Re: What kind of error in client-cert using EAP?
I don't know if my chiming in will make a difference or not, but Windows can authenticate with a machine certificate or a user certificate. If you're doing the machine certificates, please say so; I'm a little confused as to what exactly you are doing now.

-Bob

Thibault Le Meur wrote:

Hello Alan,

Alan DeKok schrieb:

No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem.

Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing else than on the other machines where it works since 2 weeks. Just to make it explicit: I create a user cert in TinyCA2 (Linux). I export the cert as a p12 and include the key and the CA into that p12 container. I also disable the passphrase. I put that file on the network where the client can find it.

I have a similar configuration working (EAP-TLS for XP and TinyCA generated certs). I found out that the way certificates are created is important. Can you check the following procedure (something I have already posted to you in this list, sorry for reposting it ;-) ).

* Create a certificate per host:
  - cn must contain the Netbios name of the PC
  - the extension SubjectAltName must contain the Netbios name of the PC (I think)
  - The field Extended Key Usage must contain the option 'TLS Web Client Authentication' (OID 1.3.6.1.5.5.7.3.2)
  - Note that the Radius server's certificate must contain the 1.3.6.1.5.5.7.3.1 extension
  - The certificate can be exported into a PKCS12 file .p12 (this includes the private key).

The certificate MUST be installed in the HOST CERTIFICATE STORE (simply double-clicking the file will NOT work): run 'mmc' and add the snap-in 'Certificates (Local Computer)', then in the private folder import the .p12 file, and in the Trusted Root CA folder the CA certificate.

Can you check the Netbios names and CN correspondence?

I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this?

On the client I open the MMC as local admin and include the snap-in Certificates for Local Computer. Then I import the created cert into My Certificates and copy the CA cert into the trusted certification centers tree (it's in German). It worked for another 2 W2K PCs and for four XP Pro SP2 PCs.

This is ok, but are the certificates _exactly_ generated in the same way? Can you post 2 certificates: one which is working, another that is not?

Could you also check the certs' validity date and the system time of your hosts?

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius dies, on certificate verification
Just as a follow up, this has solved my issue.

Alan DeKok wrote:

Robert Myers wrote:
I got the following when running radiusd -X with openssl 0.9.7c on gentoo, radius 1.1.1-r1

1.1.3 was released a few weeks ago. Try it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Radius dies, on certificate verification
I'm wondering if anyone else has seen this. My setup is as follows: Siemens controller doing .1x auth, EAP-TLS. Both requests are from different users, and what I have now is set max_requests_per_server to 300. Doesn't seem to have helped, as radwatch is reporting that another radiusd died. Could this simply be an error with the specific certificates? I haven't looked at it long enough to determine if the same two or three requests are killing radiusd...

I got the following when running radiusd -X with openssl 0.9.7c on gentoo, radius 1.1.1-r1:

modcall[authorize]: module sql returns notfound for request 14091
modcall: leaving group authorize (returns updated) for request 14091
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14091
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
*** glibc detected *** free(): invalid pointer: 0x0b415350 ***
Aborted

I had thought that perhaps this was an error with openssl, so I recompiled with 0.9.8 openssl on gentoo, radiusd 1.1.1-r1, and now I get this:

modcall[authorize]: module sql returns notfound for request 13856
modcall: leaving group authorize (returns updated) for request 13856
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13856
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: TLS 1.0 Handshake [length 0297], Certificate
Segmentation fault
Re: Radius dies, on certificate verification
Alan,

Thanks, I will do that. Do you think this is just a quirk in 1.1.1?

-Bob

Alan DeKok wrote:

Robert Myers wrote:
I got the following when running radiusd -X with openssl 0.9.7c on gentoo, radius 1.1.1-r1

1.1.3 was released a few weeks ago. Try it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Regarding VLAN attributes
I realize this is about a month later, but I pass down the VLAN id with Tunnel-Private-Group-Id = int, where int is the VLAN id. I dunno if that'll help you or not. :)

-Bob

radhika putty wrote:

Hi.. When we use VLAN tunneled attributes how do we send the VLAN id value? For ex, if I give a vlan group 10 when configuring the switch, how do I pass that attribute in my program? In the value field I need to set it as 10 or VLAN10?
CRL not working....
I'm having some odd troubles here with the check_crl = yes. I've added what I think are the appropriate config file directives; I must be missing something. Here is the debug output, any help would be much appreciated.

-Bob

rad_recv: Access-Request packet from host 192.168.2.169:1038, id=37, length=208
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.2.169
    NAS-Identifier = PU-5300
    User-Name = rmyers-cmd
    Service-Type = Administrative-User
    Framed-Protocol = PPP
    NAS-Port = 13
    NAS-Port-Type = Ethernet
    NAS-Port-Id = A13
    Called-Station-Id = 00-13-21-ba-14-00
    Calling-Station-Id = 00-11-11-64-a1-e6
    Connect-Info = CONNECT Ethernet 100Mbps Full duplex
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 1
    EAP-Message = 0x0206000f01726d796572732d636d64
    Message-Authenticator = 0xab51b4a66e5e063bf6ecb0244e478fd6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
modcall[authorize]: module chap returns noop for request 5
modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = rmyers-cmd, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
rlm_eap: EAP packet type response id 6 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 5
users: Matched entry DEFAULT at line 157
users: Matched entry DEFAULT at line 188
modcall[authorize]: module files returns ok for request 5
radius_xlat: 'rmyers-cmd'
rlm_sql (sql): sql_set_user escaped user -- 'rmyers-cmd'
radius_xlat: 'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'rmyers-cmd' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'rmyers-cmd' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): User rmyers-cmd not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'rmyers-cmd' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'rmyers-cmd' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply, usergroup WHERE usergroup.Username = 'rmyers-cmd' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply, usergroup WHERE usergroup.Username = 'rmyers-cmd' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): User rmyers-cmd not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns notfound for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 37 to 192.168.2.169:1038
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    EAP-Message = 0x010700060d20
    Message-Authenticator = 0x
    State = 0x011fcb927c106af30a76bf45e031e026
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.169:1038, id=38, length=291
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.2.169
    NAS-Identifier = PU-5300
    User-Name = rmyers-cmd
    Service-Type = Administrative-User
    Framed-Protocol = PPP
    NAS-Port = 13
    NAS-Port-Type = Ethernet
Sending Access-Accept for everyone.
Is there a way to send Access-Accept all of the time? I've tried to do the DEFAULT in username, but that didn't seem to work for me.

-Bob
TNC Compliance
Is FreeRadius TNC compliant?

-Bob
Re: set Tunnel Private Group ID based on OU in certificate?
What I'm doing to set these is via the rlm_sql module. The tables are pretty straightforward, and could be manipulated programmatically. The sql tables are set up just like the users file, and have group support and all. Maybe when you issue the cert, you could do some inserts into the DB?

-Bob

Carl Wahlin wrote:

Hello,

Quite new to radius, so this might be a stupid question, although I have been searching Google for the last 2 hours trying to find the answer without any luck...

So, we are testing Cisco's new Airespace wlan controller and would like to map users based on OrganizationalUnit (or something else) in the certificate to a specific VLAN. Cisco calls this feature of changing default values with radius "AAA override". There are a few more things you can change (QoS profile etc), but we are only interested in the VLAN for now.

I have managed to get it working for all EAP authentications, but that does not at all serve my needs more than that I see that my wlan controller interprets the radius message correctly.

DEFAULT Auth-Type := EAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2

So how can I get selective and change the Group-Id based on stuff in the certificate?

/Carl W.
Re: set 'Tunnel Private Group ID' based on OU in certificate?
Well, you'd approach it the same way you'd do group authentication in the users file. Check out the users file documentation, then just understand that rlm_sql is just another users file.

-Bob

Carl Wahlin wrote:

What I'm doing to set these is via the rlm_sql module. The tables are pretty straightforward, and could be manipulated programmatically. The sql tables are set up just like the users file, and have group support and all. Maybe when you issue the cert, you could do some inserts into the DB?

-Bob

Sounds like something I should take a look at. I don't think I would need a separate entry for each cert. I would need one for each group of users belonging to, i.e., an OU. Not sure if I would be able to do this with the rlm_sql module, but I'll take a look.

/Carl

Carl Wahlin wrote:

Hello,

Quite new to radius, so this might be a stupid question, although I have been searching Google for the last 2 hours trying to find the answer without any luck...

So, we are testing Cisco's new Airespace wlan controller and would like to map users based on OrganizationalUnit (or something else) in the certificate to a specific VLAN. Cisco calls this feature of changing default values with radius "AAA override". There are a few more things you can change (QoS profile etc), but we are only interested in the VLAN for now.

I have managed to get it working for all EAP authentications, but that does not at all serve my needs more than that I see that my wlan controller interprets the radius message correctly.

DEFAULT Auth-Type := EAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2

So how can I get selective and change the Group-Id based on stuff in the certificate?

/Carl W.
Re: Client certs with MSCHAPV2 in PEAP
Does this only apply if the supplicant uses a server cert during eap/tls? The reason I ask is that I'm using a client cert signed by my CA to do eap/tls, and it's working. I have not implemented the server cert as of yet.

-Bob

Alan DeKok wrote:

Dave Huff wrote:
For EAP-TLS to work, the client certs have to be signed by the server cert.
Signed by the server cert or by the CA cert? I have a CA that signed the server and client certs, and the eap.conf file knows where server and CA certs are.

If you're using 1.0.x, that won't work. It doesn't do certificate chains. The client cert MUST be signed by the server cert. Using a CA to sign them both won't work. I'm not even sure it will work in 1.1.0, to be honest.

Alan DeKok.
Re: Client certs with MSCHAPV2 in PEAP
Looks like that's set in the users file, as the entry for that email says DEFAULT.

Dave Huff wrote:

I would like to configure this setup using Freeradius. My WinXP client (Intel ProSET) supports this, but FR chokes on it when enabled. I've got PEAP-EAP-MSCHAPV2 working with just password authentication. I noted this http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html but was unable to figure out where the

DEFAULT EAP-TLS-Require-Client-Cert := Yes

should be set. Relative Linux/Freeradius noob, FC4/2.6.15-1.1831, Freeradius 1.0.4.

Thanks,
Dan H
Cisco EAP/TLS not working
I'm having a problem with my Cisco 2950 and EAP/TLS... I've already configured this to work on my HP 5300, so I'd assume that everything on the freeradius end is proper. However I am receiving this from the debug log:

rad_recv: Access-Request packet from host 192.168.2.161:1812, id=9, length=116
    NAS-IP-Address = 192.168.2.161
    NAS-Port = 50012
    NAS-Port-Type = Ethernet
    User-Name = client
    Called-Station-Id = 00-09-7C-3E-92-0C
    Calling-Station-Id = 00-11-11-64-A1-E6
    Service-Type = Framed-User
    Framed-MTU = 1500
    EAP-Message = 0x
    Message-Authenticator = 0x21afff778d4fa2ead6e802a75517
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = client, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: Got EAP_START message
modcall[authorize]: module eap returns handled for request 0
modcall: group authorize returns handled for request 0
Sending Access-Challenge of id 9 to 192.168.2.161:1812
    EAP-Message = 0x0101000501
    Message-Authenticator = 0x
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 9 with timestamp 43fc4990
Nothing to do. Sleeping until we see a request.

Then this from the switch:

43: *Mar 1 01:16:24: %DOT1X-5-ERR_INVALID_AAA_ATTR: Got invalid AAA attribute settings from RADIUS server

My question is, for anyone who has set this up, what must I do in the Cisco world to make this work?

-Bob
Re: Machine Authentication
I've not done PEAP yet, but I have done EAP/TLS; there is a good document on the main web page for EAP/TLS and maybe it will shoot you in the right direction. Check out the news items from Oct 5, 2004, and 11 May 2004; I've used both and they are extremely helpful.

-Bob

Gilmour, Scott wrote:

Hi,

I am setting up PEAP authentication and am using Windows 2003 Server Active Directory. I am unable to authenticate using PEAP with user Authentication but not with Machine Authentication. Is there something else I need to set up on FreeRadius to get this to work? Also, is there a setup document somewhere where I can go through and double check my setup? I have searched online and have been unable to find anything to help me with this.

Thanks,
Scott Gilmour
Software Engineer
ENET, ENSRT
Enterasys Networks
Phone: 978-684-1236
www: http://www.enterasys.com
Auth from LDAP, then add reply via SQL
I must be missing this in the documentation. If I authenticate via the users file/LDAP/SQL, is there a way to add replies from the radcheck table in sql?

-Bob
Re: Auth from LDAP, then add reply via SQL
Sorry, this would be the radreply table, not the radcheck table, as the radcheck is for checking attributes. :) My bad. :)

-Bob

Robert Myers wrote:
I must be missing this in the documentation. If I authenticate via the users file/LDAP/SQL, is there a way to add replies from the radcheck table in sql?
Re: Auth from LDAP, then add reply via SQL
Well, I sorted my mistake. What I was trying to do was have a user in the 'users' file with a password set, then check the sql radreply table. I'm guessing this won't work, as the sql tables mimic the users file and are mutually exclusive. And there really wouldn't be a need to have a user in the 'users' file, as you could just put them in the radcheck table with the appropriate local password.

I was able to authenticate via EAP, then from the radcheck table find my user, then from the radreply table get the appropriate attributes.

-Bob

Robert Myers wrote:
I must be missing this in the documentation. If I authenticate via the users file/LDAP/SQL, is there a way to add replies from the radcheck table in sql?
Question about Authentication flow.
I'm trying to understand how to send dynamic replies based on user. If I authenticate via LDAP or some other mechanism, I can authorize via the sql tables? Is that right?

-Bob
Re: Question about Authentication flow.
So let me ask you this: this allows me to set specific replies for each user. How would I go about setting replies for groups of users, when I don't know the specific usernames? Like if I'd want to assign a specific reply based on an LDAP group?

-Bob

Alan DeKok wrote:

Robert Myers wrote:
If I authenticate via LDAP or some other mechanism, I can authorize via the sql tables?

Yes. All of the modules are completely independent of each other.

Alan DeKok.
Re: Question about Authentication flow.
The documentation is how I found out what questions to ask. :) Thanks for the point in the right direction.

-Bob

Alan DeKok wrote:

Robert Myers wrote:
How would I go about setting replies for groups of users, when I don't know the specific usernames? Like if I'd want to assign a specific reply based on an LDAP group?

You would read the documentation for the LDAP module, and see how to use LDAP groups. The server *does* come with documentation, and many examples.

Alan DeKok.
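Two threads on this page circle the same mechanism: Bob's suggestion (in the "Tunnel Private Group ID based on OU" thread) that rlm_sql is "just another users file" with group support, and his later question about replies for a group of users rather than named users. As an added example (mine, not the FreeRADIUS schema or code) the SQLite model below shows how that works: radcheck/radreply hold per-user rows, usergroup maps users to a group, radgroupreply holds the group's rows, and the two sets are merged with the users-file operator rules ('=' only if absent, ':=' replace, '+=' append). The query shapes follow the radcheck and usergroup-join queries in the debug output earlier on the page; the order in which this demo merges rows (the user's radreply first, then the group's) is an assumption of the demo, not something the page states. All sample data is constructed.

```python
"""SQLite model of the rlm_sql per-user and per-group reply lookup discussed
in this thread.  Added example, not the FreeRADIUS schema or code; the merge
order (user rows first, then group rows) is an assumption of this demo."""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, Op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Op TEXT, Value TEXT);
"""

# Constructed sample data: one group that lands everyone in VLAN 10 by default,
# one user (alice) with a per-user override.
SAMPLE_RADCHECK = [("bob", "User-Password", "==", "bobpass"),
                   ("alice", "User-Password", "==", "alicepass")]
SAMPLE_USERGROUP = [("bob", "sales"), ("alice", "sales")]
SAMPLE_GROUPREPLY = [("sales", "Tunnel-Type", ":=", "VLAN"),
                     ("sales", "Tunnel-Medium-Type", ":=", "IEEE-802"),
                     ("sales", "Tunnel-Private-Group-Id", "=", "10"),   # default only
                     ("sales", "Session-Timeout", ":=", "3600")]        # always forced
SAMPLE_RADREPLY = [("alice", "Tunnel-Private-Group-Id", ":=", "20"),
                   ("alice", "Session-Timeout", ":=", "600")]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck (UserName, Attribute, Op, Value) VALUES (?,?,?,?)", SAMPLE_RADCHECK)
    conn.executemany("INSERT INTO usergroup VALUES (?,?)", SAMPLE_USERGROUP)
    conn.executemany("INSERT INTO radgroupreply (GroupName, Attribute, Op, Value) VALUES (?,?,?,?)", SAMPLE_GROUPREPLY)
    conn.executemany("INSERT INTO radreply (UserName, Attribute, Op, Value) VALUES (?,?,?,?)", SAMPLE_RADREPLY)
    return conn

# Same shape as the radcheck query and the usergroup join in the debug output.
Q_USER = "SELECT Attribute, Op, Value FROM %s WHERE UserName = ? ORDER BY id"
Q_GROUP = ("SELECT g.Attribute, g.Op, g.Value FROM radgroupreply g, usergroup u "
           "WHERE u.UserName = ? AND u.GroupName = g.GroupName ORDER BY g.id")

def merge(reply, rows):
    """Users-file operator rules: '=' adds only if absent, ':=' replaces, '+=' appends."""
    for attr, op, value in rows:
        if op == ":=":
            reply[attr] = [value]
        elif op == "+=":
            reply.setdefault(attr, []).append(value)
        elif op == "=":
            reply.setdefault(attr, [value])
        else:
            raise ValueError("unsupported reply operator %r" % op)
    return reply

def authorize(conn, username):
    """Return ('ok', reply_attributes) or ('notfound', {}) like rlm_sql's authorize."""
    check_rows = conn.execute(Q_USER % "radcheck", (username,)).fetchall()
    group_rows = conn.execute(Q_GROUP, (username,)).fetchall()
    if not check_rows and not group_rows:
        return "notfound", {}               # the "User not found" case in the debug output
    reply = merge({}, conn.execute(Q_USER % "radreply", (username,)).fetchall())
    return "ok", merge(reply, group_rows)

if __name__ == "__main__":
    db = build_sample_db()
    for user in ("bob", "alice", "carol"):
        print(user, authorize(db, user))
```

The point of the operators: a group row with `=` is a default that a per-user `:=` row can override (alice keeps VLAN 20, bob gets 10), while a group row with `:=` wins over whatever the user row said (both get Session-Timeout 3600). Mapping an LDAP group or a certificate OU to a VLAN then reduces to keeping usergroup in sync with the directory or the CA, which is what the "do some inserts when you issue the cert" remark amounts to.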
Re: Root Certificate via ADS
This is probably really a question for a Windows mailing list. :) You can install the root certificates via GPO under Computer Configuration - Windows Settings - Security Settings - Public Key Policies. The problem you're going to run into is configuring the 802.1x client on all 300 machines; it's quite a manual process. :)

Good luck and HTH

-Bob

Armin Krämer wrote:

Hi,

I'm planning to install my generated root certificate via W2k ADS to the clients. How can I do this via ADS? What do I have to do in ADS and Group Policies?

The second question is that I will have to set a mark onto my certificate at the Trusted Root Certificate field at the network connection (hope you understand what I mean). How can I do this? Install the root certificate and set this mark so that I can use EAP-TLS with Freeradius? I don't want to put it on 300 clients by hand :-)

Thanks
Armin
Re: EAP/TLS work but with errors
You can also add the following to a file called xpextensions:

# cat xpextensions
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Then when you sign the cert, you add -extfile xpextensions -extensions xpclient_ext (or xpserver_ext for the server cert). That should get rid of the error, I believe. I found all of this in the EAP-TLS howto, right off the main page of the freeradius site.

-Bob

Alan DeKok wrote:

Frank Büttner wrote:
When a client tries to log in with a valid certificate it works. But I get this error: TLS_accept:error in SSLv3 read client certificate A

Ignore it.

Alan DeKok.
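Thibault's checklist near the top of this page and the xpextensions file above come down to the same two OIDs (1.3.6.1.5.5.7.3.2 on the client cert, 1.3.6.1.5.5.7.3.1 on the RADIUS server cert) plus a SubjectAltName carrying the host name. As an added example (mine, not from the list or the FreeRADIUS howto), the script below pulls those two extensions out of a DER certificate with a minimal ASN.1 walker, so a cert can be checked before it is pushed into the host certificate store. `load_pem` is for real certificate files; `build_sample_cert` assembles a constructed, unsigned placeholder with only the extensions filled in, purely to exercise the parser. The host name "LAB-PC01" is made up.

```python
"""Pull Extended Key Usage and Subject Alternative Name out of an X.509 DER
certificate with a minimal ASN.1 walker.  Added example for this thread (not
from the list or FreeRADIUS); the sample certificate built at the bottom is a
hand-assembled, unsigned placeholder with only the extensions filled in."""
import base64

CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # the xpclient_ext EKU
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # the xpserver_ext EKU
EKU_OID, SAN_OID = "2.5.29.37", "2.5.29.17"

def der(tag, body):
    """Encode one DER TLV (only needed to build the sample certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """All (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def encode_oid(s):
    arcs = [int(a) for a in s.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def load_pem(text):
    """PEM -> DER, for running the checks on a real certificate file."""
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

def cert_extensions(cert_der):
    """Map extension OID -> raw extnValue bytes."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs = children(cert)[0]                  # tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            exts = {}
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)           # OID, optional critical BOOLEAN, OCTET STRING
                exts[decode_oid(parts[0][1])] = parts[-1][1]
            return exts
    return {}

def eku_oids(exts):
    if EKU_OID not in exts:
        return []
    return [decode_oid(v) for t, v in children(read_tlv(exts[EKU_OID], 0)[1]) if t == 0x06]

def san_dns_names(exts):
    if SAN_OID not in exts:
        return []
    return [v.decode("ascii") for t, v in children(read_tlv(exts[SAN_OID], 0)[1]) if t == 0x82]

def eap_tls_problems(cert_der, role, expected_name=None):
    """role is 'client' or 'server'; returns the checklist items the cert fails."""
    exts = cert_extensions(cert_der)
    need = CLIENT_AUTH if role == "client" else SERVER_AUTH
    problems = []
    if need not in eku_oids(exts):
        problems.append("missing extendedKeyUsage %s for %s" % (need, role))
    if expected_name and expected_name not in san_dns_names(exts):
        problems.append("subjectAltName has no dNSName %s" % expected_name)
    return problems

def build_sample_cert(ekus, dns_names):
    """Constructed test input: real outer structure, empty placeholder fields, no signature."""
    ext = lambda oid, inner: der(0x30, der(0x06, encode_oid(oid)) + der(0x04, inner))
    eku = ext(EKU_OID, der(0x30, b"".join(der(0x06, encode_oid(o)) for o in ekus)))
    san = ext(SAN_OID, der(0x30, b"".join(der(0x82, n.encode("ascii")) for n in dns_names)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 5 + der(0xA3, der(0x30, eku + san)))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    good = build_sample_cert([CLIENT_AUTH], ["LAB-PC01"])
    print(eap_tls_problems(good, "client", "LAB-PC01"))
    print(eap_tls_problems(build_sample_cert([SERVER_AUTH], []), "client", "LAB-PC01"))
```

With openssl at hand the same check is `openssl x509 -in host.pem -noout -text` and reading the Extended Key Usage and Subject Alternative Name blocks; the walker is for the case where a provisioning script has to refuse a cert automatically rather than rely on someone eyeballing the output. Note that a cert carrying only the server OID will be silently ignored by the Windows supplicant as a client cert, which matches the "there is NO client cert" symptom at the top of the page.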
Sending radius attributes....
Is there any way to send back specific radius attributes based on a sql query? So, say I have a user, and then I want to send back a specific attribute based on some other information. Is this a case for a custom module?

-Bob
postgres sql accounting....
Anyone seen this? I'm getting some strange errors from postgres; it's almost as if my queries aren't filled in the whole way. What am I missing? Is my switch just not returning all of the proper accounting info?

-Bob

--- Walking the entire request list ---
Cleaning up request 2 ID 87 with timestamp 43e8bcea
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 192.168.2.160:1045, id=90, length=70
    User-Name = root
    User-Password = something
    NAS-IP-Address = 192.168.2.160
    NAS-Identifier = HP5304
    NAS-Port-Type = Virtual
    Service-Type = NAS-Prompt-User
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
modcall[authorize]: module chap returns noop for request 5
modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = root, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 5
users: Matched entry DEFAULT at line 157
modcall[authorize]: module files returns ok for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type System
auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_unix: [root]: invalid password
modcall[authenticate]: module unix returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 88 with timestamp 43e8bcec
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 90 to 192.168.2.160:1045
Waking up in 2 seconds...
rad_recv: Accounting-Request packet from host 192.168.2.160:1050, id=91, length=99
    Acct-Session-Id = 00070009
    Acct-Status-Type = Stop
    Service-Type = NAS-Prompt-User
    Acct-Authentic = Local
    Acct-Delay-Time = 15
    NAS-IP-Address = 192.168.2.160
    NAS-Identifier = HP5304
    Calling-Station-Id = 192.168.2.152
    Acct-Terminate-Cause = User-Request
    Acct-Session-Time = 29
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 6
modcall[preacct]: module preprocess returns noop for request 6
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.2.160,NAS-IP-Address = 192.168.2.160,Acct-Session-Id = 00070009,'
rlm_acct_unique: Acct-Unique-Session-ID = e8b7a55267489b1f.
modcall[preacct]: module acct_unique returns ok for request 6
rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall[preacct]: module suffix returns noop for request 6
modcall[preacct]: module files returns noop for request 6
modcall: group preacct returns ok for request 6
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 6
radius_xlat: '/var/log/radius/radacct/192.168.2.160/detail-20060207'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.2.160/detail-20060207
modcall[accounting]: module detail returns ok for request 6
modcall[accounting]: module unix returns noop for request 6
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: ''
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
modcall[accounting]: module radutmp returns noop for request 6
radius_xlat: ''
radius_xlat: 'UPDATE radacct SET AcctStopTime = (now() - '15'::interval), AcctSessionTime = NULLIF('29', '')::bigint, AcctInputOctets = (('0'::bigint << 32) + '0'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint), AcctTerminateCause = 'User-Request', AcctStopDelay = '15', FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '00070009' AND UserName = '' AND NASIPAddress = '192.168.2.160' AND AcctStopTime IS NULL'
radius_xlat: '/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = (now() - '15'::interval), AcctSessionTime = NULLIF('29', '')::bigint, AcctInputOctets = (('0'::bigint << 32) + '0'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint), AcctTerminateCause = 'User-Request', AcctStopDelay = '15', FramedIPAddress = NULLIF('', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '00070009'