Re: Add LDAP groups as extra attributes

2013-03-19 Thread Robin Helgelin
On Fri, Mar 15, 2013 at 2:03 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
 I know, but that attribute isn't presented to the python function call. Is 
 there another way such as an environmental variable or just please update 
 the source? :)

 Did you check the control list (config item tuple)?

As far as I can tell, the module only provides the request packet,
request-packet-vps

It does however update the config if provided from the module function.

-- 
regards,
Robin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Add LDAP groups as extra attributes

2013-03-15 Thread Robin Helgelin
On 14 mar 2013, at 18:44, Arran Cudbard-Bell wrote:
 
 That'd be the LDAP-UserDN attribute…

I know, but that attribute isn't presented to the python function call. Is 
there another way such as an environmental variable or just please update the 
source? :)


regards,
Robin


Re: Add LDAP groups as extra attributes

2013-03-14 Thread Robin Helgelin
On 14 mar 2013, at 11:06, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 03/13/2013 07:45 PM, Robin Helgelin wrote:
 
 First problem is that I need to rewrite the output from ldap to
 something the radius-client finds useful. But there are radius modules
 for rewriting things right?
 
 Yes, though TBH manipulating LDAP DNs in unlang/attr_rewrite is going to be a 
 pain. You might have to fall back on one of the scripting language modules, 
 as Arran says.

Yes, I ended up writing a small python script, works very nicely :)

The only thing missing is if it's possible for the ldap module to set an 
attribute with the user's full DN to be available for the python module. 

Regards,
Robin


Add LDAP groups as extra attributes

2013-03-13 Thread Robin Helgelin
Hi!

I want to add the LDAP user's current groups as extra attributes to the
authentication reply.

Is it possible? I'm having a hard time finding documentation about this.


Thanks!
Robin


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Robin Helgelin
On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
 Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS 
 attribute, and add the RADIUS attribute to raddb/dictionary (taking care to 
 note the comments about numbering i.e. pick a number from 3000-3999). Don't 
 re-use an existing attribute - many of the xxGroup attributes have magic 
 behaviour hooks.

 Phil is correct, but this will only work for something like AD, where you 
 have memberOf attributes which link a user account to a group.

 This also doesn't really work if you want a group name, and the membership 
 attributes specify a group DN, though it'd probably be pretty easy to figure 
 out the group name later (you could even do it within unlang if you're using 
 FR 3.0).

Thanks, we're using the memberof overlay, and that might be working.

First problem is that I need to rewrite the output from ldap to
something the radius-client finds useful. But there are radius modules
for rewriting things right?

Next problem seems to be that freeradius ignores when ldap is
returning more than one group, am I correct?

-- 
regards,
Robin
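As an added illustration of the group DN versus group name point in this message (this code is not from the thread and is not Robin's script): the Python below turns memberOf-style group DNs into one reply attribute per group, in the (return code, reply tuple, config tuple) form that rlm_python module functions can return. It goes a little beyond the thread by handling escaped characters in DNs and by skipping groups outside a trusted base DN. The attribute name Example-Group-Name, the base DN and the sample DNs are assumptions constructed for the example, and how the memberOf values reach the script is left open.

```python
import string

# Return codes mirrored from FreeRADIUS's radiusd.py so this runs outside the
# server; inside rlm_python you would use radiusd.RLM_MODULE_NOOP / _UPDATED.
RLM_MODULE_NOOP = 7
RLM_MODULE_UPDATED = 8

# Assumptions for this example (not from the thread):
GROUP_BASE = "ou=groups,dc=example,dc=com"  # only groups below this DN are used
REPLY_ATTR = "Example-Group-Name"           # hypothetical raddb/dictionary entry

# Constructed sample values, as a memberOf overlay or AD might return them.
SAMPLE_MEMBER_OF = [
    "cn=WebUsers,ou=groups,dc=example,dc=com",
    "CN=Ops\\, Network,OU=Groups,DC=example,DC=com",  # escaped comma in the name
    "cn=Mail\\2BUsers,ou=groups,dc=example,dc=com",   # hex escape, \2B is '+'
    "cn=admins,ou=people,dc=example,dc=com",          # outside GROUP_BASE: skipped
]


def split_unescaped(text, sep):
    """Split on sep while leaving backslash-escaped characters untouched."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair for unescape()
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    r"""Decode RFC 4514 escapes: pairs such as '\,' and hex bytes such as '\2C'."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8", errors="replace")


def rdns(dn):
    """DN -> list of RDN strings, lower-cased and stripped (a simple comparison
    form; it does not normalise spaces around '=')."""
    return [r.strip().lower() for r in split_unescaped(dn, ",")]


def under_base(dn, base=GROUP_BASE):
    """True only if dn lies strictly below base."""
    got, want = rdns(dn), rdns(base)
    return len(got) > len(want) and got[-len(want):] == want


def group_name(dn, naming_attr="cn"):
    """Return the naming attribute value from the first RDN, or None."""
    first_rdn = split_unescaped(dn, ",")[0]
    for ava in split_unescaped(first_rdn, "+"):  # multi-valued RDN support
        attr, sep, value = ava.partition("=")
        if sep and attr.strip().lower() == naming_attr:
            return unescape(value.lstrip())
    return None


def group_reply(member_of):
    """Build the tuple an rlm_python function returns: one pair per group."""
    names = []
    for dn in member_of:
        if not under_base(dn):
            continue
        name = group_name(dn)
        if name and name not in names:
            names.append(name)
    if not names:
        return (RLM_MODULE_NOOP, (), ())
    return (RLM_MODULE_UPDATED, tuple((REPLY_ATTR, n) for n in names), ())


if __name__ == "__main__":
    print(group_reply(SAMPLE_MEMBER_OF))
```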


Re: Add LDAP groups as extra attributes

2013-03-13 Thread Robin Helgelin
On 13 mar 2013, at 20:52, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 Next problem seems to be that freeradius ignores when ldap is
 returning more than one group, am I correct?
 
 Ignores what?
 
 If you're talking about an xlat query, then yes, it'll only provide the first 
 result.

Yes, and there are no workarounds to that? More than editing the code I guess :)

Would it be possible for another post-auth module to do this instead? As the 
ldap module itself seems not quite what I'm trying to do here. 

Regards,
Robin


Dial up error and freeradius is down

2011-04-01 Thread Robin
Hi Friends,

I met a problem with FreeRADIUS 2.1.9 (MySQL + CentOS, about 500 PPPoE users) as
below:

In general, I found some users couldn't dial to radius and log information
as below

-  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524

-  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.

I have two guesses:

-  Bandwidth is insufficient from pppoe server to radius server;

-  Server running radius of capability is insufficient.

Could you help me?

Thank you very much.

Robin

 


RE: Dial up error and freeradius is down

2011-04-01 Thread Robin
Actually, I think I have enough bandwidth to handle 500 users request.

But I can't understand what reason due to the problem and report these info
in log.

Thanks.

Robin

-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Mark Holmes
Sent: Friday, April 01, 2011 11:23 PM
To: FreeRadius users mailing list
Subject: RE: Dial up error and freeraius is down

Hi,

-  Bandwidth is insufficient from pppoe server to radius server;
-  Server running radius of capability is insufficient.

You don't say what bandwidth etc you are on or what spec the server is, but
unless it's pretty low end I'd be surprised if that was the issue if you
only have 500 users.

Cheers,

Mark





Nuffield College is a Registered Charity No. 1137506. Registered Office:
Nuffield College, New Road, Oxford, OX1 1NF



RE: Dial up error and freeradius is down

2011-04-01 Thread Robin
Hi,

If I can understand it, my freeradius for some reason has slowed due to
response behind time?

Thanks.

Robin

-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Alan Buxey
Sent: Saturday, April 02, 2011 1:58 AM
To: FreeRadius users mailing list
Subject: Re: Dial up error and freeraius is down

Hi,

 -  Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request
 from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
 
 -  Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet
 from client mpth12 port 40039 - ID: 129 due to recent request 10524.

almost always because your backend didn't answer in time.

alan


RE: Dial up error and freeradius is down

2011-04-01 Thread Robin
Hi,

Thanks for your suggestion.

I will clean records from radacct and check my reporting system if it affects
freeradius operations.

Robin


-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Fajar A. Nugraha
Sent: Saturday, April 02, 2011 10:41 AM
To: FreeRadius users mailing list
Subject: Re: Dial up error and freeraius is down

On Sat, Apr 2, 2011 at 9:20 AM, Robin freerad...@itpm.net wrote:
 Hi,

 If I can understand it, my freeradius for some reason has slowed due 
 to response behind time?

I don't understand what you mean by "my freeradius for some reason has
slowed due to response behind time", but like Alan said, the cause of that
log is usually because your backend (mysql?) didn't return a timely response,
which causes the NAS to re-send the request. When FR receives the duplicate
request, it discards the request since it detects it's still processing the
old one.

Things you might want to check:
- is there a bottleneck in your MySQL? Sometimes a reporting query locks the
tables so other queries (like select/insert from FR) can't be processed.
- how big is your radacct table? When unmaintained, it can have millions of
records, and some FR features (like sqlcounter, or simultaneous use checking)
read entries in radacct
- how efficient is your sql schema? Having lots of indexes can speed up
certain select queries, but it can kill write
(insert/update/delete) performance.

In other words, get a DBA, check your MySQL setup.

--
Fajar
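To see how long the backend is keeping requests open, the discard messages discussed in this thread can be grouped per client and per request number. The following Python is an added example, not code from any poster or from FreeRADIUS; the first two sample lines are the ones quoted in the thread and the remaining lines (including the client name nas-b) are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the two radius.log messages quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Error: Discarding "
    r"(?P<kind>duplicate request|conflicting packet) from client (?P<client>\S+) "
    r"port (?P<port>\d+) - ID: (?P<id>\d+) "
    r"due to (?:unfinished|recent) request (?P<req>\d+)\.?\s*$"
)

# First two lines are quoted in the thread; the others are constructed.
SAMPLE_LOG = [
    "Fri Apr  1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524",
    "Fri Apr  1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.",
    "Fri Apr  1 19:22:14 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10530",
    "Fri Apr  1 19:22:19 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10530",
    "Fri Apr  1 19:22:24 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10530",
    "Fri Apr  1 19:22:25 2011 : Error: Discarding duplicate request from client nas-b port 1645 - ID: 7 due to unfinished request 77",
    "Fri Apr  1 19:22:30 2011 : Info: Ready to process requests.",
]


def parse_line(line):
    """Return a dict for a discard message, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "kind": m.group("kind"),
        "client": m.group("client"),
        "packet_id": int(m.group("id")),
        "request": int(m.group("req")),
    }


def summarize(lines):
    """Group discards by (client, request number) with first/last timestamps."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups.setdefault(
            (rec["client"], rec["request"]),
            {"discards": 0, "first": rec["time"], "last": rec["time"], "kinds": set()},
        )
        g["discards"] += 1
        g["first"] = min(g["first"], rec["time"])
        g["last"] = max(g["last"], rec["time"])
        g["kinds"].add(rec["kind"])
    return groups


def discards_per_client(lines):
    """How many packets were discarded for each NAS client."""
    return Counter(rec["client"] for rec in map(parse_line, lines) if rec)


def stalled_requests(lines, min_seconds=5):
    """Requests whose discards span at least min_seconds, longest first.

    The span between the first and last discard naming the same request is the
    time over which the NAS kept retransmitting while that request was named
    in the log, which points at a slow backend lookup for that request.
    """
    out = []
    for (client, req), g in summarize(lines).items():
        span = int((g["last"] - g["first"]).total_seconds())
        if span >= min_seconds:
            out.append((client, req, g["discards"], span))
    return sorted(out, key=lambda r: -r[3])


if __name__ == "__main__":
    print(dict(discards_per_client(SAMPLE_LOG)))
    for client, req, count, span in stalled_requests(SAMPLE_LOG):
        print(f"{client}: request {req} drew {count} discards over {span}s")
```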


RE: Radkill

2010-12-19 Thread Robin
 

You should read below link firstly.

http://wiki.freeradius.org/index.php/FAQ#radkill

Robin

From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of john decot
Sent: Monday, December 20, 2010 10:41 AM
To: freeradius-users@lists.freeradius.org
Subject: Radkill

 


Hi,

I have problem with some user not being terminate even logout. After
googling I came know about radkill. Can anyone post some howto about
radkill.


Thank you,

Rgds,
John.

 


RE: Break Stream disconnecting when use freeradius authentication.

2010-12-13 Thread Robin
Hi ,

I find issue user who use MPPE128 method all. (In my RouterOS, login user's
encoding is MPPE128 stateful)
Can I set freeradius to disable MPPE128 or other encryption method?

Thanks.

Robin 

-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Monday, December 13, 2010 1:28 AM
To: FreeRadius users mailing list
Subject: Re: Break Stream  disconnecting when use freeradius
authentication.

Robin wrote:
 Actually after I switch freeradius authentication to RouterOS, the issue
 will disappear.

  Well... the RADIUS server never talks to the PPPoE server after the
Access-Accept.  So *anything* that happens after that is the
responsibility of the PPPoE server.

 I just set num_sql_socks from 50 to 256 in sql.conf and set max_connections
 from default 100 to 500 in Mysql. It follows that part of issue users'
 report symptom of break stream disappearing temporarily.

  The only way the SQL sockets affect users is *during* the login
process.  If FreeRADIUS can't access the DB because all of the sockets
are in use, it will reject the user.

  If the user gets an Access-Accept, it doesn't matter if there were 50
SQL sockets, or 50,000 SQL sockets.

  Alan DeKok.


MySQL connection setup

2010-12-12 Thread Robin
Hi Friends,

There is a configuration in SQL.conf.

Num_sql_socks=

I would like to know if this value is set to smaller, fx. 20, can it cause
breaking stream or disconnecting for DSL users? If I set it to larger, can
it cause MySQL problem of “Too many connection”.

I can’t find details information about this setting in SQL.conf file. I
want to know what policy of setting numbers is.

Thank you very much.

Robin


RE: Break Stream disconnecting when use freeradius authentication.

2010-12-12 Thread Robin

Dear Alan,

Actually after I switch freeradius authentication to RouterOS, the issue
will disappear.

I just set num_sql_socks from 50 to 256 in sql.conf and set max_connections
from default 100 to 500 in Mysql. It follows that part of issue users'
report symptom of break stream disappearing temporarily.

I think that I still need monitor these issue users consistently.

But I can't understand why it has to be like this.

Thanks.

Robin


-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Sunday, December 12, 2010 11:34 PM
To: FreeRadius users mailing list
Subject: Re: Break Stream  disconnecting when use freeradius
authentication.

Robin wrote:
 When I only use Mikrotik RouterOS as PPPoE server to authenticate my DSL
 users, all is ok. But when I add FreeRADIUS as radius server and
 RouterOS as pppoe server, I find some users of using p2p video on demand
 will break stream of lost connection. At the time, user has to
 disconnect the DSL link manually and re-dial to network. When user log
 in again, about 1-2 minutes, user will break stream of lost connection
 again.

 Is it because I don’t set Freeradius correctly?

  No.

  Alan DeKok.

RE: Break Stream disconnecting when use freeradius authentication.

2010-12-12 Thread Robin

Hi Alan, 

I set an interval of 5 minutes in pppoe server to send user's
acctsessiontime etc. to Freeradius. Does it mean after login process, pppoe
server and freeradius still communicate each other?

Thanks.

Robin

-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Monday, December 13, 2010 1:28 AM
To: FreeRadius users mailing list
Subject: Re: Break Stream  disconnecting when use freeradius
authentication.

Robin wrote:
 Actually after I switch freeradius authentication to RouterOS, the issue
 will disappear.

  Well... the RADIUS server never talks to the PPPoE server after the
Access-Accept.  So *anything* that happens after that is the
responsibility of the PPPoE server.

 I just set num_sql_socks from 50 to 256 in sql.conf and set max_connections
 from default 100 to 500 in Mysql. It follows that part of issue users'
 report symptom of break stream disappearing temporarily.

  The only way the SQL sockets affect users is *during* the login
process.  If FreeRADIUS can't access the DB because all of the sockets
are in use, it will reject the user.

  If the user gets an Access-Accept, it doesn't matter if there were 50
SQL sockets, or 50,000 SQL sockets.

  Alan DeKok.


Break Stream disconnecting when use freeradius authentication.

2010-12-11 Thread Robin
Hi Friends,

I find a strange issue.

When I only use Mikrotik RouterOS as PPPoE server to authenticate my DSL
users, all is ok. But when I add FreeRADIUS as radius server and RouterOS as
pppoe server, I find some users of using p2p video on demand will break
stream of lost connection. At the time, user has to disconnect the DSL link
manually and re-dial to network. When user log in again, about 1-2 minutes,
user will break stream of lost connection again.

P.S. If user uses download software, the issue will not appear.

Is it because I don’t set Freeradius correctly?

Thank you.

Robin Lu

 


How to avoid to be disconnected as Lost-Carrier?

2010-11-22 Thread Robin
 

Hi,

I have 200 users in a small area network (PPPoE, LAN network). I use
Mikrotik RouterOS as PPPoE server and use Freeradius as Radius server. I find
that some “Lost-Carrier” issue due to lost connection (around 8%-10%
users). I judged that cable had been interfered intermittently. But I would
like to keep connection instead of disconnection when the issue happened.
What do I set Freeradius that increase intervals or times of checking
communication? Because it were, users will avoid to disconnect and not be
aware of cable interfering when it happen really.

Thanks.

Robin Lu

 


RE: Lost package after use FreeRadius

2010-11-21 Thread Robin
Hi,

About address/ip pool/pppoe users setting and configuration, I had used these
profiles to a small area network (PPPoE, LAN network) successfully. Under
the circumstances, I met the problem too. After I changed line from user
house to my switch, it's ok. 

Now I'm using FreeRadius with same configuration in other small area network
(PPPoE, DSL network). Even if I changed telephone line from user house to my
DSL concentrator, these issues of lost package still is exist. At this time,
I find one of reason of user offline is lost-Carrier in FreeRadius radacct
table.

Thanks.

Robin


-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Marinko Tarlac
Sent: Saturday, November 20, 2010 5:23 PM
To: FreeRadius users mailing list
Subject: Re: Lost package after use FreeRadius

Strange situation but you should check default profile which is set on 
Mtik. It should contain valid DNS server(s), valid Local Address, valid 
Remote Address (ip pool for pppoe users) and that pool must exist on 
Mtik (IP - Pool). Of course, all addresses which you have in ip pools 
must be properly routed.



On 11/19/2010 5:00 PM, Robin wrote:

 Dear Freeradius,

 At first, I use RouterOS(Mikrotik) as pppoe server and radius server. 
 Now I use RouterOS as pppoe server and user FreeRadius as radius server.

 After changing as above, we find some pppoe users can dial up 
 successfully via freeradius, but their internet transportation will 
 lost package even can’t visit any website.

 I would like to know, how to explain the situation? What am I supposed 
 to solve this problem?

 P.S

 When I change RouterOS to pppoe and radius server again (disable 
 freeradius), it will all be ok.

 Thank you very much.

 Robin Lu



Lost package after use FreeRadius

2010-11-19 Thread Robin
Dear Freeradius,

At first, I use RouterOS(Mikrotik) as pppoe server and radius server. Now I
use RouterOS as pppoe server and use FreeRadius as radius server.

After changing as above, we find some pppoe users can dial up successfully
via freeradius, but their internet transportation will lost package even
can’t visit any website.

I would like to know, how to explain the situation? What am I supposed to
solve this problem?

P.S
When I change RouterOS to pppoe and radius server again (disable
freeradius), it will all be ok.

Thank you very much.

Robin Lu


RE: Lost package after use FreeRadius

2010-11-19 Thread Robin

Dear Alan,

Actually, only about 5-10% users have this problem. If it's access-accept
attributes issue, why will not all users lose package or not visit website?
Where can I find any documents about this?

Thanks.

Robin



-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Saturday, November 20, 2010 12:30 AM
To: FreeRadius users mailing list
Subject: Re: Lost package after use FreeRadius

Robin wrote:
 At first, I use RouterOS(Mikrotik) as pppoe server and radius server.
 Now I use RouterOS as pppoe server and user FreeRadius as radius server.

 After changing as above, we find some pppoe users can dial up
 successfully via freeradius, but their internet transportation will lost
 package even can’t visit any website.

 I would like to know, how to explain the situation? What am I supposed
 to solve this problem?

  Make FreeRADIUS send back an Access-Accept containing the same
attributes as sent by Access-Accept by the Mikrotik server.

  Alan DeKok.

RE: How to raise numbers of request/sec in Freeradius

2010-10-24 Thread Robin
 

Hi Alan,

Thanks your reply firstly.

I use Mysql to authentication. When I use a PPPOE client to call FreeRADIUS
one time, that’s all ok.

I create 200 pppoe accounts as dialing client in Mikrotik server. When I use
them to call FreeRADIUS at the same time, I find only about 5-20 successful
logins by sec.

I don’t know how to increase the numbers? If you have any details
information, I can provide to you.

Expect to your help.

Thank you very much!

Robin

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Friday, October 22, 2010 5:18 PM
To: FreeRadius users mailing list
Subject: Re: How to raise numbers of request/sec in Freeradius

Robin wrote:
 I use the tools of Evolynx Radius Load Test to test number of request by
 second. I find only max 20-25 requests/sec in Freeradius.

 Can I raise the number via editing configuration files?

  When authentication is from the users file, the server can do 10K
requests/s.

  The issue isn't FreeRADIUS.  It's something else.

  So... what are you doing with the authentication requests?

  Alan DeKok.

 


How to raise numbers of request/sec in Freeradius

2010-10-22 Thread Robin
Hi,

I use Freeradius2 to authenticate user login.

I use the tools of Evolynx Radius Load Test to test number of request by
second. I find only max 20-25 requests/sec in Freeradius.

Can I raise the number via editing configuration files?

Thanks.

Robin Lu


Details of attributes in SQL Table

2010-09-14 Thread Robin
Hi,

I already installed and run FreeRADIUS in my server successfully (FreeRADIUS
with CentOS, Mikrotik RouterOS). I knew usage of some attributes in SQL
tables.

For example,

Insert into TABLE radgroupcheck, add a group name and attribute -
Simultaneous-Use:=1 to limit only 1 user to login.

Etc.

In wiki or manuals or configuration files (sql.conf/dialup.conf/scheme.sql),
I haven’t found details of instructions, how many attributes can be used
and how do it write?

I wish to know how to do, for example as below:

-  How to add a record to “radreply” table to set any attributes?
(ex. Set timeout length to user)

-  How to add a record to “radcheck” table to set any
attributes? (ex. Set poolname to user)

….

Thank you very much!

Robin

 


freeradius with PAM authentication

2009-02-11 Thread robin
Can anyone help me to configure PAM authentication with
freeradius ? can anyone have step by step guide for pam authentication or
suggest me the tutorials to follow

 

Any tips and guide on this issue will be highly appreciated. Thanks in
advance

 

 


Virtual Server and Ldap-Group

2008-01-22 Thread Robin Gruyters
Hi ya,

Today I have installed the *new* Freeradius 2.0 release and tested the
virtual server setup.

I was just wondering what will be the best solution to check on LDAP Groups.
(Ldap-Group)
Check them (as before) in the users file, or somewhere in the virtual server
configuration with a switch/case statement.

..
switch %{control:Ldap-Group} {
    case WebUsers {
        update reply {
            NS-User-Group = WebUsers
        }
    }
    case MailUsers {
        update reply {
            NS-User-Group = MailUsers
        }
    }
    case ... {
    }
}
...


Kind regards,

-- 
Robin Gruyters
Network and Security Engineer
Betronic Nederland B.V.
I: http://yirdis.com
I: http://betronic.nl
P: +31 (0)20 5659191
F: +31 (0)20 5659190



Integrate freeradius v1.1.6 and openLDAP v2.3.32 for authorization and authentication

2007-05-24 Thread robin gong

Thanks Pshem for your quick answer. 

I expect answer like following 

rlm_ldap: user jjeep authorized succesfully 
   modcall[authorize]: module ldap returns ok 

But I got 

rlm_ldap: object not found or got ambiguous search result 
rlm_ldap: search failed 
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module ldap returns notfound for request 0 

Thanks 
Robin 


Pshem Kowalczyk wrote:
 Freeradius expects exactly one answer:
 rlm_ldap: object not found or got ambiguous search result

 kind regards
 Pshem

 On 22/05/07, xuebin gong [EMAIL PROTECTED] wrote:
 Hi, All,

 I am new user and want to integrate freeradius v1.1.6 and
 openLDAP v2.3.32 for authorization and
 authentication. Our operating system is Fedora 5
 Linux.

 (1)Install freeRadius-1.1.6
 After following the instruction of installation in
 http://.freeradius.org,
 install freeRadius-1.1.6 on Fedora Linux 5, run radius
 server in debug mode

 radiusd -X
 ..
 Module: Instantiated radutmp (radutmp)
 Listening on authentication *:1812
 Listening on accounting *:1813
 Ready to process requests.

 FreeRadius was installed successfully.

 (2)Configure freeRadius-1.1.6
   (2.1) Configure radiusd.conf
   (2.1.1) LDAP module

   ldap {
       server = 10.0.0.118
       identity = cn=Manager,dc=mtcable,dc=net
       password = mtncnl1970
       basedn = dc=mtcable,dc=net
       filter = uid=%{Stripped-User-Name:-%{User-Name}}
       start_tls = no
       dictionary_mapping = ${raddbdir}/ldap.attrmap
       ldap_connections_number = 5
       edir_account_policy_check=no
       timeout = 4
       timelimit = 3
       net_timeout = 1
   }

   (2.1.2) authorize module
   uncomment ldap  line

   authorize {
       ..
       ldap
       ..
   }

   (2.1.3) authenticate module
   uncomment block ldap block:

   authenticate {
       ..
       Auth-Type LDAP {
           ldap
       }
       ..
   }

   (2.2) edit /usr/local/etc/raddb/users
   Uncomment the following lines:

   DEFAULT Auth-Type = LDAP
           Fall-Through = 1

 (3)Install openLDAP
 (4)Configure openLDAP
 (5)Add one LDAP entry for testing

 dn: uid=jjeep, ou=radius, rccd=AAA3140018f, dc=mtcable,dc=net
 userPassword:: aabbccdd
 cn: jeep
 uid: jjeep
 radiusAuthType: local
 radiusSimultaneousUse: 1
 homeDirectory: //
 objectClass: top
 objectClass: posixAccount
 objectClass: radiusprofile
 uidNumber: 7012
 gidNumber: 100

 After add this entry to LDAP, we reset the password to
 88

 (5)Test
 After run test command line

   radtest jjeep 88 localhost 1 testing123

 The following is information from running Radiusd -X:

 ..
   rad_recv: Access-Request packet from host 127.0.0.1:32771, id=192, length=57
         User-Name = jjeep
         User-Password = 88
         NAS-IP-Address = 255.255.255.255
         NAS-Port = 1
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = jjeep, looking up realm NULL
   rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 0
 users: Matched entry DEFAULT at line 153
   modcall[authorize]: module files returns ok for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for jjeep
 radius_xlat:  'uid=jjeep'
 radius_xlat:  'dc=mtcable,dc=net'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 10.0.0.118:389, authentication 0
 rlm_ldap: bind as cn=Manager,dc=mtcable,dc=net/mtncnl1970 to 10.0.0.118:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=mtcable,dc=net, with filter uid=jjeep
 rlm_ldap: object not found or got ambiguous search result
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns notfound for request 0
 rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
   modcall[authorize]: module pap returns noop for request 0
 modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group LDAP for request 0
 rlm_ldap: - authenticate
 rlm_ldap: login

Re: Integrate freeradius v1.1.6 and openLDAP v2.3.32 for authorization and authentication

2007-05-22 Thread robin gong

Thanks Pshem for your quick answer.

I expect answer like following 

rlm_ldap: user jjeep authenticated succesfully
   modcall[authenticate]: module ldap returns ok

But I got

rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 0

Thanks
Robin


Pshem Kowalczyk wrote:
 
 Freeradius expects exactly one answer:
 rlm_ldap: object not found or got ambiguous search
 result
 
 kind regards
 Pshem
 
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 10.0.0.118:389,
 authentication 0
 rlm_ldap: bind as cn=Manager,dc=mtcable,dc=net/mtncnl1

 970 to 10.0.0.118:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in dc=mtcable,dc=net, with

  filter uid=jjeep
 rlm_ldap: object not found or got ambiguous search
 result
 rlm_ldap: search failed
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns notfound
 for req
 uest 0
 rlm_pap: WARNING! No known good password found for
 the use
 r.  Authentication may fail because of this.
   modcall[authorize]: module pap returns noop for
 request0
 modcall: leaving group authorize (returns ok) for
 request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group LDAP for request 0
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by jjeep with password
 88
 radius_xlat:  'uid=jjeep'
 radius_xlat:  'dc=mtcable,dc=net'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn
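
The "exactly one answer" rule quoted in the message above can be checked offline against an LDIF export of the directory. This is an added example, not part of the thread and not FreeRADIUS code: the helper names are hypothetical, the sample LDIF is constructed (the first entry is modelled on the test entry in the post, the other two are invented), and it covers only a subtree search with a single equality filter such as `uid=jjeep`.

```python
import base64

# Constructed sample: the first DN is folded across two lines, as in the post.
SAMPLE_LDIF = """\
dn: uid=jjeep, ou=radius, rccd=AAA3140018f,
 dc=mtcable,dc=net
uid: jjeep
cn: jeep
objectClass: radiusprofile
userPassword:: c2VjcmV0

dn: uid=jjeep,ou=staff,dc=mtcable,dc=net
uid: jjeep
cn: second jeep

dn: uid=other,ou=radius,rccd=AAA3140018f,dc=mtcable,dc=net
uid: other
"""


def parse_ldif(text):
    """Return a list of entries, each a dict: lowercase attribute -> list of values."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:         # ignore blocks without a DN (e.g. "version: 1")
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):       # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def normalize_dn(dn):
    # Simplification: assumes no escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base):
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def search(entries, base, attr, value):
    """Emulate a subtree search under `base` with the equality filter attr=value."""
    wanted = value.lower()
    return [e for e in entries
            if in_subtree(e["dn"][0], base)
            and wanted in (v.lower() for v in e.get(attr.lower(), []))]


def authorize_verdict(matches):
    """Map the number of matches to the module result seen in the debug log."""
    if len(matches) == 1:
        return ("ok", matches[0]["dn"][0])
    if not matches:
        return ("notfound", "no entry matched")
    return ("notfound", "%d entries matched (ambiguous)" % len(matches))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for base in ("dc=mtcable,dc=net",
                 "ou=radius, rccd=AAA3140018f, dc=mtcable,dc=net"):
        print(base, "->", authorize_verdict(search(entries, base, "uid", "jjeep")))
```

Run it with the `basedn` and the expanded `filter` taken from the `rlm_ldap: performing search in ...` debug line to see whether the directory content yields zero, one or several matches.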

Wiki

2005-11-23 Thread Robin Mordasiewicz
Is it possible to get a wiki going on the freeradius site, or at least a
link to an official-unofficial wiki.

I know that people have pdf's and notes on various sites, but it would be
great if the people in charge were willing to designate an official place
for wiki.


RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]

2005-11-23 Thread Robin Mordasiewicz
On Wed, 23 Nov 2005, Alhagie Puye wrote:


 I have followed the steps in the howto and everything seems to work fine
 but FreeRADIUS is ignoring MS-CHAP. I'm using ntradping, maybe
 that's a wrong utility for this instance.


I don't think you can properly test this with NTRadPing, but I have not
been able to figure it out.

I have set my wireless access point to use radius and the results I am
getting are very different. I would suggest testing a tool that more
closely resembles your production gear.


Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]

2005-11-22 Thread Robin Mordasiewicz
On Tue, 22 Nov 2005, charles schwartz wrote:

 A lot of people on this list would like to integrate Active Directory with 
 FreeRADIUS in order to provide a transparent user authentication login 
 process.

 There are at least 2 ways to integrate AD: LDAP and NTLM.
 I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). 
 The Windows supplicants are configured to work with PEAP and MSCHAPv2.

 You can download it from here:
 http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf

This is a god-send.

I have one debian specific error

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
object file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed.

it seems that the shared object is not shipped when I did
apt-get install freeradius


Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]

2005-11-22 Thread Robin Mordasiewicz
On Tue, 22 Nov 2005, charles schwartz wrote:

 Hi list,

 A lot of people on this list would like to integrate Active Directory with 
 FreeRADIUS in order to provide a transparent user authentication login 
 process.

 There are at least 2 ways to integrate AD: LDAP and NTLM.
 I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). 
 The Windows supplicants are configured to work with PEAP and MSCHAPv2.

 You can download it from here:
 http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf


Thanks for this. I changed to use /dev/random as per your tutorial but
radiusd hangs. When I change the random_file back to the original then it
works.

random_file = ${raddbdir}/certs/random


In my tls section of eap.conf I have

tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = /dev/random
}

But when I run radiusd -X it just hangs there after getting to the
following.


rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/freeradius/certs/cert-srv.pem
 tls: certificate_file = /etc/freeradius/certs/cert-srv.pem
 tls: CA_file = /etc/freeradius/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/freeradius/certs/dh
 tls: random_file = /dev/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)

And strace shows

13519 open(/etc/freeradius/certs/demoCA/cacert.pem,
O_RDONLY|O_LARGEFILE) = 6
13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=1350, ...}) = 0
13519 open(/etc/freeradius/certs/cert-srv.pem, O_RDONLY|O_LARGEFILE) = 6
13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=2429, ...}) = 0
13519 open(/etc/freeradius/certs/cert-srv.pem, O_RDONLY|O_LARGEFILE) = 6
13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=2429, ...}) = 0
13519 stat64(/dev/random, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 8),
...}) = 0
13519 open(/dev/random, O_RDONLY) = 6


[EMAIL PROTECTED] /usr/lib/ssl ]# ls -la /dev/random
crw-rw-rw-  1 root root 1, 8 Nov  2 12:02 /dev/random
[EMAIL PROTECTED] /usr/lib/ssl ]# ls -la /dev/urandom
cr--r--r--  1 root root 1, 9 Nov  2 12:02 /dev/urandom



Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]

2005-11-22 Thread Robin Mordasiewicz
On Tue, 22 Nov 2005, charles schwartz wrote:

 Hi list,

 A lot of people on this list would like to integrate Active Directory with 
 FreeRADIUS in order to provide a transparent user authentication login 
 process.

 There are at least 2 ways to integrate AD: LDAP and NTLM.
 I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). 
 The Windows supplicants are configured to work with PEAP and MSCHAPv2.

 You can download it from here:
 http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf


I think everything is very close, but all I have to test with is
NTRadPing.

Would it be possible if someone can comment on the fields that I need to
fill in for NTRadPing in order to test my AD account properly. I have
already gotten NTRadPing to work against a hard coded user, as well as a
unix account, but I have no idea which options I need to set to test the
AD account.


Re: tool for testing machine authentication

2005-11-22 Thread Robin Mordasiewicz
On Wed, 23 Nov 2005, Johan Ramm-Ericson wrote:

 contribute to improve it. A while back there was a thread on the
 mailinglist to the effect of setting up a Wiki. Has this seen any
 progression? If not, I'll be glad to put in some effort to get this
 done.

 Also, I'm willing to pitch in on writing the documentation, however my
 freeradius experience is so recent that I'd probably only be able to do
 any good with well-defined tasks...

I would love to see a wiki for this project. I am not an expert either,
but I am doing trial and error, and would like to see a place where people
are documenting their success.


Re: tool for testing machine authentication

2005-11-21 Thread Robin Mordasiewicz
On Mon, 21 Nov 2005, Konne wrote:

 Hi Norbert,

 i use the programm NTRadTest... on Windows machine
 and start freeradius with freeradius -X, for debug

I just did a Google on NTRadTest, but found nothing. Where can I download
NTRadTest?


RE: tool for testing machine authentication

2005-11-21 Thread Robin Mordasiewicz
On Mon, 21 Nov 2005, Cris Boisvert wrote:

 NTRADPING

 It's a windows tool that does exactly what you're looking for.

ok that seems to work.
I can authenticate using a local unix account.
Now I need to find documentation on how to connect my freeradius to AD


RE: wireless+freeradius+AD

2005-11-21 Thread Robin Mordasiewicz
On Mon, 21 Nov 2005, King, Michael wrote:

  Oh, excellent. I just joined this list hoping to query the
  members on finding more information on doing
  wireless+activedirectory+freeradius,
  unfortunately I could not find any good postings, or web
  toots/examples.

 Hi Robin, Welcome to the club.


  I would need to use Microsoft IAS. Is this false ?
 Yes,  That particular example used Microsoft IAS, but it is not
 required.


  Are people
  using Active Directory successfully ?
 Yes.  Besides myself, there are many people on this list that are.

  I have a linux box that
  is currently acting as a tacacs server while authenticating
  using winbind etc, and was hoping to make it a radius server as well.

 You are already 3/4 of the way there, since the trickiest part of my
 freeradius setup was getting winbind to talk to activedirectory

 Depending on your Linux distribution, you will just have to install
 freeradius.  (Some distributions like Debian require a -disable-shared)

 Go thru the radiusd.conf and the eap.conf files, it's clearly commented
 on what you need to configure.

 You'll see a section marked:
 ntlm_auth = /path/to/ntlm_auth (Trimmed)

 You might need to modify this to:
 ntlm_auth = /path/to/ntlm_auth --request-nt-key
 --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 Don't hesitate to ask questions.  There is a good Howto (unfortunately, I
 don't have my bookmarks with me) but some others on the list hopefully
 will post it.


Yes winbind kerberos stuff works well, and I got it previously working to
enable TAC_PLUS to do active directory authentication.

If anyone knows the site with a good howto I would greatly appreciate it.

Otherwise I am chugging along.

I have gotten the windows program  NTRadPing to authenticate non CHAP with
a local UNIX account. I am not sure what fields I must enter to get
MS-CHAP to test, or if there is even a difference between CHAP and
MS-CHAP?

Anyways I fuddled around with a bunch of different combinations and always
get this in the logfile

Auth: Login incorrect (rlm_chap: Clear text password not available):


Re: wireless+freeradius+AD

2005-11-20 Thread Robin Mordasiewicz
On Sun, 20 Nov 2005, Alan DeKok wrote:

 Laker Netman [EMAIL PROTECTED] wrote:

   You're completely down the wrong path.  AD is a database.  It's a
 directory.  Using anonymous bind, there is very little data you can
 get from it.

   Stop talking about solutions, as you don't know how the technology
 works.  Instead, talk about your goals, independent of the underlying
 technology.


  My statement was intentionally flippant, though not
  meant to be disrepectfully so. It is the culmination
  of much frustration at finding lots of tangible data

   If you're talking about non-freeradius web sites, go complain to
 them.

  I'm not stupid, but I'm not perfect. THAT'S why I'm
  seeking help (not judgement) from the list.

   Let me be perfectly clear: No one will be able to help you if you
 cannot describe what you want in a manner they understand.  So far,
 you've made it clear you're confused about the terminology, and you
 haven't articulated what you want to do.

   If there are useful docs I haven't found, tell me. If I don't fully
  understand what I'm reading and ask for help, either help me or
  don't.

   Part of helping you is asking you for information you haven't
 supplied.  That information is needed to help you.  If your response
 is to get upset, then everyone can only conclude you don't want to
 solve your problem.

  I have read the majority of your posts since 2002 Mr.
  DeKok. Clearly, you are quite knowledgable regarding
  RADIUS. However, your disdain for the mortals who wish
  to use a tool, rather than wonder at its mystical
  intricacies is evident on repeated occasions in your
  responses. So not everyone is as clever as you...
  insult or help, which produces a better outcome?

   For people who get angry when I ask for more information, insults.

   You choose which group you fall into.  I don't have time to care
 what you think about me.



Oh, excellent. I just joined this list hoping to query the members on
finding more information on doing wireless+activedirectory+freeradius,
unfortunately I could not find any good postings, or web toots/examples.
I made a trip to my local bookstore and just read in the oreilly 802.11
book on building wireless infrastructure that I would need to use
Microsoft IAS. Is this false ? Are people using Active Directory
successfully ? I have a linux box that is currently acting as a tacacs
server while authenticating using winbind etc, and was hoping to make it a
radius server as well.

If anyone has any good links with an explanation on how to do this I would
greatly appreciate it.


Re: Hotspot snmp problem

2005-08-17 Thread Robin

Hi everyone,

Finally, have it working..  I did not comment out the radutmp in 
radius.conf for the session database.  I had uncommented sql, although lots 
of good that did.


Thanks again,

Robin



At 03:26 PM 8/16/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:
 The detail files appear to be fine with start, alive and stop
 packets being listed, but radius.log and radwtmp and radutmp are
 empty.

  If radutmp is empty, the debug log will tell you why.

  Is it possible, I inadvertently set everything to log to the db
 only?

  Certainly.

  Alan DeKok.




Re: Hotspot snmp problem

2005-08-16 Thread Robin

Hi,,,

Once again, I apologize for my lack of understanding. I have been trying to 
read all debug messages and start radiusd with -X however the only files 
which get populated are ones created in the radacct directory.  The detail 
files appear to be fine with start, alive and stop packets being listed, 
but radius.log and radwtmp and radutmp are empty.  Is it possible, I 
inadvertently set everything to log to the db only?


Sorry for testing your patience...  I think once I get up this curve a bit, 
I should not have to ask these bad questions.


Thank you,

Robin


At 05:09 PM 8/15/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:
 I still see no output in the radutmp file, even though during loading 
it says,


  A few problems:

  1) If the server does not receive accounting packets, nothing will go
 into radutmp, OR into SQL.

  2) if you configure Simultaneous-Use counting via SQL, you don't need
 radutmp

 When I have an account start time and end time in the radacct, does that
 not mean simul checking should be working?

  Why ask questions when you can read the debug log, and see exactly
what the server is doing, and why?

  We don't know how you've configured your system, you've only given
summaries.  YOU know how you've configured your system.

  READ the debug logs.

  Alan DeKok.





Re: Hotspot snmp problem

2005-08-15 Thread Robin

Hi again,

I have been doing reading on the Simultaneous-use with the radutmp module 
and sql.  I was hoping someone could help clarify some confusion I 
have.  Using the Sql notes I inserted the Simultaneous attribute to the 
radgroupcheck table, although I did change the dialup attribute to dynamic 
as that is the group my login belongs to.  Using the sql.conf I uncommented 
the simul_count_query (simul_verify_query was already uncommented).


I still see no output in the radutmp file, even though during loading it says,
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = no
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)

radacct has lots of details,

|65 | 0090274649581b0d | 37805f4083612f79 | robyn|   | 
69.67.164.218 | 0 | Ethernet| 2005-08-15 15:45:00 | 2005-08-15 
15:47:06 | 126 
|   |   |  |  704551 
|55748 | 00-90-0E-00-B2-72 | 00-90-27-46-49-58 | 
Session-Timeout| || 
10.59.1.2   |  0 | 0 |


When I have an account start time and end time in the radacct, does that 
not mean simul checking should be working?
Sorry for my lack of understanding on this process, I have read lots of 
docs, I think it's just going to take me a little longer to get it.  :)



Thank you again for all your help,

Robin


At 12:21 PM 8/11/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:
 Is there any way to test for Simultaneous use without checkrad?

  Yes.  The server already does this.

  As I said, the server maintains a database.  The only purpose of
checkrad is to catch corner cases.

 I have read past posts about using an sql only method and I
 understand this has its own problems.  However, if anyone has any
 docs which could help me out it's appreciated.

  The server comes with documentation for Simultaneous-Use, which
includes documentation on configuring it via the radutmp module, and
in SQL.  Please read the documentation.

 Ideally I would like to have checkrad speak to the AP and it's
 probably possible except snmpwalk'ing the device does not appear to
 provide user login information.

  Then there's no use in having checkrad talk to the NAS, is there?

  Alan DeKok.





Re: Hotspot snmp problem

2005-08-11 Thread Robin

Hi again,

Is there any way to test for Simultaneous use without checkrad?  I have read 
past posts about using an sql only method and I understand this has its 
own problems.  However, if anyone has any docs which could help me out it's 
appreciated.  Ideally I would like to have checkrad speak to the AP and 
it's probably possible except snmpwalk'ing the device does not appear to 
provide user login information.


Thanks again for all the help,

Robin

At 03:04 PM 8/10/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:
 I'm not sure what is the best way to handle this.  I can snmpwalk the
 device however the output does not appear to have information regarding
 logins.  The manufacturer does not respond to queries so I'm hoping someone
 else may have worked with this device.
  The simplest way to deal with this is to set nastype = other.
This will make the server believe its database, and will not run
checkrad.

  checkrad isn't necessary, but it can help catch some corner cases.

  Alan DeKok.





freeradius with auth Mac addresses

2005-08-10 Thread robin rapa
I'm new at this and I was wondering if anyone can help me out configuring 
free radius for mac address authentication


I have linux fedora 3 and one lan wifi.
I need to install a server freeradius for mac address authentication (only, 
without certificates).



I have a LAN with Windows servers and Linux servers with dynamic 
IP. It's an Ethernet LAN (Cisco 10/100/1000 switches).

I have Windows clients with wifi and I need authentication by MAC (only).

Can you help me to configure the server?
Thank you





I add in clients.conf

client 192.168.0.6 {
secret = passecret
shortname = ap
nastype   = other
}

and in users

000F20-93DD75 Auth-TYPE := Local, User-Password == passecret



in the linux server :




radiusd -Xy
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port

Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d

detail: detailperm = 384
detail: dirperm = 493
detail: locking = no

Hotspot snmp problem

2005-08-10 Thread Robin

Hello,

A couple of us at work have been playing with a hotspot controller 
(Internet Subscriber Server II ISS-4000) using freeradius and mysql for 
authentication.  We are having problems with checkrad (totally to do with 
the AP not being nice).


I'm not sure what is the best way to handle this.  I can snmpwalk the 
device however the output does not appear to have information regarding 
logins.  The manufacturer does not respond to queries so I'm hoping someone 
else may have worked with this device.


Any help is appreciated,

Robin



problems with mac address authentication

2005-08-09 Thread robin rapa

I have linux fedora 3 and one lan
wifi.
I need to install a server freeradius for mac address authentication (only, 
without certificates).

Can you help me to configure the server?
Thank you



Removing Authentication

2005-08-05 Thread Robin

Hi everyone,

I have just started using freeradius and have managed to setup access by 
username/password to my hotspot controller with mysql as the backend.  It 
works fine and even sends back the session-timeout (1 hour for testing) so 
my controller forces users to re-authenticate.  I created a few perl 
scripts for managing my customers, removing users from the rad tables after 
their time expires or else people could just login again and get another 
hour.  Is this a correct way to manage users, or is there a method using 
accounting modules to prevent people from logging in after their time has 
expired?


Thank you for any assistance,

Robin



cisco voip accounting

2004-11-26 Thread Robin Chen
Hello,

I was following src/billing/README to set up accounting for Cisco VoIP
and came to this line.

* In /etc/raddb/radiusd.conf add pgsql-voip to the accounting { section
just after the line detail

When I entered pgsql-voip into the accounting section I get the
following.. Is the README up to date?

Error: ERROR: Cannot find a configuration entry for module pgsql-voip.


Thanks,

Robin



radius accounting for gnugk

2004-11-24 Thread Robin Chen
Hello,
I'm running freeradius 0.9.3, using pgsql-voip.conf for recording 
accounting records.  Have no problem using it with either Cisco or 
Quintum gateways, but when gnugk tries to send accounting records, I'm 
getting the following.

Couldn't update SQL accounting STOP record - ERROR:  invalid input 
syntax for type timestamp with time zone:  CONTEXT:  PL/pgSQL function 
strip_dot while casting return value to function's return type

A check with sql trace shows the following. As you can see, some data are 
missing such as h323-call-type, h323-call-origin, h323-conf-id...  
basically any of the Cisco VSA attributes.  However, I do have 
with_cisco_vsa_hack turned on, and the setup does work with Cisco and 
Quintum which both use Cisco VSA.

INSERT into Stop(RadiusServerName, UserName, 
NASIPAddress, AcctTime,AcctSessionTime, AcctInputOctets, 
AcctOutputOctets, CalledStationId, CallingStationId,  
AcctDelayTime, H323RemoteAddress, CiscoNASPort, h323callorigin, 
h323confid, h323connecttime, h323disconnectcause, 
h323disconnecttime, h323gwid, h323setuptime)  
values('myservername', 'test', '192.168.0.100', now(), 
'10',   '0', '0', '8186811', 'test',  '0', 
NULLIF('', '')::inet, '',  '', '', strip_dot(''), 
'',  strip_dot(''), '', strip_dot(''));

The detail file shows the following.
Tue Nov 23 23:27:11 2004
   Acct-Status-Type = Stop
   NAS-IP-Address = 192.168.0.100
   NAS-Identifier = PPIGK002
   NAS-Port-Type = Virtual
   Service-Type = Login-User
   Acct-Session-Id = 41a437810001
   User-Name = test
   Framed-IP-Address = 192.168.1.26
   Acct-Session-Time = 0
   Calling-Station-Id = test
   Called-Station-Id = 8186811
   h323-gw-id = PPIGK002
   h323-conf-id = 7BA3CDEF 3220EF44 87036791 99198BF
   h323-call-origin = proxy
   h323-call-type = VoIP
   h323-setup-time = 23:26:57.000 PST Tue Nov 23 2004
   h323-disconnect-time = 23:27:05.000 PST Tue Nov 23 2004
   h323-disconnect-cause = 29
   h323-remote-address = 192.168.1.26
   Acct-Delay-Time = 0
   Client-IP-Address = 127.0.0.1
   Acct-Unique-Session-Id = d993e611037d8547
   Timestamp = 1101281231
I'm not sure if I just need to add something to the dictionary file or 
if it's something that needs to be configured.

Thanks,
Robin