Ldap-Group unlang 2.0.5

2008-07-29 Thread Rohaizam Abu Bakar
Dear all,

I'm in the process of migrating from FR 1.1.X to FR 2.0.5 but am stuck with Ldap-Group
using unlang.

I'm trying to convert the line below from the users file to unlang in the authorize
section, but it's not working.

Using FreeBSD 7.0.


users:-
==
DEFAULT Called-Station-Id == Y5, ldapmain1-Ldap-Group == TEST,
Autz-Type := Y5


authorize:-
===

Trying a few as below but not working...

i) if ( ldapmain1-Ldap-Group == TEST ) {
ii) if ( control:ldapmain1-Ldap-Group == TEST ) {
iii) if ( %{ldapmain1-Ldap-Group} == TEST ) {
iv) if ( %{ldapmain1:Ldap-Group} == TEST ) {


modules/ldap:-
==

ldap ldapmain1 {

groupname_attribute = jaringService
groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
}


Debug:-
==

++? if (%{ldapmain1:Ldap-Group} == TEST )
rlm_ldap: - ldap_xlat
expand: Ldap-Group -> Ldap-Group
rlm_ldap: String passed does not look like an LDAP URL.
expand: %{ldapmain1:Ldap-Group} ->
? Evaluating (%{ldapmain1:Ldap-Group} == TEST ) -> FALSE
++? if (%{ldapmain1:Ldap-Group} == TEST ) -> FALSE


--haizam




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Ldap-Group unlang FR 2.0.5

2008-07-29 Thread Rohaizam Abu Bakar
OS: FB 7.0

FR: 2.0.5

Let us analyze the if statement below, using unlang with Ldap-Group:-

++? if ((%{NAS-Port-Type} =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group == UNLIMITED) || (ldap2-Ldap-Group == UNLIMITED)))
expand: %{NAS-Port-Type} ->
?? Evaluating (%{NAS-Port-Type} =~ /^ISDN|^Sync/) -> FALSE
??? Skipping (ldap1-Ldap-Group == UNLIMITED)
??? Skipping (ldap2-Ldap-Group == UNLIMITED)
++? if ((%{NAS-Port-Type} =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group == UNLIMITED) || (ldap2-Ldap-Group == UNLIMITED))) -> TRUE
++- entering if ((%{NAS-Port-Type} =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group == UNLIMITED) || (ldap2-Ldap-Group == UNLIMITED)))

Suppose (%{NAS-Port-Type} =~ /^ISDN|^Sync/) -> FALSE; the whole line
should be FALSE, but why does it show TRUE? It is an AND (&&) comparison.

Or is there possibly a problem in my if statement??

--haizam

 


Regex Ldap Group

2008-02-19 Thread Rohaizam Abu Bakar

FR: 1.1.2
Openldap 2.3.X

I tried to do a regex match on Ldap-Group. With the users file below, the
NAS-Identifier regex works OK, but the Ldap-Group match is not working,
as shown in the DEBUG log below.


value to match (jarService = Y5-IPOH, NAS-Identifier=Y5-IPOH)


Users file
===

NAS-Identifier =~ Y5, ldapmain1-Ldap-Group =~ Y5, Autz-Type := Y5


radiusd.conf
=
   ldap ldapmain1 {
..
   groupname_attribute = jarService
   groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))

   }


Debug:
=

rlm_ldap: performing search in ou=CUSTOMER,ou=People,dc=x,dc=xx, with filter (&(jarService=Y5)(&(uid=bacang)(objectclass=radiusprofile)))

rlm_ldap: object not found or got ambiguous search result




--haizam 





Re: Regex Ldap Group

2008-02-19 Thread Rohaizam Abu Bakar

Noted  TQ. Will try the proposed solution.

--haizam

- Original Message - 
From: Kolbjørn Barmen [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 19, 2008 6:07 PM
Subject: Re: Regex Ldap Group



On Tue, 19 Feb 2008, Alan DeKok wrote:


Rohaizam Abu Bakar wrote:
 I tried to do regex match in Ldap-Group. From below users file, The
 NAS-Identifier regex works OK but for Ldap-Group match, it's not
 working as below DEBUG log.

  It doesn't work like that.  The match is IF the user is in the named
group.  See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().

  If you want it to do a regex match, you'll have to modify the code in
rlm_ldap.


Also note that LDAP typically doesn't allow substring search on any given
attribute.

My solution is to use a separate script to perform a search in LDAP using
ldap-search and output whatever you need in the attribute.

Example, I have LDAP users in either ou=group1,ou=test,o=bla, or
ou=group2,ou=test,o=bla, and there are no other LDAP-attributes to grab:


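#! /bin/sh
# /usr/sbin/ldap2vlan
# Look up the user's DN and keep only the name of the ou it sits in.
GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
   -D cn=admin,ou=test,o=bla -w mypasswd \
   "(cn=${1})" dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')

# Print the VLAN ID for the group the user was found in.
test "${GROUP}" = "group1" && echo -n 110 && exit 0
test "${GROUP}" = "group2" && echo -n 120 && exit 0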


And then in the users file I have

DEFAULT Freeradius-Proxied-To == 127.0.0.1
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-Id = `%{exec:/usr/sbin/ldap2vlan %{User-Name}}`

Tunnel-Private-Group-Id will then either be 110 or 120 depending on
whether user is found in group1 or group2 (and group1 if found in both)

Hope this helps... :)

--
Kolbjørn Barmen
UNINETT Driftsenter

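The lookup script quoted in the message above puts the client-supplied User-Name straight into the search filter. As an added example (not code from the original post), this variant escapes the RFC 4515 filter metacharacters first and reads the bind password from a file instead of the command line; the password-file path and the function names are assumptions, while the host, base DN and VLAN IDs are the ones from the post.

```sh
#!/bin/sh
# Added example: ldap2vlan with the user name escaped before it reaches the filter.

# Assumption: bind password kept in a root-only file (no trailing newline),
# so it does not show up in the process list.
PWFILE=/usr/local/etc/raddb/ldap2vlan.pw

# Escape the RFC 4515 filter metacharacters \ * ( ) so that a
# client-supplied User-Name is always matched as a literal value.
# The backslash is handled first so later escapes are not re-escaped.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Extract the ou directly under the base from an LDIF "dn:" line, e.g.
# "dn: cn=alice,ou=group1,ou=test,o=bla" -> "group1".
group_from_dn() {
    printf '%s\n' "$1" |
        sed -n 's/^dn: *[^,]*,ou=\([^,]*\),ou=test,o=bla$/\1/p' |
        head -n 1
}

# Map a group name to its VLAN ID; unknown groups produce no output
# and a non-zero status, so no VLAN is assigned by accident.
vlan_for_group() {
    case "$1" in
        group1) printf '110' ;;
        group2) printf '120' ;;
        *) return 1 ;;
    esac
}

# Full lookup: escape, search, map.
lookup_vlan() {
    filter="(cn=$(ldap_escape_filter "$1"))"
    dn=$(ldapsearch -x -LLL -H ldap://10.0.0.92 -b ou=test,o=bla \
            -D cn=admin,ou=test,o=bla -y "$PWFILE" \
            "$filter" dn) || return 1
    vlan_for_group "$(group_from_dn "$dn")"
}

# Only query the directory when called with a user name.
if [ "$#" -gt 0 ]; then
    lookup_vlan "$1"
fi
```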
Same config 1.1.2 but not work on 1.1.7 - not set Auth-Type

2007-09-12 Thread Rohaizam Abu Bakar


I've tried, as recommended, not setting Auth-Type, but the config below works
in 1.1.2 and not on my recently upgraded 1.1.7.


Configs:-


a) radiusd.conf

authorize {
   Autz-Type LDAP {
   ldap1
   }

   Autz-Type ADSL {
   ldapadsl1
   }

}
authenticate {

   Auth-Type ldap1 {
   ldap1
   }
   Auth-Type ldapadsl1 {
   ldapadsl1
   }
}

b) users

DEFAULT Huntgroup-Name == adsl, ldapadsl1-Ldap-Group == ADSL, Autz-Type := ADSL

DEFAULT Autz-Type := LDAP
##



Results:-


In 1.1.2 - (Auth-Type ldap1 = working!!)



modcall: leaving group authorize (returns ok) for request 18
 Found Autz-Type LDAP
 Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 18
modcall: entering group redundant  for request 18
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=RADIUS,ou=People,dc=xxx,dc=xx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=xxx,dc=xx, with filter 
(uid=test)

rlm_ldap: checking if remote access for test is allowed by dialupAccess
rlm_ldap: Added password {CRYPT} in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobson-TCP-IP  op=11

rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User  
op=11

rlm_ldap: Setting Auth-Type = ldap1
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap1 returns ok for request 18
modcall: leaving group redundant  (returns ok) for request 18
modcall: leaving group LDAP (returns ok) for request 18
 rad_check_password:  Found Auth-Type ldap1
auth: type ldap1

##



In 1.1.7 (Auth-Type = Local = not working!!)

##
modcall: leaving group authorize (returns ok) for request 1
 Found Autz-Type LDAP
 Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 1
modcall: entering group redundant  for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=RADIUS,ou=People,dc=xxx,dc=xx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=xxx,dc=xx, with filter 
(uid=test)

rlm_ldap: checking if remote access for test is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}X in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression = 
Van-Jacobson-TCP-IP

rlm_ldap: Adding radiusFramedMTU as Framed-MTU = 1500
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol = PPP
rlm_ldap: Adding radiusServiceType as Service-Type = Framed-User
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap1 returns ok for request 1
modcall: leaving group redundant  (returns ok) for request 1
modcall: leaving group LDAP (returns ok) for request 1
auth: type Local
auth: user supplied User-Password does NOT match local User-Password

###3




Re: Same config 1.1.2 but not work on 1.1.7 - not set Auth-Type

2007-09-12 Thread Rohaizam Abu Bakar

Yep.. the pap is on the last line in authorize section.

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 13, 2007 12:00 AM
Subject: Re: Same config 1.1.2 but not work on 1.1.7 - not set Auth-Type



Rohaizam Abu Bakar wrote:


I've tried as recommended not to set Auth-Type but trying below will
works in 1.1.2 but not on my recently upgraded to 1.1.7

Configs:-


a) radiusd.conf

authorize {
   Autz-Type LDAP {
   ldap1
   }

   Autz-Type ADSL {
   ldapadsl1
   }


 Add pap here.

 This is documented in the README in 1.1.7.  See also the comments in
the default radiusd.conf in 1.1.7.

 Alan DeKok.


rlm_perl problem (Detaching!!)

2007-02-08 Thread Rohaizam Abu Bakar

Hi..

FR:1.1.2
FBSD:6.0

My rlm_perl keeps logging errors like the example below. Every time this happens
radiusd will hang and does NOT respond to any request.
But this NEVER happens while running in debug mode, where it works fine.

rlm_perl is used to load a timeout based on certain rules.. you can see below my
perl script (newtimeout5.pl) and also the config file settings.

Please help TQ.

Error /var/log/radius.log
##
Thu Feb  8 12:30:09 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status=
Undefined subroutine main:: called.
Thu Feb  8 12:32:00 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 12:39:46 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= panic:
leave_scope inconsistency at /usr/local/etc/raddb/newtimeout4.pl line 184.
Thu Feb  8 12:39:47 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:08:52 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:22:40 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Thu Feb  8 14:57:25 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
Fri Feb  9 09:53:52 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Usage:
Encode::is_utf8(sv, check = 0) at
/usr/local/lib/perl5/site_perl/5.8.7/Convert/ASN1.pm line 422, DATA line
424.
Fri Feb  9 10:21:59 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status=
Undefined subroutine Convert::ASN1::authorize called at
/usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
Fri Feb  9 10:57:59 2007 : Error: rlm_perl: perl_embed:: module =
/usr/local/etc/raddb/newtimeout5.pl , func = preacct exit status=
Undefined subroutine Convert::ASN1::preacct called at
/usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759



##users

DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5, Auth-Type := Y5


#radiusd.conf#
authorize {
Autz-Type Y5 {
redundant {
ldapy51
ldapy52
}
y5perl
}
}


modules {
  perl y5perl {
module = /usr/local/etc/raddb/newtimeout5.pl
}
}


authenticate {

Auth-Type Y5 {
redundant {
ldapy51
ldapy52
}
}

}

##

###newtimeout5.pl
sub authorize {
##main
my $return_value = 0;
$return_value = timeout();
print "VALUE return: $return_value\n";
# timeout() returns -1 when a roaming user has no timeout value in LDAP
if ($return_value eq '-1'){
return RLM_MODULE_REJECT;
}else{
return RLM_MODULE_OK;
}
}

sub timeout {

my $query;
my $query2;
my $uid=$RAD_REQUEST{'User-Name'};
my $userfrom;
my $userconnect=$RAD_REQUEST{'NAS-Identifier'};
my $timeout;

# Only WiFi NAS identifiers get a timeout lookup
if ($userconnect =~ /Wireless-802.11|WiFi/) {
$query="Service";
$query2 = "TimeoutWIFI";
}

if ($query){
$userfrom = ldapquery($uid,$query);

# Map the user's service to the NAS identifier it belongs to
if ($userfrom =~ /Y5PLAT|Y5GOLD/){
$userfrom = "WiFi-BTP";
}elsif ($userfrom =~ /^Y5$/){
$userfrom = "Wireless-802.11";
}

   if ($userconnect eq $userfrom){
print "rlm_perl: Local user.. No timeout.. Unlimited!!!\n";
return (1);
   }elsif ($userconnect ne $userfrom){
print "rlm_perl: Roaming user.. Timeout will be loaded !!\n";
$timeout = ldapquery($uid,$query2);
print "rlm_perl: $query2:$timeout\n";
if (!$timeout){
return (-1);
}else{
$RAD_REPLY{'Session-Timeout'} = $timeout;
print "rlm_perl: NOT YET\n";
return (1);
}
   }

}else{
print "rlm_perl: Not a wifi connection !!!\n";
return (1);
}

}

sub ldapquery {

my ( $uid, $query ) = @_;
my $host = "xx";
my $value;

my $baseDN =  "ou=Y5,ou=AAA, ou=x, dc=x, dc=";
my $ldap = Net::LDAP->new( $host ) or die "$@";
my $mesg = $ldap->bind ;# an anonymous bind

$mesg = $ldap->search( # perform a search
base   => $baseDN,
filter => "(&(uid=$uid))"
  );
my $count = $mesg->count;

if ($mesg->code) {
return ("NULL");
}
if ($count > 0 ){

Re: rlm_perl DEBUG log with garbage output

2007-01-25 Thread Rohaizam Abu Bakar

It works!!.. thanks..

--haizam

- Original Message - 
From: Bjørn Mork [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 25, 2007 6:05 PM
Subject: Re: rlm_perl DEBUG log with garbage output


Rohaizam Abu Bakar [EMAIL PROTECTED] writes:


Hi,..

running xlat within rlm_perl..  giving correct result.. but what concern 
me is that.. in debug log.. there are garbage output as below:-



radius_xlat:  '.*'
radius_xlat: Running registered xlat function of module y5perl for string 
'%{User-Name}:%{NAS-Identifier}'

radius_xlat:  'bacang:JARINGWiF'
rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
radius_xlat:  'NULL'



Try this patch:








diff -u -r1.13.4.7 rlm_perl.c
--- src/modules/rlm_perl/rlm_perl.c 27 Apr 2006 17:35:44 - 1.13.4.7
+++ src/modules/rlm_perl/rlm_perl.c 25 Jan 2007 10:03:51 -
@@ -694,7 +694,7 @@
 } else if (count  0) {
 tmp = POPp;
 ret = strlen(tmp);
- strncpy(out,tmp,ret);
+ strncpy(out,tmp,ret+1);

 radlog(L_DBG,rlm_perl: Len is %d , out is %s freespace is %d,
ret, out,freespace);
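Review bot: the length passed in `strncpy(out,tmp,ret+1)` is still derived only from `strlen(tmp)` and is never compared with `freespace`, so a value returned from Perl that is longer than the output buffer would be written past its end. Check the length first (reject or truncate when `ret >= freespace`), terminate `out` explicitly, and log the length that was actually copied.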










Bjørn









rlm_perl DEBUG log with garbage output

2007-01-24 Thread Rohaizam Abu Bakar
Hi,..

running xlat within rlm_perl..  giving correct result.. but what concerns me is
that.. in the debug log.. there is garbage output as below:-


radius_xlat:  '.*'
radius_xlat: Running registered xlat function of module y5perl for string 
'%{User-Name}:%{NAS-Identifier}'
radius_xlat:  'bacang:JARINGWiF'
rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
radius_xlat:  'NULL'


calling from :-

attr_rewrite wifi {
##some code
replacewith = %{y5perl:%{User-Name}:%{NAS-Identifier}}

}

preacct
{
y5perl
wifi
files
}

sub xlat {
# some code
# return NULL or somevalue
return ($value);
}

Re: Proxy accounting after query LDAP

2007-01-22 Thread Rohaizam Abu Bakar
I've tried to run from preacct instead of in accounting inside rlm_perl and
set Proxy-To-Realm = proxy_name, but accounting is still not being proxied...


##
ii) radiusd.conf

perl y5perl {
   module = /usr/local/etc/raddb/y5perl.pl
}

preacct {
.
y5perl
files
}

i) y5perl.pl

sub preacct {

# some code here
$RAD_REPLY{'Proxy-To-Realm'} = "infranet2";
# where infranet2 is configured in proxy.conf to forward to other server.
}


How can we set Proxy-To-Realm from rlm_perl??

--haizam


- Original Message - 
From: Rohaizam Abu Bakar [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, January 22, 2007 2:26 PM
Subject: Proxy accounting after query LDAP



FR: freeradius-1.1.2
OS: FreeBSD 6.0

trying to query LDAP for certain attribute.. if found, then proxy 
accounting to other server if not store accounting locally.

trying using rlm_perl as below:-



i) radiusd.conf

perl y5perl {
   module = /usr/local/etc/raddb/y5perl.pl
   }

accounting {
..
y5perl
}


ii)  y5perl.pl

sub accounting {
   # For debugging purposes only
   log_request_attributes;

   # You can call another subroutine from here
   test_call;
   wifi_infranet;

   return RLM_MODULE_OK;
}

sub wifi_infranet {

## some code to query ldap for attribute A

if (A) {

## What should i put here to force proxy accounting to other server??

}



Any other method??

TQ..


--haizam


Re: Proxy accounting after query LDAP

2007-01-22 Thread Rohaizam Abu Bakar


any suggestion on below..

--haizam

- Original Message - 
From: Rohaizam Abu Bakar [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, January 22, 2007 2:26 PM
Subject: Proxy accounting after query LDAP



FR: freeradius-1.1.2
OS: FreeBSD 6.0

trying to query LDAP for certain attribute.. if found, then proxy 
accounting to other server if not store accounting locally.

trying using rlm_perl as below:-



i) radiusd.conf

perl y5perl {
   module = /usr/local/etc/raddb/y5perl.pl
   }

accounting {
..
y5perl
}


ii)  y5perl.pl

sub accounting {
   # For debugging purposes only
   log_request_attributes;

   # You can call another subroutine from here
   test_call;
   wifi_infranet;

   return RLM_MODULE_OK;
}

sub wifi_infranet {

## some code to query ldap for attribute A

if (A) {

## What should i put here to force proxy accounting to other server??

}



Any other method??

TQ..


--haizam


Rewrite accounting request/Proxy-To-Realm

2007-01-22 Thread Rohaizam Abu Bakar

i) How to rewrite an accounting request to insert a certain attribute so that the
billing engine can process it further??

ii) Tried to set Proxy-To-Realm to force proxy accounting using rlm_perl.. but it
failed...

$RAD_REPLY{'Proxy-To-Realm'} = "infranet2";


--haizam

Proxy accounting after query LDAP

2007-01-21 Thread Rohaizam Abu Bakar

FR: freeradius-1.1.2
OS: FreeBSD 6.0

trying to query LDAP for certain attribute.. if found, then proxy accounting 
to other server if not store accounting locally.

trying using rlm_perl as below:-



i) radiusd.conf

perl y5perl {
   module = /usr/local/etc/raddb/y5perl.pl
   }

accounting {
..
y5perl
}


ii)  y5perl.pl

sub accounting {
   # For debugging purposes only
   log_request_attributes;

   # You can call another subroutine from here
   test_call;
   wifi_infranet;

   return RLM_MODULE_OK;
}

sub wifi_infranet {

## some code to query ldap for attribute A

if (A) {

## What should i put here to force proxy accounting to other server??

}



Any other method??

TQ..


--haizam 



using DN from previous default entry

2006-08-24 Thread Rohaizam Abu Bakar



FreeBSD 6.1 with FR 1.1.2

I'm trying to detect users that have the attribute Service=REAL and search through
a different LDAP tree, as in the users file config below.
The problem happens when both trees (DIALUP & LDAP) have an entry for the user with
the same uid. So although the first DEFAULT entry does not match when searching for
attribute Service=REAL...  the 2nd DEFAULT will use the DN from the first DEFAULT
to authenticate...


Why is FreeRADIUS not using the DN from the 2nd query?? It should use ou=RADIUS not
ou=DIALUP for auth. Please refer to the debug log below..


thanks..

###
users:-

DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP
## NORMAL DIALUP
DEFAULT Autz-Type := LDAP



rad_recv: Access-Request packet from host 192.228.137.77:55146, id=13, 
length=46

   User-Name = bacang
   User-Password = x
rad_rmspace_pair:  User-Name now 'bacang'
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '/' in User-Name = bacang, skipping NULL due to config.
 modcall[authorize]: module IPASS returns noop for request 0
   rlm_realm: No '@' in User-Name = bacang, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = bacang
   rlm_realm: Proxying request from user bacang to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=DIALUP,ou=AAA,ou=People,dc=x,dc='
radius_xlat:  '(uid=bacang)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=xx,dc=/xx 
to 127.0.0.1:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=x,dc=, 
with filter (uid=bacang)

rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '((uid=bacang)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
ou=DIALUP,ou=AAA,ou=People,dc=xxx,dc=, with filter 
((jaringService=REAL)((uid=bacang)(objectclass=radiusprofile)))

rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=DIALUP,ou=AAA,ou=People,dc=x,dc=xxx'
radius_xlat:  '((uid=bacang)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 61.6.32.201:389, authentication 0
rlm_ldap: bind as 
cn=Sysadmin,ou=Applications,dc=xxx,dc=x/xx to 
:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=xx,dc=, 
with filter 
((jaringService=REAL)((uid=bacang)(objectclass=radiusprofile)))

rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
   users: Matched entry DEFAULT at line 23
 modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
 Found Autz-Type LDAP
 Processing the authorize section of radiusd.conf
modcall: entering group LDAP for request 0
modcall: entering group redundant  for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bacang
radius_xlat:  '(uid=bacang)'
radius_xlat:  'ou=RADIUS,ou=People,dc=x,dc=xxx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=x,dc=xxx/x 
to 127.0.0.1:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=x,dc=, with 
filter (uid=bacang)

rlm_ldap: checking if remote access for bacang is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobson-TCP-IP  op=11

rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding 

Re: More documentation on Auth-Type

2006-08-17 Thread Rohaizam Abu Bakar
Just managed to try ur 2nd suggestion... but giving below error in debug 
logs.. refer debug logs.


ERROR: Unknown value specified for Auth-Type.  Cannot perform requested 
action



modules {
  ldap ldap1 {
basedn = ou=RADIUS..
set_auth_type = yes
  }
  ldap ldapdialup1 {
basedn = ou=DIALUP..
set_auth_type = yes
  }
}


authorize {
Autz-Type LDAP {
ldap1
}
Autz-Type DIALUP {
ldapdialup1
}
}

authenticate {
Auth-Type ldap1 {
ldap1
}
Auth-Type ldapdialup1 {
   ldapdialup1
}
}

DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP
DEFAULT Autz-Type := LDAP


#
rlm_ldap: performing user authorization for bacang
radius_xlat:  '(uid=bacang)'
radius_xlat:  'ou=RADIUS,ou=People,.'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to :389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,./x to 
xxx:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,..., with filter 
(uid=bacang)

rlm_ldap: checking if remote access for bacang is allowed by attrRoaming
rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobson-TCP-IP  op=11

rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User  
op=11

rlm_ldap: user bacang authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap1 returns ok for request 0
modcall: group Autz-Type returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
 ERROR: Unknown value specified for Auth-Type.  Cannot perform requested 
action.

auth: Failed to validate the user.
Login incorrect: [bacang] (from client sysadmin port 0)



- Original Message - 
From: Phil Mayers [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type



Rohaizam Abu Bakar wrote:
any docs to help on my problem... ? in doc/rlm_ldap, there is section 
about LDAP XLAT.. Is it the one ?


As far as I know, you should be able to do something like:

modules {
  files {
usersfile = users
  }
  files wireless_files {
usersfile = wireless_users
  }
  files vpn_files {
usersfile = vpn_users
  }
  ldap {
basedn = %{reply:Tmp-String-1}
...
  }
}

authorize {
  files
  Autz-Type WIRELESS {
wireless_files
ldap
  }
  Autz-Type VPN {
vpn_files
ldap
  }
}

users:

DEFAULT Huntgroup-Name == whatever, Autz-Type := WIRELESS

DEFAULT Huntgroup-Name == something, Autz-Type := VPN

users_vpn:

DEFAULT
Tmp-String-1 = ou=vpnusers,dc=mydomain,dc=org

users_wireless:

DEFAULT
Tmp-String-1 = ou=wireless,dc=anotherdomain,dc=com

You may need to add Tmp-String-1 to a local dictionary if you're running 
an older server, e.g. in dictionary


ATTRIBUTE Tmp-String-1 3000 string


Alternatively, 1.1.0 and up can do this I think?

modules {
  ldap wireless_ldap {
basedn = ou=wireless,dc=domain,dc=com
set_auth_type = yes
  }
  ldap vpn_ldap {
basedn = ou=vpn,dc=example,dc=org
set_auth_type = yes
  }
  files {
   ...
  }
}

authorize {
  preprocess
  files
  Autz-Type WIRELESS {
wireless_ldap
  }
  Autz-Type VPN {
vpn_ldap
  }
}

authenticate {
  Auth-Type wireless_ldap {
wireless_ldap
  }
  Auth-Type vpn_ldap {
vpn_ldap
  }
}

and in users:

DEFAULT Huntgroup-Name == VPN, Autz-Type := VPN

DEFAULT Huntgroup-Name == WIRELESS, Autz-Type := WIRELESS


Basically, what happens then is:

 1. preprocess run
 2. files run, autz-type set
 3. authorize re-run, autz-type section run
 4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT 
SET, set Auth-Type to modulename - i.e. wireless_ldap or vpn_ldap

 5. authenticate run, appropriate LDAP module run


Re: More documentation on Auth-Type

2006-08-08 Thread Rohaizam Abu Bakar
For the 2nd option.. already tried almost the same except the auth-type
name... Previously tried autz & auth type using the same name... Will try it
out as suggested... thx Phil


--haizam

- Original Message - 
From: Phil Mayers [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type



Rohaizam Abu Bakar wrote:
any docs to help on my problem... ? in doc/rlm_ldap, there is section 
about LDAP XLAT.. Is it the one ?


As far as I know, you should be able to do something like:

modules {
  files {
usersfile = users
  }
  files wireless_files {
usersfile = wireless_users
  }
  files vpn_files {
usersfile = vpn_users
  }
  ldap {
basedn = %{reply:Tmp-String-1}
...
  }
}

authorize {
  files
  Autz-Type WIRELESS {
wireless_files
ldap
  }
  Autz-Type VPN {
vpn_files
ldap
  }
}

users:

DEFAULT Huntgroup-Name == whatever, Autz-Type := WIRELESS

DEFAULT Huntgroup-Name == something, Autz-Type := VPN

users_vpn:

DEFAULT
Tmp-String-1 = ou=vpnusers,dc=mydomain,dc=org

users_wireless:

DEFAULT
Tmp-String-1 = ou=wireless,dc=anotherdomain,dc=com

You may need to add Tmp-String-1 to a local dictionary if you're running 
an older server, e.g. in dictionary


ATTRIBUTE Tmp-String-1 3000 string


Alternatively, 1.1.0 and up can do this I think?

modules {
  ldap wireless_ldap {
basedn = ou=wireless,dc=domain,dc=com
set_auth_type = yes
  }
  ldap vpn_ldap {
basedn = ou=vpn,dc=example,dc=org
set_auth_type = yes
  }
  files {
   ...
  }
}

authorize {
  preprocess
  files
  Autz-Type WIRELESS {
wireless_ldap
  }
  Autz-Type VPN {
vpn_ldap
  }
}

authenticate {
  Auth-Type wireless_ldap {
wireless_ldap
  }
  Auth-Type vpn_ldap {
vpn_ldap
  }
}

and in users:

DEFAULT Huntgroup-Name == VPN, Autz-Type := VPN

DEFAULT Huntgroup-Name == WIRELESS, Autz-Type := WIRELESS


Basically, what happens then is:

 1. preprocess run
 2. files run, autz-type set
 3. authorize re-run, autz-type section run
 4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT 
SET, set Auth-Type to modulename - i.e. wireless_ldap or vpn_ldap

 5. authenticate run, appropriate LDAP module run


Re: More documentation on Auth-Type

2006-08-07 Thread Rohaizam Abu Bakar

Alan,


Referring to the config below, each service has its own LDAP tree, specified
under the ldap module, with a different Auth-Type & Autz-Type specified
in radiusd.conf. How can I set in the users file which tree to search?
Normally I detect NAS-Identifier and NAS-Port-Type as check items. If I specify
Auth-Type & Autz-Type in the users file, it seems to work, but when it comes to EAP.. it's
not working




i) users
=

DEFAULT   (not to set Auth-Type but need to direct to certain LDAP
tree)



ii) radiusd.conf
==

ldap adsl {
   basedn=ou=ADSL, ou=People...
}
ldap wifi {
   basedn=ou=wifi, ou=People...
}

Then .. in authenticate and authorize section :-

authorize {
   eap
   Autz-Type=ADSL {
   adsl
  }
   Autz-Type=WIFI {
wifi
   }
}
authenticate {

   Auth-Type=ADSL {
   adsl
  }
   Auth-Type=WIFI {
wifi
   }
   eap

}

iii) eap.conf

... some config...


##

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, August 07, 2006 9:08 AM
Subject: Re: More documentation on Auth-Type



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> I've read the docs about auth-type configuration. And agree that without
> setting auth-type and leave FR to auto detect it, the auth will work even up
> to EAP. But sometimes we have to specify auth-type in order to search for
> different tree in LDAP

 ... which isn't authentication.  You just described searching an
LDAP tree for information.  That's using LDAP for what it was designed
to do best: database lookups.

 Once the information is found in LDAP, the RADIUS server can do
CHAP, MS-CHAP, etc. for authentication.  LDAP servers don't handle
those authentication protocols, so you're stuck with using LDAP for DB
lookups, and RADIUS for authentication.

> normally EAP sequence works OK but when up to comparing password, it will
> failed. I've reported my problem a few times in mailing list.

 I don't recall seeing that, sorry.  What was the problem?

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog


Re: More documentation on Auth-Type

2006-08-07 Thread Rohaizam Abu Bakar


> Aside from setting Reject/Accept, that (use of 1 module for a given
> auth method) is probably the single valid use. That use would be better
> supported using another method than conflating module instance names
> with algorithm names.

I don't quite understand the above suggestion/comments..

> That is probably because the EAP inner request does not have the
> NAS-Id and NAS-Port-Type attribute. Set copy_request_to_tunnel = yes
> on the EAP method(s) you're using.

I will try that one... thanks..

--haizam




Re: More documentation on Auth-Type

2006-08-07 Thread Rohaizam Abu Bakar
any docs to help on my problem... ? in doc/rlm_ldap, there is section about 
LDAP XLAT.. Is it the one ?


thanks..

--haizam
- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 12:28 AM
Subject: Re: More documentation on Auth-Type



On Mon, 7 Aug 2006, Alan DeKok wrote:

> Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
>> Referring to below config, each services having their own LDAP tree and
>> specified under ldap module with different Auth-Type & Autz-type specified
>> in radiusd.conf. How can I set in users file to search for which tree?
>
>  Right now, you can't.  It's probably not too hard to add support in
> rlm_ldap for dynamic updates of the basedn.  That would make life a
> lot easier for many people, I think.

basedn is already xlated..

>  Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: More documentation on Auth-Type

2006-08-06 Thread Rohaizam Abu Bakar


I've read the docs about auth-type configuration, and agree that without setting auth-type and leaving FR to auto-detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search a different tree in LDAP for each service. Autz-Type also needs to be specified, but then some of the EAP types won't work, such as EAP-TTLS-PAP.


Normally the EAP sequence works OK, but when it comes to comparing the password, it fails. I've reported my problem a few times on the mailing list.


Any comments?

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, August 04, 2006 2:47 AM
Subject: More documentation on Auth-Type



http://deployingradius.com/documents/configuration/auth_type.html

 Many web sites contain all sorts of recommendations about Auth-Type.
This one is correct.

 Alan DeKok.
--
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog


Re: using previous DN in DEFAULT

2006-07-23 Thread Rohaizam Abu Bakar
I still can't find a solution.. why does it keep referring to the previous DN to do the LDAP bind... although both Autz-Type & Auth-Type have already been sent (in the debug log) to the correct one...


--haizam

- Original Message - 
From: Rohaizam Abu Bakar [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, July 20, 2006 2:51 PM
Subject: using previous DN in DEFAULT



Hi..

Freeradius 1.1.2
OS : FreeBSD 6.1

Referring to the debug logs and config below.. I'm planning to have 2 DEFAULT entries in users.. One that reads LDAP tree ou=DIALUP & one ou=RADIUS


but the 1st DEFAULT entry will only be matched if the entry contains attribute jaringService = REAL in ou=DIALUP.. Other than that it will match the 2nd entry...


But the problem is that although the first DEFAULT is NOT matched, and the 2nd DEFAULT is matched (Auth & Autz Type LDAP), it will still bind using ou=DIALUP (from the 1st DEFAULT) to LDAP


rlm_ldap: user DN: uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my


The problem happens when both LDAP trees have an entry with the same uid...   but different passwords, belonging to different people.



users:-


## NEW Dialup (REAL TIME)
DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP, Auth-Type :=DIALUP


## NORMAL DIALUP
DEFAULT Autz-Type := LDAP, Auth-Type := LDAP


radiusd.conf


   ldap ldap1 {
      basedn = ou=RADIUS,ou=People,dc=jaring,dc=my
      groupname_attribute = jaringConnectionType
      groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
   }
   ldap ldap2 {
      basedn = ou=RADIUS,ou=People,dc=jaring,dc=my
      groupname_attribute = jaringConnectionType
      groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
   }
   ldap ldapdialup1 {
      basedn = ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
      groupname_attribute = jaringService
      groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
   }
   ldap ldapdialup2 {
      basedn = ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
      groupname_attribute = jaringService
      groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
   }

   Autz-Type LDAP {
      redundant {
         ldap1
         ldap2
      }
   }
   Autz-Type DIALUP {
      redundant {
         ldapdialup1
         ldapdialup2
      }
   }

   Auth-Type LDAP {
      redundant {
         ldap1
         ldap2
      }
   }
   Auth-Type DIALUP {
      redundant {
         ldapdialup1
         ldapdialup2
      }
   }


debug:-
=

rad_recv: Access-Request packet from host xxx:60005, id=41, 
length=46

   User-Name = bacang
   User-Password = xx
rad_rmspace_pair:  User-Name now 'bacang'
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '/' in User-Name = bacang, skipping NULL due to config.
 modcall[authorize]: module IPASS returns noop for request 0
   rlm_realm: No '@' in User-Name = bacang, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = bacang
   rlm_realm: Proxying request from user bacang to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my'
radius_xlat:  '(uid=bacang)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x:389, authentication 0
rlm_ldap: bind as cn=x,ou=Applications,dc=jaring,dc=my/xxx 
to x:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=bacang)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(uid=bacang)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my, with filter (&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))

rlm_ldap: object not found or got

Re: EAP-TTLS-PAP-LDAP

2006-07-15 Thread Rohaizam Abu Bakar
I don't think it's because of a wrong password.. It seems to be caused by radius being unable to set Auth-Type and unable to read the crypt password... When I change to a plain password.. then it works..


--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, July 14, 2006 11:28 PM
Subject: Re: EAP-TTLS-PAP-LDAP



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> No error detected (refer below debug logs)

 Really?

> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.

 Try using the correct password to log in.

 Alan DeKok.


Re: EAP-TTLS-PAP-LDAP

2006-07-15 Thread Rohaizam Abu Bakar


Thanks Phil..  what a stupid move to paste all that passwd.. I changed it as soon as I got your mail... thanks again...


cannot find any article related to repeating LDAP query for EAP...  pls help..


I think the problem is caused by RADIUS being unable to figure out how to set Auth-Type, and then it requires a plain passwd.. When I change the password to plain, with the same setting.. it's working...



--haizam


- Original Message - 
From: Phil Mayers [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, July 14, 2006 5:26 PM
Subject: Re: EAP-TTLS-PAP-LDAP



Rohaizam Abu Bakar wrote:
> rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in

That's your problem.

The CVS version of FreeRadius has auto_header which will detect the {type}
in the password, strip it and put the password in the right place. Try
that. Or, write an external script (run via exec) to manipulate the
request correctly.

A couple more things:

 1. You're doing the LDAP query on *every* radius request, which is
    pointless for the EAP conversation. You can rework the config so that
    doesn't happen - see the list archives for eap AND 127.0.0.1

 2. You put your LDAP server admin name, password and IP into the debug
    output. I'd change those ASAP...
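The second point in the reply above can be automated before any debug output leaves the machine. The following is an added example, not part of the original thread or of FreeRADIUS: a Python filter that masks the secrets in the line shapes seen in this thread's logs and config excerpts (`bind as identity/password to host:port`, `Added password ... in check items`, `User-Password = ...`, `password = ...`). The function names are hypothetical and the sample log is constructed.

```python
"""Mask secrets in FreeRADIUS debug output before it is posted anywhere."""
import re
from collections import Counter

MASK = "<redacted>"

# Attributes whose values are credentials when they show up in a packet dump.
SECRET_ATTRS = ("User-Password", "CHAP-Password", "Cleartext-Password",
                "Crypt-Password", "NT-Password")


def _bind(m):
    # Mask identity, password and host; keep the port if the tail is present.
    tail = f" to {MASK}:{m.group(2)}" if m.group(2) else ""
    return f"{m.group(1)}{MASK}/{MASK}{tail}"


# (rule name, pattern, replacement builder); the first matching rule wins.
RULES = [
    ("ldap-bind",
     re.compile(r"^(\s*rlm_ldap: bind as ).+?(?: to \S+?:(\d+))?\s*$"), _bind),
    ("ldap-host",
     re.compile(r"^(\s*rlm_ldap: \(re\)connect to )\S+?(:\d+.*)$"),
     lambda m: f"{m.group(1)}{MASK}{m.group(2)}"),
    ("ldap-password",
     re.compile(r"^(\s*rlm_ldap: Added password ).*?( in check items)?\s*$"),
     lambda m: f"{m.group(1)}{MASK}{m.group(2) or ''}"),
    ("packet-attr",
     re.compile(r"^(\s*(?:%s)\s*:?=\s*).*$" % "|".join(SECRET_ATTRS)),
     lambda m: f"{m.group(1)}{MASK}"),
    ("config-secret",  # pasted module or client config
     re.compile(r"^(\s*(?:password|secret)\s*=\s*).*$"),
     lambda m: f"{m.group(1)}{MASK}"),
]


def redact_line(line):
    """Return (masked_line, rule_name); rule_name is None for a clean line."""
    for name, pattern, build in RULES:
        m = pattern.match(line)
        if m:
            return build(m), name
    return line, None


def redact_log(text):
    """Mask every secret-bearing line; return (masked_text, Counter of rules)."""
    hits, out = Counter(), []
    for line in text.splitlines():
        masked, name = redact_line(line)
        if name:
            hits[name] += 1
        out.append(masked)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), hits


def leaking_lines(text):
    """1-based numbers of lines that still carry an unmasked secret."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if redact_line(line)[0] != line]


# Constructed sample in the shape of `radiusd -X` output; no real values.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10:1814, id=133, length=197
\tUser-Name = "alice"
\tUser-Password = "hunter2-constructed"
rlm_ldap: (re)connect to ldap.example.org:389, authentication 0
rlm_ldap: bind as cn=radius,ou=Applications,dc=example,dc=org/bind-secret to ldap.example.org:389
rlm_ldap: performing search in ou=People,dc=example,dc=org, with filter (uid=alice)
rlm_ldap: Added password {CRYPT}$1$constructed$notarealhashvalue000000 in check items
auth: type Local
"""

if __name__ == "__main__":
    masked, hits = redact_log(SAMPLE_LOG)
    print(masked, end="")
    print(dict(hits))
```

Running `leaking_lines()` on a log as a pre-send check gives the line numbers that still need masking; masking is idempotent, so an already-redacted log reports none.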


Re: EAP-TTLS-PAP-LDAP

2006-07-14 Thread Rohaizam Abu Bakar
: Matched entry DEFAULT at line 19
 modcall[authorize]: module files returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
 Found Autz-Type OCE
 Processing the authorize section of radiusd.conf
modcall: entering group OCE for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce2
radius_xlat:  '(uid=jaroce2)'
radius_xlat:  'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with 
filter (uid=jaroce2)

rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check 
items

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobson-TCP-IP  op=11

rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User  
op=11

rlm_ldap: user jaroce2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldapOCE returns ok for request 9
modcall: leaving group OCE (returns ok) for request 9
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/ttls
 rlm_eap: processing type ttls
 rlm_eap_ttls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
 eaptls_process returned 7
 rlm_eap_ttls: Session established.  Proceeding to decode tunneled 
attributes.

 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
 modcall[authorize]: module preprocess returns ok for request 9
 modcall[authorize]: module chap returns noop for request 9
 modcall[authorize]: module mschap returns noop for request 9
   rlm_realm: No '/' in User-Name = [EMAIL PROTECTED], skipping NULL 
due to config.

 modcall[authorize]: module IPASS returns noop for request 9
   rlm_realm: Looking up realm ocemy015.com for User-Name = 
[EMAIL PROTECTED]

   rlm_realm: Found realm ocemy015.com
   rlm_realm: Adding Stripped-User-Name = jaroce2
   rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com
   rlm_realm: Adding Realm = ocemy015.com
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 9
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 9
   users: Matched entry DEFAULT at line 19
 modcall[authorize]: module files returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
 Found Autz-Type OCE
 Processing the authorize section of radiusd.conf
modcall: entering group OCE for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce2
radius_xlat:  '(uid=jaroce2)'
radius_xlat:  'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with 
filter (uid=jaroce2)

rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check 
items

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobson-TCP-IP  op=11

rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User  
op=11

rlm_ldap: user jaroce2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldapOCE returns ok for request 9
modcall: leaving group OCE (returns ok) for request 9
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
 TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client OCE_JARING port 241 cli 
00-11-5b-2d-b2-8e)








- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, July 14, 2006 1:44 PM
Subject: Re: EAP-TTLS-PAP-LDAP



Rohaizam Abu Bakar [EMAIL PROTECTED

EAP-TTLS-PAP-LDAP

2006-07-13 Thread Rohaizam Abu Bakar


Trying to do EAP-TTLS-PAP with CRYPT passwd in LDAP.. The tunnelling seems fine.. but when it comes to comparing the password it fails. Refer to the logs & config below



Some say (http://felipe-alfaro.org/blog/category/radius/) PAP is tunneled inside EAP-TTLS through EAP-GTC... Tried that as well.. still same error..


gtc {
   auth_type = PAP (even trying to change to LDAP/OCE - still same error)
}


Error

auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
 TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client OCE_JARING port 241 cli 
00-11-5b-2d-b2-8e)


With setting:-

a) radiusd.conf

ldapOCE {
   --some setting
}

authorize {
   eap
   Autz-Type OCE {
   ldapOCE
   }
}

authenticate {
   Auth-Type OCE {
   ldapOCE
   }
eap
}

b) eap.conf

eap {
   default_eap_type = ttls


   tls {
   --some setting
   }
   ttls {
   default_eap_type = md5
   }


c) users:-

DEFAULT Realm == my015.com, Autz-Type := OCE



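The `does NOT match local User-Password` failure in this post is what the reply elsewhere in this thread diagnoses: the value read from LDAP still carries its `{CRYPT}` header, so a literal comparison can never succeed. As an added example (not FreeRADIUS code and not from the original posts), the Python below strips the header, names the attribute the value belongs in, and verifies a PAP password for the schemes `hashlib` covers, going beyond the single `{CRYPT}` case in the post. The scheme table, the `crypt_fn` hook for `{CRYPT}` and the sample values are assumptions constructed for illustration.

```python
"""Route an LDAP userPassword value by its {scheme} header, then check PAP."""
import base64
import hashlib
import hmac
import re

HEADER_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

# header -> (attribute the value belongs in, hashlib digest, salted?).
# The attribute names exist in the FreeRADIUS dictionary; the table itself is
# this example's assumption and is not copied from the server source.
SCHEMES = {
    "CLEAR":     ("Cleartext-Password", None, False),
    "CLEARTEXT": ("Cleartext-Password", None, False),
    "CRYPT":     ("Crypt-Password", None, False),
    "MD5":       ("MD5-Password", "md5", False),
    "SMD5":      ("SMD5-Password", "md5", True),
    "SHA":       ("SHA-Password", "sha1", False),
    "SSHA":      ("SSHA-Password", "sha1", True),
}

# Constructed sample values, not taken from the thread.
SAMPLE_CRYPT = "{CRYPT}$1$constructed$placeholderplaceholder00"
SAMPLE_SSHA = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"s3cret-constructed" + b"salt").digest() + b"salt").decode()


def split_header(stored):
    """Return (scheme, body). No header means cleartext; unknown header -> None."""
    m = HEADER_RE.match(stored)
    if not m:
        return "CLEARTEXT", stored
    scheme = m.group(1).upper()
    return (scheme, m.group(2)) if scheme in SCHEMES else (None, stored)


def attribute_for(stored):
    """Attribute the stored value should be placed in, or None if unknown."""
    scheme, _ = split_header(stored)
    return SCHEMES[scheme][0] if scheme else None


def naive_compare(stored, supplied):
    """Model of the failing path: compare the raw LDAP string to the password."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def verify_pap(stored, supplied, crypt_fn=None):
    """Header-aware check of a PAP password against the stored value."""
    scheme, body = split_header(stored)
    if scheme is None:
        return False  # unrecognised {header}: fail closed, never treat as cleartext
    attr, digest, salted = SCHEMES[scheme]
    pw = supplied.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(body.encode(), pw)
    if scheme == "CRYPT":
        if crypt_fn is None:  # assumption: caller supplies a crypt(3) binding
            raise NotImplementedError("crypt(3) backend required for {CRYPT}")
        return hmac.compare_digest(crypt_fn(supplied, body).encode(), body.encode())
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    size = hashlib.new(digest).digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False
    want, salt = raw[:size], raw[size:]
    return hmac.compare_digest(hashlib.new(digest, pw + salt).digest(), want)


def usable_methods(stored):
    """Auth methods a server can complete with this stored form."""
    attr = attribute_for(stored)
    if attr is None:
        return set()
    if attr == "Cleartext-Password":
        return {"PAP", "CHAP", "EAP-MD5"}  # challenge methods need the plaintext
    return {"PAP"}  # hashed value: PAP only, including PAP inside a TTLS tunnel


if __name__ == "__main__":
    print(split_header(SAMPLE_CRYPT), attribute_for(SAMPLE_CRYPT))
    print(naive_compare(SAMPLE_SSHA, "s3cret-constructed"),
          verify_pap(SAMPLE_SSHA, "s3cret-constructed"))
```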


multiple Auth-Type

2006-07-06 Thread Rohaizam Abu Bakar


I've multiple Auth-Type and Autz-Type to use for the LDAP backend

From the setting below, I'm trying NOT to set Auth-Type as suggested... So I let Freeradius detect Auth-Type by itself...

It's only working for the OCE line because it's EAP type. The other lines are not working unless the password is stored in plain-text in LDAP.
If all lines (except the OCE line) are added with Auth-Type :=LDAP/Y5/ADSL.. then it's working ..


So my big question is.. why is it recommended not to set Auth-Type??


Error in debug:

auth: type Local
auth: user supplied User-Password does NOT match local User-Password


users:
=
DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5
DEFAULT Huntgroup-Name == adsl, Autz-Type := ADSL
DEFAULT NAS-Identifier == OCEPOP, Autz-Type := OCE

DEFAULT Autz-Type := LDAP


modules{
   ldap ldapadsl {
  -- some config
   basedn = ou=ADSL,ou=AAA,ou=People,dc=jaring,dc=my
  -- some config
   }

  ldap ldapy5 {
  -- some config
   basedn = ou=Y5,ou=AAA,ou=People,dc=jaring,dc=my
  -- some config
   }

   ldap ldap1 {
  -- some config
   basedn = ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
  -- some config
   }
   ldap ldapOCE {
  -- some config
   basedn = ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my
  -- some config
   }
}

authorize {

   Autz-Type ADSL {
   ldapadsl
   }
   Autz-Type Y5 {
   ldapy5
   }
   Autz-Type OCE {
   ldapOCE
   }
   Autz-Type LDAP {
   ldap1
   }
}

authenticate {

   Auth-Type ADSL {
   ldapadsl
   }
   Auth-Type Y5 {
   ldapy5
   }
   Auth-Type OCE {
   ldapOCE
   }
   Auth-Type LDAP {
   ldap1
   }
}










RADIUS-LDAPv3.schema db_mysql.sql

2006-07-03 Thread Rohaizam Abu Bakar


I noticed that from Freeradius 1.1.1 onwards, both RADIUS-LDAPv3.schema & db_mysql.sql are NOT included in the source dir? I'm looking for the latest schema since I would like to upgrade my ldap.


--haizam 





Re: EAP-MD5 with LDAP

2006-06-25 Thread Rohaizam Abu Bakar


After searching for a solution.. I found one comment from Alan that advises not to set Auth-Type :=LDAP because LDAP does not do authentication.. EAP does.. let the server figure it out itself... In the case of EAP, LDAP just extracts the password for EAP to do authentication.


But the problem is, my radius needs to serve a few services... such as ADSL, Wifi, Dial up .. etc. Each service has its own LDAP tree for better management. So in radiusd.conf, there will be a few ldap modules.. See below:-



How do I set the users file in order for a WIFI user to perform EAP but get LDAP info from a certain LDAP tree without having to set Auth-Type?



i) users
=

DEFAULT   (not to set Auth-Type but need to direct to certain LDAP 
tree)




ii) radiusd.conf
==

ldap adsl {
   basedn=ou=ADSL, ou=People...
}
ldap wifi {
   basedn=ou=wifi, ou=People...
}

Then .. in authenticate and authorize section :-

authorize {
   eap
   Autz-Type=ADSL {
      adsl
   }
   Autz-Type=WIFI {
      wifi
   }
}
authenticate {
   Auth-Type=ADSL {
      adsl
   }
   Auth-Type=WIFI {
      wifi
   }
   eap
}

iii) eap.conf

... some config...


- Original Message - 
From: Phil Mayers [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, June 24, 2006 5:37 PM
Subject: Re: EAP-MD5 with LDAP



Rohaizam Abu Bakar wrote:
> Hi..
>
> Using FB 6.0
> FR 1.0.5
>
> trying to configure EAP-MD5  with LDAP backend...
>
> But it keep reporting:
>
> rlm_ldap: Attribute User-Password is required for authentication.

EAP-MD5 requires you have the plaintext password (in the LDAP server, in
this case). If you do not, you cannot do EAP-MD5. If you do, configure the
LDAP server to give the plaintext password to the radius server (usually
in userPassword) and the radius server to map that into User-Password
(done by default) and it will work.


Re: EAP-MD5 with LDAP

2006-06-25 Thread Rohaizam Abu Bakar

Can I set Autz-Type in users? but leave EAP to set Auth-Type??

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, June 25, 2006 10:48 PM
Subject: Re: EAP-MD5 with LDAP



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> How do i set in users file in order for WIFI user to perform EAP but get
> LDAP info from certain LDAP tree  without having to set Auth-Type

 The EAP module will take care of setting Auth-Type.  You don't have to.

 Alan DeKok.


EAP-MD5 with LDAP

2006-06-23 Thread Rohaizam Abu Bakar

Hi..

Using FB 6.0
FR 1.0.5

trying to configure EAP-MD5 with LDAP backend...

But it keeps reporting:

rlm_ldap: Attribute User-Password is required for authentication.

No EAP been processed...

please see full debug log below..


Below is my config with multiple DEFAULT entries... for Wireless services & normal Dialup authentication




i) users
  =

  DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5, Auth-Type :=Y5

  DEFAULT Autz-Type := LDAP, Auth-Type := LDAP

ii) eap.conf

   eap {
      default_eap_type = md5
      md5 {
      }
   }


iii) radiusd.conf


$INCLUDE ${confdir}/eap.conf

authorize {
   eap

   Autz-Type LDAP {
      ldap1
   }
   Autz-Type Y5 {
      ldapy51
   }
}


authenticate {

   Auth-Type LDAP {
      ldap1
   }
   Auth-Type Y5 {
      ldapy51
   }
   eap
}


   ldap ldap1 {
   server = localhost
   identity = cn=root,dc=jaring,dc=my
   password = xx
   basedn = ou=RADIUS,ou=People,dc=jaring,dc=my
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 10
   password_attribute = userPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
   }

ldap ldapy51 {
   server = localhost
   identity = cn=root,dc=jaring,dc=my
   password = xx
   basedn = ou=Y5,ou=People,dc=jaring,dc=my
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 10
   password_attribute = userPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
   }



rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133,
length=197
   Framed-MTU = 1466
   NAS-IP-Address = 10.220.0.2
   NAS-Identifier = OCEPOP
   User-Name = jaroce
   Service-Type = Framed-User
   NAS-Port = 129
   NAS-Port-Type = Ethernet
   NAS-Port-Id = ether9_129
   Called-Station-Id = 00-11-95-e1-ce-8a
   Calling-Station-Id = 00-13-46-86-c3-93
   Connect-Info = CONNECT Ethernet 2Mbps Full duplex
   EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d
   Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
   Proxy-State = 0x3433
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '/' in User-Name = jaroce, skipping NULL due to
config.
 modcall[authorize]: module IPASS returns noop for request 1
   rlm_realm: No '@' in User-Name = jaroce, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = jaroce
   rlm_realm: Proxying request from user jaroce to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 2 length 21
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched entry DEFAULT at line 68
 modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
 Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
modcall: entering group redundant for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce
radius_xlat:  '(uid=jaroce)'
radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with
filter (uid=jaroce)
rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess
rlm_ldap: Added password j4r1ng in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value
Van-Jacobson-TCP-IP  op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500  op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP 
op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User 
op=11
rlm_ldap: user jaroce authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap1 returns ok for 

Zero Session-Timeout

2006-05-30 Thread Rohaizam Abu Bakar

Dear all,

Using FB 6.0, FR 1.0.5 (will upgrade soon)

I've problem with timeout...

I've set the users file as below in order to load the timeout value depending on the type of connection (ISDN/PSTN)


DEFAULT NAS-Port-Type == Sync, Autz-Type := DIALUP, Auth-Type := DIALUP
   Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U ISDN}`


DEFAULT NAS-Port-Type == Async, Autz-Type := DIALUP, Auth-Type := DIALUP
   Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U PSTN}`value


The problem is when Session-Timeout = 0, which normally happens when the script cannot load a value... it will NOT time out... the user can still connect until manually disconnected...



Below is the debug log...


Login OK: [integ36] (from client INFRANETTEST port 300 cli )
Sending Access-Accept of id 111 to 10.1.1.1:1645
   Session-Timeout = 0
   Framed-Compression = Van-Jacobson-TCP-IP
   Framed-MTU = 1500
   Framed-Protocol = PPP
   Service-Type = Framed-User
Finished request 89
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.1.1.1:1646, id=97, 
length=131

   Acct-Session-Id = 00AE
   Framed-Protocol = PPP
   User-Name = integ36
   Acct-Authentic = RADIUS
   Acct-Status-Type = Start
   Calling-Station-Id = 
   Called-Station-Id = 2426
   NAS-Port-Type = Async
   Connect-Info = 50667/24000 V90/V44/LAPM
   NAS-Port = 300
   Service-Type = Framed-User
   NAS-IP-Address = 10.1.1.1
   Acct-Delay-Time = 0

.
.
.
.
rad_recv: Accounting-Request packet from host 10.1.1.1:1646, id=98, 
length=173

   Acct-Session-Id = 00AE
   Framed-Protocol = PPP
   Framed-IP-Address = 10.1.1.3
   User-Name = integ36
   Acct-Authentic = RADIUS
   Acct-Session-Time = 26
   Acct-Input-Octets = 8110
   Acct-Output-Octets = 4998
   Acct-Input-Packets = 92
   Acct-Output-Packets = 37
   Acct-Terminate-Cause = User-Request
   Acct-Status-Type = Stop
   Calling-Station-Id = 
   Called-Station-Id = 2426
   NAS-Port-Type = Async
   Connect-Info = 50667/24000 V90/V44/LAPM
   NAS-Port = 300
   Service-Type = Framed-User
   NAS-IP-Address = 10.1.1.1
   Acct-Delay-Time = 0




Freeradius 1.1.1 with openldap 2.0.X

2006-04-13 Thread Rohaizam Abu Bakar



Tried to upgrade current machine with:
FreeBSD 4.11
OpenLDAP 2.0.X
Freeradius 1.0.4

to Freeradius 1.1.1 using ports. But it tried to install openldap 2.2.X as well... I want to use the existing openldap (2.0.X)

Is it possible to force the freeradius ports installation to use the existing openldap client?

TQ

--haizam

Re: Bug 314..

2006-01-23 Thread Rohaizam Abu Bakar

Which file i should fix? and what to add?

According to Frank

For 6.0, I'll fix it by unconditionally including sys/un.h in cryptocard.c

thanks..

--haizam


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, January 24, 2006 02:09
Subject: Re: Bug 314..



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
> Has bug 314 been fixed?  Problem with rlm_otp on FreeBSD 6.0

 It's trivial to fix by hand in 1.1.0.  It will be fixed permanently
in 1.1.1.

 Alan DeKok.



Bug 314..

2006-01-22 Thread Rohaizam Abu Bakar



Has bug 314 been fixed? Problem with rlm_otp 
on FreeBSD 6.0

thanks..

--haizam

Re: Freeradius 1.1.0 build error

2006-01-13 Thread Rohaizam Abu Bakar

I've got an error too.. but it's different

testing using FreeBSD 4.11 machine..

##
rlm_attr_rewrite.c -o rlm_attr_rewrite.o
In file included from rlm_attr_rewrite.c:31:
/usr/include/regex.h:46: syntax error before `regoff_t'
/usr/include/regex.h:46: warning: type defaults to `int' in declaration of `regoff_t'
/usr/include/regex.h:46: warning: data definition has no type or storage class
/usr/include/regex.h:56: syntax error before `regoff_t'
rlm_attr_rewrite.c: In function `do_attr_rewrite':
rlm_attr_rewrite.c:314: structure has no member named `rm_so'
rlm_attr_rewrite.c:316: structure has no member named `rm_so'
rlm_attr_rewrite.c:318: structure has no member named `rm_eo'
rlm_attr_rewrite.c:318: structure has no member named `rm_so'
rlm_attr_rewrite.c:330: structure has no member named `rm_eo'
rlm_attr_rewrite.c:348: structure has no member named `rm_so'
rlm_attr_rewrite.c:357: structure has no member named `rm_so'
rlm_attr_rewrite.c:358: structure has no member named `rm_eo'
rlm_attr_rewrite.c:358: structure has no member named `rm_so'
rlm_attr_rewrite.c:359: structure has no member named `rm_eo'
rlm_attr_rewrite.c:359: structure has no member named `rm_so'
gmake[5]: *** [rlm_attr_rewrite.o] Error 1
gmake[5]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_attr_rewrite'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake: *** [common] Error 2
*** Error code 2
###


- Original Message - 
From: Drew S. Dupont [EMAIL PROTECTED]

To: freeradius-users@lists.freeradius.org
Sent: Friday, January 13, 2006 11:07
Subject: Freeradius 1.1.0 build error


When trying to compile the new release, I am unable to b/c it stops with 
an error in the:


Making install in rlm_sql_iodbc...
gmake[11]: Entering directory 
`/home/dsdupont/freeradius-1.1.0/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
[ xrlm_sql_iodbc = x ] || 
/home/dsdupont/freeradius-1.1.0/libtool --mode=install 
/home/dsdupont/freeradius-1.1.0/install-sh -c -c rlm_sql_iodbc.la 
/home/dsdupont/freeradius/usr/local/lib/rlm_sql_iodbc.la

libtool: install: `rlm_sql_iodbc.la' is not a valid libtool archive
Try `libtool --help --mode=install' for more information.

It does that for any module in the rlm_sql group. However, when I go and 
type make inside the rlm_sql_iodbc dir. it compiles fine. I then go back 
one and type make and it compiles fine. I can then return to the main 
dir. and type make and it runs along until:


Making static dynamic in rlm_otp...
gmake[4]: Entering directory 
`/home/dsdupont/freeradius-1.1.0/src/modules/rlm_otp'

Making all in cardops ...
gmake[5]: Entering directory 
`/home/dsdupont/freeradius-1.1.0/src/modules/rlm_otp/cardops'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I/usr/local/ssl/includes 
 -Wall -D_GNU_SOURCE -DNDEBUG -I../../../include -I/usr/local/ssl/includes 
 -DOTP_MODULE_NAME=rlm_otp -DFREERADIUS /usr/local/ssl/includes -c 
cryptocard.c -o cryptocard.o

gcc: cannot specify -o with -c or -S and multiple compilations
gmake[5]: *** [cryptocard.o] Error 1

If I make some of the remaining dirs. in the modules dir., it compiles 
those. I have not tried all the remaining dirs. yet. However, I can not 
get the rlm_otp dir. to compile.


Thank you for your assistance,
Drew Dupont
--
--
  Drew S. Dupont[EMAIL PROTECTED]
  AIM: NetWhizOneFWD #: 271144
  YIM: dsdupont
--


Compiling FR 1.1.0

2006-01-13 Thread Rohaizam Abu Bakar




Tested with FBSD 4.11 error with rlm_attr_rewrite... After remove the folder... then error with rlm_otp

###
Making all in cardops ...
gmake[6]: Entering directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp/cardops'
gcc -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../../include -DOTP_MODULE_NAME="rlm_otp" -DFREERADIUS -c cryptocard.c -o cryptocard.o
In file included from /usr/include/openssl/des.h:66,
                 from ../otp.h:32,
                 from cryptocard.c:26:
/usr/include/openssl/opensslconf.h:177: warning: `OPENSSL_NO_KRB5' redefined
*Initialization*:1: warning: this is the location of the previous definition
cryptocard.c: In function `cryptocard_updatecsd':
cryptocard.c:230: syntax error before `PRIx32'
cryptocard.c: In function `cryptocard_isconsecutive':
cryptocard.c:255: syntax error before `SCNx32'
cryptocard.c:252: warning: unused variable `nextewin'
cryptocard.c: At top level:
cryptocard.c:260: syntax error before `++'
cryptocard.c:58: warning: `cryptocard_name2fm' defined but not used
cryptocard.c:78: warning: `cryptocard_keystring2keyblock' defined but not used
cryptocard.c:110: warning: `cryptocard_nullstate' defined but not used
cryptocard.c:139: warning: `cryptocard_challenge' defined but not used
cryptocard.c:184: warning: `cryptocard_response' defined but not used
cryptocard.c:226: warning: `cryptocard_updatecsd' defined but not used
cryptocard.c:251: warning: `cryptocard_isconsecutive' defined but not used
cryptocard.h:59: warning: `cryptocard_maxtwin' declared `static' but never defined
cryptocard.h:62: warning: `cryptocard_printchallenge' declared `static' but never defined
gmake[6]: *** [cryptocard.o] Error 1
gmake[6]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp/cardops'
gmake[5]: *** [cardops/cryptocard.lo] Error 2
gmake[5]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake: *** [common] Error 2
*** Error code 2
###3


Tested with FBSD 6.0... OK with rlm_attr_rewrite 
 but problem with rlm_otp with different from FBSD4.11

#
otp_state.c: In function `otp_state_connect':
otp_state.c:482: error: storage size of 'sa' isn't known
otp_state.c:482: warning: unused variable `sa'
gmake[5]: *** [otp_state.o] Error 1
gmake[5]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake: *** [common] Error 2
*** Error code 2
##


--haizam

Cannot authenticate but there is accounting record

2005-12-29 Thread Rohaizam Abu Bakar



Hi,

I've found unusual activity where there is an attempt to authenticate but 
unsuccessful due to no entry in database (LDAP) but there is accounting 
record for it. Below are the log accounting record.

Any comments on this..

TQ..

Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [assasaas] (from client 61.6.116.2 port 143)

Fri Oct 21 22:03:08 2005
   Acct-Session-Id = "0026190D"
   Framed-Protocol = PPP
   Framed-IP-Address = 61.6.116.27
   User-Name = "assasaas"
   Acct-Authentic = RADIUS
   Acct-Session-Time = 7
   Acct-Input-Octets = 762
   Acct-Output-Octets = 494
   Acct-Input-Packets = 16
   Acct-Output-Packets = 15
   Acct-Terminate-Cause = User-Error
   Acct-Status-Type = Stop
   Called-Station-Id = "20878830"
   NAS-Port-Type = Async
   NAS-Port = 143
   Connect-Info = "28800 V34/V42bis/LAPM"
   Service-Type = Framed-User
   NAS-IP-Address = 61.6.116.2
   Acct-Delay-Time = 0
   Client-IP-Address = 61.6.116.2
   Acct-Unique-Session-Id = "62a6e1512da039e2"
   Stripped-User-Name = "assasaas"
   Realm = "NULL"
   Timestamp = 1129903388
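
An added example (not part of the original post, and not FreeRADIUS code) of the correlation described here: it pairs each `Login incorrect` line with any accounting Stop record for the same user, NAS and port whose session overlaps the rejection. The sample log and detail records are constructed, the function names are this example's own, and it assumes the client is logged by IP address as in the post.

```python
import re
from datetime import datetime, timedelta

TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed radius.log lines in the format quoted in the post
# (192.0.2.0/24 is a documentation range, user names are made up).
SAMPLE_RADIUS_LOG = """\
Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [nouser1] (from client 192.0.2.10 port 143)
Fri Oct 21 22:10:40 2005 : Auth: Login incorrect (rlm_ldap: User not found): [nouser2] (from client 192.0.2.10 port 150)
"""

# Constructed accounting records: a timestamp header, then one attribute per line.
SAMPLE_DETAIL = """\
Fri Oct 21 22:03:08 2005
\tAcct-Session-Id = "CONSTRUCTED01"
\tUser-Name = "nouser1"
\tAcct-Session-Time = 7
\tAcct-Terminate-Cause = User-Error
\tAcct-Status-Type = Stop
\tNAS-Port = 143
\tNAS-IP-Address = 192.0.2.10

Fri Oct 21 22:05:00 2005
\tAcct-Session-Id = "CONSTRUCTED02"
\tUser-Name = "alice"
\tAcct-Session-Time = 600
\tAcct-Terminate-Cause = User-Request
\tAcct-Status-Type = Stop
\tNAS-Port = 144
\tNAS-IP-Address = 192.0.2.10

Fri Oct 21 23:30:00 2005
\tAcct-Session-Id = "CONSTRUCTED03"
\tUser-Name = "nouser1"
\tAcct-Session-Time = 60
\tAcct-Terminate-Cause = User-Request
\tAcct-Status-Type = Stop
\tNAS-Port = 143
\tNAS-IP-Address = 192.0.2.10
"""

REJECT_RE = re.compile(
    r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: Login incorrect"
    r".*?: \[(.*?)\] \(from client (\S+) port (\d+)", re.M)
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*)$")


def parse_rejects(log_text):
    """Return one dict per 'Login incorrect' line."""
    return [{"time": datetime.strptime(ts, TS_FORMAT), "user": user,
             "client": client, "port": port}
            for ts, user, client, port in REJECT_RE.findall(log_text)]


def parse_detail(detail_text):
    """Parse blank-line separated accounting records into attribute dicts."""
    records = []
    for block in re.split(r"\n\s*\n", detail_text.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        try:
            stamp = datetime.strptime(lines[0].strip(), TS_FORMAT)
        except ValueError:
            continue  # block does not start with a record timestamp
        attrs = {"_time": stamp}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip().strip('"')
        records.append(attrs)
    return records


def sessions_for_rejected_logins(log_text, detail_text, slack_seconds=30):
    """Return Stop records whose session overlaps a rejected login for the
    same user, NAS and port. The record timestamp stands in for the stop time."""
    slack = timedelta(seconds=slack_seconds)
    stops = [r for r in parse_detail(detail_text)
             if r.get("Acct-Status-Type") == "Stop"]
    hits = []
    for rej in parse_rejects(log_text):
        key = (rej["user"], rej["client"], rej["port"])
        for rec in stops:
            if (rec.get("User-Name"), rec.get("NAS-IP-Address"),
                    rec.get("NAS-Port")) != key:
                continue
            end = rec["_time"]
            seconds = int(rec.get("Acct-Session-Time", "0"))
            start = end - timedelta(seconds=seconds)
            if start - slack <= rej["time"] <= end + slack:
                hits.append({"user": rej["user"], "nas": rej["client"],
                             "port": rej["port"], "rejected_at": rej["time"],
                             "session_id": rec.get("Acct-Session-Id"),
                             "session_seconds": seconds,
                             "terminate_cause": rec.get("Acct-Terminate-Cause")})
    return hits


if __name__ == "__main__":
    for hit in sessions_for_rejected_logins(SAMPLE_RADIUS_LOG, SAMPLE_DETAIL):
        print(hit)
```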



Re: Segmentation Fault - 1.0.5

2005-10-04 Thread Rohaizam Abu Bakar

Dear all,


configure with --disable-shared... cleaned old files... and still core 
dump..



gdb /usr/local/sbin/radiusd /usr/local/etc/raddb/radiusd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-unknown-freebsd...Deprecated bfd_read 
called at 
/usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 
2627 in elfstab_build_psymtabs
Deprecated bfd_read called at 
/usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 
933 in fill_symbuf


Core was generated by `radiusd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libssl.so.3...done.
Reading symbols from /usr/lib/libcrypto.so.3...done.
Reading symbols from /usr/local/lib/libgdbm.so.3...done.
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/local/lib/mysql/libmysqlclient.so.14...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libz.so.2...done.
Reading symbols from /usr/lib/libcipher.so.2...done.
Reading symbols from /usr/lib/libc_r.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x808e23e in lt_dlsym (handle=0x812ae40, symbol=0xbfbfe660 rlm_ldap) 
at ltdl.c:3330
3330  lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)

(gdb) bt
#0  0x808e23e in lt_dlsym (handle=0x812ae40, symbol=0xbfbfe660 rlm_ldap) 
at ltdl.c:3330
#1  0x8057fd4 in linkto_module (module_name=0xbfbfe7b0 rlm_ldap, 
cffilename=0x80932e7 radiusd.conf,

   cflineno=732) at modules.c:230
#2  0x805822a in find_module_instance (instname=0x80f31e0 ldap1) at 
modules.c:347
#3  0x8059416 in do_compile_modsingle (component=0, ci=0x80f2340, 
filename=0x80932e7 radiusd.conf,

   grouptype=1, modname=0xbfbfe948) at modcall.c:814
#4  0x80595dc in do_compile_modgroup (component=0, cs=0x80f2320, 
filename=0x80932e7 radiusd.conf,

   grouptype=1, parentgrouptype=0) at modcall.c:877
#5  0x80592fe in do_compile_modsingle (component=0, ci=0x80f2320, 
filename=0x80932e7 radiusd.conf,

   grouptype=0, modname=0xbfbfe9fc) at modcall.c:786
#6  0x805956f in do_compile_modgroup (component=0, cs=0x80f2300, 
filename=0x80932e7 radiusd.conf,

   grouptype=0, parentgrouptype=0) at modcall.c:859
#7  0x8059676 in compile_modgroup (component=0, cs=0x80f2300, 
filename=0x80932e7 radiusd.conf)

   at modcall.c:898
#8  0x8058471 in load_subcomponent_section (cs=0x80f2300, comp=0, 
filename=0x80932e7 radiusd.conf)

   at modules.c:483
#9  0x80585f0 in load_component_section (cs=0x80f2200, comp=0, 
filename=0x80932e7 radiusd.conf)

   at modules.c:546
#10 0x8058acd in setup_modules () at modules.c:858
#11 0x8050864 in main (argc=4, argv=0xbfbffc28) at radiusd.c:960

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, September 30, 2005 23:01
Subject: Re: Segmentation Fault - 1.0.5



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

cleaning up old files... recompile... and still segmentation fault... but
worse than before.. since the daemon cannot even up..

seems problem with rlm_ldap...


 That's bug #98.

 Either link statically, or put the libraries rlm_ldap needs in a
place where the dynamic linker can find them.

 Alan DeKok.


Re: Segmentation Fault - 1.0.5

2005-10-02 Thread Rohaizam Abu Bakar

dynamic linker can find ldap lib...  since within directory /usr/local/lib..

   133:-lldap.2 = /usr/local/lib/libldap.so.2
   134:-lldap_r.2 = /usr/local/lib/libldap_r.so.2


so last option will be  ./configure --disable-shared

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, September 30, 2005 23:01
Subject: Re: Segmentation Fault - 1.0.5



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

cleaning up old files... recompile... and still segmentation fault... but
worse than before.. since the daemon cannot even up..

seems problem with rlm_ldap...


 That's bug #98.

 Either link statically, or put the libraries rlm_ldap needs in a
place where the dynamic linker can find them.

 Alan DeKok.


Re: Segmentation Fault - 1.0.5

2005-09-30 Thread Rohaizam Abu Bakar


cleaning up old files... recompile... and still segmentation fault... but 
worse than before.. since the daemon cannot even up..


seems problem with rlm_ldap...


###
bash-2.05b# gdb /usr/local/sbin/radiusd /usr/local/etc/raddb/radiusd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-unknown-freebsd...Deprecated bfd_read 
called at 
/usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 
2627 in elfstab_build_psymtabs
Deprecated bfd_read called at 
/usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 
933 in fill_symbuf


Core was generated by `radiusd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libcipher.so.2...done.
Reading symbols from /usr/local/lib/libradius-1.0.5.so...done.
Reading symbols from /usr/local/lib/libltdl.so.4...done.
Reading symbols from /usr/lib/libssl.so.3...done.
Reading symbols from /usr/lib/libcrypto.so.3...done.
Reading symbols from /usr/lib/libc_r.so.4...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/local/lib/rlm_exec-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_expr-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_pap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_chap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_mschap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_unix-1.0.5.so...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x280c4172 in lt_dlsym (handle=0x80de0c0, symbol=0xbfbfe630 rlm_ldap) 
at ltdl.c:3330
3330  lensym = LT_STRLEN (symbol) + LT_STRLEN (handle->loader->sym_prefix)

(gdb) bt
#0  0x280c4172 in lt_dlsym (handle=0x80de0c0, symbol=0xbfbfe630 rlm_ldap) 
at ltdl.c:3330
#1  0x8053fb0 in linkto_module (module_name=0xbfbfe780 rlm_ldap, 
cffilename=0x805e5e7 radiusd.conf,

   cflineno=732) at modules.c:230
#2  0x8054206 in find_module_instance (instname=0x80a61e0 ldap1) at 
modules.c:347
#3  0x80553f2 in do_compile_modsingle (component=0, ci=0x80a5340, 
filename=0x805e5e7 radiusd.conf,

   grouptype=1, modname=0xbfbfe918) at modcall.c:814
#4  0x80555b8 in do_compile_modgroup (component=0, cs=0x80a5320, 
filename=0x805e5e7 radiusd.conf,

   grouptype=1, parentgrouptype=0) at modcall.c:877
#5  0x80552da in do_compile_modsingle (component=0, ci=0x80a5320, 
filename=0x805e5e7 radiusd.conf,

   grouptype=0, modname=0xbfbfe9cc) at modcall.c:786
#6  0x805554b in do_compile_modgroup (component=0, cs=0x80a5300, 
filename=0x805e5e7 radiusd.conf,

   grouptype=0, parentgrouptype=0) at modcall.c:859
#7  0x8055652 in compile_modgroup (component=0, cs=0x80a5300, 
filename=0x805e5e7 radiusd.conf)

   at modcall.c:898
#8  0x805444d in load_subcomponent_section (cs=0x80a5300, comp=0, 
filename=0x805e5e7 radiusd.conf)

   at modules.c:483
#9  0x80545cc in load_component_section (cs=0x80a5200, comp=0, 
filename=0x805e5e7 radiusd.conf)

   at modules.c:546
#10 0x8054aa9 in setup_modules () at modules.c:858
#11 0x804c840 in main (argc=4, argv=0xbfbffbf0) at radiusd.c:960
(gdb)


- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, September 30, 2005 10:27
Subject: Re: Segmentation Fault



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

Is there a way to remove all old modules ? or just simply delete the lib
files...


 No just deleting the old files should be OK.

Do we need to recompile again after cleaning it up... or just make 
install

again..?


 If you install to a completely different directory, and set that
directory via configure --prefix=..., then everything should work.
It's only installing multiple versions of the server on top of each
other that causes problems.

 My suggestion there is to delete the old files, and *then* compile *
reinstall.

 Alan DeKok.



Re: Segmentation Fault

2005-09-29 Thread Rohaizam Abu Bakar


I've been upgrading a few times.. but this is the one that need cleaning old 
version before installing new one..


Is there a way to remove all old modules ? or just simply delete the lib 
files...


Do we need to recompile again after cleaning it up... or just make install 
again..?



- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, September 30, 2005 04:53
Subject: Re: Segmentation Fault



Linda Pagillo [EMAIL PROTECTED] wrote:

I just installed the newest version of Freeradius (1.0.5) on my Linux
Redhat 9 server. All went well except this... when i start the radius in
debug mode.. all starts fine, but when the first user tries to
authenticate, i get a Segmentation Fault and the radius stops. Any
ideas?


 See doc/bugs

 Also, ensure that you *don't* have an older version of FreeRADIUS
installed on the same box.  Using old modules with a new server may
cause problems.

 Alan Dekok.



Re: Bus error - core dumped on freeradius 1.0.5

2005-09-26 Thread Rohaizam Abu Bakar

So.. do i need to upgrade to 5.X in order to use FR 1.0.5 ??

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, September 23, 2005 02:29
Subject: Re: Bus error - core dumped on freeradius 1.0.5



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

So seems the problem happen only to FreeBSD 4.X.. not to all FreeBSD..


 Sounds to me like a problem with FreeBSD.

 Alan DeKok.


Re: Installing FR 1.05

2005-09-25 Thread Rohaizam Abu Bakar
Install mysql (client or server) first.. then recompile the freeradius 
it will build with mysql module..



--haizam

- Original Message - 
From: Bill Neely [EMAIL PROTECTED]

To: freeradius-users@lists.freeradius.org
Sent: Sunday, September 25, 2005 00:31
Subject: Re: Installing FR 1.05


In the modules directory, there is a sub directory called rlm_sql. Does 
that

mean that the module got built?
--
1-888-217-5498


Quoting Duane Cox [EMAIL PROTECTED]:

During the configure/make process, was the module actually built?  If 
not, then you are missing the mysql driver stuff.




- Original Message - From: Bill Neely
To: freeradius-users@lists.freeradius.org
Sent: Friday, September 23, 2005 7:28 PM
Subject: Installing FR 1.05


Am installing Free Radius 1.0.5 on Free BSD 5.4 OS

Installation went alright, but when I fire it up, it fails to load the 
sql module.


Here is the radiusd -x string:

radiusd -x
Starting - reading configuration files ...
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.


In radiusd.conf, I have

   $INCLUDE  ${confdir}/sql.conf


What else do I need to do?

Bill






Re: Bus error - core dumped on freeradius 1.0.5

2005-09-21 Thread Rohaizam Abu Bakar

Dear all,

anyone having similar problem... when using 1.0.5 with FB 4.11 ??

Any finding on this.? I'm still having problem upgrading... on my 4.11 
machine..


thanks..

--haizam

- Original Message - 
From: Rohaizam Abu Bakar [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, September 20, 2005 08:48
Subject: Re: Bus error - core dumped on freeradius 1.0.5



Yes.. version 1.0.5..  previous version of 1.0.4 working fine...

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

Sent: Tuesday, September 20, 2005 01:29
Subject: Re: Bus error - core dumped on freeradius 1.0.5



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

#0  pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172
172 if (*first == NULL) {


 The value of first is suspicious.  It looks like it's from
explicitly uninitialized memory.

#1  0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) 
at

rlm_ldap.c:1243


 Are you using 1.0.5?  The code isn't at that line number in my
version of 1.0.5.

 Alan DeKok.



Re: Bus error - core dumped on freeradius 1.0.5

2005-09-19 Thread Rohaizam Abu Bakar



OS: FreeBSD 4.11p10
FR: 1.0.5

As requested..


bash-2.05b# gdb /usr/local/sbin/radiusd /usr/local/etc/raddb/radiusd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-unknown-freebsd...Deprecated bfd_read 
called at 
/usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 
2627 in elfstab_build_psymtabs
Deprecated bfd_read called at 
/usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 
933 in fill_symbuf


Core was generated by `radiusd'.
Program terminated with signal 10, Bus error.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libcipher.so.2...done.
Reading symbols from /usr/local/lib/libradius-1.0.5.so...done.
Reading symbols from /usr/local/lib/libltdl.so.4...done.
Reading symbols from /usr/local/lib/libssl.so.3...done.
Reading symbols from /usr/local/lib/libcrypto.so.3...done.
Reading symbols from /usr/lib/libc_r.so.4...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/lib/libssl.so.3...done.
Reading symbols from /usr/lib/libcrypto.so.3...done.
Reading symbols from /usr/local/lib/rlm_exec-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_expr-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_pap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_chap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_mschap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_unix-1.0.5.so...done.
Reading symbols from /usr/local/lib/liblber.so...done.
Reading symbols from /usr/local/lib/rlm_ldap-1.0.4.so...done.
Reading symbols from /usr/local/lib/libldap_r.so.2...done.
Reading symbols from /usr/lib/libssl.so.2...done.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/local/lib/libeap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_eap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_eap_leap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_eap_gtc-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_eap_mschapv2-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_preprocess-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_realm-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_files-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_acct_unique-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_detail-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_radutmp-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_sql-1.0.5.so...done.
Reading symbols from /usr/lib/libz.so...done.
Reading symbols from /usr/lib/libm.so...done.
---Type return to continue, or q return to quit---
Reading symbols from /usr/local/lib/mysql/libmysqlclient.so...done.
Reading symbols from /usr/local/lib/rlm_sql_mysql-1.0.5.so...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172
172 if (*first == NULL) {
(gdb) bt
#0  pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172
#1  0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) at 
rlm_ldap.c:1243
#2  0x8054e91 in call_modsingle (component=1, sp=0x818ecc0, 
request=0x819de00, default_result=6)

   at modcall.c:219
#3  0x8055088 in modcall (component=1, c=0x818ecc0, request=0x819de00) at 
modcall.c:344
#4  0x8054f4f in call_modgroup (component=1, g=0x818ec80, request=0x819de00, 
default_result=6)

   at modcall.c:252
#5  0x8055031 in modcall (component=1, c=0x818ec80, request=0x819de00) at 
modcall.c:335
#6  0x8054f4f in call_modgroup (component=1, g=0x818e980, request=0x819de00, 
default_result=6)

   at modcall.c:252
#7  0x8055031 in modcall (component=1, c=0x818e980, request=0x819de00) at 
modcall.c:335
#8  0x8054426 in indexed_modcall (comp=1, idx=0, request=0x819de00) at 
modules.c:469
#9  0x8054b16 in module_authorize (autz_type=0, request=0x819de00) at 
modules.c:883

#10 0x8051c23 in rad_authenticate (request=0x819de00) at auth.c:592
#11 0x804d25c in rad_respond (request=0x819de00, fun=0x8051ac4 
rad_authenticate) at radiusd.c:1642

#12 0x804cfa6 in main (argc=4, argv=0xbfbffbe4) at radiusd.c:1427



- Original Message - 
From: Nicolas Baradakis [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 15, 2005 22:11
Subject: Re: Bus error - core dumped on freeradius 1.0.5



Rohaizam Abu Bakar wrote:


OS: FreeBSD4.11 p10
Freeradius: 1.0.5  from 1.0.4

- compilation OK.. but still to patch rlm_rewrite just like 1.0.4
- starting radiusd seems fine
- but when trying to authenticate
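
An added example (not part of the thread, and not FreeRADIUS code) that checks a gdb shared-object listing like the one in this message for the condition Alan DeKok warns about elsewhere in the thread: old modules loaded by a new server. It also flags a library mapped from more than one file; the sample lines are an excerpt of the listing above, and the function names are this example's own.

```python
import os
import re
from collections import Counter, defaultdict

# Excerpt of the "Reading symbols from" lines in the gdb session above.
SAMPLE_GDB_OUTPUT = """\
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/local/lib/libradius-1.0.5.so...done.
Reading symbols from /usr/local/lib/libssl.so.3...done.
Reading symbols from /usr/lib/libssl.so.3...done.
Reading symbols from /usr/local/lib/rlm_pap-1.0.5.so...done.
Reading symbols from /usr/local/lib/rlm_ldap-1.0.4.so...done.
Reading symbols from /usr/local/lib/libldap_r.so.2...done.
Reading symbols from /usr/lib/libssl.so.2...done.
Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.5.so...done.
"""

LOADED_RE = re.compile(r"^Reading symbols from (\S+?)\.\.\.done\.$", re.M)
# FreeRADIUS objects in these listings are named <name>-<version>.so
FR_OBJECT_RE = re.compile(r"^(libradius|libeap|rlm_\w+)-(\d+(?:\.\d+)+)\.so$")
# Ordinary shared library: <stem>.so[.<major>...]
SONAME_RE = re.compile(r"^(lib[\w+-]+?)\.so(?:\.([\d.]+))?$")


def loaded_objects(gdb_text):
    """Return the path of every object gdb reports reading symbols from."""
    return LOADED_RE.findall(gdb_text)


def version_mismatches(gdb_text):
    """Return (reference_version, [(path, version), ...]) listing FreeRADIUS
    objects whose version suffix differs from the reference.

    The reference is the libradius version when it is listed; otherwise
    (for example in a statically linked build) the most common version seen.
    """
    versions = {}
    reference = None
    for path in loaded_objects(gdb_text):
        m = FR_OBJECT_RE.match(os.path.basename(path))
        if not m:
            continue
        versions[path] = m.group(2)
        if m.group(1) == "libradius":
            reference = m.group(2)
    if not versions:
        return None, []
    if reference is None:
        reference = Counter(versions.values()).most_common(1)[0][0]
    stale = sorted((p, v) for p, v in versions.items() if v != reference)
    return reference, stale


def duplicate_libraries(gdb_text):
    """Return {stem: [paths]} for libraries mapped from more than one file,
    such as the same soname in two directories or two major versions."""
    by_stem = defaultdict(list)
    for path in loaded_objects(gdb_text):
        m = SONAME_RE.match(os.path.basename(path))
        if m and path not in by_stem[m.group(1)]:
            by_stem[m.group(1)].append(path)
    return {stem: paths for stem, paths in by_stem.items() if len(paths) > 1}


if __name__ == "__main__":
    ref, stale = version_mismatches(SAMPLE_GDB_OUTPUT)
    print("reference FreeRADIUS version:", ref)
    for path, version in stale:
        print("version mismatch:", path, "is", version)
    for stem, paths in duplicate_libraries(SAMPLE_GDB_OUTPUT).items():
        print("loaded more than once:", stem, "->", ", ".join(paths))
```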

Re: Bus error - core dumped on freeradius 1.0.5

2005-09-19 Thread Rohaizam Abu Bakar

Yes.. version 1.0.5..  previous version of 1.0.4 working fine...

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, September 20, 2005 01:29
Subject: Re: Bus error - core dumped on freeradius 1.0.5



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

#0  pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172
172 if (*first == NULL) {


 The value of first is suspicious.  It looks like it's from
explicitly uninitialized memory.

#1  0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) 
at

rlm_ldap.c:1243


 Are you using 1.0.5?  The code isn't at that line number in my
version of 1.0.5.

 Alan DeKok.



Re: Bus error - core dumped on freeradius 1.0.5

2005-09-19 Thread Rohaizam Abu Bakar
testing in one of my FreeBSD 5.3 machine... 1.0.5 seems working with same 
configuration as below tested in FreeBSD 4.11


So seems the problem happen only to FreeBSD 4.X.. not to all FreeBSD..

--haizam

- Original Message - 
From: Rohaizam Abu Bakar [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, September 20, 2005 08:48
Subject: Re: Bus error - core dumped on freeradius 1.0.5



Yes.. version 1.0.5..  previous version of 1.0.4 working fine...

--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

Sent: Tuesday, September 20, 2005 01:29
Subject: Re: Bus error - core dumped on freeradius 1.0.5



Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

#0  pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172
172 if (*first == NULL) {


 The value of first is suspicious.  It looks like it's from
explicitly uninitialized memory.

#1  0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) 
at

rlm_ldap.c:1243


 Are you using 1.0.5?  The code isn't at that line number in my
version of 1.0.5.

 Alan DeKok.



Bus error - core dumped on freeradius 1.0.5

2005-09-14 Thread Rohaizam Abu Bakar


OS: FreeBSD4.11 p10
Freeradius: 1.0.5  from 1.0.4


- compilation OK.. but still to patch rlm_rewrite just like 1.0.4
- starting radiusd seems fine
- but when trying to authenticate.. then it will core dumped..  as below 
debug log..




Ready to process requests.
rad_recv: Access-Request packet from host 192.228.137.77:34496, id=17, 
length=46

   User-Name = bacang
   User-Password = x
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '/' in User-Name = bacang, skipping NULL due to config.
 modcall[authorize]: module IPASS returns noop for request 0
   rlm_realm: No '@' in User-Name = bacang, looking up realm NULL
   rlm_realm: Found realm NULL
   rlm_realm: Adding Stripped-User-Name = bacang
   rlm_realm: Proxying request from user bacang to realm NULL
   rlm_realm: Adding Realm = NULL
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 102
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
 Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for LDAP
radius_xlat:  '(uid=bacang)'
radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=jaring,dc=my/kh4l1f4h to 
127.0.0.1:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=bacang)

Bus error (core dumped)

##

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, September 14, 2005 23:29
Subject: Re: FreeRADIUS 1.0.5 has been released



M.McNeil [EMAIL PROTECTED] wrote:

Does version 1.0.5 address/resolve the issues with EAP/LEAP
authentication when using FreeRadius with Cisco wireless gear ? i.e.
Cisco's WLSE and wireless access points.


 No.  You still need another patch.  That patch breaks LEAP for every
other access point.

 If there is a way to make FreeRADIUS work *everywhere*, then that
patch can be added in.  Otherwise, it's not nice to break
interoperation with every other access point in order to make one work.

 Alan DeKok.



Acct-Session-Id too long

2005-08-22 Thread Rohaizam Abu Bakar

Dear all,

FreeRADIUS 1.0.4

I'm using mysql to store accounting...especially to check simultaneous-use..

but one case as below, i received a long Acct-Session-Id ... and cannot fit into mysql... and problem to update Stop record...


should I change column size from char32 to reasonable value ?

pls advise..

thanks..


Acct-Session-Id = erx atm 2/3.10601218:60.1218:0165889995

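+--------------+----------------------------------+------------------+---------------------+-------------+
| nasipaddress | AcctSessionId                    | AcctUniqueId     | acctstoptime        | nasporttype |
+--------------+----------------------------------+------------------+---------------------+-------------+
| 61.6.191.247 | erx atm 2/3.10601218:60.1218:016 | ebe88dbb3457c826 | 2005-08-22 10:32:52 | xDSL        |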





simultaneous check - MYSQL

2005-08-11 Thread Rohaizam Abu Bakar

Dear all,

FB: 4.11
FR: 1.0.4
mysql: 4.1

From sql.conf file, I would like to add one more checking for simul. use i.e NAS-Port-Type...  and changes as below:- Seems working..

Just wanna confirmation regarding simul_verify_query ...  what exactly this line do? I know it do verification  .. but for what purpose..


thanks..


   # Simultaneous Use Checking Queries
   ###
   # simul_count_query  - query for the number of current connections
   #                    - If this is not defined, no simultaneous use checking
   #                    - will be performed by this module instance
   # simul_verify_query - query to return details of current connections for verification
   #                    - Leave blank or commented out to disable verification step
   #                    - Note that the returned field order should not be changed.
   ###

   # Uncomment simul_count_query to enable simultaneous use checking
   # simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
   ##simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
   simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND NASPortType = '%{NAS-Port-Type}' AND AcctStopTime = 0
   ##simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
   simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND NASPortType = '%{NAS-Port-Type}' AND AcctStopTime = 0





Using RADIUS for content filtering.

2005-07-29 Thread Rohaizam Abu Bakar



Dear all,

I've been given one assignment to create some sort of tunneling to cache
server (netcache) to do some content filtering when browsing.

There will be 2 cache-server. One passing all traffic & another one will do
content filtering..

When user subscribe to this service (for their children maybe).. When user
doing authentication, what should i include in the profile for the traffic
to be diverted to cache server that do the filtering?

Is it possible to use below? Or pls suggest suitable method..

Login-Service: TCP-Clear
Login-IP-Host: 10.1.1.1
Service-Type: Login-User
Login-TCP-Port: 80

I've heard about method L2TP tunnelling with ERX/SDX (juniper) .. But that
seems costly...

thanks..

--haizam






clash between group LDAP

2005-07-21 Thread Rohaizam Abu Bakar

Dear all,

I've LDAP tree structure as below, to separate ADSL & DIALUP. But
encounter one problem.. when userA = userB, LDAP will find userA's
account although it is userB that actually logs in. This maybe due to DEFAULT
sequence in users file.

Any idea to solve this ? thanks..


                 ou=AAA
                    |
                    |
          ---------------------
          |                   |
       ou=ADSL            ou=DIALUP

dn: uid=userA,ou=ADSL,ou=AAA ...      dn: uid=userB,ou=DIALUP,ou=AAA

serviceflag: ADSL                     serviceflag: DIALUP


Users:


 DEFAULT ldapadsl-Ldap-Group == ADSL, Autz-Type := ADSL, Auth-Type := ADSL
 DEFAULT ldapdialup-Ldap-Group == DIALUP, Autz-Type := DIALUP, Auth-Type := DIALUP



radiusd.conf

ldap ldapadsl {
        basedn = ou=ADSL,ou=AAA,ou=People,dc=jaring,dc=my
        groupname_attribute = serviceflag
}
ldap ldapdialup {
        basedn = ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
        groupname_attribute = serviceflag
}

authorize {
        Autz-Type ADSL {
                ldapadsl
        }
        Autz-Type DIALUP {
                ldapdialup
        }
}

authenticate {
        Auth-Type ADSL {
                ldapadsl
        }
        Auth-Type DIALUP {
                ldapdialup
        }
}





Re: grouping services - LDAP

2005-07-20 Thread Rohaizam Abu Bakar


I've read the doc & do it exactly as suggested and it's working.. thanx!!


--haizam
- Original Message - 
From: Dusty Doris [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, July 20, 2005 21:18
Subject: Re: grouping services - LDAP





On Wed, 20 Jul 2005, Rohaizam Abu Bakar wrote:


Hi all,

Using Freeradius 1.0.4 (FB 4.11)


I want to grouping between dialup & adsl... refer to users file below by
if Ldap-Group ==ADSL is found, should authenticate/authorize by
ldapadsl and if not found, assuming dialup user and should
authenticate/authorize by ldap1/ldap2 (DIALUP)

But the problem, referring to debug log.. doesn't matter whether
Ldap-Group=ADSL is found or not, it still check at both ldap1/ldap2 &
ldapadsl i.e checking adslAccess & dialAcess attribute.

What i want is that.. If Ldap-Group ==ADSL is found, it should be
handled by ldapadsl and not checking ldap1/ldap2 and same goes when
not found, it will be handled by ldap1/ldap2 and not checking
ldapadsl


anyone can help.?? thanks


Try using Autz Type as well, there is some documentation on it in the doc
dir.

It might look something like this.

DEFAULT Ldap-Group == ADSL, Autz-Type := ADSL, Auth-Type := ADSL

DEFAULT Autz-Type := LDAP, Auth-Type := LDAP


#
authorize {
  Autz-Type LDAP {
    redundant {
      ldap1
      ldap2
    }
  }
  Autz-Type ADSL {
    ldapadsl
  }
}


grouping services - LDAP

2005-07-19 Thread Rohaizam Abu Bakar



Hi all,

Using Freeradius 1.0.4 (FB 4.11)


I want to grouping between dialup & adsl... refer to users file below by
if Ldap-Group ==ADSL is found, should authenticate/authorize by "ldapadsl"
and if not found, assuming dialup user and should authenticate/authorize
by "ldap1/ldap2" (DIALUP)

But the problem, referring to debug log.. doesn't matter whether
Ldap-Group=ADSL is found or not, it still check at both ldap1/ldap2 &
ldapadsl i.e checking "adslAccess & dialAcess" attribute.

What i want is that.. If Ldap-Group ==ADSL is found, it should be handled
by "ldapadsl" and not checking "ldap1/ldap2" and same goes when not found,
it will be handled by "ldap1/ldap2" and not checking "ldapadsl"


anyone can help.?? thanks

--haizam




##
users file:

DEFAULT Ldap-Group == "ADSL", Auth-Type := ADSL

DEFAULT Auth-Type := LDAP

#3
Debug:-

rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (&(jaringConnectionType=ADSL)(&(uid=organza)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group ADSL not found or user is not a member.
    users: Matched entry DEFAULT at line 147
.
.
.
rlm_ldap: checking if remote access for organza is allowed by dialupAccess
.
..
rlm_ldap: no adslAccess attribute - access denied by default



authenticate {
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }

        Auth-Type ADSL {
                ldapadsl
        }
}

#
authorize {
        redundant {
                ldap1
                ldap2
        }
        ldapadsl
}


#
ldap ldap1 {
        server = "10.1.1.1"
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        access_attr = "dialupAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

ldap ldap2 {
        server = "10.1.1.2"
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        access_attr = "dialupAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

ldap ldapadsl {
        server = "10.1.1.3"
        basedn = "ou=ADSL,ou=People,dc=jaring,dc=my"
        access_attr = "adslAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}



Re: FreeRADIUS 1.0.4 has been released.

2005-06-20 Thread Rohaizam Abu Bakar


not using ports...  I'll try the patch.. thanks..

--haizam

- Original Message - 
From: Andrew Thompson [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, June 20, 2005 11:30
Subject: Re: FreeRADIUS 1.0.4 has been released.



On Mon, Jun 20, 2005 at 11:20:19AM +0800, Rohaizam Abu Bakar wrote:
What is the function of rlm_attr_rewrite?? Becoz I'm having the same problem
compiling 1.0.3/1.0.4 on my FB 4.11 machine..



Are you using the port because that problem has been fixed. If not then
you will want the patch in:

net/freeradius/files/patch-src-modules-rlm_attr_rewrite-rlm_attr_rewrite.c


Andrew


Re: FreeRADIUS 1.0.4 has been released.

2005-06-19 Thread Rohaizam Abu Bakar
What is the function of rlm_attr_rewrite?? Becoz I'm having the same problem 
compiling 1.0.3/1.0.4 on my FB 4.11 machine..


--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, June 18, 2005 09:09
Subject: Re: FreeRADIUS 1.0.4 has been released.



Stephen D. Bechard [EMAIL PROTECTED] wrote:

I am still having difficulty building the freeradius on all
of my FreeBSD Servers with the ports collection.


 Ok...


I know there was a bug in the older versions with shared libraries,
but I was hoping this version fixed it. Any insight would be greatly
appreciated...


 I don't recall specific problems with shared libraries.  Can you be
more specific?


Here are the errors I get when trying to build the port:

In file included from rlm_attr_rewrite.c:31:
/usr/include/regex.h:46: syntax error before `regoff_t'


 That has nothing to do with shared libraries.

 It looks like the regular expression header files on your system are
broken.  'regoff_t' is defined in regex.h on every other system.

 If you're not going to use rlm_attr_rewrite, just delete the
directory.

 I would have hoped that the FreeBSD ports maintainer verified that
the port worked before committing it to FreeBSD.  If so, ask the port
maintainer why it doesn't work on your system.  I don't run FreeBSD,
so I can't help you.

 Alan DeKok.



upgrade from 1.0.1 -- 1.0.3

2005-06-17 Thread Rohaizam Abu Bakar



OS: FreeBSD 4.11

Upgrade : from 1.0.1 to 1.0.3

Receive below error

# ./configure --with-logdir=/var/log --with-radacctdir=/var/adm/radacct --with-raddbdir=/usr/local/etc/raddb
# make

Should be no problem compiling for 1.0.2



In file included from rlm_attr_rewrite.c:31:
/usr/include/regex.h:46: syntax error before `regoff_t'
/usr/include/regex.h:46: warning: type defaults to `int' in declaration of `regoff_t'
/usr/include/regex.h:46: warning: data definition has no type or storage class
/usr/include/regex.h:56: syntax error before `regoff_t'
rlm_attr_rewrite.c: In function `do_attr_rewrite':
rlm_attr_rewrite.c:314: structure has no member named `rm_so'
rlm_attr_rewrite.c:316: structure has no member named `rm_so'
rlm_attr_rewrite.c:318: structure has no member named `rm_eo'
rlm_attr_rewrite.c:318: structure has no member named `rm_so'
rlm_attr_rewrite.c:330: structure has no member named `rm_eo'
rlm_attr_rewrite.c:348: structure has no member named `rm_so'
rlm_attr_rewrite.c:357: structure has no member named `rm_so'
rlm_attr_rewrite.c:358: structure has no member named `rm_eo'
rlm_attr_rewrite.c:358: structure has no member named `rm_so'
rlm_attr_rewrite.c:359: structure has no member named `rm_eo'
rlm_attr_rewrite.c:359: structure has no member named `rm_so'
gmake[5]: *** [rlm_attr_rewrite.o] Error 1
gmake[5]: Leaving directory `/var/src/freeradius-1.0.3/src/modules/rlm_attr_rewrite'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/var/src/freeradius-1.0.3/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/var/src/freeradius-1.0.3/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/var/src/freeradius-1.0.3/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/var/src/freeradius-1.0.3/src'
gmake: *** [common] Error 2
*** Error code 2

Stop in /var/src/freeradius-1.0.3.


Re: SQL db failover

2005-01-25 Thread Rohaizam Abu Bakar
Thanks.. Will try it out...
Do I need to make any addition/changes in Makefile to compile 
radsqlrelay...? If yes... What changes is needed..

thanks..
--haizam
- Original Message - 
From: Nicolas Baradakis [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, January 24, 2005 19:16
Subject: Re: SQL db failover


Rohaizam Abu Bakar wrote:
How can we possible do to ensure only when sql1 down.. then the accounting
will be sent to sql2..??
You might try a different approach:
 - store accounting in detail files (man rlm_detail)
 - run radsqlrelay to send accounting in the database (get it from a
   CVS snapshot)
Even if the SQL server is down for a day, radsqlrelay will buffer the
accounting packets and send them later.
The advantages:
 - all accounting go in a single database (it's easier to check
   simultaneous login)
 - even under high load radsqlrelay still sends accounting requests
   according to the SQL server's capabilities
 - you won't have a lot of outstanding requests on the RADIUS server
   when the SQL server is slow
--
Nicolas Baradakis


Re: SQL db failover

2005-01-20 Thread Rohaizam Abu Bakar
I've changed all except fail to return... and seems OK..
But the fail over (sql2) mysql still receive accounting although sql1 works 
fine..  This has problem when checking single login since possible of start 
& stop record at different server...   Although accounting that spill over 
to sql2 is not much.. but it still affect the whole process...

How can we possible do to ensure only when sql1 down.. then the accounting 
will be sent to sql2..??

I'm afraid that my unlimited customer (simultaneous=1) get denied although 
there is no other session active due to start & stop record being sent to 
different mysql

thanks..
--haizam
- Original Message - 
From: Rohaizam Abu Bakar [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 18, 2005 11:30
Subject: Re: SQL db failover


One more thing related to SQL accounting...
Everytime I received error Stop packet with zero session length... 
Accounting will be stored in both sql1 & sql2.. please refer debug log..

should I change noop=  to something else instead of below...???
--haizam

   group {
   sql1 {
   fail=1
   notfound=return
   noop=2
   ok=return
   updated=3
   reject=return
   userlock=4
   invalid=5
   handled=6
   }
   sql2 {
same as above
   }
   }
##
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
rlm_sql (sql1): Reserving sql socket id: 4
radius_xlat:  'rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')'
rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')
rlm_sql (sql1): Released sql socket id: 4
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
rlm_sql (sql1): Released sql socket id: 4
 modcall[accounting]: module sql1 returns noop for request 132
radius_xlat:  ''
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
rlm_sql (sql2): Reserving sql socket id: 4
radius_xlat:  'rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')'
rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')
rlm_sql (sql2): Released sql socket id: 4
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
rlm_sql (sql2): Released sql socket id: 4
 modcall[accounting]: module sql2 returns noop for request 132
modcall: group group returns noop for request 132
modcall: group accounting returns ok for request 132
Sending Accounting-Response of id 101 to 161.142.17.2:1027
Finished request 132
Going to the next request
###

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 18, 2005 00:40
Subject: Re: SQL db failover


Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
But before that.. I tried to use the simplified one using redundant as
below:-
redundant {
sql1
sql2
}
But seems everytime accounting record being sent.. I will store in both of
the mysql server... not the first one that return OK.. why???
 It's a known bug.  See bugs.freeradius.org
 Alan DeKok.

Re: SQL db failover

2005-01-17 Thread Rohaizam Abu Bakar
One more thing related to SQL accounting...
Everytime I received error Stop packet with zero session length... 
Accounting will be stored in both sql1 & sql2.. please refer debug log..

should I change noop=  to something else instead of below...???
--haizam

   group {
   sql1 {
   fail=1
   notfound=return
   noop=2
   ok=return
   updated=3
   reject=return
   userlock=4
   invalid=5
   handled=6
   }
   sql2 {
same as above
   }
   }
##
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
rlm_sql (sql1): Reserving sql socket id: 4
radius_xlat:  'rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')'
rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')
rlm_sql (sql1): Released sql socket id: 4
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
rlm_sql (sql1): Released sql socket id: 4
 modcall[accounting]: module sql1 returns noop for request 132
radius_xlat:  ''
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
rlm_sql (sql2): Reserving sql socket id: 4
radius_xlat:  'rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')'
rlm_sql: Stop packet with zero session length.  (user '', nas '161.142.17.2')
rlm_sql (sql2): Released sql socket id: 4
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
rlm_sql (sql2): Released sql socket id: 4
 modcall[accounting]: module sql2 returns noop for request 132
modcall: group group returns noop for request 132
modcall: group accounting returns ok for request 132
Sending Accounting-Response of id 101 to 161.142.17.2:1027
Finished request 132
Going to the next request
###

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 18, 2005 00:40
Subject: Re: SQL db failover


Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
But before that.. I tried to use the simplified one using redundant as
below:-
redundant {
sql1
sql2
}
But seems everytime accounting record being sent.. I will store in both of
the mysql server... not the first one that return OK.. why???
 It's a known bug.  See bugs.freeradius.org
 Alan DeKok.
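
The debug log above shows sql1 returning noop for the zero-length Stop packet and sql2 then running as well. As an added example (not code from the thread or from FreeRADIUS), the Python model below evaluates the posted action table under the priority/return semantics of module groups; the tie rule (an equal priority replaces the earlier result) and the FAILOVER_ONLY_ACTIONS variant are assumptions made for illustration.

```python
# Added illustration: a small model of the "priority / return" actions used by
# FreeRADIUS module groups. It is not FreeRADIUS source code.

# Action table posted in the thread, used for both sql1 and sql2.
THREAD_ACTIONS = {
    "fail": 1, "notfound": "return", "noop": 2, "ok": "return",
    "updated": 3, "reject": "return", "userlock": 4,
    "invalid": 5, "handled": 6,
}

# Hypothetical variant for comparison: only "fail" lets the group move on
# to the next module, every other result ends the group at once.
FAILOVER_ONLY_ACTIONS = {rcode: "return" for rcode in THREAD_ACTIONS}
FAILOVER_ONLY_ACTIONS["fail"] = 1


def sql_pair(actions):
    """Build the two-module group from the thread with one action table."""
    return [("sql1", actions), ("sql2", actions)]


def run_group(children, outcomes):
    """Evaluate a module group.

    children: list of (module_name, action_table)
    outcomes: module_name -> return code that module produces (constructed input)
    Returns (group_rcode, modules_called).
    """
    result, best, called = None, 0, []
    for name, actions in children:
        rcode = outcomes[name]
        called.append(name)
        action = actions[rcode]
        if action == "return":
            # "return" stops the group immediately with this module's rcode.
            return rcode, called
        if action >= best:
            # A numeric action is a priority; the highest one seen so far
            # becomes the group's result (assumption: ties take the later one).
            result, best = rcode, action
    return result, called


def fallthrough_rcodes(actions):
    """Return codes after which the next module in the group is still called."""
    return sorted(r for r, a in actions.items() if a != "return")


if __name__ == "__main__":
    scenarios = [
        ("zero-length Stop, both noop", {"sql1": "noop", "sql2": "noop"}),
        ("sql1 healthy",                {"sql1": "ok",   "sql2": "ok"}),
        ("sql1 down",                   {"sql1": "fail", "sql2": "ok"}),
    ]
    for label, actions in (("thread table", THREAD_ACTIONS),
                           ("failover-only variant", FAILOVER_ONLY_ACTIONS)):
        print(label, "- falls through on:", fallthrough_rcodes(actions))
        for name, outcomes in scenarios:
            rcode, called = run_group(sql_pair(actions), outcomes)
            print(f"  {name:28s} -> group={rcode:5s} called={called}")
```

With the posted table every numeric entry, not just fail, lets the request reach sql2, which is how Start and Stop records for one session can end up on different servers.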


Re: SQL db failover

2005-01-16 Thread Rohaizam Abu Bakar
Just wanna share... I've also configured as below setting (using group) for 
mysql failover.. and its working as well!!...

But before that.. I tried to use the simplified one using redundant as 
below:-

redundant {
   sql1
   sql2
}
But seems everytime accounting record being sent.. I will store in both of 
the mysql server... not the first one that return OK.. why???

Also before that.. I try to do as suggested in doc... to put handled after 
sql2.. and resulting accounting record being resent a few times from 
client.. (testing using NTRadping)..  Can somebody help me on the handled 
portion ??

redundant {
   sql1
   sql2
   handled
}
always handled{
   rcode = handled
}
--haizam
- Original Message - 
From: Michel van Dop [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 16, 2005 08:04
Subject: Re: SQL db failover


It works!! Yes
Thanks Alan !!
I replace on every reference to sql this:
   group {
     sql1 {
       fail     = 1
       notfound = return
       noop     = 2
       ok       = return
       updated  = 3
       reject   = return
       userlock = 4
       invalid  = 5
       handled  = 6
     }
     sql2 {
       fail     = 1
       notfound = return
       noop     = 2
       ok       = return
       updated  = 3
       reject   = return
       userlock = 4
       invalid  = 5
       handled  = 6
     }
   }

- Original Message - 
From: Michel van Dop [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 8:11 PM
Subject: Re: SQL db failover


Okay good, i replace any reference to sql module and fix it.
But how do i replace this? In group or sql1,sql2 or ?
What's the name of sql1 and sql2 ?
Thank you,
Michel
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 5:58 PM
Subject: Re: SQL db failover


Michel van Dop [EMAIL PROTECTED] wrote:
Okay i understand that ( i hope so):
Now i do this in radiusd.conf:
 Yup, that should work.
I get this error cat /var/log/radius/radius.log
Sat Jan 15 13:35:19 2005 : Error: ERROR: Cannot find a configuration entry for module sql.
 Some part of radiusd.conf has a reference to an sql module.  Find
that, fix it, and it should work.
 Alan DeKok.


Re: reading other radius server's radutmp instead of using radrelay

2005-01-06 Thread Rohaizam Abu Bakar
what is the setting related in order for radius to check database (instead of 
radutmp) in order to control single login (or Simultaneous use)...

--haizam
- Original Message - 
From: Thor Spruyt [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, January 06, 2005 16:29
Subject: Re: reading other radius server's radutmp instead of using radrelay


Maybe a database would be easier and faster than radutmp
--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth 
Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots

- Original Message - 
From: Rohaizam Abu Bakar
To: freeradius-users@lists.freeradius.org
Sent: Thursday, January 06, 2005 3:22 AM
Subject: reading other radius server's radutmp instead of using radrelay


OS: FreeBSD 4.9p4  + Freeradius 1.0.1
Objective: to control single login in distributed environment.
I've tested radrelay to centralised accounting to all my radius servers .. 
All radius servers will replicate accounting to others... So there will be 
a few radrelay running in each radius server. But it's not really working 
well... A lot of locking problem... not replicated properly.. and quite 
hard to monitor and manage..

So what i plan to do is to have only one centralised accounting server... 
(maybe All NAS will point accounting to this server)  and in order to 
perform single login check.. each radius server will check radutmp in 
centralised accounting...

Is it possible?
thanks..
--haizam


Re: Block group of ISDN connection

2005-01-05 Thread Rohaizam Abu Bakar
define in ldap.attrmap.. define as check item...
checkItem   Connection-Type  radiusConnectionType
The situation is I've to check both attribute.. one from RAS (NAS-Port-Type) 
.. and one from LDAP (Connection-Type) before i can reject it..
As suggested by Kostas... I've to map the Connection-Type (my-own) 
attribute... and put files that reading users file after LDAP in authorize 
section...

--haizam
- Original Message - 
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, January 05, 2005 23:15
Subject: Re: Block group of ISDN connection



On Wed, 5 Jan 2005, Rohaizam Abu Bakar wrote:
YES... it is on one line until Reject...  just breaking up while
pasting...
DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED,
Auth-Type := Reject
Reply-Message = Your account has been disabled.
but still giving the same trailing comma problem..
/usr/local/etc/raddb/users[42]: Unexpected trailing comma in check item list for entry DEFAULT

--haizam
I believe the error you are receiving is because freeradius doesn't
understand what Connection-Type is.  I can't find connection-type in any
of the dictionary files.  Where did you define connection-type?



reading other radius server's radutmp instead of using radrelay

2005-01-05 Thread Rohaizam Abu Bakar




OS: FreeBSD 4.9p4 + Freeradius 1.0.1
Objective: to control single login in distributed environment.

I've tested radrelay to centralised accounting to all my radius servers ..
All radius servers will replicate accounting to others... So there will be
a few radrelay running in each radius server. But it's not really working
well... A lot of locking problem... not replicated properly.. and quite
hard to monitor and manage..


So what i plan to do is to have only one centralised accounting server...
(maybe All NAS will point accounting to this server) and in order to
perform single login check.. each radius server will check radutmp in
centralised accounting...

Is it possible?

thanks..

--haizam




Re: Block group of ISDN connection

2005-01-04 Thread Rohaizam Abu Bakar
Yes.. it is on one line   NOT different line...
DEFAULT NAS-Port-Type == Async ,Jaring-Connection-Type == ISDN, 
Auth-Type := Reject

--haizam
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 04, 2005 23:14
Subject: Re: Block group of ISDN connection


Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
/usr/local/etc/raddb/users[41]: Unexpected trailing comma in check item list for entry DEFAULT
 So... did you read users, to see if line 41 had a trailing comma?
DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED,
Auth-Type := Reject
 The Auth-Type should be on the same line as DEFAULT.
 Please read the man page for the users file.
 Alan DeKok.
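
The layout rule discussed in this thread (all check items on the entry's first line, reply items indented below it) can be checked before the server is restarted. The following is an added example, not part of the original messages and not FreeRADIUS code: a simplified linter whose function name, messages and sample entries are constructed for illustration, and which models only that layout rule, not the full users file grammar.

```python
# Operators that may follow an attribute name in a check or reply item.
OPERATORS = {"=", ":=", "==", "+=", "!=", ">", ">=", "<", "<=",
             "=~", "!~", "=*", "!*"}

# Constructed sample: first the entry with its check items split over two
# physical lines, then the same entry laid out on one line.
SAMPLE = (
    "DEFAULT NAS-Port-Type == ISDN, Connection-Type == UNLIMITED,\n"
    "Auth-Type := Reject\n"
    "\tReply-Message = \"Your account has been disabled.\"\n"
    "\n"
    "DEFAULT NAS-Port-Type == ISDN, Connection-Type == UNLIMITED, "
    "Auth-Type := Reject\n"
    "\tReply-Message = \"Your account has been disabled.\"\n"
)


def lint_users(text):
    """Return a list of (line_number, message) layout findings."""
    findings = []
    open_reply = 0  # line number of a reply line that ended with a comma
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped.startswith("#"):
            continue  # comment line
        indented = bool(stripped) and raw[0] in " \t"
        if open_reply and not indented:
            # A reply list promised another item but the entry ended.
            findings.append((open_reply, "reply item list ends with a comma"))
        if not stripped:
            open_reply = 0
            continue
        if indented:
            # Reply item line: a trailing comma means "more items follow".
            open_reply = no if stripped.endswith(",") else 0
            continue
        open_reply = 0
        # Unindented line: entry name followed by the check item list.
        parts = stripped.split(None, 2)
        if len(parts) > 1 and parts[1] in OPERATORS:
            findings.append((no, "line starts with an attribute and operator; "
                                 "check items wrapped from the previous line?"))
        if stripped.endswith(","):
            findings.append((no, "trailing comma in check item list for entry "
                                 + parts[0]))
    if open_reply:
        findings.append((open_reply, "reply item list ends with a comma"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_users(SAMPLE):
        print("users[%d]: %s" % (line_no, message))
```

Only the first two lines of the constructed sample are reported; the one-line form of the same entry passes.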



Re: Block group of ISDN connection

2005-01-04 Thread Rohaizam Abu Bakar
YES... it is on one line until Reject...  just breaking up while 
pasting...

DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, 
Auth-Type := Reject
   Reply-Message = Your account has been disabled.

but still giving the same trailing comma problem..
/usr/local/etc/raddb/users[42]: Unexpected trailing comma in check item list for entry DEFAULT

--haizam
- Original Message - 
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 04, 2005 18:33
Subject: Re: Block group of ISDN connection


   Hi,
1) users file
##
DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED,
Auth-Type := Reject
   Reply-Message = Your account has been disabled.
DEFAULT Auth-Type := LDAP
How many lines do you actually have? I.e., there should be no linebreak
after the UNLIMITED, in the first line above, but the line should
continue till after the Reject. Quoting long lines via e-mails always
is dependent on mail clients (and possibly server) involved, but I'll
try anyway. That should be:
DEFAULT   NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, Auth-Type := Reject
 Reply-Message = Your account has been disabled.

(just two lines).
   HTH,
   Stefan



Re: Block group of ISDN connection

2005-01-03 Thread Rohaizam Abu Bakar

I've done as suggested.. but debug log giving below errors:-
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
/usr/local/etc/raddb/users[41]: Unexpected trailing comma in check item list for entry DEFAULT
Errors reading /usr/local/etc/raddb/users
radiusd.conf[1052]: files: Module instantiation failed.

Below is a few details that might help..
1) users file
##
DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, 
Auth-Type := Reject
  Reply-Message = Your account has been disabled.

DEFAULT Auth-Type := LDAP
###
2) ldap.attrmap
#
checkItem   Connection-Type  radiusConnectionType
#
3) In LDAP entry
##
radiusConnectionType: UNLIMITED
.
.

4) Authorize entry
#
authorize {
   preprocess
#   auth_log
#   attr_filter
   chap
   mschap
   IPASS
   suffix
#   ntdomain
   eap
#   sql
#   etc_smbpasswd
#   ldap
   redundant {
   ldap1
   ldap2
   }
#   daily
#   checkval
   files
}
###
- Original Message - 
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 02, 2005 21:50
Subject: Re: Block group of ISDN connection


On Fri, 31 Dec 2004, Rohaizam Abu Bakar wrote:
Hi,
OS: FreeBSD 4.9p4
Radius: Freeradius 1.0.1
I know how to block ALL ISDN..   using NAS-Port-Type attribute..
users file
==
DEFAULT NAS-Port-Type == ISDN, Auth-Type := Reject
   Reply-Message = Your account has been disabled.
DEFAULT Auth-Type := LDAP
Tested seems working...
But I would like to block ISDN that has certain flag stored in LDAP.. let 
say I  stored  flag unlimited = 1 in user's profile in LDAP... So only 
ISDN with this flag stored is block... All others ISDN will be through... 
Is it possible??? please help..
Map the unlimited attribute to a radius check attribute (like Hint, or 
create one of your own). Then in the users file (placed after ldap in the 
authorize section):

DEFAULT NAS-Port-Type == ISDN, Hint == 1, Auth-Type := Reject
--haizam




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


radrelay - filelock problem

2004-10-25 Thread Rohaizam Abu Bakar



Hi..

OS: FreeBSD 4.9p4
Version: Freeradius 1.0.1

My radrelay seem not fully working well... Receive a lot of below error.. I've followed all the doc given regarding how to setup radrelay

Tue Oct 26 05:30:32 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius8, giving up
Tue Oct 26 05:50:52 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
Tue Oct 26 05:58:16 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius5, giving up
Tue Oct 26 05:58:38 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up
Tue Oct 26 06:11:36 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
Tue Oct 26 06:17:02 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up

My setting as below:

radius1 --- radius2
        --- radius3
        --- radius4

then

radius2 --- radius1
        --- radius3
        --- radius4

and so on... until all 4 has the same full accounting record

I ran 3 of below command for replication

/usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
    -S /usr/local/etc/raddb/radrelay_secret -r radiusX:1646 \
    detail-combined

But it not working well... the accounting seems been relayed but got missing accounting... the detail file not rotated properly and will grow too big. and receive a lot above error... Please help..!!

--haizam


radrelay problem....

2004-09-23 Thread Rohaizam Abu Bakar



Hi...

Info: FreeBSD 4.9
FreeRADIUS 1.0.1
OpenLDAP backend

I'm using radrelay to duplicate accounting from a few servers to one master server as below:

radius1 ---
radius2 --- master_radius
radius3 ---

It's working OK... and master_radius has full records of all radius accounting including radutmp...

But there is problem when I pump back from master_radius to radiusX using radrelay

              --- radius1
master_radius --- radius2
              --- radius3

From radutmp record (using radwho)... I cannot get full records as master_radius in radiusX

Even the detail-combined in master_radius also not properly process.. it keep growing bigger... The detail-combined in radiusX is OK...

Command used for radrelay..

/usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
    -S /usr/local/etc/raddb/radrelay_secret -r master_radius:1646 \
    detail-combined

/usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
    -S /usr/local/etc/raddb/radrelay_secret -r radiusX:1646 \
    detail-combined

and detail-combined config in radiusd.conf

detail detail2 {
    detailfile = ${radacctdir}/detail-combined
    detailperm = 0644
    locking = yes
}

Anyone can help??

--haizam





Re: Fw: CHAP not working after upgrade from 0.9.3 to 1.0

2004-08-17 Thread Rohaizam Abu Bakar
But why the 0.9.3 version reading from the same LDAP database detect it as
clear.. I don't think I should change anything in LDAP..
Maybe new setting is required in 1.0.0 which i don't know..


--haizam

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004 22:20
Subject: Re: Fw: CHAP not working after upgrade from 0.9.3 to 1.0


 Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
  Anyone can help...?? I've changed a few line in radiusd.conf.. still
  problem.. But when I divert the request to 0.9.3 version reading same LDAP
  entry It is OK So the password is confirm in clear form

   The debug log you posted shows that the server is NOT reading the
 clear-text password from the LDAP database.  Fix that.

   Alan DeKok.




CHAP not working after upgrade from 0.9.3 to 1.0

2004-08-16 Thread Rohaizam Abu Bakar

Just upgraded from 0.9.3 to 1.0 on my FreeBSD 4.9 machine... Previously
while on 0.9.3, PAP & CHAP working fine... But now... after upgrade to
1.0.. CHAP is not working...

The configuration in 1.0 is following previous 0.9.3 version... (rewritten..
not replacing!!)

From the debug log below.. It keep complaining cannot find clear
password.. I'm very sure that the password in clear form.. since while
using 0.9.3.. it read the same entry and OK..

Please help..!!!

--haizam

 User-Name = kpdn.gov.my
 CHAP-Password = 0xae9a6aff9c471ab31942831e2418d0bebd
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 52
   modcall[authorize]: module preprocess returns ok for request 52
   rlm_chap: Setting 'Auth-Type := CHAP'
   modcall[authorize]: module chap returns ok for request 52
   modcall[authorize]: module mschap returns noop for request 52
 rlm_realm: No '/' in User-Name = kpdn.gov.my, skipping NULL due to config.
   modcall[authorize]: module IPASS returns noop for request 52
 rlm_realm: No '@' in User-Name = kpdn.gov.my, looking up realm NULL
 rlm_realm: Found realm NULL
 rlm_realm: Adding Stripped-User-Name = kpdn.gov.my
 rlm_realm: Proxying request from user kpdn.gov.my to realm NULL
 rlm_realm: Adding Realm = NULL
 rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module suffix returns noop for request 52
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 52
   modcall[authorize]: module files returns notfound for request 52
 modcall: entering group redundant for request 52
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for kpdn.gov.my
 radius_xlat:  '(uid=kpdn.gov.my)'
 radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=kpdn.gov.my)
 rlm_ldap: checking if remote access for kpdn.gov.my is allowed by dialupAccess
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: Adding radiusTunnelServerAuthId as Tunnel-Server-Auth-Id, value :0:X  op=11
 rlm_ldap: Adding radiusTunnelClientAuthId as Tunnel-Client-Auth-Id, value :0:X  op=11
 rlm_ldap: Adding radiusTunnelAssignmentId as Tunnel-Assignment-Id, value :0:XX  op=11
 rlm_ldap: Adding radiusTunnelPassword as Tunnel-Password, value :0:XX  op=11
 rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value :0:IP  op=11
 rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value :0:L2TP  op=11
 rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
 rlm_ldap: Adding radiusServiceType as Service-Type, value Outbound-User  op=11
 rlm_ldap: extracted attribute Cisco-AVPair from generic item Cisco-AVPair += vpdn:ip-addresses=
 rlm_ldap: user kpdn.gov.my authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap1 returns ok for request 52
 modcall: group redundant returns ok for request 52
 modcall: group authorize returns ok for request 52
   rad_check_password:  Found Auth-Type CHAP
 auth: type CHAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 52
   rlm_chap: login attempt by kpdn.gov.my with CHAP password
   rlm_chap: Could not find clear text password for user kpdn.gov.my
   modcall[authenticate]: module chap returns invalid for request 52
 modcall: group Auth-Type returns invalid for request 52
 auth: Failed to validate the user.
 Login incorrect (rlm_chap: Clear text password not available): [kpdn.gov.my] (from client sysadmin port 0)
 Delaying request 52 for 1 seconds
 Finished request 52
 Going to the next request
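
The log above ends with rlm_chap unable to find a clear-text password. The following is an added example, not part of the original message and not FreeRADIUS code, showing why a CHAP response (RFC 1994: MD5 over identifier, secret and challenge) can only be checked when the server is handed the clear-text secret. The function names, the challenge, the passwords and the {SSHA} placeholder are constructed; treating a `{SCHEME}` prefix as the marker of a hashed value is an assumption about how the directory tags stored passwords.

```python
import hashlib
import hmac

# CHAP-Password value copied from the debug log above. The challenge is not
# in the log, so this value can be split into its fields but not verified.
PAGE_CHAP_PASSWORD = bytes.fromhex("ae9a6aff9c471ab31942831e2418d0bebd")

# Constructed test data (not from the page).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENT = 0x2A
CLEAR = b"constructed-secret"


def split_chap_password(attr):
    """CHAP-Password is 17 octets: 1-octet CHAP identifier + 16-octet MD5."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 octets")
    return attr[0], attr[1:]


def chap_response(ident, secret, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def check_chap(attr, challenge, stored):
    """Validate a CHAP response against what the directory returned.

    stored is the password value handed back as a check item, or None when
    no password attribute was mapped. Returns (accepted, reason).
    """
    ident, response = split_chap_password(attr)
    if stored is None:
        return False, "clear text password not available"
    if stored.startswith(b"{") and b"}" in stored:
        scheme, _, value = stored[1:].partition(b"}")
        if scheme.upper() != b"CLEARTEXT":
            # A hash cannot be fed into MD5(id || secret || challenge).
            return False, "stored value is a %s hash" % scheme.decode()
        stored = value
    expected = chap_response(ident, stored, challenge)
    if hmac.compare_digest(expected, response):
        return True, "ok"
    return False, "response mismatch"


def demo():
    """Run the constructed cases and return their results by name."""
    attr = bytes([IDENT]) + chap_response(IDENT, CLEAR, CHALLENGE)
    ssha = b"{SSHA}" + b"A" * 32  # constructed placeholder, not a real hash
    return {
        "clear text in directory": check_chap(attr, CHALLENGE, CLEAR),
        "tagged clear text": check_chap(attr, CHALLENGE, b"{CLEARTEXT}" + CLEAR),
        "hashed in directory": check_chap(attr, CHALLENGE, ssha),
        "password attribute not mapped": check_chap(attr, CHALLENGE, None),
        "wrong password": check_chap(attr, CHALLENGE, b"other"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} {result}")
    ident, _ = split_chap_password(PAGE_CHAP_PASSWORD)
    print("page value -> CHAP identifier 0x%02x" % ident)
```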






Fw: CHAP not working after upgrade from 0.9.3 to 1.0

2004-08-16 Thread Rohaizam Abu Bakar
Anyone can help...?? I've changed a few line in radiusd.conf.. still
problem.. But when I divert the request to 0.9.3 version reading same LDAP
entry It is OK So the password is confirm in clear form


--haizam

- Original Message - 
From: Rohaizam Abu Bakar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 16:56
Subject: CHAP not working after upgrade from 0.9.3 to 1.0



 Just upgraded from 0.9.3 to 1.0 on my FreeBSD 4.9 machine... Previously
 while on 0.9.3, PAP & CHAP working fine... But now... after upgrade to
 1.0.. CHAP is not working...

 The configuration in 1.0 is following previous 0.9.3 version... (rewritten..
 not replacing!!)

 From the debug log below.. It keep complaining cannot find clear
 password.. I'm very sure that the password in clear form.. since while
 using 0.9.3.. it read the same entry and OK..

 Please help..!!!

 --haizam

  User-Name = kpdn.gov.my
  CHAP-Password = 0xae9a6aff9c471ab31942831e2418d0bebd
Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 52
modcall[authorize]: module preprocess returns ok for request 52
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 52
modcall[authorize]: module mschap returns noop for request 52
  rlm_realm: No '/' in User-Name = kpdn.gov.my, skipping NULL due to config.
modcall[authorize]: module IPASS returns noop for request 52
  rlm_realm: No '@' in User-Name = kpdn.gov.my, looking up realm NULL
  rlm_realm: Found realm NULL
  rlm_realm: Adding Stripped-User-Name = kpdn.gov.my
  rlm_realm: Proxying request from user kpdn.gov.my to realm NULL
  rlm_realm: Adding Realm = NULL
  rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 52
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 52
modcall[authorize]: module files returns notfound for request 52
  modcall: entering group redundant for request 52
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for kpdn.gov.my
  radius_xlat:  '(uid=kpdn.gov.my)'
  radius_xlat:  'ou=RADIUS,ou=People,dc=jaring,dc=my'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=kpdn.gov.my)
  rlm_ldap: checking if remote access for kpdn.gov.my is allowed by dialupAccess
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: Adding radiusTunnelServerAuthId as Tunnel-Server-Auth-Id, value :0:X  op=11
  rlm_ldap: Adding radiusTunnelClientAuthId as Tunnel-Client-Auth-Id, value :0:X  op=11
  rlm_ldap: Adding radiusTunnelAssignmentId as Tunnel-Assignment-Id, value :0:XX  op=11
  rlm_ldap: Adding radiusTunnelPassword as Tunnel-Password, value :0:XX  op=11
  rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value :0:IP  op=11
  rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value :0:L2TP  op=11
  rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP  op=11
  rlm_ldap: Adding radiusServiceType as Service-Type, value Outbound-User  op=11
  rlm_ldap: extracted attribute Cisco-AVPair from generic item Cisco-AVPair += vpdn:ip-addresses=
  rlm_ldap: user kpdn.gov.my authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns ok for request 52
  modcall: group redundant returns ok for request 52
  modcall: group authorize returns ok for request 52
rad_check_password:  Found Auth-Type CHAP
  auth: type CHAP
Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 52
rlm_chap: login attempt by kpdn.gov.my with CHAP password
rlm_chap: Could not find clear text password for user kpdn.gov.my
modcall[authenticate]: module chap returns invalid for request 52
  modcall: group Auth-Type returns invalid for request 52
  auth: Failed to validate the user.
  Login incorrect (rlm_chap: Clear text password not available): [kpdn.gov.my] (from client sysadmin port 0)
  Delaying request 52 for 1 seconds
  Finished request 52
  Going to the next request
 





multiple access_attr LDAP setting

2004-08-13 Thread Rohaizam Abu Bakar



OS: FB 4.9
Version FR 1.0 (just upgraded from 0.9.3)
Authentication: LDAP

In our environment, each services has its own flag... So I would like to create a few "access_attr" in radiusd.conf (ldap setting)

example:

ldap ldap1 {
.
.

access_attr = dialupAccess
access_attr = antivirusAccess
access_attr = hotspotAccess
access_attr = roamingAccess
.
.
.
}

So user with either one of the flag can get authenticated.. Is it possible??? Or... it must have "dialAccess" AND/OR "others"...

thanks..

--haizam



Re: realm module not searching second order

2004-08-12 Thread Rohaizam Abu Bakar
Yes... version 1.0 does fix this problem as mentioned below...

thanks

- Original Message - 
From: Simon Bryden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Rohaizam Abu Bakar
[EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 14:55
Subject: Re: realm module not searching second order


 In release 1.0 you have an extra option ignore_null which will tell
 freeradius not to match against the NULL domain if a realm match fails.

 Otherwise if you don't need the NULL domain you can remove it.

 Regards,
 Simon.
 ---

 On Thursday 12 August 2004 06:32, Rohaizam Abu Bakar wrote:
  Hi ,
 
  Using freeradius 0.9.3 with FB 4.9 OS
 
  Try sending request using bacangtesting.com/bacang and in radiusd.conf
  already configure 2 realm order i.e realmslash and suffix But since I
  put the suffix above realmslash... It will search only at suffix and
  once not found.. it will straight go to realm NULL
 
  Once I change the order (realmslash above suffix) in radiusd.conf ..
  then it's working..
 
  Why the realm module do not search for 2nd line???
 
 
  i) Debug LOG
 
  ###
  modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
  rlm_realm: No '@' in User-Name = bacangtesting.com/bacang, looking up realm NULL
  rlm_realm: Found realm NULL
  rlm_realm: Adding Stripped-User-Name = bacangtesting.com/bacang
  rlm_realm: Proxying request from user bacangtesting.com/bacang to realm NULL
  rlm_realm: Adding Realm = NULL
  rlm_realm: Authentication realm is LOCAL.
  3
 
  ii) radiusd.conf
 
  ##
 
  realm realmslash {
  format = prefix
  delimiter = /
  }
  realm suffix {
  format = suffix
  delimiter = @
  }
 
 
 
  preacct {
  .
  .
  .
 
  suffix
  realmslash
  .
  .
  .
  }
 
  authorize {
  .
  .
  suffix
  realmslash
  .
  .
  .}
  ###
 
  iii) proxy.conf
 
 
  ###3
 
  realm bacangtesting.com {
  type= radius
  authhost= LOCAL
  accthost= LOCAL
  }
 
  ###
 
  --haizam




strip authentication no strip accounting

2004-08-11 Thread Rohaizam Abu Bakar
I'm using freeradius 0.93... and FreeBSD 4.9

For below entry in proxy.conf,  Is it possible to STRIP the username during
authentication but NOSTRIP while doing accounting.??

realm myself.com{
type= radius
authhost= LOCAL
accthost= LOCAL
nostrip
}


For example, when receive [EMAIL PROTECTED] request, it will authenticate using
only abc but in detail accounting we see it [EMAIL PROTECTED]

thanks..

--haizam





realm module not searching second order

2004-08-11 Thread Rohaizam Abu Bakar



Hi ,

Using freeradius 0.9.3 with FB 4.9 OS

Try sending request using "bacangtesting.com/bacang" and in radiusd.conf already configure 2 realm order i.e "realmslash" and "suffix"
But since I put the "suffix" above "realmslash"... It will search only at "suffix" and once not found.. it will straight go to realm "NULL"

Once I change the order ("realmslash" above "suffix") in radiusd.conf .. then it's working..

Why the realm module do not search for 2nd line???

i) Debug LOG

###
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "bacangtesting.com/bacang", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "bacangtesting.com/bacang"
rlm_realm: Proxying request from user bacangtesting.com/bacang to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
3

ii) radiusd.conf

##

realm realmslash {
    format = prefix
    delimiter = "/"
}
realm suffix {
    format = suffix
    delimiter = "@"
}

preacct {
.
.
.
    suffix
    realmslash
.
.
.
}

authorize {
.
.
    suffix
    realmslash
.
.
.
}
###

iii) proxy.conf

###3

realm bacangtesting.com {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}

###

--haizam