Ldap-Group unlang 2.0.5
Dear all, I'm in the process of migrating from FR 1.1.X to FR 2.0.5 but am stuck with Ldap-Group using unlang. I'm trying to convert the line below in the users file to unlang in the authorize section, but it's not working. Using FreeBSD 7.0.

users:

    DEFAULT Called-Station-Id == Y5, ldapmain1-Ldap-Group == TEST, Autz-Type := Y5

authorize: trying a few as below, but not working...

    i)   if ( ldapmain1-Ldap-Group == TEST ) {
    ii)  if ( control:ldapmain1-Ldap-Group == TEST ) {
    iii) if ( %{ldapmain1-Ldap-Group} == TEST ) {
    iv)  if ( %{ldapmain1:Ldap-Group} == TEST ) {

modules/ldap:

    ldap ldapmain1 {
        groupname_attribute = jaringService
        groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
    }

Debug:

    ++? if (%{ldapmain1:Ldap-Group} == TEST )
    rlm_ldap: - ldap_xlat
    expand: Ldap-Group -> Ldap-Group
    rlm_ldap: String passed does not look like an LDAP URL.
    expand: %{ldapmain1:Ldap-Group} -> ?
    Evaluating (%{ldapmain1:Ldap-Group} == TEST ) -> FALSE
    ++? if (%{ldapmain1:Ldap-Group} == TEST ) -> FALSE

--haizam

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ldap-Group unlang FR 2.0.5
OS: FB 7.0, FR: 2.0.5

Let us analyze the if statement below, using unlang with Ldap-Group:

    ++? if ((%{NAS-Port-Type} =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group == UNLIMITED) || (ldap2-Ldap-Group == UNLIMITED)))
    expand: %{NAS-Port-Type} -> ??
    Evaluating (%{NAS-Port-Type} =~ /^ISDN|^Sync/) -> FALSE
    ??? Skipping (ldap1-Ldap-Group == UNLIMITED)
    ??? Skipping (ldap2-Ldap-Group == UNLIMITED)
    ++? if ((%{NAS-Port-Type} =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group == UNLIMITED) || (ldap2-Ldap-Group == UNLIMITED))) -> TRUE
    ++- entering if ((%{NAS-Port-Type} =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group == UNLIMITED) || (ldap2-Ldap-Group == UNLIMITED)))

Suppose (%{NAS-Port-Type} =~ /^ISDN|^Sync/) -> FALSE; then the whole line should be FALSE. But why does it show TRUE? It is an AND (&&) comparison. Or is there possibly a problem in my if statement??

--haizam
Regex Ldap Group
FR: 1.1.2, OpenLDAP 2.3.X

I tried to do a regex match in Ldap-Group. From the users file below, the NAS-Identifier regex works OK, but the Ldap-Group match is not working, as in the DEBUG log below. Value to match (jarService = Y5-IPOH, NAS-Identifier = Y5-IPOH).

Users file:

    NAS-Identifier =~ Y5, ldapmain1-Ldap-Group =~ Y5, Autz-Type := Y5

radiusd.conf:

    ldap ldapmain1 {
        ..
        groupname_attribute = jarService
        groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))
    }

Debug:

    rlm_ldap: performing search in ou=CUSTOMER,ou=People,dc=x,dc=xx, with filter (&(jarService=Y5)(&(uid=bacang)(objectclass=radiusprofile)))
    rlm_ldap: object not found or got ambiguous search result

--haizam
Re: Regex Ldap Group
Noted TQ. Will try the proposed solution.

--haizam

- Original Message -
From: Kolbjørn Barmen [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 19, 2008 6:07 PM
Subject: Re: Regex Ldap Group

On Tue, 19 Feb 2008, Alan DeKok wrote:

Rohaizam Abu Bakar wrote:
I tried to do a regex match in Ldap-Group. From the users file below, the NAS-Identifier regex works OK, but the Ldap-Group match is not working, as in the DEBUG log below.

It doesn't work like that. The match is IF the user is in the named group. See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp(). If you want it to do a regex match, you'll have to modify the code in rlm_ldap.

Also note that LDAP typically doesn't allow substring search on any given attribute.

My solution is to use a separate script to perform a search in LDAP using ldapsearch and output whatever you need in the attribute. Example: I have LDAP users in either ou=group1,ou=test,o=bla or ou=group2,ou=test,o=bla, and there are no other LDAP attributes to grab:

    #! /bin/sh
    # /usr/sbin/ldap2vlan
    # -w takes the bind password as an argument (-W would prompt for it interactively)
    GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
        -D cn=admin,ou=test,o=bla -w mypasswd \
        '(cn='${1}')' dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')
    test "${GROUP}" = "group1" && echo -n 110 && exit 0
    test "${GROUP}" = "group2" && echo -n 120 && exit 0

And then in the users file I have

    DEFAULT Freeradius-Proxied-To == 127.0.0.1
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = `%{exec:/usr/sbin/ldap2vlan %{User-Name}}`

Tunnel-Private-Group-Id will then be either 110 or 120 depending on whether the user is found in group1 or group2 (and group1 if found in both).

Hope this helps... :)

--
Kolbjørn Barmen
UNINETT Driftsenter
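Both the groupmembership_filter from the "Regex Ldap Group" post (which rlm_ldap wraps as (&(jarService=...)...)) and Kolbjørn's ldap2vlan wrapper splice %{User-Name} straight into an LDAP filter. The script below is an added example, not Kolbjørn's script and not FreeRADIUS code: it builds those same filters with the user name escaped per RFC 4515, maps a DN to a VLAN with an explicit failure for unknown groups, and keeps the bind password out of the process argument list. The attribute name jarService, the radiusprofile object class, the ou=test,o=bla tree and the VLAN ids 110/120 come from the posts; the function names, the LDAP2VLAN_PWFILE variable and the sample DN are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: RFC 4515 filter escaping for the two LDAP lookups discussed
# above. Nothing here contacts a directory; the ldapsearch call is shown
# commented out so the functions can be exercised offline.

# ldap_escape STRING -> STRING with \ * ( ) replaced by \5c \2a \28 \29
# (backslash first, so the escapes it introduces are not re-escaped).
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g'
}

# member_filter USER GROUP -> the filter rlm_ldap builds for GROUP membership:
#   (&(<groupname_attribute>=GROUP)<groupmembership_filter with the user expanded>)
member_filter() {
    _mf_user=$(ldap_escape "$1")
    _mf_group=$(ldap_escape "$2")
    printf '(&(jarService=%s)(&(uid=%s)(objectclass=radiusprofile)))' "$_mf_group" "$_mf_user"
}

# group_of_dn DN -> the ou directly below ou=test,o=bla, as the posted sed
# pipeline extracts it (sample DN is constructed for the example).
group_of_dn() {
    printf '%s\n' "$1" | sed -n 's/,ou=test,o=bla$//;s/.*=//p'
}

# vlan_for_group GROUP -> prints the VLAN id for a known group and exits 0;
# prints nothing and exits 1 otherwise, so an unexpected group never yields
# a silently empty Tunnel-Private-Group-Id.
vlan_for_group() {
    case "$1" in
        group1) printf '110' ;;
        group2) printf '120' ;;
        *)      return 1 ;;
    esac
}

# Offline demonstration with a constructed hostile user name: the escaped
# filter still selects exactly one uid instead of being rewritten.
printf 'escaped filter: %s\n' "$(member_filter '*)(uid=*' 'Y5')"
printf 'group1 maps to VLAN %s\n' "$(vlan_for_group group1)"

# Driver equivalent to the posted ldap2vlan, with escaping and the password
# read from the file named in LDAP2VLAN_PWFILE (assumption) via -y.
# Uncomment to use against a real directory:
#   dn=$(ldapsearch -x -LLL -H ldap://10.0.0.92 -b ou=test,o=bla \
#          -D cn=admin,ou=test,o=bla -y "$LDAP2VLAN_PWFILE" \
#          "(cn=$(ldap_escape "$1"))" dn | sed -n 's/^dn: //p')
#   vlan_for_group "$(group_of_dn "$dn")"
```

Because vlan_for_group exits non-zero for an unknown group, a wrapper called from `%{exec:...}` fails visibly in the debug output rather than handing the NAS an empty VLAN id.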
Same config 1.1.2 but not work on 1.1.7 - not set Auth-Type
I've tried, as recommended, not to set Auth-Type, but the configuration below works in 1.1.2 and not on my recently upgraded 1.1.7.

Configs:

a) radiusd.conf

    authorize {
        Autz-Type LDAP {
            ldap1
        }
        Autz-Type ADSL {
            ldapadsl1
        }
    }
    authenticate {
        Auth-Type ldap1 {
            ldap1
        }
        Auth-Type ldapadsl1 {
            ldapadsl1
        }
    }

b) users

    DEFAULT Huntgroup-Name == adsl, ldapadsl1-Ldap-Group == ADSL, Autz-Type := ADSL
    DEFAULT Autz-Type := LDAP

Results:

In 1.1.2 (Auth-Type ldap1 = working!!):

    modcall: leaving group authorize (returns ok) for request 18
    Found Autz-Type LDAP
    Processing the authorize section of radiusd.conf
    modcall: entering group LDAP for request 18
    modcall: entering group redundant for request 18
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for test
    radius_xlat: '(uid=test)'
    radius_xlat: 'ou=RADIUS,ou=People,dc=xxx,dc=xx'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=RADIUS,ou=People,dc=xxx,dc=xx, with filter (uid=test)
    rlm_ldap: checking if remote access for test is allowed by dialupAccess
    rlm_ldap: Added password {CRYPT} in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
    rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
    rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
    rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
    rlm_ldap: Setting Auth-Type = ldap1
    rlm_ldap: user test authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap1 returns ok for request 18
    modcall: leaving group redundant (returns ok) for request 18
    modcall: leaving group LDAP (returns ok) for request 18
    rad_check_password: Found Auth-Type ldap1
    auth: type ldap1

In 1.1.7 (Auth-Type = Local = not working!!):

    modcall: leaving group authorize (returns ok) for request 1
    Found Autz-Type LDAP
    Processing the authorize section of radiusd.conf
    modcall: entering group LDAP for request 1
    modcall: entering group redundant for request 1
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for test
    radius_xlat: '(uid=test)'
    radius_xlat: 'ou=RADIUS,ou=People,dc=xxx,dc=xx'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=RADIUS,ou=People,dc=xxx,dc=xx, with filter (uid=test)
    rlm_ldap: checking if remote access for test is allowed by dialupAccess
    rlm_ldap: Added password {CRYPT}X in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding radiusFramedCompression as Framed-Compression = Van-Jacobson-TCP-IP
    rlm_ldap: Adding radiusFramedMTU as Framed-MTU = 1500
    rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol = PPP
    rlm_ldap: Adding radiusServiceType as Service-Type = Framed-User
    rlm_ldap: user test authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap1 returns ok for request 1
    modcall: leaving group redundant (returns ok) for request 1
    modcall: leaving group LDAP (returns ok) for request 1
    auth: type Local
    auth: user supplied User-Password does NOT match local User-Password
Re: Same config 1.1.2 but not work on 1.1.7 - not set Auth-Type
Yep.. the pap is on the last line in the authorize section.

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 13, 2007 12:00 AM
Subject: Re: Same config 1.1.2 but not work on 1.1.7 - not set Auth-Type

Rohaizam Abu Bakar wrote:
I've tried, as recommended, not to set Auth-Type, but the configuration below works in 1.1.2 and not on my recently upgraded 1.1.7.

Configs:

a) radiusd.conf

    authorize {
        Autz-Type LDAP {
            ldap1
        }
        Autz-Type ADSL {
            ldapadsl1
        }

Add pap here. This is documented in the README in 1.1.7. See also the comments in the default radiusd.conf in 1.1.7.

Alan DeKok.
rlm_perl problem (Detaching!!)
Hi.. FR: 1.1.2, FBSD: 6.0

My rlm_perl keeps logging errors like the example below. Every time this happens radiusd hangs and DOES NOT respond to any request. But this NEVER happens while running in debug mode, where it works fine. rlm_perl is used to load a timeout based on certain rules; you can see my perl script (newtimeout5.pl) and the config file settings below. Please help, TQ.

Error /var/log/radius.log:

    Thu Feb 8 12:30:09 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= Undefined subroutine main:: called.
    Thu Feb 8 12:32:00 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
    Thu Feb 8 12:39:46 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout4.pl , func = authorize exit status= panic: leave_scope inconsistency at /usr/local/etc/raddb/newtimeout4.pl line 184.
    Thu Feb 8 12:39:47 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
    Thu Feb 8 14:08:52 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
    Thu Feb 8 14:22:40 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
    Thu Feb 8 14:57:25 2007 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
    Fri Feb 9 09:53:52 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Usage: Encode::is_utf8(sv, check = 0) at /usr/local/lib/perl5/site_perl/5.8.7/Convert/ASN1.pm line 422, <DATA> line 424.
    Fri Feb 9 10:21:59 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = authorize exit status= Undefined subroutine Convert::ASN1::authorize called at /usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759
    Fri Feb 9 10:57:59 2007 : Error: rlm_perl: perl_embed:: module = /usr/local/etc/raddb/newtimeout5.pl , func = preacct exit status= Undefined subroutine Convert::ASN1::preacct called at /usr/local/lib/perl5/site_perl/5.8.7/Net/LDAP.pm line 759

## users

    DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5, Auth-Type := Y5

# radiusd.conf

    authorize {
        Autz-Type Y5 {
            redundant {
                ldapy51
                ldapy52
            }
            y5perl
        }
    }
    modules {
        perl y5perl {
            module = /usr/local/etc/raddb/newtimeout5.pl
        }
    }
    authenticate {
        Auth-Type Y5 {
            redundant {
                ldapy51
                ldapy52
            }
        }
    }

### newtimeout5.pl

    sub authorize {
        ## main
        my $return_value = 0;
        $return_value = timeout();    # call with parens: a bare "timeout" is parsed as a string, not a call
        print "VALUE return: $return_value\n";
        if ($return_value eq '-1') {
            return RLM_MODULE_REJECT;
        } else {
            return RLM_MODULE_OK;
        }
    }

    sub timeout {
        my $query;
        my $query2;
        my $uid = $RAD_REQUEST{'User-Name'};
        my $userfrom;
        my $userconnect = $RAD_REQUEST{'NAS-Identifier'};
        my $timeout;
        if ($userconnect =~ /Wireless-802.11|WiFi/) {
            $query  = "Service";
            $query2 = "TimeoutWIFI";
        }
        if ($query) {
            $userfrom = ldapquery($uid, $query);
            if ($userfrom =~ /Y5PLAT|Y5GOLD/) {
                $userfrom = "WiFi-BTP";
            } elsif ($userfrom =~ /^Y5$/) {
                $userfrom = "Wireless-802.11";
            }
            if ($userconnect eq $userfrom) {
                print "rlm_perl: Local user.. No timeout.. Unlimited!!!\n";
                return (1);
            } elsif ($userconnect ne $userfrom) {
                print "rlm_perl: Roaming user.. Timeout will be loaded !!\n";
                $timeout = ldapquery($uid, $query2);
                print "rlm_perl: $query2:$timeout\n";
                if (!$timeout) {
                    return (-1);
                } else {
                    $RAD_REPLY{'Session-Timeout'} = $timeout;
                    print "rlm_perl: NOT YET\n";
                    return (1);
                }
            }
        } else {
            print "rlm_perl: Not a wifi connection !!!\n";
            return (1);
        }
    }

    sub ldapquery {
        my ($uid, $query) = @_;
        my $host = "xx";
        my $value;
        my $baseDN = "ou=Y5,ou=AAA, ou=x, dc=x, dc=";
        my $ldap = Net::LDAP->new($host) or die "$@";
        my $mesg = $ldap->bind;          # an anonymous bind
        $mesg = $ldap->search(           # perform a search
            base   => $baseDN,
            filter => "(&(uid=$uid))"
        );
        my $count = $mesg->count;
        if ($mesg->code) {
            return ("NULL");
        }
        if ($count > 0) {
Re: rlm_perl DEBUG log with garbage output
It's work!!.. thanks..

--haizam

- Original Message -
From: Bjørn Mork [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, January 25, 2007 6:05 PM
Subject: Re: rlm_perl DEBUG log with garbage output

Rohaizam Abu Bakar [EMAIL PROTECTED] writes:
Hi,.. running xlat within rlm_perl.. giving correct result.. but what concerns me is that.. in the debug log.. there is garbage output as below:

    radius_xlat: '.*'
    radius_xlat: Running registered xlat function of module y5perl for string '%{User-Name}:%{NAS-Identifier}'
    radius_xlat: 'bacang:JARINGWiF'
    rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
    radius_xlat: 'NULL'

Try this patch:

diff -u -r1.13.4.7 rlm_perl.c --- src/modules/rlm_perl/rlm_perl.c 27 Apr 2006 17:35:44 - 1.13.4.7 +++ src/modules/rlm_perl/rlm_perl.c 25 Jan 2007 10:03:51 - @@ -694,7 +694,7 @@ } else if (count 0) { tmp = POPp; ret = strlen(tmp); - strncpy(out,tmp,ret); + strncpy(out,tmp,ret+1); radlog(L_DBG,rlm_perl: Len is %d , out is %s freespace is %d, ret, out,freespace);

Bjørn
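Review bot: the `+` line still copies without regard to the caller's buffer. `strncpy(out,tmp,ret+1)` now includes the terminating NUL, which is what removes the trailing garbage after 'NULL' in the debug output, but `ret` is `strlen(tmp)` and nothing bounds it by `freespace`, which the very next `radlog` line shows is in scope; a perl xlat returning more than `freespace - 1` bytes would overrun `out`. Suggest clamping before the copy, e.g. `if (ret >= freespace) ret = freespace - 1;` then `strncpy(out, tmp, ret); out[ret] = '\0';`, and returning the length actually written.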
rlm_perl DEBUG log with garbage output
Hi,.. running xlat within rlm_perl.. giving correct result.. but what concerns me is that.. in the debug log.. there is garbage output as below:

    radius_xlat: '.*'
    radius_xlat: Running registered xlat function of module y5perl for string '%{User-Name}:%{NAS-Identifier}'
    radius_xlat: 'bacang:JARINGWiF'
    rlm_perl: Len is 4 , out is NULL?8???Ù¿¿?49(hÕ¿¿?? freespace is 254
    radius_xlat: 'NULL'

Calling from:

    attr_rewrite wifi {
        ## some code
        replacewith = "%{y5perl:%{User-Name}:%{NAS-Identifier}}"
    }

    preacct {
        y5perl
        wifi
        files
    }

    sub xlat {
        # some code
        # return NULL or somevalue
        return ($value);
    }
Re: Proxy accounting after query LDAP
I've tried to run it from preacct instead of in accounting inside rlm_perl, and set Proxy-To-Realm = proxy_name, but accounting is still not being proxied...

ii) radiusd.conf

    perl y5perl {
        module = /usr/local/etc/raddb/y5perl.pl
    }

    preacct {
        .
        y5perl
        files
    }

i) y5perl.pl

    sub preacct {
        # some code here
        # infranet2 is configured in proxy.conf to forward to the other server.
        $RAD_REPLY{'Proxy-To-Realm'} = "infranet2";
    }

How can we set Proxy-To-Realm from rlm_perl??

--haizam

- Original Message -
From: Rohaizam Abu Bakar [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, January 22, 2007 2:26 PM
Subject: Proxy accounting after query LDAP

FR: freeradius-1.1.2, OS: FreeBSD 6.0

Trying to query LDAP for a certain attribute; if found, then proxy accounting to another server, if not, store accounting locally. Trying using rlm_perl as below:

i) radiusd.conf

    perl y5perl {
        module = /usr/local/etc/raddb/y5perl.pl
    }

    accounting {
        ..
        y5perl
    }

ii) y5perl.pl

    sub accounting {
        # For debugging purposes only
        log_request_attributes;
        # You can call another subroutine from here
        test_call;
        wifi_infranet;
        return RLM_MODULE_OK;
    }

    sub wifi_infranet {
        ## some code to query ldap for attribute A
        if (A) {
            ## What should I put here to force proxy accounting to the other server??
        }
    }

Any other method?? TQ..

--haizam
Re: Proxy accounting after query LDAP
Any suggestion on the below..

--haizam

- Original Message -
From: Rohaizam Abu Bakar [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, January 22, 2007 2:26 PM
Subject: Proxy accounting after query LDAP

FR: freeradius-1.1.2, OS: FreeBSD 6.0

Trying to query LDAP for a certain attribute; if found, then proxy accounting to another server, if not, store accounting locally. Trying using rlm_perl as below:

i) radiusd.conf

    perl y5perl {
        module = /usr/local/etc/raddb/y5perl.pl
    }

    accounting {
        ..
        y5perl
    }

ii) y5perl.pl

    sub accounting {
        # For debugging purposes only
        log_request_attributes;
        # You can call another subroutine from here
        test_call;
        wifi_infranet;
        return RLM_MODULE_OK;
    }

    sub wifi_infranet {
        ## some code to query ldap for attribute A
        if (A) {
            ## What should I put here to force proxy accounting to the other server??
        }
    }

Any other method?? TQ..

--haizam
Rewrite accounting request/Proxy-To-Realm
i) How do I rewrite an accounting request to insert a certain attribute so that the billing engine can process it further??

ii) Tried to set Proxy-To-Realm to force proxy accounting using rlm_perl.. But failed...

    $RAD_REPLY{'Proxy-To-Realm'} = "infranet2";

--haizam
Proxy accounting after query LDAP
FR: freeradius-1.1.2, OS: FreeBSD 6.0

Trying to query LDAP for a certain attribute; if found, then proxy accounting to another server, if not, store accounting locally. Trying using rlm_perl as below:

i) radiusd.conf

    perl y5perl {
        module = /usr/local/etc/raddb/y5perl.pl
    }

    accounting {
        ..
        y5perl
    }

ii) y5perl.pl

    sub accounting {
        # For debugging purposes only
        log_request_attributes;
        # You can call another subroutine from here
        test_call;
        wifi_infranet;
        return RLM_MODULE_OK;
    }

    sub wifi_infranet {
        ## some code to query ldap for attribute A
        if (A) {
            ## What should I put here to force proxy accounting to the other server??
        }
    }

Any other method?? TQ..

--haizam
using DN from previous default entry
FreeBSD 6.1 with FR 1.1.2

I'm trying to detect a user that has the attribute Service=REAL and search through a different LDAP tree, as in the users file config below. The problem happens when both trees (DIALUP and LDAP) have an entry for the user with the same uid. So although the first DEFAULT entry does not match when searching for the attribute Service=REAL, the 2nd DEFAULT uses the DN from the first DEFAULT for authentication... Why is FreeRADIUS not using the DN from the 2nd query?? It should use ou=RADIUS, not ou=DIALUP, for auth. Please refer to the debug log below.. thanks..

users:

    DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP

    ## NORMAL DIALUP
    DEFAULT Autz-Type := LDAP

Debug:

    rad_recv: Access-Request packet from host 192.228.137.77:55146, id=13, length=46
        User-Name = bacang
        User-Password = x
    rad_rmspace_pair: User-Name now 'bacang'
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '/' in User-Name = bacang, skipping NULL due to config.
    modcall[authorize]: module IPASS returns noop for request 0
    rlm_realm: No '@' in User-Name = bacang, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = bacang
    rlm_realm: Proxying request from user bacang to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=DIALUP,ou=AAA,ou=People,dc=x,dc='
    radius_xlat: '(uid=bacang)'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
    rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=xx,dc=/xx to 127.0.0.1:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=x,dc=, with filter (uid=bacang)
    rlm_ldap: ldap_release_conn: Release Id: 0
    radius_xlat: '(&(uid=bacang)(objectclass=radiusprofile))'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=xxx,dc=, with filter (&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat: 'ou=DIALUP,ou=AAA,ou=People,dc=x,dc=xxx'
    radius_xlat: '(&(uid=bacang)(objectclass=radiusprofile))'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 61.6.32.201:389, authentication 0
    rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=xxx,dc=x/xx to :389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=xx,dc=, with filter (&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group REAL not found or user is not a member.
    users: Matched entry DEFAULT at line 23
    modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    Found Autz-Type LDAP
    Processing the authorize section of radiusd.conf
    modcall: entering group LDAP for request 0
    modcall: entering group redundant for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for bacang
    radius_xlat: '(uid=bacang)'
    radius_xlat: 'ou=RADIUS,ou=People,dc=x,dc=xxx'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
    rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=x,dc=xxx/x to 127.0.0.1:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=RADIUS,ou=People,dc=x,dc=, with filter (uid=bacang)
    rlm_ldap: checking if remote access for bacang is allowed by dialupAccess
    rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
    rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
    rlm_ldap: Adding
Re: More documentation on Auth-Type
Just managed to try your 2nd suggestion... but it gives the error below in the debug logs.. refer to the debug logs.

    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action

    modules {
        ldap ldap1 {
            basedn = ou=RADIUS..
            set_auth_type = yes
        }
        ldap ldapdialup1 {
            basedn = ou=DIALUP..
            set_auth_type = yes
        }
    }

    authorize {
        Autz-Type LDAP {
            ldap1
        }
        Autz-Type DIALUP {
            ldapdialup1
        }
    }

    authenticate {
        Auth-Type ldap1 {
            ldap1
        }
        Auth-Type ldapdialup1 {
            ldapdialup1
        }
    }

    DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP
    DEFAULT Autz-Type := LDAP

Debug:

    rlm_ldap: performing user authorization for bacang
    radius_xlat: '(uid=bacang)'
    radius_xlat: 'ou=RADIUS,ou=People,.'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to :389, authentication 0
    rlm_ldap: bind as cn=Sysadmin,ou=Applications,./x to xxx:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=RADIUS,ou=People,..., with filter (uid=bacang)
    rlm_ldap: checking if remote access for bacang is allowed by attrRoaming
    rlm_ldap: Added password {CRYPT}Y3EhshegMNPxA in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
    rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
    rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
    rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
    rlm_ldap: user bacang authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap1 returns ok for request 0
    modcall: group Autz-Type returns ok for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
    auth: Failed to validate the user.
    Login incorrect: [bacang] (from client sysadmin port 0)

- Original Message -
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type

Rohaizam Abu Bakar wrote:
Any docs to help with my problem...? In doc/rlm_ldap there is a section about LDAP XLAT.. Is it the one?

As far as I know, you should be able to do something like:

    modules {
        files {
            usersfile = users
        }
        files wireless_files {
            usersfile = wireless_users
        }
        files vpn_files {
            usersfile = vpn_users
        }
        ldap {
            basedn = %{reply:Tmp-String-1}
            ...
        }
    }

    authorize {
        files
        Autz-Type WIRELESS {
            wireless_files
            ldap
        }
        Autz-Type VPN {
            vpn_files
            ldap
        }
    }

users:

    DEFAULT Huntgroup-Name == whatever, Autz-Type := WIRELESS
    DEFAULT Huntgroup-Name == something, Autz-Type := VPN

users_vpn:

    DEFAULT Tmp-String-1 = ou=vpnusers,dc=mydomain,dc=org

users_wireless:

    DEFAULT Tmp-String-1 = ou=wireless,dc=anotherdomain,dc=com

You may need to add Tmp-String-1 to a local dictionary if you're running an older server, e.g. in dictionary

    ATTRIBUTE Tmp-String-1 3000 string

Alternatively, 1.1.0 and up can do this I think?

    modules {
        ldap wireless_ldap {
            basedn = ou=wireless,dc=domain,dc=com
            set_auth_type = yes
        }
        ldap vpn_ldap {
            basedn = ou=vpn,dc=example,dc=org
            set_auth_type = yes
        }
        files {
            ...
        }
    }

    authorize {
        preprocess
        files
        Autz-Type WIRELESS {
            wireless_ldap
        }
        Autz-Type VPN {
            vpn_ldap
        }
    }

    authenticate {
        Auth-Type wireless_ldap {
            wireless_ldap
        }
        Auth-Type vpn_ldap {
            vpn_ldap
        }
    }

and in users:

    DEFAULT Huntgroup-Name == VPN, Autz-Type := VPN
    DEFAULT Huntgroup-Name == WIRELESS, Autz-Type := WIRELESS

Basically, what happens then is:

1. preprocess run
2. files run, autz-type set
3. authorize re-run, autz-type section run
4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to modulename - i.e. wireless_ldap or vpn_ldap
5. authenticate run, appropriate LDAP module run
Re: More documentation on Auth-Type
For the 2nd option.. I already tried almost the same, except for the auth-type name... Previously I tried the autz and auth type using the same name... Will try it out as suggested... thx Phil

--haizam

- Original Message -
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type

Rohaizam Abu Bakar wrote:
Any docs to help with my problem...? In doc/rlm_ldap there is a section about LDAP XLAT.. Is it the one?

As far as I know, you should be able to do something like:

    modules {
        files {
            usersfile = users
        }
        files wireless_files {
            usersfile = wireless_users
        }
        files vpn_files {
            usersfile = vpn_users
        }
        ldap {
            basedn = %{reply:Tmp-String-1}
            ...
        }
    }

    authorize {
        files
        Autz-Type WIRELESS {
            wireless_files
            ldap
        }
        Autz-Type VPN {
            vpn_files
            ldap
        }
    }

users:

    DEFAULT Huntgroup-Name == whatever, Autz-Type := WIRELESS
    DEFAULT Huntgroup-Name == something, Autz-Type := VPN

users_vpn:

    DEFAULT Tmp-String-1 = ou=vpnusers,dc=mydomain,dc=org

users_wireless:

    DEFAULT Tmp-String-1 = ou=wireless,dc=anotherdomain,dc=com

You may need to add Tmp-String-1 to a local dictionary if you're running an older server, e.g. in dictionary

    ATTRIBUTE Tmp-String-1 3000 string

Alternatively, 1.1.0 and up can do this I think?

    modules {
        ldap wireless_ldap {
            basedn = ou=wireless,dc=domain,dc=com
            set_auth_type = yes
        }
        ldap vpn_ldap {
            basedn = ou=vpn,dc=example,dc=org
            set_auth_type = yes
        }
        files {
            ...
        }
    }

    authorize {
        preprocess
        files
        Autz-Type WIRELESS {
            wireless_ldap
        }
        Autz-Type VPN {
            vpn_ldap
        }
    }

    authenticate {
        Auth-Type wireless_ldap {
            wireless_ldap
        }
        Auth-Type vpn_ldap {
            vpn_ldap
        }
    }

and in users:

    DEFAULT Huntgroup-Name == VPN, Autz-Type := VPN
    DEFAULT Huntgroup-Name == WIRELESS, Autz-Type := WIRELESS

Basically, what happens then is:

1. preprocess run
2. files run, autz-type set
3. authorize re-run, autz-type section run
4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to modulename - i.e. wireless_ldap or vpn_ldap
5. authenticate run, appropriate LDAP module run
Re: More documentation on Auth-Type
Alan,

Referring to the config below, each service has its own LDAP tree, specified under the ldap module, with a different Auth-Type and Autz-Type specified in radiusd.conf. How can I set in the users file which tree to search? Normally I detect NAS-Identifier and NAS-Port-Type as check items. If I specify Auth-Type and Autz-Type in the users file it seems to work, but when it comes to EAP it doesn't.

i) users

    DEFAULT (not to set Auth-Type, but need to direct to a certain LDAP tree)

ii) radiusd.conf

    ldap adsl {
        basedn = ou=ADSL, ou=People...
    }
    ldap wifi {
        basedn = ou=wifi, ou=People...
    }

Then, in the authorize and authenticate sections:

    authorize {
        eap
        Autz-Type=ADSL {
            adsl
        }
        Autz-Type=WIFI {
            wifi
        }
    }

    authenticate {
        Auth-Type=ADSL {
            adsl
        }
        Auth-Type=WIFI {
            wifi
        }
        eap
    }

iii) eap.conf

    ... some config...

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, August 07, 2006 9:08 AM
Subject: Re: More documentation on Auth-Type

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
I've read the docs about auth-type configuration. And I agree that without setting auth-type, leaving FR to auto-detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search a different tree in LDAP

... which isn't authentication. You just described searching an LDAP tree for information. That's using LDAP for what it was designed to do best: database lookups.

Once the information is found in LDAP, the RADIUS server can do CHAP, MS-CHAP, etc. for authentication. LDAP servers don't handle those authentication protocols, so you're stuck with using LDAP for DB lookups, and RADIUS for authentication.

normally EAP sequence works OK but when up to comparing password, it will failed. I've reported my problem a few times in mailing list.

I don't recall seeing that, sorry. What was the problem?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: More documentation on Auth-Type
Aside from setting Reject/Accept, that (use of 1 module for a given auth method) is probably the single valid use. That use would be better supported using another method than conflating module instance names with algorithm names.

I don't quite understand the above suggestion/comments..

That is probably because the EAP inner request does not have the NAS-Id and NAS-Port-Type attribute. Set copy_request_to_tunnel = yes on the EAP method(s) you're using.

I will try that one... thanks..

--haizam
Re: More documentation on Auth-Type
Any docs to help with my problem...? In doc/rlm_ldap there is a section about LDAP XLAT.. Is it the one? thanks..

--haizam

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, August 08, 2006 12:28 AM
Subject: Re: More documentation on Auth-Type

On Mon, 7 Aug 2006, Alan DeKok wrote:

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
Referring to the config below, each service has its own LDAP tree, specified under an ldap module with a different Auth-Type / Autz-Type in radiusd.conf. How can I set in the users file which tree to search?

Right now, you can't. It's probably not too hard to add support in rlm_ldap for dynamic updates of the basedn. That would make life a lot easier for many people, I think.

basedn is already xlated..

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: More documentation on Auth-Type
I've read the docs about auth-type configuration, and agree that without setting auth-type and leaving FR to auto-detect it, the auth will work even up to EAP. But sometimes we have to specify auth-type in order to search a different tree in LDAP for each service. Even Autz-Type also needs to be specified, but some of the EAP types won't work, such as EAP-TTLS-PAP. Normally the EAP sequence works OK, but when it comes to comparing the password it fails. I've reported my problem a few times on the mailing list. Any comments?

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, August 04, 2006 2:47 AM
Subject: More documentation on Auth-Type

http://deployingradius.com/documents/configuration/auth_type.html

Many web sites contain all sorts of recommendations about Auth-Type. This one is correct.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: using previous DN in DEFAULT
I still can't find a solution.. why does it keep referring to the previous DN to do the LDAP bind... although both Autz-Type and Auth-Type have already been set (in the debug log) to the correct one...

--haizam

- Original Message -
From: Rohaizam Abu Bakar [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, July 20, 2006 2:51 PM
Subject: using previous DN in DEFAULT

Hi..

Freeradius 1.1.2
OS: FreeBSD 6.1

Referring to the debug logs and config below, I'm planning to have 2 DEFAULT entries in users. One reads the LDAP tree ou=DIALUP, the other ou=RADIUS, but the 1st DEFAULT entry will only be matched if the entry contains the attribute jaringService = REAL in ou=DIALUP. Otherwise it will match the 2nd entry. The problem is that although the first DEFAULT is NOT matched, and the 2nd DEFAULT (Auth-Type and Autz-Type LDAP) is matched, it will still bind to LDAP using ou=DIALUP (from the 1st DEFAULT):

rlm_ldap: user DN: uniqueIdentifier=10614,ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my

The problem happens when both LDAP trees have an entry with the same uid... but a different password, belonging to a different person.

users:

## NEW Dialup (REAL TIME)
DEFAULT ldapdialup1-Ldap-Group == REAL, Autz-Type := DIALUP, Auth-Type := DIALUP

## NORMAL DIALUP
DEFAULT Autz-Type := LDAP, Auth-Type := LDAP

radiusd.conf:

ldap ldap1 {
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}
ldap ldap2 {
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}
ldap ldapdialup1 {
        basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
        groupname_attribute = jaringService
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}
ldap ldapdialup2 {
        basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
        groupname_attribute = jaringService
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

Autz-Type LDAP {
        redundant {
                ldap1
                ldap2
        }
}
Autz-Type DIALUP {
        redundant {
                ldapdialup1
                ldapdialup2
        }
}
Auth-Type LDAP {
        redundant {
                ldap1
                ldap2
        }
}
Auth-Type DIALUP {
        redundant {
                ldapdialup1
                ldapdialup2
        }
}

debug:

rad_recv: Access-Request packet from host xxx:60005, id=41, length=46
        User-Name = bacang
        User-Password = xx
rad_rmspace_pair: User-Name now 'bacang'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '/' in User-Name = bacang, skipping NULL due to config.
modcall[authorize]: module IPASS returns noop for request 0
rlm_realm: No '@' in User-Name = bacang, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = bacang
rlm_realm: Proxying request from user bacang to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my'
radius_xlat: '(uid=bacang)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x:389, authentication 0
rlm_ldap: bind as cn=x,ou=Applications,dc=jaring,dc=my/xxx to x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=bacang)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(&(uid=bacang)(objectclass=radiusprofile))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my, with filter (&(jaringService=REAL)(&(uid=bacang)(objectclass=radiusprofile)))
rlm_ldap: object not found or got
Re: EAP-TTLS-PAP-LDAP
I don't think it's because of a wrong password.. It seems to be caused by RADIUS not being able to set Auth-Type and not being able to read the crypt password... When I change to a plain password, it works..

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, July 14, 2006 11:28 PM
Subject: Re: EAP-TTLS-PAP-LDAP

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
No error detected (refer below debug logs)

Really?

auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.

Try using the correct password to log in.

Alan DeKok.
Re: EAP-TTLS-PAP-LDAP
Thanks Phil.. what a stupid move to paste all that passwd.. I've changed it as soon as I got your mail... thanks again...

I cannot find any article related to repeating the LDAP query for EAP... please help..

I think the problem is caused by RADIUS not being able to figure out how to set Auth-Type, and then it requires a plain passwd.. When I change the password to plain, with the same setting, it's working...

--haizam

- Original Message -
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, July 14, 2006 5:26 PM
Subject: Re: EAP-TTLS-PAP-LDAP

Rohaizam Abu Bakar wrote:
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in

That's your problem. The CVS version of FreeRadius has auto_header which will detect the {type} in the password, strip it and put the password in the right place. Try that. Or, write an external script (run via exec) to manipulate the request correctly.

A couple more things:

1. You're doing the LDAP query on *every* radius request, which is pointless for the EAP conversation. You can rework the config so that doesn't happen - see the list archives for "eap AND 127.0.0.1"

2. You put your LDAP server admin name, password and IP into the debug output. I'd change those ASAP...
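Phil's second point is the one that bites whenever radiusd -X output is pasted to a list: the bind DN, the bind password, the user's cleartext or hashed password and the host addresses are all in it. The following Python is added here as an editor's example, not code from FreeRADIUS or from anyone on the list. It scrubs those fields from a debug capture before it is shared and checks that the known secrets are really gone. The sample lines are constructed to mimic the rlm_ldap and request-dump lines quoted in this thread, the rule set is an assumption about which fields matter and would need extending for other modules, and the placeholder tokens are arbitrary.

```python
import re

# Rules are applied in order. Each one keeps the part of the line that is
# useful for debugging and replaces only the secret. The "bind as" rule runs
# before the IP rule so that the host placeholder is not split in two.
SCRUB_RULES = [
    # rlm_ldap: bind as <admin DN>/<admin password> to <host>:<port>
    (re.compile(r"(bind as )([^/]+)/(\S+)( to )(\S+)"),
     r"\1<BIND-DN>/<REDACTED>\4<LDAP-HOST>"),
    # rlm_ldap: Added password <cleartext or {SCHEME}hash> in check items
    (re.compile(r"(Added password )(\S+)( in check items)"), r"\1<REDACTED>\3"),
    # request / control attribute dumps holding password material
    (re.compile(r"((?:User|Cleartext|Crypt|NT|LM)-Password\s*=\s*)\S+"),
     r"\1<REDACTED>"),
    # password-derived or shared-secret-keyed attributes
    (re.compile(r"((?:CHAP-Password|MS-CHAP-Response|MS-CHAP2-Response|"
                r"Message-Authenticator)\s*=\s*)\S+"), r"\1<REDACTED>"),
    # config echoes such as   password = s3cret   or   identity = cn=root,...
    (re.compile(r"^(\s*(?:password|secret|identity)\s*=\s*)\S+", re.I),
     r"\1<REDACTED>"),
    # IPv4 addresses of NAS and LDAP hosts (the port is kept)
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
]


def scrub_line(line: str) -> str:
    """Apply every rule to one line of radiusd -X output."""
    for pattern, repl in SCRUB_RULES:
        line = pattern.sub(repl, line)
    return line


def scrub(text: str) -> str:
    """Scrub a whole capture, line by line."""
    return "\n".join(scrub_line(line) for line in text.splitlines())


def leaks(text: str, secrets) -> list:
    """Secrets that still appear in the scrubbed output; expected to be []."""
    return [s for s in secrets if s in text]


# Constructed sample in the shape of the lines quoted in this thread; the
# addresses, DN, passwords and hash are invented, not taken from the page.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10:1814, id=133, length=197
        User-Name = "jaroce"
        User-Password = "j4r1ng"
        Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
rlm_ldap: bind as cn=radius,ou=Applications,dc=example,dc=my/Adm1nPass to 192.0.2.20:389
rlm_ldap: Added password {CRYPT}$1$c0nstruct$XXXXXXXXXXXXXXXXXXXXXX in check items
rlm_ldap: looking for check items in directory...
        identity = cn=root,dc=example,dc=my
        password = Adm1nPass
"""

if __name__ == "__main__":
    cleaned = scrub(SAMPLE)
    print(cleaned)
    print("leaks:", leaks(cleaned, ["j4r1ng", "Adm1nPass", "192.0.2.", "$1$"]))
```

Run it over a saved capture (`python3 scrub.py < radiusd-debug.txt`, adapting the `__main__` block to read stdin) and keep `leaks()` in the workflow: a rule set that silently misses a new attribute is exactly the failure mode this thread shows.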
Re: EAP-TTLS-PAP-LDAP
: Matched entry DEFAULT at line 19
modcall[authorize]: module files returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
  Found Autz-Type OCE
Processing the authorize section of radiusd.conf
modcall: entering group OCE for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce2
radius_xlat: '(uid=jaroce2)'
radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2)
rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
rlm_ldap: user jaroce2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldapOCE returns ok for request 9
modcall: leaving group OCE (returns ok) for request 9
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module preprocess returns ok for request 9
modcall[authorize]: module chap returns noop for request 9
modcall[authorize]: module mschap returns noop for request 9
rlm_realm: No '/' in User-Name = [EMAIL PROTECTED], skipping NULL due to config.
modcall[authorize]: module IPASS returns noop for request 9
rlm_realm: Looking up realm ocemy015.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm ocemy015.com
rlm_realm: Adding Stripped-User-Name = jaroce2
rlm_realm: Proxying request from user jaroce2 to realm ocemy015.com
rlm_realm: Adding Realm = ocemy015.com
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 9
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 9
users: Matched entry DEFAULT at line 19
modcall[authorize]: module files returns ok for request 9
modcall: leaving group authorize (returns ok) for request 9
  Found Autz-Type OCE
Processing the authorize section of radiusd.conf
modcall: entering group OCE for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce2
radius_xlat: '(uid=jaroce2)'
radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my, with filter (uid=jaroce2)
rlm_ldap: checking if remote access for jaroce2 is allowed by dialupAccess
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
rlm_ldap: user jaroce2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldapOCE returns ok for request 9
modcall: leaving group OCE (returns ok) for request 9
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
  TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client OCE_JARING port 241 cli 00-11-5b-2d-b2-8e)

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, July 14, 2006 1:44 PM
Subject: Re: EAP-TTLS-PAP-LDAP

Rohaizam Abu Bakar [EMAIL PROTECTED
EAP-TTLS-PAP-LDAP
Trying to do EAP-TTLS-PAP with a CRYPT passwd in LDAP.. The tunnelling seems fine.. but when it comes to comparing the password it fails. Refer to the logs and config below.

Some say (http://felipe-alfaro.org/blog/category/radius/) PAP is tunnelled inside EAP-TTLS through EAP-GTC... Tried that as well.. still the same error.

gtc {
        auth_type = PAP    # even trying to change to LDAP/OCE - still the same error
}

Error:

auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
  TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client OCE_JARING port 241 cli 00-11-5b-2d-b2-8e)

With settings:

a) radiusd.conf

ldapOCE {
        --some setting
}
authorize {
        eap
        Autz-Type OCE {
                ldapOCE
        }
}
authenticate {
        Auth-Type OCE {
                ldapOCE
        }
        eap
}

b) eap.conf

eap {
        default_eap_type = ttls
        tls {
                --some setting
        }
        ttls {
                default_eap_type = md5
        }
}

c) users:

DEFAULT Realm == my015.com, Autz-Type := OCE
multiple Auth-Type
I've multiple Auth-Types and Autz-Types to use for the LDAP backend. From the setting below, I'm trying NOT to set Auth-Type as suggested... So I let FreeRADIUS detect Auth-Type by itself... It is only working for the OCE line because it's an EAP type. The other lines do not work unless the password is stored in plain text in LDAP. If all lines (except the OCE line) are given Auth-Type := LDAP/Y5/ADSL.. then it's working.. So my big question is.. why is it recommended not to set Auth-Type??

Error in debug:

auth: type Local
auth: user supplied User-Password does NOT match local User-Password

users:

DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5
DEFAULT Huntgroup-Name == adsl, Autz-Type := ADSL
DEFAULT NAS-Identifier == OCEPOP, Autz-Type := OCE
DEFAULT Autz-Type := LDAP

modules {
        ldap ldapadsl {
                -- some config
                basedn = "ou=ADSL,ou=AAA,ou=People,dc=jaring,dc=my"
                -- some config
        }
        ldap ldapy5 {
                -- some config
                basedn = "ou=Y5,ou=AAA,ou=People,dc=jaring,dc=my"
                -- some config
        }
        ldap ldap1 {
                -- some config
                basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
                -- some config
        }
        ldap ldapOCE {
                -- some config
                basedn = "ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my"
                -- some config
        }
}

authorize {
        Autz-Type ADSL {
                ldapadsl
        }
        Autz-Type Y5 {
                ldapy5
        }
        Autz-Type OCE {
                ldapOCE
        }
        Autz-Type LDAP {
                ldap1
        }
}

authenticate {
        Auth-Type ADSL {
                ldapadsl
        }
        Auth-Type Y5 {
                ldapy5
        }
        Auth-Type OCE {
                ldapOCE
        }
        Auth-Type LDAP {
                ldap1
        }
}
RADIUS-LDAPv3.schema & db_mysql.sql
I noticed that from Freeradius 1.1.1 onwards, both RADIUS-LDAPv3.schema and db_mysql.sql are NOT included in the source dir? Looking for the latest schema, since I currently would like to upgrade my LDAP.

--haizam
Re: EAP-MD5 with LDAP
After searching for a solution.. I found one comment from Alan advising not to set Auth-Type := LDAP because LDAP does not do authentication.. EAP does.. let the server figure it out itself... In the case of EAP, LDAP just extracts the password for EAP to do the authentication.

But the problem is, my RADIUS needs to serve a few services, such as ADSL, Wifi, Dial up, etc. Each service has its own LDAP tree for better management. So in radiusd.conf there will be a few ldap modules.. See below:

How do I set in the users file in order for a WIFI user to perform EAP but get LDAP info from a certain LDAP tree, without having to set Auth-Type?

i) users:

DEFAULT   (not to set Auth-Type, but need to direct to a certain LDAP tree)

ii) radiusd.conf:

ldap adsl {
        basedn = ou=ADSL, ou=People...
}
ldap wifi {
        basedn = ou=wifi, ou=People...
}

Then, in the authorize and authenticate sections:

authorize {
        eap
        Autz-Type ADSL {
                adsl
        }
        Autz-Type WIFI {
                wifi
        }
}
authenticate {
        Auth-Type ADSL {
                adsl
        }
        Auth-Type WIFI {
                wifi
        }
        eap
}

iii) eap.conf:

... some config ...

- Original Message -
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, June 24, 2006 5:37 PM
Subject: Re: EAP-MD5 with LDAP

Rohaizam Abu Bakar wrote:
Hi.. Using FB 6.0 & FR 1.0.5, trying to configure EAP-MD5 with an LDAP backend... But it keeps reporting:
rlm_ldap: Attribute User-Password is required for authentication.

EAP-MD5 requires you have the plaintext password (in the LDAP server, in this case). If you do not, you cannot do EAP-MD5. If you do, configure the LDAP server to give the plaintext password to the radius server (usually in userPassword) and the radius server to map that into User-Password (done by default) and it will work.
Re: EAP-MD5 with LDAP
Can I set Autz-Type in users, but leave EAP to set Auth-Type??

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, June 25, 2006 10:48 PM
Subject: Re: EAP-MD5 with LDAP

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
How do I set in the users file in order for a WIFI user to perform EAP but get LDAP info from a certain LDAP tree without having to set Auth-Type?

The EAP module will take care of setting Auth-Type. You don't have to.

Alan DeKok.
EAP-MD5 with LDAP
Hi..

Using FB 6.0 & FR 1.0.5, trying to configure EAP-MD5 with an LDAP backend... But it keeps reporting:

rlm_ldap: Attribute User-Password is required for authentication.

No EAP is being processed... please see the full debug log below..

Below is my config with multiple DEFAULT entries... for Wireless services and normal Dialup authentication.

i) users:

DEFAULT NAS-Identifier == Wireless-802.11, Autz-Type := Y5, Auth-Type := Y5
DEFAULT Autz-Type := LDAP, Auth-Type := LDAP

ii) eap.conf:

eap {
        default_eap_type = md5
        md5 {
        }
}

iii) radiusd.conf:

$INCLUDE ${confdir}/eap.conf

authorize {
        eap
        Autz-Type LDAP {
                ldap1
        }
        Autz-Type Y5 {
                ldapy51
        }
}

authenticate {
        Auth-Type LDAP {
                ldap1
        }
        Auth-Type Y5 {
                ldapy51
        }
        eap
}

ldap ldap1 {
        server = localhost
        identity = "cn=root,dc=jaring,dc=my"
        password = xx
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

ldap ldapy51 {
        server = localhost
        identity = "cn=root,dc=jaring,dc=my"
        password = xx
        basedn = "ou=Y5,ou=People,dc=jaring,dc=my"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        access_attr = dialupAccess
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

Debug:

rad_recv: Access-Request packet from host 202.73.10.12:1814, id=133, length=197
        Framed-MTU = 1466
        NAS-IP-Address = 10.220.0.2
        NAS-Identifier = OCEPOP
        User-Name = jaroce
        Service-Type = Framed-User
        NAS-Port = 129
        NAS-Port-Type = Ethernet
        NAS-Port-Id = ether9_129
        Called-Station-Id = 00-11-95-e1-ce-8a
        Calling-Station-Id = 00-13-46-86-c3-93
        Connect-Info = CONNECT Ethernet 2Mbps Full duplex
        EAP-Message = 0x02020015016a61726f6365406d793031352e636f6d
        Message-Authenticator = 0x6d5b3fff40ff4c920b88d100ed80a209
        Proxy-State = 0x3433
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
modcall[authorize]: module chap returns noop for request 1
modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '/' in User-Name = jaroce, skipping NULL due to config.
modcall[authorize]: module IPASS returns noop for request 1
rlm_realm: No '@' in User-Name = jaroce, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = jaroce
rlm_realm: Proxying request from user jaroce to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 1
rlm_eap: EAP packet type response id 2 length 21
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 1
users: Matched entry DEFAULT at line 68
modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 1
modcall: entering group redundant for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce
radius_xlat: '(uid=jaroce)'
radius_xlat: 'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=jaroce)
rlm_ldap: checking if remote access for jaroce is allowed by dialupAccess
rlm_ldap: Added password j4r1ng in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value Van-Jacobson-TCP-IP op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User op=11
rlm_ldap: user jaroce authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns ok for
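Phil's auto_header remark in the EAP-TTLS-PAP-LDAP thread above and his EAP-MD5 answer quoted in this thread come down to the same table: which password form stored in LDAP can satisfy which authentication method. The following Python is added here as an editor's example, not code from FreeRADIUS or from anyone on the list. It applies the {SCHEME} header convention to a userPassword value, names the FreeRADIUS 1.x/2.x control attribute the auto_header logic would populate, lists the methods that form can serve, and runs a PAP comparison for the cleartext and {SSHA} forms. The attribute names are FreeRADIUS's, the sample values are constructed, and {CRYPT} verification is left to the system crypt(3), which this example deliberately does not call.

```python
import base64
import hashlib
import hmac
import os

# RFC 2307-style userPassword prefix -> FreeRADIUS control attribute.
# A value with no prefix is treated as cleartext and lands in User-Password
# (called Cleartext-Password in later FreeRADIUS releases).
SCHEME_TO_ATTR = {
    "": "User-Password",
    "CRYPT": "Crypt-Password",
    "MD5": "MD5-Password",
    "SMD5": "SMD5-Password",
    "SHA": "SHA-Password",
    "SSHA": "SSHA-Password",
    "NT": "NT-Password",
    "LM": "LM-Password",
}

# Which methods each stored form can authenticate. A one-way hash can only be
# compared against a cleartext candidate, so it serves PAP alone; CHAP and
# EAP-MD5 need the cleartext, MS-CHAP needs the cleartext or the NT hash.
METHODS_BY_ATTR = {
    "User-Password": {"PAP", "CHAP", "EAP-MD5", "MS-CHAP", "EAP-MSCHAPv2"},
    "NT-Password": {"PAP", "MS-CHAP", "EAP-MSCHAPv2"},
}
HASH_ONLY = {"PAP"}


def classify_ldap_password(value: str):
    """Split a userPassword value into (control attribute, payload).

    '{CRYPT}$1$salt$hash' -> ('Crypt-Password', '$1$salt$hash')
    'secret'              -> ('User-Password', 'secret')
    An unknown {SCHEME} yields attribute None so the caller can reject it.
    """
    if value.startswith("{"):
        end = value.find("}")
        if end == -1:
            return None, value
        return SCHEME_TO_ATTR.get(value[1:end].upper()), value[end + 1:]
    return SCHEME_TO_ATTR[""], value


def compatible_methods(attr):
    """Authentication methods a given control attribute can satisfy."""
    if attr is None:
        return set()
    return set(METHODS_BY_ATTR.get(attr, HASH_ONLY))


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value (constructed test data; OpenLDAP's layout)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(payload: str, candidate: str) -> bool:
    """PAP check against the base64 payload of a {SSHA} value."""
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def pap_ok(stored: str, candidate: str) -> bool:
    """PAP comparison for the forms this example verifies itself."""
    attr, payload = classify_ldap_password(stored)
    if attr == "User-Password":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if attr == "SSHA-Password":
        return verify_ssha(payload, candidate)
    raise NotImplementedError("no verifier for %s in this example" % attr)


if __name__ == "__main__":
    # Constructed samples: a crypt(3)-shaped string, an SSHA value built
    # above, and a cleartext entry like the one in this thread's debug log.
    for stored in ("{CRYPT}$1$saltsalt$0123456789abcdefghijkl",
                   make_ssha("j4r1ng", os.urandom(8)),
                   "j4r1ng"):
        attr, _ = classify_ldap_password(stored)
        print("%-14s -> %s: %s" % (stored[:14], attr, sorted(compatible_methods(attr))))
```

The table is the answer to the recurring question in these threads: with {CRYPT} in userPassword, PAP (including PAP inside EAP-TTLS) is the only method that can ever succeed, and EAP-MD5 or MS-CHAP need the cleartext or NT hash regardless of how Auth-Type is set.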
Zero Session-Timeout
Dear all,

Using FB 6.0, FR 1.0.5 (will upgrade soon). I've a problem with timeout... I've set in the users file as below in order to load the timeout value depending on the type of connection (ISDN/PSTN):

DEFAULT NAS-Port-Type == Sync, Autz-Type := DIALUP, Auth-Type := DIALUP
        Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U ISDN}`

DEFAULT NAS-Port-Type == Async, Autz-Type := DIALUP, Auth-Type := DIALUP
        Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.pl %U PSTN}`

The problem is when the Session-Timeout value = 0, which normally happens when the script cannot load a value... it will NOT time out... the user can still stay connected until manually disconnected... Below is the debug log...

Login OK: [integ36] (from client INFRANETTEST port 300 cli )
Sending Access-Accept of id 111 to 10.1.1.1:1645
        Session-Timeout = 0
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-MTU = 1500
        Framed-Protocol = PPP
        Service-Type = Framed-User
Finished request 89
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.1.1.1:1646, id=97, length=131
        Acct-Session-Id = 00AE
        Framed-Protocol = PPP
        User-Name = integ36
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        Calling-Station-Id =
        Called-Station-Id = 2426
        NAS-Port-Type = Async
        Connect-Info = 50667/24000 V90/V44/LAPM
        NAS-Port = 300
        Service-Type = Framed-User
        NAS-IP-Address = 10.1.1.1
        Acct-Delay-Time = 0
.
.
.
rad_recv: Accounting-Request packet from host 10.1.1.1:1646, id=98, length=173
        Acct-Session-Id = 00AE
        Framed-Protocol = PPP
        Framed-IP-Address = 10.1.1.3
        User-Name = integ36
        Acct-Authentic = RADIUS
        Acct-Session-Time = 26
        Acct-Input-Octets = 8110
        Acct-Output-Octets = 4998
        Acct-Input-Packets = 92
        Acct-Output-Packets = 37
        Acct-Terminate-Cause = User-Request
        Acct-Status-Type = Stop
        Calling-Station-Id =
        Called-Station-Id = 2426
        NAS-Port-Type = Async
        Connect-Info = 50667/24000 V90/V44/LAPM
        NAS-Port = 300
        Service-Type = Framed-User
        NAS-IP-Address = 10.1.1.1
        Acct-Delay-Time = 0
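The Access-Accept above carries Session-Timeout = 0, which the NAS reads as "no limit" rather than as a failed lookup, so a script error silently becomes an unlimited session. As an added example, not the thread's timeout.pl and not FreeRADIUS code, the following Python is a fail-closed replacement for the exec'd script: when the lookup is missing, empty, non-numeric, zero, negative or absurdly large it returns a short positive fallback instead of 0. The lookup table is constructed, the fallback and ceiling values are assumptions, and the command line mirrors the %{exec:...} xlat quoted above.

```python
import sys

# Constructed lookup table standing in for whatever timeout.pl consults.
# Values are seconds; None models a record that exists but carries no value.
TIMEOUTS = {
    ("integ36", "PSTN"): 3600,
    ("integ36", "ISDN"): 7200,
    ("broken", "PSTN"): None,
}

# Session-Timeout = 0 is not "disconnect now"; the NAS in the thread treated
# it as "never", so the safe fallback is a short positive value, never zero.
FALLBACK_SECONDS = 600
MAX_SECONDS = 24 * 3600


def session_timeout(user, medium, table=TIMEOUTS, fallback=FALLBACK_SECONDS):
    """Return a positive Session-Timeout in seconds, falling back safely.

    Every failure path (unknown user/medium, missing value, non-integer,
    zero, negative, above the ceiling) yields `fallback`, so a broken lookup
    can never grant an unlimited session.
    """
    try:
        value = int(table[(user, medium)])
    except (KeyError, TypeError, ValueError):
        return fallback
    if value <= 0 or value > MAX_SECONDS:
        return fallback
    return value


def main(argv):
    # Usage from the users file, in the shape of the thread's exec xlat:
    #   Session-Timeout = `%{exec:/usr/local/etc/raddb/timeout.py %U PSTN}`
    # Everything written to stdout becomes the attribute value, so print
    # exactly one integer and nothing else, even on bad arguments.
    if len(argv) != 3:
        print(FALLBACK_SECONDS)
        return 1
    print(session_timeout(argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the policy is that a failed lookup should deny access rather than shorten the session, the same check belongs in an exec module that returns reject; what it must never do is let the empty string or 0 reach the reply.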
Freeradius 1.1.1 with openldap 2.0.X
Tried to upgrade the current machine from:

FreeBSD 4.11
OpenLDAP 2.0.X
Freeradius 1.0.4

to Freeradius 1.1.1 using ports. But it tried to install OpenLDAP 2.2.X as well... I want to use the existing OpenLDAP (2.0.X). Is it possible to force the FreeRADIUS ports installation to use the existing OpenLDAP client? TQ

--haizam
Re: Bug 314..
Which file should I fix, and what do I add? According to Frank: "For 6.0, I'll fix it by unconditionally including sys/un.h in cryptocard.c"

thanks..

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, January 24, 2006 02:09
Subject: Re: Bug 314..

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
Has bug 314 been fixed? Problem with rlm_otp on FreeBSD 6.0

It's trivial to fix by hand in 1.1.0. It will be fixed permanently in 1.1.1.

Alan DeKok.
Bug 314..
Has bug 314 been fixed? Problem with rlm_otp on FreeBSD 6.0

thanks..

--haizam
Re: Freeradius 1.1.0 build error
I've got an error too.. but it's different, testing on a FreeBSD 4.11 machine..

##
rlm_attr_rewrite.c -o rlm_attr_rewrite.o
In file included from rlm_attr_rewrite.c:31:
/usr/include/regex.h:46: syntax error before `regoff_t'
/usr/include/regex.h:46: warning: type defaults to `int' in declaration of `regoff_t'
/usr/include/regex.h:46: warning: data definition has no type or storage class
/usr/include/regex.h:56: syntax error before `regoff_t'
rlm_attr_rewrite.c: In function `do_attr_rewrite':
rlm_attr_rewrite.c:314: structure has no member named `rm_so'
rlm_attr_rewrite.c:316: structure has no member named `rm_so'
rlm_attr_rewrite.c:318: structure has no member named `rm_eo'
rlm_attr_rewrite.c:318: structure has no member named `rm_so'
rlm_attr_rewrite.c:330: structure has no member named `rm_eo'
rlm_attr_rewrite.c:348: structure has no member named `rm_so'
rlm_attr_rewrite.c:357: structure has no member named `rm_so'
rlm_attr_rewrite.c:358: structure has no member named `rm_eo'
rlm_attr_rewrite.c:358: structure has no member named `rm_so'
rlm_attr_rewrite.c:359: structure has no member named `rm_eo'
rlm_attr_rewrite.c:359: structure has no member named `rm_so'
gmake[5]: *** [rlm_attr_rewrite.o] Error 1
gmake[5]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_attr_rewrite'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake: *** [common] Error 2
*** Error code 2
###

- Original Message -
From: Drew S. Dupont [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Friday, January 13, 2006 11:07
Subject: Freeradius 1.1.0 build error

When trying to compile the new release, I am unable to because it stops with an error in the:

Making install in rlm_sql_iodbc...
gmake[11]: Entering directory `/home/dsdupont/freeradius-1.1.0/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
[ xrlm_sql_iodbc = x ] || /home/dsdupont/freeradius-1.1.0/libtool --mode=install /home/dsdupont/freeradius-1.1.0/install-sh -c -c rlm_sql_iodbc.la /home/dsdupont/freeradius/usr/local/lib/rlm_sql_iodbc.la
libtool: install: `rlm_sql_iodbc.la' is not a valid libtool archive
Try `libtool --help --mode=install' for more information.

It does that for any module in the rlm_sql group. However, when I go and type make inside the rlm_sql_iodbc dir, it compiles fine. I then go back one and type make and it compiles fine. I can then return to the main dir and type make and it runs along until:

Making static dynamic in rlm_otp...
gmake[4]: Entering directory `/home/dsdupont/freeradius-1.1.0/src/modules/rlm_otp'
Making all in cardops ...
gmake[5]: Entering directory `/home/dsdupont/freeradius-1.1.0/src/modules/rlm_otp/cardops'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -I/usr/local/ssl/includes -Wall -D_GNU_SOURCE -DNDEBUG -I../../../include -I/usr/local/ssl/includes -DOTP_MODULE_NAME=rlm_otp -DFREERADIUS /usr/local/ssl/includes -c cryptocard.c -o cryptocard.o
gcc: cannot specify -o with -c or -S and multiple compilations
gmake[5]: *** [cryptocard.o] Error 1

If I make some of the remaining dirs in the modules dir, it compiles those. I have not tried all the remaining dirs yet. However, I can not get the rlm_otp dir to compile.

Thank you for your assistance,
Drew Dupont

--
Drew S. Dupont [EMAIL PROTECTED]
AIM: NetWhizOne   FWD #: 271144   YIM: dsdupont
--
Compiling FR 1.1.0
Tested with FBSD 4.11: error with rlm_attr_rewrite... After removing the folder... then error with rlm_otp:

###
Making all in cardops ...
gmake[6]: Entering directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp/cardops'
gcc -g -O2 -pthread -D_THREAD_SAFE -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../../../include -DOTP_MODULE_NAME="rlm_otp" -DFREERADIUS -c cryptocard.c -o cryptocard.o
In file included from /usr/include/openssl/des.h:66,
                 from ../otp.h:32,
                 from cryptocard.c:26:
/usr/include/openssl/opensslconf.h:177: warning: `OPENSSL_NO_KRB5' redefined
*Initialization*:1: warning: this is the location of the previous definition
cryptocard.c: In function `cryptocard_updatecsd':
cryptocard.c:230: syntax error before `PRIx32'
cryptocard.c: In function `cryptocard_isconsecutive':
cryptocard.c:255: syntax error before `SCNx32'
cryptocard.c:252: warning: unused variable `nextewin'
cryptocard.c: At top level:
cryptocard.c:260: syntax error before `++'
cryptocard.c:58: warning: `cryptocard_name2fm' defined but not used
cryptocard.c:78: warning: `cryptocard_keystring2keyblock' defined but not used
cryptocard.c:110: warning: `cryptocard_nullstate' defined but not used
cryptocard.c:139: warning: `cryptocard_challenge' defined but not used
cryptocard.c:184: warning: `cryptocard_response' defined but not used
cryptocard.c:226: warning: `cryptocard_updatecsd' defined but not used
cryptocard.c:251: warning: `cryptocard_isconsecutive' defined but not used
cryptocard.h:59: warning: `cryptocard_maxtwin' declared `static' but never defined
cryptocard.h:62: warning: `cryptocard_printchallenge' declared `static' but never defined
gmake[6]: *** [cryptocard.o] Error 1
gmake[6]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp/cardops'
gmake[5]: *** [cardops/cryptocard.lo] Error 2
gmake[5]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake: *** [common] Error 2
*** Error code 2
###

Tested with FBSD 6.0... OK with rlm_attr_rewrite, but a problem with rlm_otp, different from FBSD 4.11:

#
otp_state.c: In function `otp_state_connect':
otp_state.c:482: error: storage size of 'sa' isn't known
otp_state.c:482: warning: unused variable `sa'
gmake[5]: *** [otp_state.o] Error 1
gmake[5]: Leaving directory `/var/src/freeradius-1.1.0/src/modules/rlm_otp'
gmake[4]: *** [common] Error 2
gmake[4]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[3]: *** [all] Error 2
gmake[3]: Leaving directory `/var/src/freeradius-1.1.0/src/modules'
gmake[2]: *** [common] Error 2
gmake[2]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake[1]: *** [all] Error 2
gmake[1]: Leaving directory `/var/src/freeradius-1.1.0/src'
gmake: *** [common] Error 2
*** Error code 2
##

--haizam
Cannot authenticate but there is accounting record
Hi, I've found unusual activity where there is an attempt to authenticate, but it is unsuccessful due to no entry in the database (LDAP), and yet there is an accounting record for it. Below are the log and accounting record. Any comments on this? TQ.

Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [assasaas] (from client 61.6.116.2 port 143)

Fri Oct 21 22:03:08 2005
	Acct-Session-Id = "0026190D"
	Framed-Protocol = PPP
	Framed-IP-Address = 61.6.116.27
	User-Name = "assasaas"
	Acct-Authentic = RADIUS
	Acct-Session-Time = 7
	Acct-Input-Octets = 762
	Acct-Output-Octets = 494
	Acct-Input-Packets = 16
	Acct-Output-Packets = 15
	Acct-Terminate-Cause = User-Error
	Acct-Status-Type = Stop
	Called-Station-Id = "20878830"
	NAS-Port-Type = Async
	NAS-Port = 143
	Connect-Info = "28800 V34/V42bis/LAPM"
	Service-Type = Framed-User
	NAS-IP-Address = 61.6.116.2
	Acct-Delay-Time = 0
	Client-IP-Address = 61.6.116.2
	Acct-Unique-Session-Id = "62a6e1512da039e2"
	Stripped-User-Name = "assasaas"
	Realm = "NULL"
	Timestamp = 1129903388
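A defender's check for exactly this situation, added here as an example (not code from the post or from FreeRADIUS): it parses radius.log and a detail file and flags accounting Stop records for a user/NAS/port that never received a "Login OK". The sample input is constructed from the two records above plus one made-up accepted login ("bacang") as a control case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the "assasaas" pair is taken from the post, the "bacang"
# pair is made up as a control case that was properly accepted before its Stop.
AUTH_LOG = """\
Fri Oct 21 22:03:06 2005 : Auth: Login incorrect (rlm_ldap: User not found): [assasaas] (from client 61.6.116.2 port 143)
Fri Oct 21 22:05:10 2005 : Auth: Login OK: [bacang] (from client 61.6.116.2 port 144)
"""

DETAIL = """\
Fri Oct 21 22:03:08 2005
\tAcct-Session-Id = "0026190D"
\tUser-Name = "assasaas"
\tAcct-Authentic = RADIUS
\tAcct-Session-Time = 7
\tAcct-Terminate-Cause = User-Error
\tAcct-Status-Type = Stop
\tNAS-Port = 143
\tNAS-IP-Address = 61.6.116.2

Fri Oct 21 22:05:40 2005
\tAcct-Session-Id = "0026190E"
\tUser-Name = "bacang"
\tAcct-Authentic = RADIUS
\tAcct-Session-Time = 25
\tAcct-Terminate-Cause = User-Request
\tAcct-Status-Type = Stop
\tNAS-Port = 144
\tNAS-IP-Address = 61.6.116.2
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: (?P<result>Login OK|Login incorrect)"
    r".*?\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port (?P<port>\d+)\)"
)


def parse_auth_log(text):
    """One dict per Auth: line: when, whether it was an accept, and which user/NAS/port."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], TS_FORMAT),
                "ok": m["result"] == "Login OK",
                "key": (m["user"], m["nas"], m["port"]),
            })
    return events


def parse_detail(text):
    """One dict per detail record: the header timestamp plus every 'attribute = value' line."""
    records = []
    for block in text.strip().split("\n\n"):
        header, *attrs = block.splitlines()
        rec = {"ts": datetime.strptime(header.strip(), TS_FORMAT)}
        for line in attrs:
            name, _, value = line.strip().partition(" = ")
            rec[name] = value.strip('"')
        records.append(rec)
    return records


def orphan_stops(auth_events, records, window=timedelta(minutes=10)):
    """Accounting Stops for a user/NAS/port with no 'Login OK' in the preceding window.
    Such a Stop means the NAS ran (and may bill) a session the server never authorised;
    in the post the NAS kept the call up for 7 seconds and then reported User-Error."""
    flagged = []
    for rec in records:
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        key = (rec["User-Name"], rec["NAS-IP-Address"], rec["NAS-Port"])
        accepted = any(
            ev["ok"] and ev["key"] == key and rec["ts"] - window <= ev["ts"] <= rec["ts"]
            for ev in auth_events
        )
        if not accepted:
            flagged.append({
                "user": rec["User-Name"],
                "session": rec["Acct-Session-Id"],
                "cause": rec.get("Acct-Terminate-Cause", "unknown"),
                "seconds": int(rec.get("Acct-Session-Time", 0)),
            })
    return flagged


if __name__ == "__main__":
    for hit in orphan_stops(parse_auth_log(AUTH_LOG), parse_detail(DETAIL)):
        print(hit)
```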
Re: Segmentation Fault - 1.0.5
Dear all, configure with --disable-shared... cleaned old files... and still core dump.. gdb /usr/local/sbin/radiusd /usr/local/etc/raddb/radiusd.core GNU gdb 4.18 (FreeBSD) Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions. There is absolutely no warranty for GDB. Type show warranty for details. This GDB was configured as i386-unknown-freebsd...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf Core was generated by `radiusd'. Program terminated with signal 11, Segmentation fault. Reading symbols from /usr/lib/libssl.so.3...done. Reading symbols from /usr/lib/libcrypto.so.3...done. Reading symbols from /usr/local/lib/libgdbm.so.3...done. Reading symbols from /usr/lib/libpam.so.1...done. Reading symbols from /usr/lib/libcrypt.so.2...done. Reading symbols from /usr/local/lib/mysql/libmysqlclient.so.14...done. Reading symbols from /usr/lib/libm.so.2...done. Reading symbols from /usr/lib/libz.so.2...done. Reading symbols from /usr/lib/libcipher.so.2...done. Reading symbols from /usr/lib/libc_r.so.4...done. Reading symbols from /usr/libexec/ld-elf.so.1...done. 
#0 0x808e23e in lt_dlsym (handle=0x812ae40, symbol=0xbfbfe660 rlm_ldap) at ltdl.c:3330 3330 lensym = LT_STRLEN (symbol) + LT_STRLEN (handle-loader-sym_prefix) (gdb) bt #0 0x808e23e in lt_dlsym (handle=0x812ae40, symbol=0xbfbfe660 rlm_ldap) at ltdl.c:3330 #1 0x8057fd4 in linkto_module (module_name=0xbfbfe7b0 rlm_ldap, cffilename=0x80932e7 radiusd.conf, cflineno=732) at modules.c:230 #2 0x805822a in find_module_instance (instname=0x80f31e0 ldap1) at modules.c:347 #3 0x8059416 in do_compile_modsingle (component=0, ci=0x80f2340, filename=0x80932e7 radiusd.conf, grouptype=1, modname=0xbfbfe948) at modcall.c:814 #4 0x80595dc in do_compile_modgroup (component=0, cs=0x80f2320, filename=0x80932e7 radiusd.conf, grouptype=1, parentgrouptype=0) at modcall.c:877 #5 0x80592fe in do_compile_modsingle (component=0, ci=0x80f2320, filename=0x80932e7 radiusd.conf, grouptype=0, modname=0xbfbfe9fc) at modcall.c:786 #6 0x805956f in do_compile_modgroup (component=0, cs=0x80f2300, filename=0x80932e7 radiusd.conf, grouptype=0, parentgrouptype=0) at modcall.c:859 #7 0x8059676 in compile_modgroup (component=0, cs=0x80f2300, filename=0x80932e7 radiusd.conf) at modcall.c:898 #8 0x8058471 in load_subcomponent_section (cs=0x80f2300, comp=0, filename=0x80932e7 radiusd.conf) at modules.c:483 #9 0x80585f0 in load_component_section (cs=0x80f2200, comp=0, filename=0x80932e7 radiusd.conf) at modules.c:546 #10 0x8058acd in setup_modules () at modules.c:858 #11 0x8050864 in main (argc=4, argv=0xbfbffc28) at radiusd.c:960 --haizam - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, September 30, 2005 23:01 Subject: Re: Segmentation Fault - 1.0.5 Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: cleaning up old files... recompile... and still segmentation fault... but worse than before.. since the daemon cannot even up.. seems problem with rlm_ldap... That's bug #98. 
Either link statically, or put the libraries rlm_ldap needs in a place where the dynamic linker can find them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation Fault - 1.0.5
dynamic linker can find ldap lib... since within directory /usr/local/lib.. 133:-lldap.2 = /usr/local/lib/libldap.so.2 134:-lldap_r.2 = /usr/local/lib/libldap_r.so.2 so last option will be ./configure --disable-shared --haizam - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, September 30, 2005 23:01 Subject: Re: Segmentation Fault - 1.0.5 Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: cleaning up old files... recompile... and still segmentation fault... but worse than before.. since the daemon cannot even up.. seems problem with rlm_ldap... That's bug #98. Either link statically, or put the libraries rlm_ldap needs in a place where the dynamic linker can find them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation Fault - 1.0.5
cleaning up old files... recompile... and still segmentation fault... but worse than before.. since the daemon cannot even up.. seems problem with rlm_ldap... ### bash-2.05b# gdb /usr/local/sbin/radiusd /usr/local/etc/raddb/radiusd.core GNU gdb 4.18 (FreeBSD) Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions. There is absolutely no warranty for GDB. Type show warranty for details. This GDB was configured as i386-unknown-freebsd...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf Core was generated by `radiusd'. Program terminated with signal 11, Segmentation fault. Reading symbols from /usr/lib/libcrypt.so.2...done. Reading symbols from /usr/lib/libcipher.so.2...done. Reading symbols from /usr/local/lib/libradius-1.0.5.so...done. Reading symbols from /usr/local/lib/libltdl.so.4...done. Reading symbols from /usr/lib/libssl.so.3...done. Reading symbols from /usr/lib/libcrypto.so.3...done. Reading symbols from /usr/lib/libc_r.so.4...done. Reading symbols from /usr/lib/libc.so.4...done. Reading symbols from /usr/local/lib/rlm_exec-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_expr-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_pap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_chap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_mschap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_unix-1.0.5.so...done. Reading symbols from /usr/libexec/ld-elf.so.1...done. 
#0 0x280c4172 in lt_dlsym (handle=0x80de0c0, symbol=0xbfbfe630 rlm_ldap) at ltdl.c:3330 3330 lensym = LT_STRLEN (symbol) + LT_STRLEN (handle-loader-sym_prefix) (gdb) bt #0 0x280c4172 in lt_dlsym (handle=0x80de0c0, symbol=0xbfbfe630 rlm_ldap) at ltdl.c:3330 #1 0x8053fb0 in linkto_module (module_name=0xbfbfe780 rlm_ldap, cffilename=0x805e5e7 radiusd.conf, cflineno=732) at modules.c:230 #2 0x8054206 in find_module_instance (instname=0x80a61e0 ldap1) at modules.c:347 #3 0x80553f2 in do_compile_modsingle (component=0, ci=0x80a5340, filename=0x805e5e7 radiusd.conf, grouptype=1, modname=0xbfbfe918) at modcall.c:814 #4 0x80555b8 in do_compile_modgroup (component=0, cs=0x80a5320, filename=0x805e5e7 radiusd.conf, grouptype=1, parentgrouptype=0) at modcall.c:877 #5 0x80552da in do_compile_modsingle (component=0, ci=0x80a5320, filename=0x805e5e7 radiusd.conf, grouptype=0, modname=0xbfbfe9cc) at modcall.c:786 #6 0x805554b in do_compile_modgroup (component=0, cs=0x80a5300, filename=0x805e5e7 radiusd.conf, grouptype=0, parentgrouptype=0) at modcall.c:859 #7 0x8055652 in compile_modgroup (component=0, cs=0x80a5300, filename=0x805e5e7 radiusd.conf) at modcall.c:898 #8 0x805444d in load_subcomponent_section (cs=0x80a5300, comp=0, filename=0x805e5e7 radiusd.conf) at modules.c:483 #9 0x80545cc in load_component_section (cs=0x80a5200, comp=0, filename=0x805e5e7 radiusd.conf) at modules.c:546 #10 0x8054aa9 in setup_modules () at modules.c:858 #11 0x804c840 in main (argc=4, argv=0xbfbffbf0) at radiusd.c:960 (gdb) - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, September 30, 2005 10:27 Subject: Re: Segmentation Fault Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: Is there a way to remove all old modules ? or just simply delete the lib files... No just deleting the old files should be OK. Do we need to recompile again after cleaning it up... or just make install again..? 
If you install to a completely different directory, and se that directory via configure --prefix=..., then everything should work. It's only installing multiple versions of the server on top of each other that causes problems. My suggestion there is to delete the old files, and *then* compile * reinstall. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Segmentation Fault
I've been upgrading a few times.. but this is the one that need cleaning old version before installing new one.. Is there a way to remove all old modules ? or just simply delete the lib files... Do we need to recompile again after cleaning it up... or just make install again..? - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, September 30, 2005 04:53 Subject: Re: Segmentation Fault Linda Pagillo [EMAIL PROTECTED] wrote: I just installed the newest version of Freeradius (1.0.5) on my Linux Redhat 9 server. All went well except this... when i start the radius in debug mode.. all starts fine, but when the first user tries to authenticate, i get a Segmentation Fault and the radius stops. Any ideas? See doc/bugs Also, ensure that you *don't* have an older version of FreeRADIUS installed on the same box. Using old modules with a new server may cause problems. Alan Dekok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Bus error - core dumped on freeradius 1.0.5
So.. do i need to upgrade to 5.X in order to use FR 1.0.5 ?? --haizam - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, September 23, 2005 02:29 Subject: Re: Bus error - core dumped on freeradius 1.0.5 Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: So seems the problem happen only to FreeBSD 4.X.. not to all FreeBSD.. Sounds to me like a problem with FreeBSD. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Installing FR 1.05
Install mysql (client or server) first.. then recompile the freeradius it will build with mysql module.. --haizam - Original Message - From: Bill Neely [EMAIL PROTECTED] To: freeradius-users@lists.freeradius.org Sent: Sunday, September 25, 2005 00:31 Subject: Re: Installing FR 1.05 In the modules directory, there is a sub directory called rlm_sql. Does that mean that the module got built? -- 1-888-217-5498 Quoting Duane Cox [EMAIL PROTECTED]: During the configure/make process, was the module actually built? If not, then you are missing the mysql driver stuff. - Original Message - From: Bill Neely To: freeradius-users@lists.freeradius.org Sent: Friday, September 23, 2005 7:28 PM Subject: Installing FR 1.05 Am installing Free Radius 1.0.5 on Free BSD 5.4 OS Installation went alright, but when I fire it up, it fails to load the sql module. Here is the radiusd -x string: radiusd -x Starting - reading configuration files ... Module: Loaded exec rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP Module: Instantiated mschap (mschap) Module: Loaded System Module: Instantiated unix (unix) Module: Loaded eap rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap rlm_eap: Loaded and initialized type gtc rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess Module: Instantiated preprocess (preprocess) Module: Loaded realm Module: Instantiated realm (suffix) Module: Loaded files Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id Module: Instantiated acct_unique (acct_unique) Module: Loaded detail Module: Instantiated detail (detail) Module: Loaded radutmp Module: Instantiated radutmp (radutmp) Initializing the thread pool... 
Listening on authentication *:1645 Listening on accounting *:1646 Ready to process requests. In radiusd.conf, I have $INCLUDE ${confdir}/sql.conf What else do I need to do? Bill - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This message was sent using http://newwebmail.gct21.net - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Bus error - core dumped on freeradius 1.0.5
Dear all, anyone having similar problem... when using 1.0.5 with FB 4.11 ?? Any finding on this.? I'm still having problem upgrading... on my 4.11 machine.. thanks.. --haizam - Original Message - From: Rohaizam Abu Bakar [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, September 20, 2005 08:48 Subject: Re: Bus error - core dumped on freeradius 1.0.5 Yes.. version 1.0.5.. previous version of 1.0.4 working fine... --haizam - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, September 20, 2005 01:29 Subject: Re: Bus error - core dumped on freeradius 1.0.5 Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: #0 pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172 172 if (*first == NULL) { The value of first is suspicious. It looks like it's from explicitely uninitialized memory. #1 0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) at rlm_ldap.c:1243 Are you using 1.0.5? The code isn't at that line number in my version of 1.0.5. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Bus error - core dumped on freeradius 1.0.5
OS: FreeBSD 4.11p10 FR: 1.0.5 As requested.. bash-2.05b# gdb /usr/local/sbin/radiusd /usr/local/etc/raddb/radiusd.core GNU gdb 4.18 (FreeBSD) Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions. There is absolutely no warranty for GDB. Type show warranty for details. This GDB was configured as i386-unknown-freebsd...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf Core was generated by `radiusd'. Program terminated with signal 10, Bus error. Reading symbols from /usr/lib/libcrypt.so.2...done. Reading symbols from /usr/lib/libcipher.so.2...done. Reading symbols from /usr/local/lib/libradius-1.0.5.so...done. Reading symbols from /usr/local/lib/libltdl.so.4...done. Reading symbols from /usr/local/lib/libssl.so.3...done. Reading symbols from /usr/local/lib/libcrypto.so.3...done. Reading symbols from /usr/lib/libc_r.so.4...done. Reading symbols from /usr/lib/libc.so.4...done. Reading symbols from /usr/lib/libssl.so.3...done. Reading symbols from /usr/lib/libcrypto.so.3...done. Reading symbols from /usr/local/lib/rlm_exec-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_expr-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_pap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_chap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_mschap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_unix-1.0.5.so...done. Reading symbols from /usr/local/lib/liblber.so...done. Reading symbols from /usr/local/lib/rlm_ldap-1.0.4.so...done. Reading symbols from /usr/local/lib/libldap_r.so.2...done. Reading symbols from /usr/lib/libssl.so.2...done. 
Reading symbols from /usr/lib/libcrypto.so.2...done. Reading symbols from /usr/local/lib/libeap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_eap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_eap_md5-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_eap_leap-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_eap_gtc-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_eap_mschapv2-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_preprocess-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_realm-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_files-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_acct_unique-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_detail-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_radutmp-1.0.5.so...done. Reading symbols from /usr/local/lib/rlm_sql-1.0.5.so...done. Reading symbols from /usr/lib/libz.so...done. Reading symbols from /usr/lib/libm.so...done. ---Type return to continue, or q return to quit--- Reading symbols from /usr/local/lib/mysql/libmysqlclient.so...done. Reading symbols from /usr/local/lib/rlm_sql_mysql-1.0.5.so...done. Reading symbols from /usr/libexec/ld-elf.so.1...done. 
#0 pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172 172 if (*first == NULL) { (gdb) bt #0 pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172 #1 0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) at rlm_ldap.c:1243 #2 0x8054e91 in call_modsingle (component=1, sp=0x818ecc0, request=0x819de00, default_result=6) at modcall.c:219 #3 0x8055088 in modcall (component=1, c=0x818ecc0, request=0x819de00) at modcall.c:344 #4 0x8054f4f in call_modgroup (component=1, g=0x818ec80, request=0x819de00, default_result=6) at modcall.c:252 #5 0x8055031 in modcall (component=1, c=0x818ec80, request=0x819de00) at modcall.c:335 #6 0x8054f4f in call_modgroup (component=1, g=0x818e980, request=0x819de00, default_result=6) at modcall.c:252 #7 0x8055031 in modcall (component=1, c=0x818e980, request=0x819de00) at modcall.c:335 #8 0x8054426 in indexed_modcall (comp=1, idx=0, request=0x819de00) at modules.c:469 #9 0x8054b16 in module_authorize (autz_type=0, request=0x819de00) at modules.c:883 #10 0x8051c23 in rad_authenticate (request=0x819de00) at auth.c:592 #11 0x804d25c in rad_respond (request=0x819de00, fun=0x8051ac4 rad_authenticate) at radiusd.c:1642 #12 0x804cfa6 in main (argc=4, argv=0xbfbffbe4) at radiusd.c:1427 - Original Message - From: Nicolas Baradakis [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Thursday, September 15, 2005 22:11 Subject: Re: Bus error - core dumped on freeradius 1.0.5 Rohaizam Abu Bakar wrote: OS: FreeBSD4.11 p10 Freeradius: 1.0.5 from 1.0.4 - compilation OK.. but still to patch rlm_rewrite just like 1.0.4 - starting radiusd seems fine - but when trying to authenticate
Re: Bus error - core dumped on freeradius 1.0.5
Yes.. version 1.0.5.. previous version of 1.0.4 working fine... --haizam - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, September 20, 2005 01:29 Subject: Re: Bus error - core dumped on freeradius 1.0.5 Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: #0 pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172 172 if (*first == NULL) { The value of first is suspicious. It looks like it's from explicitely uninitialized memory. #1 0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) at rlm_ldap.c:1243 Are you using 1.0.5? The code isn't at that line number in my version of 1.0.5. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Bus error - core dumped on freeradius 1.0.5
testing in one of my FreeBSD 5.3 machine... 1.0.5 seems working with same configuration as below tested in FreeBSD 4.11 So seems the problem happen only to FreeBSD 4.X.. not to all FreeBSD.. --haizam - Original Message - From: Rohaizam Abu Bakar [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, September 20, 2005 08:48 Subject: Re: Bus error - core dumped on freeradius 1.0.5 Yes.. version 1.0.5.. previous version of 1.0.4 working fine... --haizam - Original Message - From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, September 20, 2005 01:29 Subject: Re: Bus error - core dumped on freeradius 1.0.5 Rohaizam Abu Bakar [EMAIL PROTECTED] wrote: #0 pairadd (first=0xdeadbf27, add=0x81c8c00) at valuepair.c:172 172 if (*first == NULL) { The value of first is suspicious. It looks like it's from explicitely uninitialized memory. #1 0x2847db1c in ldap_authorize (instance=0x8096600, request=0x819de00) at rlm_ldap.c:1243 Are you using 1.0.5? The code isn't at that line number in my version of 1.0.5. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bus error - core dumped on freeradius 1.0.5
OS: FreeBSD 4.11 p10
Freeradius: 1.0.5 from 1.0.4

- compilation OK, but still have to patch rlm_rewrite just like 1.0.4
- starting radiusd seems fine
- but when trying to authenticate, it core dumps, as in the debug log below:

Ready to process requests.
rad_recv: Access-Request packet from host 192.228.137.77:34496, id=17, length=46
	User-Name = bacang
	User-Password = x
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '/' in User-Name = bacang, skipping NULL due to config.
  modcall[authorize]: module IPASS returns noop for request 0
    rlm_realm: No '@' in User-Name = bacang, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = bacang
    rlm_realm: Proxying request from user bacang to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 102
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for LDAP
radius_xlat: '(uid=bacang)'
radius_xlat: 'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Sysadmin,ou=Applications,dc=jaring,dc=my/kh4l1f4h to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=bacang)
Bus error (core dumped)

##

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, September 14, 2005 23:29
Subject: Re: FreeRADIUS 1.0.5 has been released

M.McNeil [EMAIL PROTECTED] wrote:

Does version 1.0.5 address/resolve the issues with EAP/LEAP authentication when using FreeRadius with Cisco wireless gear? i.e. Cisco's WLSE and wireless access points.

No. You still need another patch. That patch breaks LEAP for every other access point. If there is a way to make FreeRADIUS work *everywhere*, then that patch can be added in. Otherwise, it's not nice to break interoperation with every other access point in order to make one work.

Alan DeKok.
Acct-Session-Id too long
Dear all,

FreeRADIUS 1.0.4

I'm using mysql to store accounting, especially to check simultaneous-use. But in one case, as below, I received a long Acct-Session-Id which cannot fit into mysql, and there is a problem updating the Stop record. Should I change the column size from char32 to a reasonable value? Pls advise. Thanks.

Acct-Session-Id = erx atm 2/3.10601218:60.1218:0165889995

+--------------+----------------------------------+------------------+---------------------+-------------+
| nasipaddress | AcctSessionId                    | AcctUniqueId     | acctstoptime        | nasporttype |
+--------------+----------------------------------+------------------+---------------------+-------------+
| 61.6.191.247 | erx atm 2/3.10601218:60.1218:016 | ebe88dbb3457c826 | 2005-08-22 10:32:52 | xDSL        |
+--------------+----------------------------------+------------------+---------------------+-------------+
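What the truncation does to the Stop update, as an added example (not code from the post or from FreeRADIUS): a non-strict MySQL server silently stores the first 32 characters, so a Stop update keyed on the full Acct-Session-Id never matches and the session stays open for the simultaneous-use count, while a key on AcctUniqueId still works. The table is an in-memory sqlite stand-in with the truncation applied explicitly; the user name, NAS address and stop time are constructed.

```python
import sqlite3

# Values from the post: the NAS sent a 39-character Acct-Session-Id, but the
# radacct.AcctSessionId column is char(32). User, NAS and stop time are constructed.
SESSION_ID = "erx atm 2/3.10601218:60.1218:0165889995"
UNIQUE_ID = "ebe88dbb3457c826"   # Acct-Unique-Session-Id from rlm_acct_unique, 16 hex chars
COLUMN_WIDTH = 32


def truncate(value, width=COLUMN_WIDTH):
    """Emulate a non-strict MySQL 4.x server silently cutting a value to the column width."""
    return value[:width]


def new_radacct():
    """In-memory stand-in for the radacct table, reduced to the columns this example needs."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (AcctSessionId TEXT, AcctUniqueId TEXT, UserName TEXT,"
        " NASIPAddress TEXT, AcctStopTime INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def insert_start(db, session_id, unique_id, user, nas):
    """Accounting Start: store what MySQL would actually keep, i.e. the truncated id."""
    db.execute(
        "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, NASIPAddress)"
        " VALUES (?, ?, ?, ?)",
        (truncate(session_id), unique_id, user, nas),
    )


def stop_by_session_id(db, session_id, user, nas, stop_time):
    """Stop update keyed the way the stock 1.0.x sql.conf does it: AcctSessionId,
    UserName and NASIPAddress. Returns the number of rows updated."""
    cur = db.execute(
        "UPDATE radacct SET AcctStopTime = ? WHERE AcctSessionId = ? AND UserName = ?"
        " AND NASIPAddress = ? AND AcctStopTime = 0",
        (stop_time, session_id, user, nas),
    )
    return cur.rowcount


def stop_by_unique_id(db, unique_id, stop_time):
    """Alternative Stop update keyed on AcctUniqueId, which always fits the column."""
    cur = db.execute(
        "UPDATE radacct SET AcctStopTime = ? WHERE AcctUniqueId = ? AND AcctStopTime = 0",
        (stop_time, unique_id),
    )
    return cur.rowcount


def open_sessions(db, user):
    """The same count a simultaneous-use check would see for this user."""
    row = db.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0", (user,)
    ).fetchone()
    return row[0]


def demo():
    db = new_radacct()
    insert_start(db, SESSION_ID, UNIQUE_ID, "user1", "61.6.191.247")
    # The Stop packet carries all 39 characters, the row holds 32: equality never matches.
    missed = stop_by_session_id(db, SESSION_ID, "user1", "61.6.191.247", 1124677972)
    still_open = open_sessions(db, "user1")      # 1: the session now looks permanently live
    hit = stop_by_unique_id(db, UNIQUE_ID, 1124677972)
    return missed, still_open, hit


if __name__ == "__main__":
    print(demo())   # (0, 1, 1)
```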
simultaneous check - MYSQL
Dear all,

FB: 4.11
FR: 1.0.4
mysql: 4.1

From the sql.conf file, I would like to add one more check for simultaneous use, i.e. NAS-Port-Type, with the changes as below. Seems working. Just want confirmation regarding simul_verify_query: what exactly does this line do? I know it does verification, but for what purpose? Thanks.

# Simultaneous Use Checking Queries
###
# simul_count_query     - query for the number of current connections
#                       - If this is not defined, no simultaneous use checking
#                       - will be performed by this module instance
# simul_verify_query    - query to return details of current connections for verification
#                       - Leave blank or commented out to disable verification step
#                       - Note that the returned field order should not be changed.
###
# Uncomment simul_count_query to enable simultaneous use checking
# simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

##simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND NASPortType = '%{NAS-Port-Type}' AND AcctStopTime = 0"

##simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND NASPortType = '%{NAS-Port-Type}' AND AcctStopTime = 0"
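How the two queries fit together, as an added example (a model written for this post, not code from the post or from FreeRADIUS): simul_count_query only counts open rows; when the count reaches Simultaneous-Use, simul_verify_query returns each open session's details so the server can ask the NAS whether the session really still exists (checkrad), and rows the NAS no longer knows are stale and are not counted. The radacct rows, the user "bacang" and the session_alive callback standing in for checkrad are constructed.

```python
import sqlite3

# Constructed open sessions (AcctStopTime = 0) standing in for ${acct_table1}; the first
# eight columns are in the order simul_verify_query returns them.
COLUMNS = ("RadAcctId", "AcctSessionId", "UserName", "NASIPAddress", "NASPortId",
           "FramedIPAddress", "CallingStationId", "FramedProtocol", "NASPortType")
OPEN_SESSIONS = [
    (1, "0026190D", "bacang", "61.6.116.2", 143, "61.6.116.27", "0388881111", "PPP", "Async"),
    (2, "0026190E", "bacang", "61.6.116.2", 144, "61.6.116.28", "0388881111", "PPP", "Async"),
    (3, "0041AA01", "bacang", "61.6.191.247", 7, "61.6.116.50", "", "PPP", "xDSL"),
]

# The poster's two queries, with %{SQL-User-Name} and %{NAS-Port-Type} as bind parameters.
SIMUL_COUNT_QUERY = ("SELECT COUNT(*) FROM radacct WHERE UserName = ? AND NASPortType = ?"
                     " AND AcctStopTime = 0")
SIMUL_VERIFY_QUERY = ("SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId,"
                      " FramedIPAddress, CallingStationId, FramedProtocol FROM radacct"
                      " WHERE UserName = ? AND NASPortType = ? AND AcctStopTime = 0")


def load_table():
    """In-memory sqlite stand-in for the accounting table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (%s, AcctStopTime INTEGER NOT NULL DEFAULT 0)"
               % ", ".join(COLUMNS))
    db.executemany("INSERT INTO radacct (%s) VALUES (%s)"
                   % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS))), OPEN_SESSIONS)
    return db


def check_simul(db, user, port_type, simultaneous_use, session_alive):
    """Simultaneous-use decision as modelled here from rlm_sql's behaviour:
    1. simul_count_query counts open rows; below the limit the login is accepted at once.
    2. At or above the limit, simul_verify_query lists the open sessions and each one is
       checked against the NAS (session_alive stands in for checkrad). Rows the NAS does
       not confirm are stale (their Stop never arrived) and are not counted.
    Returns (decision, stale_rows)."""
    (count,) = db.execute(SIMUL_COUNT_QUERY, (user, port_type)).fetchone()
    if count < simultaneous_use:
        return "accept", []
    live, stale = [], []
    for row in db.execute(SIMUL_VERIFY_QUERY, (user, port_type)).fetchall():
        rec = dict(zip(COLUMNS[:8], row))
        (live if session_alive(rec) else stale).append(rec)
    if len(live) < simultaneous_use:
        return "accept", stale
    return "reject", stale


def nas_knows_only(*session_ids):
    """Stand-in for checkrad: the NAS confirms only the listed sessions."""
    return lambda rec: rec["AcctSessionId"] in session_ids


def demo():
    db = load_table()
    # Two open Async rows against Simultaneous-Use = 1: rejected while the NAS confirms both ...
    strict, _ = check_simul(db, "bacang", "Async", 1, nas_knows_only("0026190D", "0026190E"))
    # ... but accepted once verification shows both rows are stale.
    lenient, stale = check_simul(db, "bacang", "Async", 1, nas_knows_only())
    # The xDSL side is counted separately: one open row against a limit of 2 needs no verification.
    xdsl, _ = check_simul(db, "bacang", "xDSL", 2, nas_knows_only())
    return strict, lenient, len(stale), xdsl


if __name__ == "__main__":
    print(demo())   # ('reject', 'accept', 2, 'accept')
```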
Using RADIUS for content filtering.
Dear all, I've given one assignment to create some sort of tunneling to cache server (netcache) to do some content filtering when browsing. There will be 2 cache-server. One passing all traffic another one will do content filtering.. When user subscribe to this service (for their children maybe).. When user doing authentication, what should i include in the profile for the traffic to be diverted to cache server that do the filtering? Is it possible to use below? Or pls suggest suitable method.. Login-Service: TCP-ClearLogin-IP-Host: 10.1.1.1Service-Type: Login-UserLogin-TCP-Port: 80 I've heart about method L2TP tunnelling with ERX/SDX (juniper) .. But that seems costly... thanks.. --haizam - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
clash between group LDAP
Dear all,

I've an LDAP tree structure as below, to separate ADSL & DIALUP. But I encounter one problem: when userA = userB, LDAP will find userA's account although it is userB that actually logs in. This may be due to the DEFAULT sequence in the users file. Any idea to solve this? Thanks.

              ou=AAA
                |
        -----------------
        |               |
     ou=ADSL        ou=DIALUP

dn: uid=userA,ou=ADSL,ou=AAA
...
serviceflag: ADSL

dn: uid=userB,ou=DIALUP,ou=AAA
...
serviceflag: DIALUP

Users:

DEFAULT ldapadsl-Ldap-Group == ADSL, Autz-Type := ADSL, Auth-Type := ADSL
DEFAULT ldapdialup-Ldap-Group == DIALUP, Autz-Type := DIALUP, Auth-Type := DIALUP

radiusd.conf:

ldap ldapadsl {
    basedn = ou=ADSL,ou=AAA,ou=People,dc=jaring,dc=my
    groupname_attribute = serviceflag
}
ldap ldapdialup {
    basedn = ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my
    groupname_attribute = serviceflag
}

authorize {
    Autz-Type ADSL {
        ldapadsl
    }
    Autz-Type DIALUP {
        ldapdialup
    }
}

authenticate {
    Auth-Type ADSL {
        ldapadsl
    }
    Auth-Type DIALUP {
        ldapdialup
    }
}
Re: grouping services - LDAP
I've read the doc, did it exactly as suggested and it's working. Thanx!!

--haizam

- Original Message -
From: Dusty Doris [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, July 20, 2005 21:18
Subject: Re: grouping services - LDAP

On Wed, 20 Jul 2005, Rohaizam Abu Bakar wrote:

Hi all, Using Freeradius 1.0.4 (FB 4.11). I want to group between dialup & adsl; refer to the users file below. If Ldap-Group == ADSL is found, it should authenticate/authorize by ldapadsl, and if not found, assuming a dialup user, it should authenticate/authorize by ldap1/ldap2 (DIALUP). But the problem, referring to the debug log, is that it doesn't matter whether Ldap-Group=ADSL is found or not, it still checks at both ldap1/ldap2 & ldapadsl, i.e. checking the adslAccess & dialupAccess attributes. What I want is this: if Ldap-Group == ADSL is found, it should be handled by ldapadsl and not check ldap1/ldap2, and the same goes when not found, it will be handled by ldap1/ldap2 and not check ldapadsl. Anyone can help? Thanks.

Try using Autz-Type as well, there is some documentation on it in the doc dir. It might look something like this.

DEFAULT Ldap-Group == ADSL, Autz-Type := ADSL, Auth-Type := ADSL
DEFAULT Autz-Type := LDAP, Auth-Type := LDAP

#
authorize {
    Autz-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }
    Autz-Type ADSL {
        ldapadsl
    }
}
grouping services - LDAP
Hi all,

Using Freeradius 1.0.4 (FB 4.11). I want to group between dialup and adsl; refer to the users file below. If Ldap-Group == ADSL is found, it should authenticate/authorize by "ldapadsl", and if not found, assuming a dialup user, it should authenticate/authorize by "ldap1/ldap2" (DIALUP).

But the problem, referring to the debug log: it doesn't matter whether Ldap-Group=ADSL is found or not, it still checks at both ldap1/ldap2 and ldapadsl, i.e. checking the "adslAccess" and "dialupAccess" attributes.

What I want is that if Ldap-Group == ADSL is found, it should be handled by "ldapadsl" and not check "ldap1/ldap2", and the same goes when not found: it will be handled by "ldap1/ldap2" and not check "ldapadsl".

Anyone can help? Thanks

--haizam

    ## users file:
    DEFAULT Ldap-Group == "ADSL", Auth-Type := ADSL
    DEFAULT Auth-Type := LDAP
    ###

Debug:-

    rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (&(jaringConnectionType=ADSL)(&(uid=organza)(objectclass=radiusprofile)))
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Group ADSL not found or user is not a member.
    users: Matched entry DEFAULT at line 147.
    .
    .
    rlm_ldap: checking if remote access for organza is allowed by dialupAccess
    .
    ..
    rlm_ldap: no adslAccess attribute - access denied by default

    authenticate {
        Auth-Type LDAP {
            redundant {
                ldap1
                ldap2
            }
        }
        Auth-Type ADSL {
            ldapadsl
        }
    }
    #
    authorize {
        redundant {
            ldap1
            ldap2
        }
        ldapadsl
    }
    #
    ldap ldap1 {
        server = "10.1.1.1"
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        access_attr = "dialupAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
    }
    ldap ldap2 {
        server = "10.1.1.2"
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        access_attr = "dialupAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
    }
    ldap ldapadsl {
        server = "10.1.1.3"
        basedn = "ou=ADSL,ou=People,dc=jaring,dc=my"
        access_attr = "adslAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
    }
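The two threads above (the ou=ADSL / ou=DIALUP question and Dusty's Autz-Type answer) both depend on how rlm_files walks the users file: entries are tried top to bottom, every check item of an entry must pass, and the first entry that passes decides Autz-Type / Auth-Type. The following Python simulation is an added example written for this page, not FreeRADIUS code and not anything the posters ran. It parses the two DEFAULT lines posted above and stands in for rlm_ldap's Ldap-Group check with a constructed in-memory directory; the instance name prefix (`ldapadsl-Ldap-Group`) selects which basedn is searched. The directory also contains a constructed uid `same` present under both subtrees to reproduce the "userA = userB" case: because the membership filter is keyed only on uid, the first DEFAULT's check finds the ADSL entry and wins, whichever account actually logged in.

```python
"""Added example: how rlm_files walks the users file (simulation, not FreeRADIUS code)."""
from dataclasses import dataclass


@dataclass
class Entry:
    name: str      # "DEFAULT" or a literal user name
    checks: dict   # check items, e.g. {"ldapadsl-Ldap-Group": "ADSL"}
    control: dict  # ":=" items, e.g. {"Autz-Type": "ADSL", "Auth-Type": "ADSL"}


# Constructed directory contents, keyed by ldap module instance (i.e. its basedn)
# and uid.  The value is the groupname_attribute (serviceflag) of that entry.
# "same" is the collision case from the post: one uid present under both subtrees.
DIRECTORY = {
    "ldapadsl":   {"userA": "ADSL",   "same": "ADSL"},    # ou=ADSL,ou=AAA,...
    "ldapdialup": {"userB": "DIALUP", "same": "DIALUP"},  # ou=DIALUP,ou=AAA,...
}


def ldap_groupcmp(instance, uid, group):
    """Stand-in for rlm_ldap's ldap_groupcmp.  The lookup is keyed only on the
    uid (groupmembership_filter = (&(uid=...)(objectclass=radiusprofile))), so
    it cannot tell which subtree the user actually logged in against."""
    return DIRECTORY.get(instance, {}).get(uid) == group


def parse_users(text):
    """Parse the first line of each users-file entry: check items (==) and
    control items (:=).  Indented reply-item lines are not modelled here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        checks, control = {}, {}
        for item in rest.split(","):
            if ":=" in item:
                k, v = (s.strip() for s in item.split(":=", 1))
                control[k] = v.strip('"')
            elif "==" in item:
                k, v = (s.strip() for s in item.split("==", 1))
                checks[k] = v.strip('"')
        entries.append(Entry(name, checks, control))
    return entries


def first_match(entries, uid, request):
    """Return the control items of the first entry whose checks all pass, or None."""
    for e in entries:
        if e.name != "DEFAULT" and e.name != uid:
            continue
        ok = True
        for attr, want in e.checks.items():
            if attr.endswith("-Ldap-Group"):            # <instance>-Ldap-Group
                ok = ldap_groupcmp(attr[:-len("-Ldap-Group")], uid, want)
            else:                                        # ordinary request attribute
                ok = request.get(attr) == want
            if not ok:
                break
        if ok:
            return e.control
    return None


# The two DEFAULT entries exactly as posted in the ou=ADSL / ou=DIALUP question.
USERS_TWO_INSTANCES = """
DEFAULT ldapadsl-Ldap-Group == ADSL, Autz-Type := ADSL, Auth-Type := ADSL
DEFAULT ldapdialup-Ldap-Group == DIALUP, Autz-Type := DIALUP, Auth-Type := DIALUP
"""
ENTRIES = parse_users(USERS_TWO_INSTANCES)


def autz_type_for(uid, request=None):
    """Which Autz-Type the users file hands the request to, or None if no entry matches."""
    ctl = first_match(ENTRIES, uid, request or {})
    return ctl["Autz-Type"] if ctl else None


if __name__ == "__main__":
    for uid in ("userA", "userB", "same", "nobody"):
        print(f"{uid:7s} -> Autz-Type {autz_type_for(uid)}")
```

Running it prints ADSL for userA, DIALUP for userB, ADSL for the constructed colliding uid, and None when no entry matches. The simulation does not answer the poster's question; it only makes the ordering effect visible: with uid as the sole key, nothing in the first DEFAULT's check distinguishes the two accounts, so the order of the DEFAULT lines is what decides.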
Re: FreeRADIUS 1.0.4 has been released.
Not using ports... I'll try the patch. Thanks.

--haizam

- Original Message -
From: Andrew Thompson [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, June 20, 2005 11:30
Subject: Re: FreeRADIUS 1.0.4 has been released.

On Mon, Jun 20, 2005 at 11:20:19AM +0800, Rohaizam Abu Bakar wrote:

What is the function of rlm_attr_rewrite? Because I'm having the same problem compiling 1.0.3/1.0.4 on my FB 4.11 machine.

Are you using the port? Because that problem has been fixed. If not then you will want the patch in:

    net/freeradius/files/patch-src-modules-rlm_attr_rewrite-rlm_attr_rewrite.c

Andrew
Re: FreeRADIUS 1.0.4 has been released.
What is the function of rlm_attr_rewrite? Because I'm having the same problem compiling 1.0.3/1.0.4 on my FB 4.11 machine.

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, June 18, 2005 09:09
Subject: Re: FreeRADIUS 1.0.4 has been released.

Stephen D. Bechard [EMAIL PROTECTED] wrote:

I am still having difficulty building the freeradius on all of my FreeBSD Servers with the ports collection. Ok... I know there was a bug in the older versions with shared libraries, but I was hoping this version fixed it. Any insight would be greatly appreciated...

I don't recall specific problems with shared libraries. Can you be more specific?

Here are the errors I get when trying to build the port:

    In file included from rlm_attr_rewrite.c:31:
    /usr/include/regex.h:46: syntax error before `regoff_t'

That has nothing to do with shared libraries. It looks like the regular expression header files on your system are broken. 'regoff_t' is defined in regex.h on every other system.

If you're not going to use rlm_attr_rewrite, just delete the directory.

I would have hoped that the FreeBSD ports maintainer verified that the port worked before committing it to FreeBSD. If so, ask the port maintainer why it doesn't work on your system. I don't run FreeBSD, so I can't help you.

Alan DeKok.
upgrade from 1.0.1 -- 1.0.3
OS: FreeBSD 4.11
Upgrade: from 1.0.1 to 1.0.3

Receive below error:

    # ./configure --with-logdir=/var/log --with-radacctdir=/var/adm/radacct --with-raddbdir=/usr/local/etc/raddb
    # make

Should be no problem compiling for 1.0.2.

    In file included from rlm_attr_rewrite.c:31:
    /usr/include/regex.h:46: syntax error before `regoff_t'
    /usr/include/regex.h:46: warning: type defaults to `int' in declaration of `regoff_t'
    /usr/include/regex.h:46: warning: data definition has no type or storage class
    /usr/include/regex.h:56: syntax error before `regoff_t'
    rlm_attr_rewrite.c: In function `do_attr_rewrite':
    rlm_attr_rewrite.c:314: structure has no member named `rm_so'
    rlm_attr_rewrite.c:316: structure has no member named `rm_so'
    rlm_attr_rewrite.c:318: structure has no member named `rm_eo'
    rlm_attr_rewrite.c:318: structure has no member named `rm_so'
    rlm_attr_rewrite.c:330: structure has no member named `rm_eo'
    rlm_attr_rewrite.c:348: structure has no member named `rm_so'
    rlm_attr_rewrite.c:357: structure has no member named `rm_so'
    rlm_attr_rewrite.c:358: structure has no member named `rm_eo'
    rlm_attr_rewrite.c:358: structure has no member named `rm_so'
    rlm_attr_rewrite.c:359: structure has no member named `rm_eo'
    rlm_attr_rewrite.c:359: structure has no member named `rm_so'
    gmake[5]: *** [rlm_attr_rewrite.o] Error 1
    gmake[5]: Leaving directory `/var/src/freeradius-1.0.3/src/modules/rlm_attr_rewrite'
    gmake[4]: *** [common] Error 2
    gmake[4]: Leaving directory `/var/src/freeradius-1.0.3/src/modules'
    gmake[3]: *** [all] Error 2
    gmake[3]: Leaving directory `/var/src/freeradius-1.0.3/src/modules'
    gmake[2]: *** [common] Error 2
    gmake[2]: Leaving directory `/var/src/freeradius-1.0.3/src'
    gmake[1]: *** [all] Error 2
    gmake[1]: Leaving directory `/var/src/freeradius-1.0.3/src'
    gmake: *** [common] Error 2
    *** Error code 2

    Stop in /var/src/freeradius-1.0.3.
Re: SQL db failover
Thanks. Will try it out... Do I need to make any addition/changes in the Makefile to compile radsqlrelay? If yes, what changes are needed? Thanks.

--haizam

- Original Message -
From: Nicolas Baradakis [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, January 24, 2005 19:16
Subject: Re: SQL db failover

Rohaizam Abu Bakar wrote:

What can we possibly do to ensure that only when sql1 is down the accounting will be sent to sql2?

You might try a different approach:
- store accounting in detail files (man rlm_detail)
- run radsqlrelay to send accounting in the database (get it from a CVS snapshot)

Even if the SQL server is down for a day, radsqlrelay will buffer the accounting packets and send them later.

The advantages:
- all accounting go in a single database (it's easier to check simultaneous login)
- even under high load radsqlrelay still sends accounting requests according to the SQL server's capabilities
- you won't have a lot of outstanding requests on the RADIUS server when the SQL server is slow

--
Nicolas Baradakis
Re: SQL db failover
I've changed all except fail to return... and it seems OK. But the failover (sql2) mysql still receives accounting although sql1 works fine. This is a problem when checking single login, since the start and stop records may be at different servers. Although the accounting that spills over to sql2 is not much, it still affects the whole process. What can we possibly do to ensure that only when sql1 is down the accounting will be sent to sql2? I'm afraid that my unlimited customers (simultaneous=1) get denied although there is no other session active, due to the start and stop records being sent to different mysql.

Thanks.

--haizam

- Original Message -
From: Rohaizam Abu Bakar [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 18, 2005 11:30
Subject: Re: SQL db failover

One more thing related to SQL accounting... Every time I receive the error "Stop packet with zero session length", accounting will be stored in both sql1 and sql2. Please refer to the debug log. Should I change noop= to something else instead of below?

--haizam

    group {
        sql1 {
            fail=1
            notfound=return
            noop=2
            ok=return
            updated=3
            reject=return
            userlock=4
            invalid=5
            handled=6
        }
        sql2 {
            same as above
        }
    }

    ##
    radius_xlat: 'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
    rlm_sql (sql1): Reserving sql socket id: 4
    radius_xlat: 'rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')'
    rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')
    rlm_sql (sql1): Released sql socket id: 4
    radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
    rlm_sql (sql1): Released sql socket id: 4
    modcall[accounting]: module sql1 returns noop for request 132
    radius_xlat: ''
    radius_xlat: 'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
    rlm_sql (sql2): Reserving sql socket id: 4
    radius_xlat: 'rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')'
    rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')
    rlm_sql (sql2): Released sql socket id: 4
    radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
    rlm_sql (sql2): Released sql socket id: 4
    modcall[accounting]: module sql2 returns noop for request 132
    modcall: group group returns noop for request 132
    modcall: group accounting returns ok for request 132
    Sending Accounting-Response of id 101 to 161.142.17.2:1027
    Finished request 132
    Going to the next request
    ###

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 18, 2005 00:40
Subject: Re: SQL db failover

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

But before that, I tried to use the simplified one using redundant as below:-

    redundant {
        sql1
        sql2
    }

But it seems every time an accounting record is sent, it will be stored in both of the mysql servers, not the first one that returns OK. Why?

It's a known bug. See bugs.freeradius.org

Alan DeKok.
Re: SQL db failover
One more thing related to SQL accounting... Every time I receive the error "Stop packet with zero session length", accounting will be stored in both sql1 and sql2. Please refer to the debug log. Should I change noop= to something else instead of below?

--haizam

    group {
        sql1 {
            fail=1
            notfound=return
            noop=2
            ok=return
            updated=3
            reject=return
            userlock=4
            invalid=5
            handled=6
        }
        sql2 {
            same as above
        }
    }

    ##
    radius_xlat: 'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
    rlm_sql (sql1): Reserving sql socket id: 4
    radius_xlat: 'rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')'
    rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')
    rlm_sql (sql1): Released sql socket id: 4
    radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
    rlm_sql (sql1): Released sql socket id: 4
    modcall[accounting]: module sql1 returns noop for request 132
    radius_xlat: ''
    radius_xlat: 'UPDATE radacct SET AcctStopTime = '2005-01-18 10:39:34', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '442225381' AND UserName = '' AND NASIPAddress = '161.142.17.2''
    rlm_sql (sql2): Reserving sql socket id: 4
    radius_xlat: 'rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')'
    rlm_sql: Stop packet with zero session length. (user '', nas '161.142.17.2')
    rlm_sql (sql2): Released sql socket id: 4
    radius_xlat: 'INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('442225381', '18e9d9976b13739f', '', '', '161.142.17.2', '10202', 'Sync', DATE_SUB('2005-01-18 10:39:34', INTERVAL (0 + 0) SECOND), '2005-01-18 10:39:34', '', '', '', '', '', '', '9915600', '0320529716', '', '', '', '', '0', '0')'
    rlm_sql (sql2): Released sql socket id: 4
    modcall[accounting]: module sql2 returns noop for request 132
    modcall: group group returns noop for request 132
    modcall: group accounting returns ok for request 132
    Sending Accounting-Response of id 101 to 161.142.17.2:1027
    Finished request 132
    Going to the next request
    ###

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 18, 2005 00:40
Subject: Re: SQL db failover

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

But before that, I tried to use the simplified one using redundant as below:-

    redundant {
        sql1
        sql2
    }

But it seems every time an accounting record is sent, it will be stored in both of the mysql servers, not the first one that returns OK. Why?

It's a known bug. See bugs.freeradius.org

Alan DeKok.
Re: SQL db failover
Just wanna share... I've also configured the below setting (using group) for mysql failover, and it's working as well!

But before that, I tried to use the simplified one using redundant as below:-

    redundant {
        sql1
        sql2
    }

But it seems every time an accounting record is sent, it will be stored in both of the mysql servers, not the first one that returns OK. Why?

Also before that, I tried to do as suggested in the doc, to put handled after sql2, and the resulting accounting record is resent a few times from the client (testing using NTRadping). Can somebody help me on the handled portion?

    redundant {
        sql1
        sql2
        handled
    }

    always handled {
        rcode = handled
    }

--haizam

- Original Message -
From: Michel van Dop [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 16, 2005 08:04
Subject: Re: SQL db failover

It works!! Yes Thanks Alan !!

I replace on every reference to sql this:

    group {
        sql1 {
            fail = 1
            notfound = return
            noop = 2
            ok = return
            updated = 3
            reject = return
            userlock = 4
            invalid = 5
            handled = 6
        }
        sql2 {
            fail = 1
            notfound = return
            noop = 2
            ok = return
            updated = 3
            reject = return
            userlock = 4
            invalid = 5
            handled = 6
        }
    }

- Original Message -
From: Michel van Dop [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 8:11 PM
Subject: Re: SQL db failover

Okay good, I replace any reference to the sql module and fix it. But how do I replace this? In group or sql1,sql2 or ? What's the name of sql1 and sql2?

Thank you,
Michel

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Saturday, January 15, 2005 5:58 PM
Subject: Re: SQL db failover

Michel van Dop [EMAIL PROTECTED] wrote:

Okay I understand that (I hope so): Now I do this in radiusd.conf:

Yup, that should work.

I get this error:

    cat /var/log/radius/radius.log
    Sat Jan 15 13:35:19 2005 : Error: ERROR: Cannot find a configuration entry for module sql.

Some part of radiusd.conf has a reference to an sql module. Find that, fix it, and it should work.

Alan DeKok.
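The whole SQL failover thread above turns on how a `group { sql1 {...} sql2 {...} }` section interprets the per-module return-code table that Michel posted and haizam adopted. The Python below is an added example written for this page, a simulation of that evaluation rule and not FreeRADIUS code: a return code mapped to `return` ends the group and becomes its result; a return code mapped to a number is a priority, the group carries on to the next module and keeps the highest-priority code seen so far. Feeding it the posted table reproduces the debug log (sql1 and sql2 both return `noop` for the zero-session-length stop, so both run and the group returns `noop`), the normal case (sql1 returns `ok`, sql2 never runs), and the failover case (sql1 returns `fail`, sql2 takes the record). A second table with `noop = return` is constructed here to show what haizam's proposed change would do.

```python
"""Added example: FreeRADIUS 1.x group / return-code semantics, simulated (not FreeRADIUS code)."""

# The table from the thread, one copy per module instance.
POSTED_TABLE = {
    "fail": 1, "notfound": "return", "noop": 2, "ok": "return",
    "updated": 3, "reject": "return", "userlock": 4, "invalid": 5, "handled": 6,
}

# Constructed variant with noop = return, the change haizam asked about.
NOOP_RETURNS = dict(POSTED_TABLE, noop="return")


def run_group(modules, tables, default="noop"):
    """modules: ordered list of (name, callable) where the callable returns that
    module's rcode ('ok', 'noop', 'fail', ...).  tables: name -> action table.
    Returns (group_rcode, names of the modules that actually ran).  The
    accounting section starts from 'noop' at priority 0."""
    result, priority, ran = default, 0, []
    for name, module in modules:
        rcode = module()
        ran.append(name)
        action = tables[name][rcode]
        if action == "return":
            return rcode, ran             # stop here: the group returns rcode
        if action >= priority:            # numeric: remember the best so far
            result, priority = rcode, action
    return result, ran


def accounting(sql1_rcode, sql2_rcode, table=POSTED_TABLE):
    """One accounting request through group { sql1 sql2 } where each rlm_sql
    instance answers with the given rcode."""
    modules = [("sql1", lambda: sql1_rcode), ("sql2", lambda: sql2_rcode)]
    return run_group(modules, {"sql1": table, "sql2": table})


if __name__ == "__main__":
    # Normal stop record: sql1 writes it and returns ok, so sql2 never runs.
    print("ok/ok        ", accounting("ok", "ok"))
    # Zero-session-length stop: rlm_sql returns noop (priority 2), so the
    # group carries on to sql2.  This is the duplicate write seen in the log.
    print("noop/noop    ", accounting("noop", "noop"))
    # sql1 is down (fail = 1): the group continues and sql2 takes the record.
    print("fail/ok      ", accounting("fail", "ok"))
    # Both down: nothing mapped to return, so the group reports fail.
    print("fail/fail    ", accounting("fail", "fail"))
    # With noop = return the zero-length stop no longer reaches sql2 ...
    print("noop/noop(*) ", accounting("noop", "noop", NOOP_RETURNS))
    # ... and neither does any other request for which sql1 answers noop.
```

What the simulation makes visible is that `noop = 2` is exactly what lets sql2 see every request sql1 declines to write, and that changing it to `return` trades the duplicate for the opposite risk: any request sql1 answers `noop` to is then never offered to sql2. Which of the two the site wants is a policy decision the thread itself does not settle.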
Re: reading other radius server's radutmp instead of using radrelay
What is the setting related in order for radius to check the database (instead of radutmp) in order to control single login (or Simultaneous-Use)?

--haizam

- Original Message -
From: Thor Spruyt [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Thursday, January 06, 2005 16:29
Subject: Re: reading other radius server's radutmp instead of using radrelay

Maybe a database would be easier and faster than radutmp

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots

- Original Message -
From: Rohaizam Abu Bakar
To: freeradius-users@lists.freeradius.org
Sent: Thursday, January 06, 2005 3:22 AM
Subject: reading other radius server's radutmp instead of using radrelay

OS: FreeBSD 4.9p4 + Freeradius 1.0.1
Objective: to control single login in a distributed environment.

I've tested radrelay to centralise accounting to all my radius servers. All radius servers will replicate accounting to the others, so there will be a few radrelay running in each radius server. But it's not really working well: a lot of locking problems, not replicated properly, and quite hard to monitor and manage.

So what I plan to do is to have only one centralised accounting server (maybe all NAS will point accounting to this server), and in order to perform the single login check, each radius server will check radutmp in the centralised accounting. Is it possible?

Thanks.

--haizam
Re: Block group of ISDN connection
Define in ldap.attrmap, define as check item:

    checkItem Connection-Type radiusConnectionType

The situation is I've to check both attributes, one from RAS (NAS-Port-Type) and one from LDAP (Connection-Type), before I can reject it. As suggested by Kostas, I've to map the Connection-Type (my own) attribute, and put files (that reads the users file) after LDAP in the authorize section.

--haizam

- Original Message -
From: Dustin Doris [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, January 05, 2005 23:15
Subject: Re: Block group of ISDN connection

On Wed, 5 Jan 2005, Rohaizam Abu Bakar wrote:

YES... it is on one line until Reject, just breaking up while pasting.

    DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, Auth-Type := Reject
            Reply-Message = Your account has been disabled.

But still giving the same trailing comma problem:

    /usr/local/etc/raddb/users[42]: Unexpected trailing comma in check item list for entry DEFAULT

--haizam

I believe the error you are receiving is because freeradius doesn't understand what Connection-Type is. I can't find connection-type in any of the dictionary files. Where did you define connection-type?
reading other radius server's radutmp instead of using radrelay
OS: FreeBSD 4.9p4 + Freeradius 1.0.1
Objective: to control single login in a distributed environment.

I've tested radrelay to centralise accounting to all my radius servers. All radius servers will replicate accounting to the others, so there will be a few radrelay running in each radius server. But it's not really working well: a lot of locking problems, not replicated properly, and quite hard to monitor and manage.

So what I plan to do is to have only one centralised accounting server (maybe all NAS will point accounting to this server), and in order to perform the single login check, each radius server will check radutmp in the centralised accounting. Is it possible?

Thanks.

--haizam
Re: Block group of ISDN connection
Yes, it is on one line, NOT different lines...

    DEFAULT NAS-Port-Type == Async ,Jaring-Connection-Type == ISDN, Auth-Type := Reject

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 04, 2005 23:14
Subject: Re: Block group of ISDN connection

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

    /usr/local/etc/raddb/users[41]: Unexpected trailing comma in check item list for entry DEFAULT

So... did you read users, to see if line 41 had a trailing comma?

    DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED,
    Auth-Type := Reject

The Auth-Type should be on the same line as DEFAULT. Please read the man page for the users file.

Alan DeKok.
Re: Block group of ISDN connection
YES... it is on one line until Reject, just breaking up while pasting.

    DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, Auth-Type := Reject
            Reply-Message = Your account has been disabled.

But still giving the same trailing comma problem:

    /usr/local/etc/raddb/users[42]: Unexpected trailing comma in check item list for entry DEFAULT

--haizam

- Original Message -
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, January 04, 2005 18:33
Subject: Re: Block group of ISDN connection

Hi,

1) users file

    ##
    DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED,
    Auth-Type := Reject
            Reply-Message = Your account has been disabled.

    DEFAULT Auth-Type := LDAP

How many lines do you actually have? I.e., there should be no linebreak after the UNLIMITED, in the first line above, but the line should continue till after the Reject. Quoting long lines via e-mails always is dependent on mail clients (and possibly server) involved, but I'll try anyway. That should be:

    DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED, Auth-Type := Reject
            Reply-Message = Your account has been disabled.

(just two lines).

HTH,
Stefan
Re: Block group of ISDN connection
I've done as suggested, but the debug log gives the below errors:-

    Module: Loaded files
    files: usersfile = /usr/local/etc/raddb/users
    files: acctusersfile = /usr/local/etc/raddb/acct_users
    files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    files: compat = no
    /usr/local/etc/raddb/users[41]: Unexpected trailing comma in check item list for entry DEFAULT
    Errors reading /usr/local/etc/raddb/users
    radiusd.conf[1052]: files: Module instantiation failed.

Below are a few details that might help.

1) users file

    ##
    DEFAULT NAS-Port-Type == ISDN ,Connection-Type == UNLIMITED,
    Auth-Type := Reject
            Reply-Message = Your account has been disabled.

    DEFAULT Auth-Type := LDAP
    ###

2) ldap.attrmap

    #
    checkItem Connection-Type radiusConnectionType
    #

3) In LDAP entry

    ##
    radiusConnectionType: UNLIMITED
    .
    .

4) Authorize entry

    #
    authorize {
        preprocess
    #   auth_log
    #   attr_filter
        chap
        mschap
        IPASS
        suffix
    #   ntdomain
        eap
    #   sql
    #   etc_smbpasswd
    #   ldap
        redundant {
            ldap1
            ldap2
        }
    #   daily
    #   checkval
        files
    }
    ###

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Sunday, January 02, 2005 21:50
Subject: Re: Block group of ISDN connection

On Fri, 31 Dec 2004, Rohaizam Abu Bakar wrote:

Hi,

OS: FreeBSD 4.9p4
Radius: Freeradius 1.0.1

I know how to block ALL ISDN using the NAS-Port-Type attribute. users file:

    ==
    DEFAULT NAS-Port-Type == ISDN, Auth-Type := Reject
            Reply-Message = Your account has been disabled.

    DEFAULT Auth-Type := LDAP

Tested, seems working... But I would like to block ISDN that has a certain flag stored in LDAP. Let's say I store the flag unlimited = 1 in the user's profile in LDAP, so only ISDN with this flag stored is blocked; all other ISDN will be through. Is it possible? Please help.

Map the unlimited attribute to a radius check attribute (like Hint, or create one of your own). Then in the users file (placed after ldap in the authorize section):

    DEFAULT NAS-Port-Type == ISDN, Hint == 1, Auth-Type := Reject

--haizam

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
radrelay - filelock problem
Hi.

OS: FreeBSD 4.9p4
Version: Freeradius 1.0.1

My radrelay seems not to be fully working well. I receive a lot of the below error. I've followed all the doc given regarding how to set up radrelay.

    Tue Oct 26 05:30:32 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius8, giving up
    Tue Oct 26 05:50:52 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
    Tue Oct 26 05:58:16 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius5, giving up
    Tue Oct 26 05:58:38 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up
    Tue Oct 26 06:11:36 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius7, giving up
    Tue Oct 26 06:17:02 2004 : Error: rlm_detail: Failed to aquire filelock for /var/adm/radacct/detail-combined-radius6, giving up

My setting as below:

    radius1 --- radius2, radius3, radius4
    then
    radius2 --- radius1, radius3, radius4

and so on, until all 4 have the same full accounting record.

I ran 3 of the below command for replication:

    /usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
        -S /usr/local/etc/raddb/radrelay_secret -r radiusX:1646 \
        detail-combined

But it's not working well: the accounting seems to be relayed but with missing accounting, the detail file is not rotated properly and will grow too big, and I receive a lot of the above error. Please help!

--haizam
radrelay problem....
Hi.

Info: FreeBSD 4.9, FreeRADIUS 1.0.1, OpenLDAP backend

I'm using radrelay to duplicate accounting from a few servers to one master server as below:

    radius1 \
    radius2 --- master_radius
    radius3 /

It's working OK, and master_radius has full records of all radius accounting including radutmp. But there is a problem when I pump back from master_radius to radiusX using radrelay:

                    --- radius1
    master_radius   --- radius2
                    --- radius3

From the radutmp record (using radwho), I cannot get the full records of master_radius in radiusX. Even the detail-combined in master_radius is also not properly processed; it keeps growing bigger. The detail-combined in radiusX is OK.

Command used for radrelay:

    /usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
        -S /usr/local/etc/raddb/radrelay_secret -r master_radius:1646 \
        detail-combined

    /usr/local/bin/radrelay -a /var/adm/radacct -d /usr/local/etc/raddb \
        -S /usr/local/etc/raddb/radrelay_secret -r radiusX:1646 \
        detail-combined

and detail-combined config in radiusd.conf:

    detail detail2 {
        detailfile = ${radacctdir}/detail-combined
        detailperm = 0644
        locking = yes
    }

Anyone can help?

--haizam
Re: Fw: CHAP not working after upgrade from 0.9.3 to 1.0
But why does the 0.9.3 version reading from the same LDAP database detect it as clear? I don't think I should change anything in LDAP. Maybe a new setting is required in 1.0.0 which I don't know.

--haizam

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 17, 2004 22:20
Subject: Re: Fw: CHAP not working after upgrade from 0.9.3 to 1.0

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

Anyone can help? I've changed a few lines in radiusd.conf, still the problem. But when I divert the request to the 0.9.3 version reading the same LDAP entry, it is OK. So the password is confirmed in clear form.

The debug log you posted shows that the server is NOT reading the clear-text password from the LDAP database. Fix that.

Alan DeKok.
CHAP not working after upgrade from 0.9.3 to 1.0
Just upgraded from 0.9.3 to 1.0 on my FreeBSD 4.9 machine... Previously, while on 0.9.3, PAP and CHAP were working fine... But now, after the upgrade to 1.0, CHAP is not working... The configuration in 1.0 follows the previous 0.9.3 version (rewritten, not replaced!!). From the debug log below, it keeps complaining that it cannot find the clear password. I'm very sure that the password is in clear form, since while using 0.9.3 it read the same entry and it was OK. Please help..!!!
--haizam

        User-Name = kpdn.gov.my
        CHAP-Password = 0xae9a6aff9c471ab31942831e2418d0bebd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 52
modcall[authorize]: module preprocess returns ok for request 52
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module chap returns ok for request 52
modcall[authorize]: module mschap returns noop for request 52
rlm_realm: No '/' in User-Name = kpdn.gov.my, skipping NULL due to config.
modcall[authorize]: module IPASS returns noop for request 52
rlm_realm: No '@' in User-Name = kpdn.gov.my, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = kpdn.gov.my
rlm_realm: Proxying request from user kpdn.gov.my to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix returns noop for request 52
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 52
modcall[authorize]: module files returns notfound for request 52
modcall: entering group redundant for request 52
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kpdn.gov.my
radius_xlat: '(uid=kpdn.gov.my)'
radius_xlat: 'ou=RADIUS,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (uid=kpdn.gov.my)
rlm_ldap: checking if remote access for kpdn.gov.my is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelServerAuthId as Tunnel-Server-Auth-Id, value :0:X op=11
rlm_ldap: Adding radiusTunnelClientAuthId as Tunnel-Client-Auth-Id, value :0:X op=11
rlm_ldap: Adding radiusTunnelAssignmentId as Tunnel-Assignment-Id, value :0:XX op=11
rlm_ldap: Adding radiusTunnelPassword as Tunnel-Password, value :0:XX op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value :0:IP op=11
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value :0:L2TP op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Outbound-User op=11
rlm_ldap: extracted attribute Cisco-AVPair from generic item Cisco-AVPair += vpdn:ip-addresses=
rlm_ldap: user kpdn.gov.my authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns ok for request 52
modcall: group redundant returns ok for request 52
modcall: group authorize returns ok for request 52
rad_check_password: Found Auth-Type CHAP
auth: type CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 52
rlm_chap: login attempt by kpdn.gov.my with CHAP password
rlm_chap: Could not find clear text password for user kpdn.gov.my
modcall[authenticate]: module chap returns invalid for request 52
modcall: group Auth-Type returns invalid for request 52
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [kpdn.gov.my] (from client sysadmin port 0)
Delaying request 52 for 1 seconds
Finished request 52
Going to the next request
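Added Python example (not FreeRADIUS code, not from the post) of the RFC 1994 CHAP computation that sits behind the CHAP-Password attribute in this log; it shows why the server can only verify a response when it holds the clear-text password, which is exactly what rlm_chap is failing to find in the directory. The challenge and password values are constructed, and the CHAP identifier 0xAE is the first byte of the attribute value above.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values (not from the list post): the 16-byte challenge the
# NAS sent to the peer (RADIUS carries it in CHAP-Challenge, or uses the Request
# Authenticator when that attribute is absent) and the clear-text password the
# directory entry is expected to hold.
SAMPLE_CHALLENGE = bytes.fromhex("0011223344556677889900aabbccddee")
SAMPLE_PASSWORD = b"s3cret-pw"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || Secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def parse_chap_password(value: str) -> Tuple[int, bytes]:
    """Split a CHAP-Password attribute (hex, as printed in the debug log) into
    its 1-byte CHAP identifier and 16-byte response."""
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 17 bytes: ident + MD5 response")
    return raw[0], raw[1:]


def nas_chap_password(ident: int, password: bytes, challenge: bytes) -> str:
    """What a NAS puts into CHAP-Password for a peer that knows `password`."""
    return "0x" + (bytes([ident]) + chap_response(ident, password, challenge)).hex()


def verify_chap(chap_password: str, challenge: bytes,
                cleartext: Optional[bytes]) -> bool:
    """Server-side check with the same requirement rlm_chap has.

    The server recomputes MD5(ident || password || challenge) and compares, so
    it needs the clear-text password itself; a one-way hash such as an
    {SSHA}/{crypt} userPassword cannot be used. Returning False when no
    clear-text password is available is the situation behind the log line
    'rlm_chap: Clear text password not available'.
    """
    if cleartext is None:
        return False
    ident, response = parse_chap_password(chap_password)
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    attr = nas_chap_password(0xAE, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    print(attr, verify_chap(attr, SAMPLE_CHALLENGE, SAMPLE_PASSWORD))  # True
    print(verify_chap(attr, SAMPLE_CHALLENGE, None))                   # False
```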
Fw: CHAP not working after upgrade from 0.9.3 to 1.0
Anyone can help...?? I've changed a few lines in radiusd.conf.. still a problem.. But when I divert the request to the 0.9.3 version reading the same LDAP entry, it is OK. So the password is confirmed to be in clear form.
--haizam

- Original Message -
From: Rohaizam Abu Bakar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 16:56
Subject: CHAP not working after upgrade from 0.9.3 to 1.0
multiple access_attr LDAP setting
OS: FB 4.9
Version: FR 1.0 (just upgraded from 0.9.3)
Authentication: LDAP

In our environment, each service has its own flag... So I would like to create a few "access_attr" entries in radiusd.conf (ldap setting), for example:

ldap ldap1 {
        .
        .
        access_attr = dialupAccess
        access_attr = antivirusAccess
        access_attr = hotspotAccess
        access_attr = roamingAccess
        .
        .
        .
}

So a user with either one of the flags can get authenticated.. Is it possible??? Or... must it have "dialupAccess" AND/OR "others"... thanks..
--haizam
Re: realm module not searching second order
Yes... version 1.0 does fix this problem as mentioned below... thanks

- Original Message -
From: Simon Bryden [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Rohaizam Abu Bakar [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 14:55
Subject: Re: realm module not searching second order

In release 1.0 you have an extra option ignore_null which will tell freeradius not to match against the NULL domain if a realm match fails. Otherwise, if you don't need the NULL domain, you can remove it.

Regards,
Simon.

--- On Thursday 12 August 2004 06:32, Rohaizam Abu Bakar wrote:

Hi,
Using freeradius 0.9.3 with FB 4.9 OS.
Try sending a request using bacangtesting.com/bacang; in radiusd.conf I have already configured 2 realms in order, i.e. realmslash and suffix. But since I put suffix above realmslash, it will search only at suffix and, once not found, it will go straight to realm NULL. Once I change the order (realmslash above suffix) in radiusd.conf, then it's working. Why does the realm module not search the 2nd line???

i) Debug LOG
###
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
rlm_realm: No '@' in User-Name = bacangtesting.com/bacang, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = bacangtesting.com/bacang
rlm_realm: Proxying request from user bacangtesting.com/bacang to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
###

ii) radiusd.conf
###
realm realmslash {
        format = prefix
        delimiter = /
}
realm suffix {
        format = suffix
        delimiter = @
}
preacct {
        . . .
        suffix
        realmslash
        . . .
}
authorize {
        . .
        suffix
        realmslash
        . . .
}
###

iii) proxy.conf
###
realm bacangtesting.com {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}
###
--haizam
strip authentication no strip accounting
I'm using freeradius 0.9.3 and FreeBSD 4.9.
For the entry below in proxy.conf, is it possible to STRIP the username during authentication but NOSTRIP while doing accounting?

realm myself.com {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        nostrip
}

For example, when receiving a request for [EMAIL PROTECTED], it will authenticate using only abc, but in the detail accounting we see it as [EMAIL PROTECTED]. thanks..
--haizam
realm module not searching second order
Hi,
Using freeradius 0.9.3 with FB 4.9 OS.
Try sending a request using "bacangtesting.com/bacang"; in radiusd.conf I have already configured 2 realms in order, i.e. "realmslash" and "suffix". But since I put "suffix" above "realmslash", it will search only at "suffix" and, once not found, it will go straight to realm "NULL". Once I change the order ("realmslash" above "suffix") in radiusd.conf, then it's working. Why does the realm module not search the 2nd line???

i) Debug LOG
###
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "bacangtesting.com/bacang", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "bacangtesting.com/bacang"
rlm_realm: Proxying request from user bacangtesting.com/bacang to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
###

ii) radiusd.conf
###
realm realmslash {
        format = prefix
        delimiter = "/"
}
realm suffix {
        format = suffix
        delimiter = "@"
}
preacct {
        . . .
        suffix
        realmslash
        . . .
}
authorize {
        . .
        suffix
        realmslash
        . . .
}
###

iii) proxy.conf
###
realm bacangtesting.com {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}
###
--haizam