specific realm accounting
Chuck wrote: Is there a way to have only 2 particular realms get entered into our local accounting database? See http://freeradius.org/radiusd/doc/Acct-Type -- Nicolas Baradakis
Re: Proxy when module_accounting rejects the request
Alan DeKok wrote: I think there are some cases when there is a need to do both logging and proxying. (for example if the server and the proxy belong to different ISP) Sure, but we don't want to *force* that, either. I agree, although for now I don't know how we could make that user-defined. Perhaps this could work: if Proxy-To-Realm is set and Acct-Type is not set, then skip accounting section. pre-proxy may require User-Name re-writing, which really belongs in the same function module for authentication accounting. Post-proxy is pretty useless for accounting, though. Thanks for your responses: I was a little lost with all this accounting proxy stuff. -- Nicolas Baradakis
Proxy when module_accounting rejects the request
I noticed that accounting requests are proxied anyway even if a module of the accounting section rejected the request. I don't know whether this is the expected behaviour or not. In other words: is this a bug or feature? :-) Perhaps there are reasons to always proxy an accounting request, but I'm thinking the action might be: Return value Proxy Drop -- RLM_MODULE_REJECT X RLM_MODULE_FAIL X RLM_MODULE_OK X RLM_MODULE_HANDLED X RLM_MODULE_INVALID X RLM_MODULE_USERLOCK X RLM_MODULE_NOTFOUND X RLM_MODULE_NOOP X RLM_MODULE_UPDATED X -- Nicolas Baradakis
Re: Proxy when module_accounting rejects the request
Alan DeKok wrote: If preacct says that the request should be proxied, we probably shouldn't even run accounting at all. I think there are some cases when there is a need to do both logging and proxying. (for example if the server and the proxy belong to different ISP) In those cases logging could be done in pre-proxy section instead of accounting, but currently not all the modules have a method for both accounting and pre-proxy. (for example rlm_sql can do accounting only) I've never understood why we have pre-proxy and post-proxy for accounting requests. As it is now, everything done in pre-proxy can be done in accounting, too. And post-proxy is meaningless since Accounting-Response packets are empty. That will let people log local accounting data only for requests that are handled locally. For now that can be achieved using Acct-Type stanzas. That sounds reasonable, except for FAIL. If we fail to log accounting data, it's even more useful to proxy it. I understand your reasons. The logs of the proxy may be incoherent, but that's probably better than to have nothing at all. And most of those return codes don't make sense for accounting requests. Since accounting just does logging, the return codes should be: FAIL, OK, HANDLED, INVALID, NOOP. I agree. It should be the same for preacct modules, too. REJECT doesn't make sense. USERLOCK doesn't make sense, and I'm not sure what UPDATED means. Comments in modules.h say UPDATED is OK (pairs modified). However if a module returns REJECT or USERLOCK, it just means the module is seriously broken. It's unclear whether the packet should be proxied in this case. If something that shouldn't happen actually happens, I would vote to drop the packet. -- Nicolas Baradakis
Re: request-proxy request-proxy_reply
Massimiliano Liccardo wrote: I should write a module that strips/modifies AV pairs from a proxy reply according to the AV pairs prior sent into the originated request. Perhaps you don't need a module. You could test the AV pairs from the request in section authorize and set the variable Post-Proxy-Type. Then you can run different modules to modify the proxy reply in section post-proxy.

    post-proxy {
        Post-Proxy-Type post-proxy-1 {
            attr_rewrite_1
        }
        Post-Proxy-Type post-proxy-2 {
            attr_rewrite_2
        }
    }

-- Nicolas Baradakis
Re: Which Operating System is best for freeRADIUS
Gunther wrote: I'd suggest Debian, because several members of the project are developing or testing FreeRADIUS under Debian. Moreover the Debian package is directly maintained by one of the developers who regularly adds the major bugfixes into the Debian package between two releases of FreeRADIUS. Thanks! Not too familiar with Debian, but I don't think it is a different world to all the other Linux distributions. I thought FreeBSD might be a candidate since it is more focusing on networking and services. I run several web hosting packages with FreeBSD, Fedora FC4, Redhat 9, SuSE ... I was actually more looking from the user point of view and not the developers. (sorry for that ;-) I was talking about the user point of view: the users are assured that FreeRADIUS is regularly tested under Debian, and the Debian package is up-to-date. -- Nicolas Baradakis
Re: Which Operating System is best for freeRADIUS
Gunther wrote: Building my FR server, I have the choice of a number of operating system for my FreeRADIUS server. Anybody with a suggestion which operating system is best suited for FR? I'd suggest Debian, because several members of the project are developing or testing FreeRADIUS under Debian. Moreover the Debian package is directly maintained by one of the developers who regularly adds the major bugfixes into the Debian package between two releases of FreeRADIUS. -- Nicolas Baradakis
Re: expr in SQL not working
Alan DeKok wrote: Gunther [EMAIL PROTECTED] wrote:

    Tue Oct 4 00:53:46 2005 : Debug: rlm_sql_mysql: query: SELECT phs_radgroupreply.radgroupreply_id,phs_radgroupreply.radgroupreply_groupname,phs_radgroupreply.radgroupreply_attribute,phs_radgroupreply.radgroupreply_value,phs_radgroupreply.radgroupreply_op FROM phs_radgroupreply,phs_usergroup WHERE phs_usergroup.usergroup_username = 'gunther' AND phs_usergroup.usergroup_groupname = phs_radgroupreply.radgroupreply_groupname ORDER BY phs_radgroupreply.radgroupreply_id
    Tue Oct 4 00:53:46 2005 : Debug: radius_xlat: '='

That last line doesn't look right. Yes, it looks like bug #242. (and #245) http://bugs.freeradius.org/show_bug.cgi?id=242 http://bugs.freeradius.org/show_bug.cgi?id=245 The problem should be fixed in 1.0.5. -- Nicolas Baradakis
Re: Freeradius - Where to start and where to get the right answer
Gunther wrote: I found out the hard way that documentation is not a pet project of FR. The only up-to-date documentation I found so far is reading the source code for hours, days, weeks ... There are lots of features I could not find anywhere in any kind of documentation, but in the source code, e.g. positional parameters for the SQL nas table. You're right, the documentation isn't up-to-date. As you said, this is free software, and any patch against the documentation will be greatly appreciated. Volunteers can submit their patches here: http://bugs.freeradius.org/ -- Nicolas Baradakis
Re: Proxy of Accounting Requests
Ashwin Gobind wrote: I want to proxy accounting requests originating from certain hosts to another server, how can I do this. You could add something like this in file acct_users:

    DEFAULT Client-IP-Address == 10.0.0.1, Proxy-To-Realm := realm1
    DEFAULT Client-IP-Address == 10.0.0.2, Proxy-To-Realm := realm2

-- Nicolas Baradakis
Re: Problem with radzap
Andoni Ayala wrote: I have experienced with freeradius, but I updated to 1.0.1 on Fedora Core 3 and when I use radzap I get this error: Error: There appears to be another RADIUS server running on the authentication port 1812 It looks like bug #185. http://bugs.freeradius.org/show_bug.cgi?id=185 Upgrade to the newest version of FreeRADIUS and it should be fine. -- Nicolas Baradakis
Re: separate accounting to two modules based on NAS-IP-Address
Ilia Chipitsine wrote: how can I organize radiusd.conf in order to put accounting coming from nas1 to one module and from nas2 to another module ? You might try to add these lines in file acct_users:

    DEFAULT NAS-IP-Address == 10.0.0.1, Acct-Type := acct.nas1
    DEFAULT NAS-IP-Address == 10.0.0.2, Acct-Type := acct.nas2

And in radiusd.conf:

    accounting {
        Acct-Type acct.nas1 {
            module1
        }
        Acct-Type acct.nas2 {
            module2
        }
    }

-- Nicolas Baradakis
Re: segmentation fault when running radiusd -X
Jose Simoes wrote: I am using Free Radius 1.0.1 and I get the following output when I try to run the server. Any ideas? You should really upgrade. See http://www.freeradius.org/security.html Can it be anything within the configuration files? I can't tell with the debug output. Please install version 1.0.5 and try again. If it still segfaults, send us the backtrace from gdb, as explained here: http://freeradius.org/radiusd/doc/bugs -- Nicolas Baradakis
Re: mssql and authenticate_query
Duane Cox wrote: While we're at it, why not change the example mssql.conf file to remove all references to FreeTDS... That should resolve _a lot_ of confusion... As always, patches are welcome. Nicolas Baradakis -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting annoying in email?
Re: mssql and authenticate_query
Duane Cox wrote: While we're at it, why not change the example mssql.conf file to remove all references to FreeTDS... That should resolve _a lot_ of confusion... As always, patches are welcome. Is there a mantis page or bug tracker? There is a bugzilla here: http://bugs.freeradius.org/ Please make the diffs against latest version of mssql.conf. http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/raddb/mssql.conf -- Nicolas Baradakis
Re: Receiving a full DN in a radius request
Jean-Francois Gobin wrote: From the preceding, preceding mail, you should have seen that %{User-Name} is equal to something like uid=P0..., o=nrb, c=be ... which is what I want to have checked against the LDAP. For now, when I implement your suggestion, I just come out with checking for dn=o=nrb,c=be, (uid=uid), which corresponds to the truncating of my requesting DN. I indeed found a bug in function ldap_escape_func(). However, after fixing the function I get the following line in my logs, which is still an invalid LDAP filter. rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter (uid\3dP06227\2cou\3dpeople\2co\3dnrb\2cc\3dbe) This is not a bug: user supplied strings are escaped from unsafe characters. In your case, I'd suggest to rewrite the User-Name to P06227 with the module rlm_attr_rewrite and use the filter (uid=%{User-Name}) in rlm_ldap. -- Nicolas Baradakis
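The escaping and the User-Name rewrite discussed in the message above, as an added Python example (not FreeRADIUS code and not part of the original post). The function names are hypothetical, and the set of escaped characters is an assumption: the RFC 4515 specials plus '=' and ',', chosen so the output matches the rlm_ldap log line quoted in the message.

```python
import re

# Characters replaced by \XX before a user-supplied value enters a filter.
# RFC 4515 requires NUL, '(', ')', '*' and '\'. Adding '=' and ',' is an
# assumption made here to reproduce the log line quoted in the message.
_ESCAPED = set("\0()*\\=,")

# A DN is split into RDNs on commas that are not backslash-escaped.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def escape_filter_value(value: str) -> str:
    """Return value with unsafe bytes written as a backslash and two hex digits."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        # Non-ASCII bytes are escaped too, which RFC 4515 permits.
        if ch in _ESCAPED or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(ch)
    return "".join(out)


def uid_from_user_name(user_name: str) -> str:
    """If User-Name is a full DN, return the value of its uid RDN.

    Anything that does not contain a uid RDN is returned unchanged, so it is
    still escaped as an opaque string by build_filter().
    """
    for rdn in _RDN_SPLIT.split(user_name):
        attr, sep, val = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "uid":
            return val.strip()
    return user_name


def build_filter(user_name: str) -> str:
    """Build the (uid=...) search filter: rewrite first, then escape."""
    return "(uid=%s)" % escape_filter_value(uid_from_user_name(user_name))


if __name__ == "__main__":
    dn = "uid=P06227,ou=people,o=nrb,c=be"   # DN taken from the thread
    hostile = "*)(uid=*"                     # constructed sample input
    # Escaping the whole DN gives the string seen in the log: a literal
    # value that no uid attribute in the directory will ever equal.
    print("(" + escape_filter_value(dn) + ")")
    # Rewriting to the bare uid first gives a filter that can match.
    print(build_filter(dn))
    # Filter metacharacters in a supplied name stay inert after escaping.
    print(build_filter(hostile))
```

Escaping is applied after the rewrite, so a uid value taken out of a DN gets the same treatment as a plain User-Name.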
Re: Small patch for proxy code - listen.c
Michael Mitchell wrote: When the proxy reply comes back, only the cl-ipaddr is checked against the reply source address, however it is possible to configure cl-acct_ipaddr differently to cl-ipaddr (ie different auth and acct home servers for a single realm entry), and thus the active status and last reply time may never be updated for an accounting home server. Thanks for spotting this. This is a problem indeed. Can you please file a bug report on the bugzilla, so your patch doesn't get lost? http://bugs.freeradius.org/enter_bug.cgi -- Nicolas Baradakis
Re: Bus error - core dumped on freeradius 1.0.5
Rohaizam Abu Bakar wrote: OS: FreeBSD4.11 p10 Freeradius: 1.0.5 from 1.0.4 - compilation OK.. but still to patch rlm_rewrite just like 1.0.4 - starting radiusd seems fine - but when trying to authenticate.. then it will core dumped.. as below debug log.. Please post the backtrace from gdb. The following link explains how to do that. http://www.freeradius.org/radiusd/doc/bugs -- Nicolas Baradakis
Re: 1.0.5 + rlm_sql_mysql: Segmentation fault
Thomas Krause (Webmatic) wrote: I want to setup a new server with FreeRadius using MySQL as backend. OS is FreeBSD 5.4, DB Mysql 4.1.13. I've compiled FreeRadius from source (not from ports). Without sql all is doing fine. With sql enabled, the daemon dies with Segmentation fault (core dumped) A similar error was reported by a user who had a broken installation of MySQL on his system: the version of the headers mismatch the binary libraries. Please check if this is your case, too. http://lists.freeradius.org/pipermail/freeradius-users/2005-September/046882.html -- Nicolas Baradakis
Re: radrelay taking too long
Apu islam wrote: I have an accounting data file (1 GB) that I am pushing off to a server running freeradius 1,0 w pgsql-voip. It has been three days but the data is still not done populating the tables. I see it progressing, but the speed is horrible. Anyone knows how I can make this fast ? You may look at new radrelay mechanism in CVS. Get a nightly CVS snapshot and look at the radrelay.conf(5) manpage. -- Nicolas Baradakis
Re: PW_NAS_IP_ADDRESS ?
Iandc Davies wrote: Using an example ip address of 213.137.69.38, this converts to d5 89 45 26 (hex). Is it OK to split the above hex into 8 bits so that it can fit into the vp-strvalue format or is there another way ? The IP addresses are usually stored in vp-lvalue. I note the easiest way to assign values is to use the function pairparsevalue() in src/lib/valuepair.c -- Nicolas Baradakis
Re: freeradius 1.0.4 segmentation fault
Konstantin Kubatkin wrote: I'm use Debian/Sarge AMD64 and Debian/Sarge I386 If it is used Crypt-Password that freeradius finishes work with segmentation fault Please get version 1.0.5 and build the Debian package with this command line:

    $ DEB_BUILD_OPTIONS="noopt nostrip" fakeroot dpkg-buildpackage -b -uc

Install the new package, and enable core dumps:

    $ ulimit -c unlimited

When freeradius core dumps, do:

    $ gdb /path/to/executable /path/to/core/file

And then in 'gdb', do:

    (gdb) bt

Copy the output, and mail it to the list. -- Nicolas Baradakis
Re: compile error with 1.0.5
Duane Cox wrote: Can someone help me out and tell me what I am missing or doing wrong to get this error. I do not have openSSL installed on this server and would like to not install it. Delete the directory src/modules/rlm_x99_token from the buildtree if you don't use this module. Just run make again after that, it should be fine. -- Nicolas Baradakis
Re: freeradius 1.0.4 segmentation fault
Konstantin Kubatkin wrote: With the given correction works normally Thanks for the patch, it has been added to the CVS. -- Nicolas Baradakis
Re: Receiving a full DN in a radius request
Jean-Francois Gobin wrote:

    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for uid=P06227,ou=people,o=nrb,c=be
    radius_xlat: '(uid)'
    radius_xlat: ' '
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in , with filter (uid)
    rlm_ldap: ldap_search() failed: Bad search filter: (uid)

What is your filter in section ldap of radiusd.conf ? -- Nicolas Baradakis
Re: line too long error in /usr/local/etc/raddb/users ?
Drew Weaver wrote: /usr/local/etc/raddb/acct_users[1]: line too long This is the line: abdacd Auth-Type = Unix any clue? - Add a carriage return at the end of the line. - Don't post HTML to the mailing list. Nicolas Baradakis -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting annoying in email?
Re: accounting file with belkin 54g wireless router
Michael Ding wrote: I remember a while back when I browsing this thread, someone mentioned that not every router sends accounting data to radius. Is this right? That's true. If so, what are the router sent acct data? If no, what do I need to do to get the acct data? Ask the NAS's vendor. -- Nicolas Baradakis
Re: Receiving a full DN in a radius request
In reply to Jean-Francois Gobin: For now, I got a problem : radiusd strips everything after the first =, leaving me with a username of uid ... Where does the string come from? Is it truncated in the RADIUS packet or in the LDAP entry? -- Nicolas Baradakis
Re: Problems when using Cisco-AVPairs[*]
Admin wrote: I need some help with Cisco AVPAirs, I am using freeradius + postgresql. When I have the following entries in my radreply table -

    database=# SELECT * from radreply where username='test' order by id;
     id | username | attribute    | op | value
    ----+----------+--------------+----+------------------------------------
     72 | test     | Cisco-AVPair | =  | ip:inacl#1=deny tcp any any eq 25
     73 | test     | Cisco-AVPair | += | ip:inacl#1=permit ip any any
     74 | test     | Cisco-AVPair | += | ip:outacl#2=deny tcp any any eq 25
     75 | test     | Cisco-AVPair | += | ip:outacl#2=permit ip any any

the access list works. Indeed. That's how it's documented in doc/rlm_sql. However, when I modify the entries

    database=# SELECT * from radreply where username='test' order by id;
     id | username | attribute       | op | value
    ----+----------+-----------------+----+------------------------------------
     76 | test     | Cisco-AVPair[0] | =  | ip:inacl#1=deny tcp any any eq 25
     77 | test     | Cisco-AVPair[1] | =  | ip:inacl#1=permit ip any any
     78 | test     | Cisco-AVPair[2] | =  | ip:outacl#2=deny tcp any any eq 25
     79 | test     | Cisco-AVPair[3] | =  | ip:outacl#2=permit ip any any

none of the Cisco-AVPairs are passed to the Cisco NAS ( I can see that in the /var/log/radacct/{NAS-IP}/reply-detail file ). This syntax is not supported in a SQL database. Please let us know if the documentation is inaccurate. -- Nicolas Baradakis
Re: mysql connections - segmentation fault
Andreas M. wrote: thanks for answering, I downloaded FR 1.0.5, made Debian packages and installed it, but no success, also fragmentation faults after first connection. I can't reproduce the problem, therefore it's difficult to find the bug. Can you please build the Debian package with this command line?

    $ DEB_BUILD_OPTIONS="noopt nostrip" fakeroot dpkg-buildpackage -b -uc

And then run FreeRADIUS with valgrind. (a memory debugger)

    # valgrind freeradius -f

Please post the output of valgrind to the bugzilla. (bug #271) Nicolas Baradakis -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting annoying in email?
Re: status of rlm_python in 1.1.0 release
Ilia Chipitsine wrote: When that module will become non-experimental ? It has not been changing for years, maybe it can become regular module in 1.1.0 ? The module rlm_python is still experimental. There are known issues with this module. http://bugs.freeradius.org/show_bug.cgi?id=227 -- Nicolas Baradakis
Re: mysql connections - segmentation fault
Andreas M. wrote: I've installed FR 1.0.4, now when I start the server, during the connection to a mysql database, after the first one there is a segmentation fault. It is working with just one connection, but I can't find the reason for this. It looks like your problem is the same as bug #271. http://bugs.freeradius.org/show_bug.cgi?id=271 -- Nicolas Baradakis
Re: Huntgroup-Name
Jonathan De Graeve wrote: Is it possible to specify multiple huntgroup names in sql? Lets say sqlgroup IT can connect to devices in the huntgroup vpn and ras (something like Huntgroup-Name == vpn,ras in sql??) Huntgroup-Name =~ ^(vpn|ras)$ -- Nicolas Baradakis
Re: huntgroups and bad_logins
Jonathan De Graeve wrote: What I want to do is the following: NAS1: 10.1.1.1 NAS2: 10.1.1.2 SQL usergroups: patients, it IT may connect to NAS12, patients only to NAS2. I've been looking on the internet how to do this but didn't find it. In your case, I'd suggest you try the following:

1. In your SQL database, add a field NASIPAddress to the tables radcheck, radreply...
2. Then insert one row for each attribute of the users allowed to log on NAS2, and two rows for attributes of the users allowed to log on both NAS1 and NAS2.
3. In the file sql.conf, add AND NASIPAddress = '%{NAS-IP-Address}' in the WHERE clause of the authorize_* queries.

I also have problems with the bad_login perlscript. When I run this script, it doesn't do anything (just hangs with no given output) I think the script is just waiting for new requests to be received. I note you may also use a post-auth query to log failed login in a SQL database. (it has already been explained many times on the mailing list) -- Nicolas Baradakis PS: HTML is forbidden on the mailing list, please follow the house-rules http://www.freeradius.org/list/users.html
Re: Handling Radius Events with Client
Ali Koyuncu wrote: Hi to all, Did you read the rules before subscribing? http://www.freeradius.org/list/users.html HTML is forbidden on the mailing list, and moreover it's difficult to distinguish your message from spam: X-XS4ALL-Spam-Score: 3.454 (***) HTML_40_50, HTML_FONTCOLOR_BLUE, HTML_FONTCOLOR_RED, HTML_MESSAGE, MSGID_FROM_MTA_HEADER, RCVD_IN_SPEWS, X_MSMAIL_PRIORITY_HIGH, X_PRIORITY_HIGH Let's say we have a switch and two (free) Radius servers backing up each other. I want to implement a client, that listens to the call-related events (such as access-accept, call started, call finished, failed, and etc.) received from the target Radius server, and process these data based on some rules. Here come my questions: 1. Is it possible to handle Radius call-related events over UDP or TCP? -- because I am newbie to the subject, please excuse me if I am asking something stupid. 2. If it's, how? Any sample source code can be provided? You can run a client program each time FreeRADIUS receives a request with the module rlm_exec. Look for examples in radiusd.conf. You may also be interested in modules rlm_perl or rlm_python. Nicolas Baradakis -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting annoying in email?
Re: radius timeout
Callis wrote: I see a lot of radius timeout on my cisco router while the ping times is 10ms and my radius timeout is set to 50. Is there any error message in file radius.log ? -- Nicolas Baradakis
Re: reject some users from radius - ldap ?
Frank Bonnet wrote: I use freeradius with ldap to manage wi-fi users ( thru chillispot ) everything works well but I would like to know if it is possible to exclude some users with radius ? My purpose is to forbid wi-fi access BUT let use the wired LAN access to the considered users. I'm doing this with MySQL on my site, but perhaps the following approach may work with LDAP:

1. Define huntgroups wifi and wired in raddb/huntgroups.
2. In LDAP, provision the attribute radiusHuntgroupName with the values wifi or wired (or both) in all the radiusprofile entries.
3. In the section ldap{} of raddb/radiusd.conf, modify the filter like that:

    filter = (&(uid=%{User-Name})(radiusHuntgroupName=%{Huntgroup-Name}))

-- Nicolas Baradakis
Re: linux newby attempts freeradius (unsuxesfull)
Fred Zinsli wrote: Rather than tell me what I am doing wrong (apart from attempting this) can someone point me to where I can find out what I need to know. Firstly, HTML is forbidden on the list. Did you read the rules before subscribing? http://www.freeradius.org/list/users.html Scenario: Debian sarge installed (no probs or errors) on i386 machine. If you're using Debian, the quickest way is to install the Debian package of FreeRADIUS. As root, run the following command:

    # apt-get install freeradius

Given I am NOT familiar with linux at all, and have ventured into this reluctantly, can someone point me to some really bullet proof documentation that doesn't assume people already have an extensive knowledge of linux before they start. The FreeRADIUS mailing list isn't the appropriate place to ask general questions about Linux. For example, you could start reading the documentation from Debian http://www.debian.org/doc/ and ask questions on http://lists.debian.org/debian-user/ Nicolas Baradakis -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting annoying in email?
Re: Require realm suffix
Ben Thompson wrote: I have set up FreeRADIUS so that I am using the realm format [EMAIL PROTECTED] I have successfully got this working by adding the relevant realm to proxy.conf and setting authhost and acchost to LOCAL. Currently when someone logs without specifying a realm, they are still authenticated and I would like to know if it is possible to change this behavior so that users must specify the realm suffix. Perhaps you could uncomment the realm NULL in proxy.conf and add in the users file:

    DEFAULT Realm == NULL, Auth-Type := Reject

-- Nicolas Baradakis
Re: Can I add extra fields to the radius accounting database?
Miguel Angel Quiles wrote: I've got freeradius 1.0.2 on a SUSE 9.3. I was thinking if I could add a new field to the radius accounting. I'm using mysql. I already added the field to the radacct table in the radius database. And I've tried to modify the sql.conf file in the raddb directory. When I restart the service the freeradius won't start because of an error. Posting the error messages would help a lot. I've created the field TunnelType, and I added the values in the different queries, such as: accounting_update_query_alt = INSERT into ${acct_table1} (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, TunnelType) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Tunnel-Type:0}') ^^ Did you try %{Tunnel-Type} ? (without the digit for the tag) -- Nicolas Baradakis
Re: freeradius-mysql-clid
Sam Njenga wrote: I have downloaded the latest freeradius and compiled ok. I have tested it and it works fine. I would like to authenticate calls based on Caller-Id. What do I have to have in the tables. A small example will be highly appreciated. These links may help: http://www.freeradius.org/radiusd/doc/rlm_sql http://www.frontios.com/freeradius.html -- Nicolas Baradakis
Re: Can't start freeradius - auth bind error
NECTIS NetVoice Sales wrote: can not start freeradius: Starting RADIUS server: Tue Sep 6 13:08:47 2005 : Info: Starting - reading configuration files ... auth bind: Address already in use [FAILED] It looks like there is another instance of FreeRADIUS already running, or another program using the same port as FreeRADIUS. PS: HTML is forbidden on the list. Please follow the rules here: http://www.freeradius.org/list/users.html -- Nicolas Baradakis
Re: SQL logging options
[EMAIL PROTECTED] wrote: I currently have freeradius 1.04 working with mysql. It logs successful connections to the 'radpostauth' table, and accounting information to the 'radacct' table. Is it possible to configure freeradius to log more data to the mysql database, such as unsuccessful connections with bad passwords/certificates etc? You can run a SQL query for a failed connection by adding the module sql in the stanza Post-Auth-Type REJECT. See http://freeradius.org/radiusd/doc/Post-Auth-Type -- Nicolas Baradakis
Re: How to configure freeradius to answer on two IP addresses
Stefan A. wrote: How may I advice freeradius, to bind to two IP addresses? I tried the Listen option and the bind_address by separating my ip addresses with a whitespace, a colon or a semicolon... Delete bind_address and port from radiusd.conf, and use multiple listen {} stanzas for each IP address. -- Nicolas Baradakis
Re: A cluster of freeradius servers
Angel L. Mateo wrote: I want to deploy the next configuration: I have a proxy radius server (freeradius) who redirect its requests to another freeradius server. I have another freeradius server with the same configuration as this last one. What I want is to configure the proxy radius to proxy requests to one of these servers. If this fails, then it should ask to the other one. Is this possible with freeradius? How do I do it? Look at the examples in raddb/proxy.conf. -- Nicolas Baradakis
Re: FreeRADIUS 1.0.4: SEGMENTATION FAULT
Alan DeKok wrote: Richard Cotrina [EMAIL PROTECTED] wrote: (gdb) display mysql_sock 1: mysql_sock = (rlm_sql_mysql_sock *) 0x5f6c7173 That's bad. That's very bad. It's the ASCII string sql_, interpreted as a pointer on an x86 machine. No wonder it crashes. The short answer is that there appears to be some memory corruption. Can you print out the contents of sqlsocket, too? Both the structure contents, and the *hex* contents of that area of memory. It looks like the sqlsocket pointer that's being passed is bad. The infringing pointer mysql_sock contains the return value of a malloc three lines above. Perhaps something messed up the memory so badly that malloc returns garbage. It's not easy to find out where the problem is: on my system (Debian), I can run radiusd in valgrind with num_sql_socks = 20 and I get no errors from valgrind. -- Nicolas Baradakis
Re: Error compiling cvs-snapshot on FreeBSD 5.4-RELEASE
Valeriy V. Peshkoff wrote:
> I'm still unable to compile CVS version of freeradius on Freebsd
> [...]
> gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -D_LIBRADIUS -I../include -DHMAC_SHA1_DATA_PROBLEMS -c dict.c -fPIC -DPIC -o .libs/dict.o
> In file included from ../include/libradius.h:38,
>                  from dict.c:42:
> /usr/include/sys/socket.h:243: error: redefinition of `struct sockaddr_storage'

It seems to me the bug is either in autoconf or in FreeBSD headers. I don't know what could be done in FreeRADIUS to work around it.

You could possibly try:
1. Install the latest autoconf version and run a make configure.
2. If it still doesn't work, try to use CFLAGS=-DHAVE_STRUCT_SOCKADDR_STORAGE

-- Nicolas Baradakis
Re: FreeRADIUS 1.0.4: SEGMENTATION FAULT
BugBuster wrote:
> I compiled with '--disable-shared' but on Debian Linux FreeRADIUS does not work with MySQL.

On Debian, compile FreeRADIUS with the command dpkg-buildpackage. This will first check whether all the necessary packages are installed on your system.

$ cd freeradius-1.0.4
$ fakeroot dpkg-buildpackage -b
$ sudo dpkg -i ../freeradius_1.0.4-0_i386.deb

-- Nicolas Baradakis
Re: Error compiling cvs-snapshot on FreeBSD 5.4-RELEASE
Valeriy V. Peshkoff wrote:
> > > In file included from ../include/libradius.h:38,
> > >                  from dict.c:42:
> > > /usr/include/sys/socket.h:243: error: redefinition of `struct sockaddr_storage'
> >
> > It seems to me the bug is either in autoconf or in FreeBSD headers. I don't know what could be done in FreeRADIUS to work around it.
> >
> > You could possibly try:
> > 1. Install the latest autoconf version and run a make configure.
> > 2. If it still doesn't work, try to use CFLAGS=-DHAVE_STRUCT_SOCKADDR_STORAGE
>
> But I've compiled 1.0.4 version on this server without any problem

Version 1.0.4 uses autoconf 2.13, latest CVS uses autoconf 2.59. Did you try to regenerate configure with the autotools from the FreeBSD port?

-- Nicolas Baradakis
Re: Freeradius denies auth when Framed-IP-Address set
Gerret Apelt wrote:
> I am now trying to have FreeRadius also assign IP Address and Netmask to a subset of the user accounts, and that's where I'm getting stuck.
> [...]
> This issue goes away as soon as I delete rows with id 1343 and 1344 below:
>
> mysql> select id, username, attribute, value, op from login_accounts where username='gerret';
> +------+----------+-------------------+----+---------------+
> | id   | username | attribute         | op | value         |
> +------+----------+-------------------+----+---------------+
> | 414  | gerret   | User-Password     | == | testme        |
> | 1343 | gerret   | Framed-IP-Address | == | 65.166.58.202 |
> | 1344 | gerret   | Framed-IP-Netmask | == | 255.255.254.0 |
> +------+----------+-------------------+----+---------------+
>
> When running in full debug mode, FreeRadius outputs the exact queries it fires at the database. I have run these queries manually: the 'authorize_check_query' returns the three rows listed above. All other queries return the empty set.

'Framed-IP-Address' is a reply item and should be in the authreply_table table. (and not authcheck_table)

-- Nicolas Baradakis
Re: best place for logic - users file or custom module?
Tariq Rashid wrote:
> I'd like some advice on the best place to implement this logic. for example - a common scenario is for a request to come from A, and the reply to A contains instructions to extend a tunnel to a second device B. A second query from B is then received.

Use huntgroups to distinguish the NASes, and edit the SQL schema and the SQL queries to use the Huntgroup-Name. Then you could get different reply attributes for A and for B from SQL with no overhead.

-- Nicolas Baradakis
Re: Database field lengths for radacct and radpostauth
Thor Spruyt wrote:
> I've reported bug 266 with a patch for postgresql
> http://bugs.freeradius.org/show_bug.cgi?id=266
>
> You don't know the maximum length of the username and password of your roaming partners, but you need to store those as well into the database.

Added, thanks.

-- Nicolas Baradakis
Re: FR suddenly doesn't respond any more and eats all cpu
Benedikt Panzer wrote:
> Also I tested the switch -s and just the same, the error doesn't occur then. Back in normal mode (without -x or -s) FR crashes again, with one of both switches it doesn't. Strange to me. Is this normal for you experts?

I have no idea what's causing the problem. You might try with the option '-f' too, like in bug #100.

http://bugs.freeradius.org/show_bug.cgi?id=100

-- Nicolas Baradakis
Re: FreeRadius 1.0.4 crashing when getting Request
Sebastian Mauer wrote:
> I have a little problem with setting up FreeRADIUS with MySQL Support properly. My Linux Distro is Debian Sarge 3.1. I installed all necessary libraries and compiled FreeRadius with MySQL enabled. Then I installed all necessary MySQL tables and configured FreeRadius to do EAP-TLS with MySQL as backend. All seems to work nice until the server finally receives a first request. The server segfaults and that's the end. I have no idea what could have gone wrong. Does someone of you have an idea what to do?

Please post the gdb output. Follow the instructions at:
http://www.freeradius.org/radiusd/doc/bugs

-- Nicolas Baradakis
Re: Require NAS dependant radius return attributes
Ben Thompson wrote:
> The trouble is I need to assign different VLANs to users depending which access point they connect from. What I would like to know is if it is possible to use Huntgroups to look up the VLAN id based on something like the IP address of the access point?

You could test the variable Client-IP-Address in the users file.

testuser Client-IP-Address == 10.0.0.1, Password := azerty
        Tunnel-Private-Group-ID:1 := 1,
        Fall-Through = Yes

testuser Client-IP-Address == 10.0.0.2, Password := azerty
        Tunnel-Private-Group-ID:1 := 2,
        Fall-Through = Yes

-- Nicolas Baradakis
Re: User-Name - Reg Expr - auth-type accept
Michael Poser wrote:
> The regular expression matches the Mac-Address, but 4 lines behind it, the log says:
> auth: No authenticate method (Auth-Type) configuration found for the request:
> I am confused, in the users file is the statement Auth-Type := Accept,. What is wrong?

All the check items should be on the first line.

--8--
DEFAULT User-Name =~ ^([0-9a-fA-F]){6}-([0-9a-fA-F]{6})$, Auth-Type := Accept
        Reply-Message = "Hallo Regulaerer Ausdruck `%{User-Name}`"
--8--

-- Nicolas Baradakis
Re: freeradius + MySQL not working after upgrade from 1.0.1
[EMAIL PROTECTED] wrote:
> I now have two servers with the same freeradius configuration (minus minor changes from the upgrade) and the same MySQL database with one running version 1.0.1 (which works) and the other running 1.0.4 (which does not work). Comparing the logs produced by radiusd -X, I see that the only substantial difference is the X-Ascend-Data-Filter Attributes.

It could be the bug #242.
http://bugs.freeradius.org/show_bug.cgi?id=242

-- Nicolas Baradakis
Re: more debug?
N White wrote:
> Is there any way to get the debug to tell me more. For example: freeradius -XX

In some parts of the server you can get more debug messages with radiusd -xxx -l stdout but unfortunately not in rlm_sqlcounter.

> I'd like to see exactly what rlm_sqlcounter is doing (sql query, file checking, etc). I've been stuck on trying to get sqlcounter to work for over a week now, and more debug is never bad.

At this point, I'd suggest to look directly at the source code.

-- Nicolas Baradakis
Re: IPv6
gennaro amelio wrote:
> can I send IPv6 packets to FreeRadius (I use 1.0.2)?

No, but you could try the CVS snapshot. (it can have IPv6 clients)

-- Nicolas Baradakis
Re: problem with using rlm_sql for accounting only
John Donagher wrote:
> If the SQL server is inaccessible (i.e. down, or locked), freeradius rejects all radius requests. In my case, since the SQL database is being used only for accounting, this is not desired behavior.

The link below explains how to control the flow of modules in FreeRADIUS.

http://www.freeradius.org/radiusd/doc/configurable_failover

There is an example which looks like what you want to do for accounting.

-- Nicolas Baradakis
Re: Session-Timeout zero value
Rashad Rustamoff wrote:
> What method will be correct to reject user when Session-Timeout is exhausted?

Just set Auth-Type := Reject.

-- Nicolas Baradakis
Re: No accounting replies to NAS'es!
Erling Paulsen wrote:
> realm student.X.Y {
>         type     = radius
>         authhost = studentserv.X.Y:1812
>         accthost = LOCAL
>         secret   = some secret
>         nostrip
> }
>
> Setting accthost to LOCAL for handling the accounting. The problem is that the NASes never receive any accounting reply and I don't understand why?

It's a known bug of 1.0.x versions of FreeRADIUS. Try to replace the file src/main/acct.c in the source tree by the file you can download there:

http://www.freeradius.org/cgi-bin/cvsweb.cgi/~checkout~/radiusd/src/main/acct.c?rev=1.30.2.2

Then rebuild the server and try your setup again.

-- Nicolas Baradakis
Re: accounting - response from freeradius, and forward
Tariq Rashid wrote:
> we'd like freeradius to reply to accounting requests (start, stop, interim) with acknowledgements, but also to forward the accounting request to a backend radius server but to ignore the response from this proxy behaviour. this means that the querying NAS equipment doesn't spend time and resources waiting for a backend reply to an accounting request. however, the backend radius (possibly belonging to a 3rd party organisation) will need to see the accounting packets - we just ignore/drop their response.

You could use radrelay. See the radrelay(8) manpage in 1.0.x version or radrelay.conf(5) manpage in CVS version.

-- Nicolas Baradakis
Re: segmentation fault
vicky wrote:
> Thanks for your answer. About the empty database 'radius' I had already done that. This morning I ran the script 'db_mysql.sql' you talked about. Now I can see the tables in my database radius but I still have the same segmentation fault error. I have reconfigured, recompiled (with make clean) and reinstalled. That didn't help. Do you have any other ideas?

Please post the gdb output. Follow the instructions at:
http://www.freeradius.org/radiusd/doc/bugs

-- Nicolas Baradakis
Re: segmentation fault
vicky wrote:
> Nicolas,
> Here is the output of gdb. Thanks a lot for your help!
> [...]
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 16384 (LWP 12678)]
> 0x400633a2 in lt_dlsym (handle=0x8118398, symbol=0x8116698 "rlm_sql_mysql") at ltdl.c:3330
> 3330 lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)

It's bug #98. Please look at:
http://bugs.freeradius.org/show_bug.cgi?id=98

-- Nicolas Baradakis
Re: Problems with User-Name/Stripped-User-Name
Erling Paulsen wrote:
> Only that, if there is a 'Stripped-User-Name' attribute in the request, it seems that the server automatically uses this instead of 'User-Name' when proxying.

Ah, yes. I didn't know the server does that.

Question for Alan: in src/main/proxy.c should we check the value of realm.striprealm before overwriting the User-Name with the Stripped-User-Name?

> I fixed it a little dirty by rewriting the stripped username to the 'Hint' attribute - using %{Hint} in the ldap filter, and then 'User-Name' can be used in all its full glory for EAP proxy to the remote server. If I ever must use the Hint attr I will remake a better solution.

You could add an additional attribute at the end of /etc/raddb/dictionnary for that purpose.

-- Nicolas Baradakis
Re: Simple question about adding own attribute to proxy reply
Valeriy V. Peshkoff wrote:
> Using attr_rewrite I can add reply-message to any packet. But I want to add Reply-Message only to the Access-Reject packet or use different Reply-Message to Accept and Reject. How can I do it?

See http://www.freeradius.org/radiusd/doc/Post-Auth-Type

-- Nicolas Baradakis
Re: Simple question about adding own attribute to proxy reply
Valeriy V. Peshkoff wrote:
> Can you help me giving example on how to do it?
>
> I have this in radius.conf
>
> post-auth {
>         Post-Auth-Type REJECT {
>                 Reply-Message
>         }
> }
>
> When I create
>
> attr_rewrite Reply-Message {
>         attribute = Reply-Message
>         # may be packet, reply, proxy, proxy_reply or config
>         searchin = proxy_reply
                     ^^^
I think it should be reply the module is called from post-auth.

-- Nicolas Baradakis
Re: Problems with User-Name/Stripped-User-Name
Erling Paulsen wrote:
> Is it possible to have the stripped username stored somewhere, even if I set 'nostrip' for a realm in proxy.conf?

You can create the attribute Stripped-User-Name with another module than rlm_realm. For example, you could have in radiusd.conf:

modules {
        attr_rewrite copy.user-name {
                attribute = Stripped-User-Name
                new_attribute = yes
                searchin = packet
                searchfor = ""
                replacewith = "%{User-Name}"
        }
        attr_rewrite strip.user-name {
                attribute = Stripped-User-Name
                new_attribute = no
                searchin = packet
                searchfor = "@.*$"
                replacewith = ""
                max_matches = 1
        }
        ...
}

authorize {
        copy.user-name
        strip.user-name
        ...
}

-- Nicolas Baradakis
Re: Simple question about adding own attribute to proxy reply
Valeriy V. Peshkoff wrote:
> But why developer doesn't do equal things for ACCEPT =)
>
> Post-Auth-Type ACCEPT {
>         Reply-Message-Accept
> }
>
> Doesn't work

If I understand correctly what you are trying to do, it should be written like this:

post-auth {
        Reply-Message-Accept
        Post-Auth-Type REJECT {
                Reply-Message
        }
}

-- Nicolas Baradakis
Re: Question on sql.conf - accounting_start_query - accounting_start_query_alt
Andreas Engler wrote:
> So now for me remains in which case won't an Insert work but the alternate Update, or what for is accounting_start_query_alt.

INSERT may fail if your SQL schema defines a unique index to prevent insertion of duplicate accounting records.

With MySQL 4.1 you could use the ON DUPLICATE KEY UPDATE clause instead of an accounting_start_query_alt query.

mysql> INSERT INTO radacct [...] ON DUPLICATE KEY UPDATE [...];

> Another question a little bit of another topic. In May you wrote, that the functions of radsqlrelay will be an integral part of an next freeradius version. You talked about a few weeks here radius server and sql server http://lists.freeradius.org/pipermail/freeradius-users/2005-May/043936.html. Ok it belongs to cvs head. Could you tell me the stand of development or where I can find the information?

You'll find manpages in the CVS head. Please read rlm_sql_log(5) and radsqlrelay(8).

-- Nicolas Baradakis
Re: Accounting to certain users only
[EMAIL PROTECTED] wrote:
> I'm using freeradius with mysql. I want to permit that certain users connect without the server add registers on the radact table. How can I do accounting only for some user?

See http://freeradius.org/radiusd/doc/Acct-Type

-- Nicolas Baradakis
Re: Error getting data from database
Nirmal wrote:
> I have installed freeradius 1.0.4 on linux 7.3 with postgresql. I'm getting following error !!
> [...]
> rlm_sql: Failed to create the pair: Unknown attribute User-Password
                                                       ^^
I guess FreeRADIUS complains about the extraneous space you have mistakenly added when provisioning the database.

-- Nicolas Baradakis
Re: freeradius and MySQL 4.1.12-1
Didier Wintgens wrote:
> How do I update the MySQL client version of freeradius to 4.1 protocol?

Don't use the RPM package and rebuild FreeRADIUS from source against MySQL 4.1 client library.

-- Nicolas Baradakis
Re: Raddb missing
Sharina Ibrahim wrote:
> I just started installing freeradius from the Debian package. I'm quite confused because after I installed the package, I can't find raddb. Does raddb exist only when we install Freeradius from source and not from the debian package?

The config files are in /etc/freeradius when you install FreeRADIUS from the Debian package.

-- Nicolas Baradakis
Re: multiple realm proxying based on huntgroup.
Roy D. Hockett wrote:
> > > I am trying to figure out a way to have different groups of realm proxies for different NAS/huntgroups. For example, for a VPN resources I don't want realms, but for wireless/wired 802.1x I want to be able to forward to other realms.
> >
> > In the users file:
> >
> > DEFAULT Huntgroup-Name == wireless, Proxy-To-Realm := other.com
>
> I don't understand your response. Are you saying on a per users basis set this?

Please read the users(5) manpage. The keyword DEFAULT matches any usernames. In this case it's the Huntgroup-Name variable which is used to match the incoming request.

DEFAULT Huntgroup-Name == wired, Proxy-To-Realm := realm1.net

DEFAULT Huntgroup-Name == wireless, Proxy-To-Realm := realm2.com

The huntgroups have to be defined in /etc/raddb/huntgroups and the realm servers in /etc/raddb/proxy.conf.

Nicolas Baradakis

--
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting annoying in email?
Re: freeradius performance cpu usage
Fechete Raul wrote:
> what bothers me is that the freeradius is handling such a small amount of authorizations, and keeping the processor usage below 10%. (?!) why doesn't it take 90% and do in the mean time more work?

Perhaps the client doesn't send enough requests to make the server busy. How do you make your tests?

-- Nicolas Baradakis
Re: multiple realm proxying based on huntgroup.
Roy D. Hockett wrote:
> I am trying to figure out a way to have different groups of realm proxies for different NAS/huntgroups. For example, for a VPN resources I don't want realms, but for wireless/wired 802.1x I want to be able to forward to other realms.

In the users file:

DEFAULT Huntgroup-Name == wireless, Proxy-To-Realm := other.com

-- Nicolas Baradakis
Re: accounting and LOCAL realm (freeradius doesn't send Accounting-Response)
Victor wrote:
> Ok, so how can I stop processing accounting with NULL or any other realm in my situation?

Try to replace the file src/main/acct.c in the source tree by the file you can download there:

http://www.freeradius.org/cgi-bin/cvsweb.cgi/~checkout~/radiusd/src/main/acct.c?rev=1.30.2.1

Then rebuild the server and try your setup again: cancelling proxy of accounting with Proxy-To-Realm := LOCAL should work now.

-- Nicolas Baradakis
Re: Proxying with Calling-Station-Id
Stylianos Stylianou wrote:
> I am trying to configure freeradius to proxy requests to another radius based on the Calling Station Id. Can anyone help me how to configure my radius server to do this?

In the users file:

DEFAULT Calling-Station-Id == 0102030405, Proxy-To-Realm := realm1.net

DEFAULT Calling-Station-Id == 0506070809, Proxy-To-Realm := realm2.com

-- Nicolas Baradakis
Re: NAS TABLE
Velikanov wrote:
> I used freeradius-1.0.2 and Oracle with table NAS in Oracle. Everything was OK. But in freeradius-snapshot-20050624 I got such error:
> ...
> rlm_sql (sql): - generate_sql_clients
> rlm_sql (sql): Query: SELECT id,nasname,shortname,type,secret FROM nas
> rlm_sql (sql): Reserving sql socket id: 14
> rlm_sql (sql): nasname of length 19 is greater than the allowed maximum of 3

Thanks for the report. There is indeed a problem in generate_sql_clients() function. It should be fixed now, thus you can update the CVS or download a new CVS snapshot tomorrow.

-- Nicolas Baradakis
Re: Invalid operator for item Suffix: reverting to '=='
[EMAIL PROTECTED] wrote:
> Now it's something different. But it's not telling me where it's at. I checked the users file and they are all == The attrs have some that have =* in them. The log files and the radiusd -xx are not telling me enough where to look or what to look for.
> [...]
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='
> Invalid operator for item Suffix: reverting to '=='

Check the file raddb/hints.

-- Nicolas Baradakis
Re: [Q] Access-Reject logging
Andrey Panin wrote:
> I have rlm_perl module which performs some checks of Access-Request and if rlm_perl returns RLM_MODULE_REJECT freeradius sends Access-Reject, but this Access-Reject doesn't appear in detail log. Is there any way to log Access-Reject's generated in authorize section?

See http://www.freeradius.org/radiusd/doc/Post-Auth-Type

-- Nicolas Baradakis
Re: [Q] Access-Reject logging
Andrey Panin wrote:
> > > I have rlm_perl module which performs some checks of Access-Request and if rlm_perl returns RLM_MODULE_REJECT freeradius sends Access-Reject, but this Access-Reject doesn't appear in detail log. Is there any way to log Access-Reject's generated in authorize section?
> >
> > See http://www.freeradius.org/radiusd/doc/Post-Auth-Type
>
> Been here, done that. It doesn't help, looks like Access-Reject's generated during authorize phase are never passed to post_auth phase.

Are you using the latest release of FreeRADIUS? It was a bug in version 1.0.2 and earlier.

-- Nicolas Baradakis
Re: [Q] Access-Reject logging
Andrey Panin wrote:
> > > I have rlm_perl module which performs some checks of Access-Request and if rlm_perl returns RLM_MODULE_REJECT freeradius sends Access-Reject, but this Access-Reject doesn't appear in detail log. Is there any way to log Access-Reject's generated in authorize section?
> >
> > See http://www.freeradius.org/radiusd/doc/Post-Auth-Type
>
> Been here, done that. It doesn't help, looks like Access-Reject's generated during authorize phase are never passed to post_auth phase.

Indeed. I didn't read carefully enough, but you said the request was rejected in 'authorize' phase, therefore neither 'authenticate' nor 'post-auth' phases will be run.

I think you could catch the reject in 'authorize' using a 'group' stanza.

authorize {
        group {
                my_perl {
                        ok = return
                        reject = 1
                }
                my_detail
        }
}

-- Nicolas Baradakis
Re: stressing freeradius
Lucas Aimaretto wrote:
> I'm willing to know how does my radius behave under high load requirements. Does anybody know which application to use?

Install a CVS snapshot of FreeRADIUS on the machine which runs the client. New options -p and -n have been added to radclient to respectively send 'p' packets in parallel or 'n' packets per second. It's very convenient to run stress tests on the server.

-- Nicolas Baradakis
Re: accounting and LOCAL realm (freeradius doesn't send Accounting-Response)
Victor wrote:
> Ok, so how can I stop processing accounting with NULL or any other realm in my situation?

There're two workarounds:

1. Give up accounting proxying and use radrelay.

2. Remove instances of the 'realm' module in 'preacct' section and write something like this in 'acct_users' file:

# Proxy this one
DEFAULT User-Name =~ foo\.net$, Acct-Type := acct.foo, Proxy-To-Realm := foo.net

# Handle this one locally
DEFAULT User-Name =~ bar\.com$, Acct-Type := acct.bar

-- Nicolas Baradakis
Re: Protection of accounting files
Karl-Jose Filler wrote:
> The file protection of the radius accounting files is currently 0600
>
> [948] ll /var/log/radius/radacct/135.246.192.119/
> total 24
> -rw-------    1 radiusd radiusd 2595 Jun 13 15:25 detail-20050613
> -rw-------    1 radiusd radiusd 5193 Jun 14 15:33 detail-20050614
> -rw-------    1 radiusd radiusd 6018 Jun 15 15:06 detail-20050615
> -rw-------    1 radiusd radiusd 3477 Jun 16 15:38 detail-20050616
>
> Is there a parameter in one of the config files to change this protection?

Look for detailperm in rlm_detail(5) manpage.

-- Nicolas Baradakis
Re: 1.0.4
Paul Hampson wrote:
> > Could you also get 1.0.4 ready? It should be released soon, and I've been busy...
>
> 1.0.4's autoconf'd and tagged in CVS as release_1_0_4, and I believe is ready to ship. (Only build-tested with Debian by me, bug reports welcome. ^_^)

Is it too late now to include in 1.0.4 the clients.conf(5) manpage added recently in CVS head?

-- Nicolas Baradakis
Re: freeradius 1.0.4
Paul Hampson wrote:
> On Thu, Jun 16, 2005 at 03:29:05PM +1200, Andrew Thompson wrote:
> > I maintain the FreeRADIUS port for FreeBSD and am holding off upgrading from 1.0.2 due to the imminent release of 1.0.4 (06 June). There doesn't seem to be any discussion on the mailing lists, is 1.0.4 due soon or should I upgrade to 1.0.3 in the interim?
>
> Sorry about the delay. I'm just about to go prep and tag it, so a release in the next few hours, I hope.

People can get and try the version in CVS before it's officially released. As always, bug reports are welcome.

$ cvs -d :pserver:[EMAIL PROTECTED]:/source login
CVS password: anoncvs
$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd

-- Nicolas Baradakis
Re: 1.0.4
Paul Hampson wrote:
> > Is it too late now to include in 1.0.4 the clients.conf(5) manpage added recently in CVS head?
>
> Only if Alan's already taken a snapshot to tarball. I've just imported and tagged it for release_1_0_4.

Thank you, it was added very quickly.

I also noted a small-tiny-minor thing in debian/control. In Debian stable the default version of MySQL is now 4.0.24-10, therefore I think we could ask for libmysqlclient12-dev instead of libmysqlclient10-dev.

-- Nicolas Baradakis
Re: Debian .deb Installation Version 1.0.2 Ca.all doesn't exist
Michael Langer wrote:
> I read some HowTo's for installing FreeRadius/PEAP and they have used the CA.all script to create the certificates. But I can't find this script after installing FreeRadius deb version 1.0.2 on my PC. Do I have to install other packets? Openssl is already installed. (After installing Freeradius)

It's not an issue of the Debian packet. It's just that script/Makefile doesn't install CA.all.

-- Nicolas Baradakis
Re: Logging SQL queries to logfile
Lucas Aimaretto wrote:
> Is there any way of logging the MSSQL queries (with values) to the radius.log file?

Read rlm_sql(5) manpage and search for the sqltrace option.

-- Nicolas Baradakis
Re: Performance tweaking and testing.
[EMAIL PROTECTED] wrote:
> I will try some more tweaking, but I would like to have a test tool first. So I could see the differences.

Install a CVS snapshot of FreeRADIUS on the machine which runs the client. New options -p and -n have been added to radclient to respectively send 'p' packets in parallel or 'n' packets per second. It's very convenient to run stress tests on the server.

-- Nicolas Baradakis
Re: make install - File format not recognized
Christopher Cover wrote:
> /usr/local/src/radius/freeradius-1.0.3/install-sh -c -m 755 -s radwho /usr/local/bin
> strip: /usr/local/bin/#inst.31097#: File format not recognized
> [...]
> Does anyone have a clue about this?

It was reported many times on the mailing list... Try to replace the src/main/Makefile.in file with this file:

http://www.freeradius.org/cgi-bin/cvsweb.cgi/~checkout~/radiusd/src/main/Makefile.in?rev=1.27.2.5

-- Nicolas Baradakis
Re: radiusd -C
Carl Davis wrote:
> Is there another good option for checking the conf files before doing an HUP?

There is no such option in FreeRADIUS. However, there is a script named check-radiusd-config in the source tarball. (unfortunately this script is broken in version 1.0.2, you have to use a CVS snapshot)

Nicolas Baradakis

--
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting annoying in email?
Re: FreeRadius make ERRORS
Maxo Benalal wrote:
> Thanks Nicolas,
> 1. I've gone to the directory where I downloaded the .gz
> 2. I did the tar xzf freeradius-1.0.2.tar.gz.
> 3. I did the cd freeradius-1.0.2.
> 4. When I do the fakeroot I get an error message saying:
> dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting

Read more carefully the output of dpkg-buildpackage: it tells you which packages are missing on your system.

PS: Please send messages to the list and not to my personal address.

-- Nicolas Baradakis
Re: FreeRadius make ERRORS
Maxo Benalal wrote:
> The unmet dependencies are: libltld3-dev, libsasl2-dev, libsnmp4.2-dev, libiodbc2-dev, libtool1.4, snmp autotools-dev

That means you have to install these packages (with apt-get) before you can build FreeRADIUS on your system.

-- Nicolas Baradakis
Re: Logging in radpostauth
Lorel hardy wrote:
> I would like to know and to do something like log more information in the table radpostauth. Maybe it will be useful to have mac address of the client and the reply message sent by radius?

It's straight forward: add more fields in your SQL table and edit the postauth_query in raddb/sql.conf.

> Is somebody thinking or doing something about it?

There is a general purpose example provided in FreeRADIUS. If you want something specific to your site, I don't think anybody is going to do it in your place.

-- Nicolas Baradakis