Re: Problems with radzap: radclient:: failed to get value

2011-12-20 Thread Sean Reifschneider
On 12/19/2011 04:03 PM, Alan Buxey wrote:
 you talk to the server using the server's secret, not the NAS with
 the NAS secret, so send a radzap command to your FR server with its
 secret from the session you are on (e.g. on localhost that's testing123
 by default..)

Ah hah, ok, thanks!  This pointer plus the pointer from one of my
associates that it doesn't actually log the user out, it just modifies the
radutmp.

The problem ended up being (beyond trying to talk to the NAS rather than
the server):

   We had both radutmp and sradutmp defined, so it was writing to both
   locations.

   radwho -R is reporting a blank "Framed-IP-Address =" line, which
   causes radclient to choke (that was the source of the "failed to get
   value" messages).

So, if I modify the radzap script to grep -v '^Framed-IP-Address', that
should work.

Thanks!

Sean
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
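
The filter described in the message above, generalised to drop any attribute line with an empty value rather than only Framed-IP-Address. This is an added example, not part of the original post or of the radzap script; the function names, the 192.0.2.10 address and the $SERVER / $SECRET placeholders are assumptions, and the sample input is constructed from the radwho output quoted in the original question.

```shell
#!/bin/sh
# Added example; not taken from radzap or from the FreeRADIUS sources.

# strip_empty_attrs: copy "Attribute = value" lines from stdin to stdout,
# dropping any line whose value is empty (for example "Framed-IP-Address =").
# The name of each dropped attribute is reported on stderr so the operator
# can see what was removed from the packet.
strip_empty_attrs() {
    awk '
        /^[ \t\r]*$/ { print; next }            # blank lines pass through
        {
            eq = index($0, "=")
            if (eq == 0) { print; next }        # not an attribute line
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", name)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", val)
            if (val == "") {
                print "dropped empty attribute: " name | "cat 1>&2"
                next
            }
            print
        }
    '
}

# Constructed sample in the shape of "radwho -ZR" output; the NAS address
# is a documentation placeholder, not a value from the thread.
sample_radwho_output() {
    cat <<'EOF'
   User-Name = las
   Acct-Session-Id = 01C1
   Acct-Status-Type = Stop
   NAS-IP-Address = 192.0.2.10
   NAS-Port = 1
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address =
   Acct-Session-Time = 239370
EOF
}

# In a radzap-style pipeline the filter sits between radwho and radclient
# ($SERVER and $SECRET are hypothetical: the RADIUS server and its secret):
#   radwho -ZR -N "$NAS_IP" -P 1 -u las | strip_empty_attrs |
#       radclient -x -d /etc/raddb -f - "$SERVER" acct "$SECRET"
sample_radwho_output | strip_empty_attrs
```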


Problems with radzap: radclient:: failed to get value

2011-12-19 Thread Sean Reifschneider
I'm trying to run a radzap and having no luck.  For example, if I try:

   radzap -d /etc/raddb -N $NAS_IP -P 1 -u las $NAS_IP $NAS_PW
   radclient:: failed to get value
   radclient: Nothing to send.

I've also tried it with the NAS name (52a2, from /etc/raddb/naslist)
rather than IP:

   radzap -d /etc/raddb -N $NAS_IP -P 1 -u las 52a2 $NAS_PW
   radclient: Failed to find IP address for host 52a2: Success

If I run radwho:

   radwho -ZR -N 216.138.63.130 -P 1 -u las

I get a reasonable-looking:

   User-Name = las
   Acct-Session-Id = 01C1
   Acct-Status-Type = Stop
   NAS-IP-Address = $NAS_IP
   NAS-Port = 1
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address =
   Acct-Session-Time = 239370

However, if I pipe that through radclient:

   radclient -x -d /etc/raddb -f - $NAS_IP acct $NAS_PW

I get the error above:

   radclient:: failed to get value
   radclient: Nothing to send.

I've been trying various combinations of both the output of radwho, and
commands for radclient to log a user out, based on searches on the Internet
including things like sending the packet of disconnect (PoD), including
things on this page:

   http://wiki.freeradius.org/Disconnect_Messages

including trying sending to ports 1700 and 3799, using commands like
disconnect and 40, using packets like:

  Acct-Session-Id = 01C1
  User-Name = las
  NAS-IP-Address = $NAS_IP

Using the above packet looks most promising, in that I don't get an error,
it just hangs a few seconds and then fails with no response from server
for ID 141 socket 3 or similar.

Any pointers on this?

The version of FreeRADIUS is 2.1.10 from CentOS.  There are a couple of
micro version updates I could do, but I didn't see any mention in the
changelog of anything related to this issue being resolved.

Thanks,
Sean


RE: Beginner Question: Hotspot Login Failed

2010-09-10 Thread Sean Wingert
Yes, Alan, you were right. The SQL entries were causing the message about 
"Please update your configuration so that the known good". Since DaloRadius 
created those entries, I will investigate it.

Sean

This message is intended only for the individual or entity to which it is 
addressed and may contain information that is privileged, confidential and 
exempt from disclosure under applicable law.  If you are not the intended 
recipient, or the agent responsible for delivering the message to the intended 
recipient, you are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited, and you are requested to 
return the original message to the sender.



Beginner Question: Hotspot Login Failed

2010-09-09 Thread Sean Wingert
Hi All,

In my testing lab (yes, I'm new to FreeRadius), usernames entered (e.g. with 
attribute User-Password in sql radcheck table) via my NAS (dd-wrt with 
Chillispot) refuse to authenticate (error below), whereas attribute=Auth-Type 
(what DaloRadius calls a PIN) works fine. I'm using the packaged MySQL 
(5.0.51a-24+lenny3) with FreeRadius (2.0.4+dfsg-6) and freeradius-dialupadmin 
(2.0.4+dfsg-6) on Debian Lenny, along with Daloradius 0.9-8 for GUI frontend.

Below is the Daloradius-populated mysql table (again, only 4321 works fine, 
regardless of password entered):

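+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
|  9 | aaa      | MD5-Password       | := | 47bce5c74f589f4867dbd57e9ca9f808 |
|  7 | 123      | User-Password      | := | 123                              |
|  8 | 4321     | Auth-Type          | := | Accept                           |
| 10 | bbb      | SHA1-Password      | := | bbb                              |
| 11 | ccc      | CHAP-Password      | := | ccc                              |
| 12 | eee      | Cleartext-Password | := | eee                              |
+----+----------+--------------------+----+----------------------------------+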
6 rows in set (0.00 sec)

==
Debug output of working connection
==
rad_recv: Access-Request packet from host 192.168.0.72 port 2112, id=0, 
length=191
User-Name = 4321
User-Password = \223=\0322\343\233\361a\365\323\320\333_\245×¼
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.3
Calling-Station-Id = C4-17-FE-1C-5C-9D
Called-Station-Id = 00-24-A5-6F-81-0A
NAS-Identifier = 1
Acct-Session-Id = 4c890e89
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x468b4f124525571d6d37d6d1ec69cbdd
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 4321, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> 4321
rlm_sql (sql): sql_set_user escaped user --> '4321'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '4321'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = '4321'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = '4321'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [4321/\223=\0322\343\233\361a\365\323\320\333_\245×¼] (from client 
Subnet port 0 cli C4-17-FE-1C-5C-9D)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> 4321
rlm_sql (sql): sql_set_user escaped user --> '4321'
expand: %{User-Password} -> =93=3D=1A2=E3=9B=F1a=F5=D3=D0=DB_=A5=D7=BC
expand: INSERT INTO radpostauth   (username, 
pass, reply, authdate)   VALUES (   
'%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
   (username, pass, reply, authdate)   VALUES ( 
  '4321',   
'=93=3D=1A2=E3=9B=F1a=F5=D3=D0=DB_=A5=D7=BC',   
'Access-Accept', '2010-09-09 08:36:57')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
  (username, pass, reply, authdate)   VALUES (  
 '4321',   
'=93=3D=1A2=E3=9B=F1a=F5=D3=D0=DB_=A5=D7=BC',   

RE: Beginner Question: Hotspot Login Failed

2010-09-09 Thread Sean Wingert
Thanks to Alan and Stephen, I am closer to a solution. I realized the scrambled 
password was due to hotspotlogin.php (I need to study Chillispot more), so for 
now I commented out its uamsecret line, which -- although it still fails on the 
123 account -- provides different output in debugging mode:


rad_recv: Access-Request packet from host 192.168.0.72 port 2116, id=0, 
length=209
User-Name = 123
CHAP-Challenge = 0x176af9b56c5cd047480bbaa4e88b04fd
CHAP-Password = 0x00a6498cb1313e02eb187f93dc05302b50
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.3
Calling-Station-Id = C4-17-FE-1C-5C-9D
Called-Station-Id = 00-24-A5-6F-81-0A
NAS-Identifier = 1
Acct-Session-Id = 4c892dd4
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x5a8e0072ed810540ab6baf61b668b2bd
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
+- entering group authorize
++[preprocess] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 123, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> 123
rlm_sql (sql): sql_set_user escaped user --> '123'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '123'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = '123'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = '123'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type CHAP
+- entering group CHAP
  rlm_chap: login attempt by 123 with CHAP password
  rlm_chap: Using clear text password 123 for user 123 authentication.
  rlm_chap: Password check failed
++[chap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_chap: Wrong user password): [123/CHAP-Password] (from 
client Subnet port 0 cli C4-17-FE-1C-5C-9D)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 123
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 0 to 192.168.0.72 port 2116
Waking up in 4.9 seconds.
Cleaning up request 10 ID 0 with timestamp +3707
Ready to process requests.



RE: Beginner Question: Hotspot Login Failed

2010-09-09 Thread Sean Wingert
 from host 192.168.0.72 port 2126, id=4, 
length=124
Acct-Status-Type = Start
User-Name = 123
Calling-Station-Id = C4-17-FE-1C-5C-9D
Called-Station-Id = 00-24-A5-6F-81-0A
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
NAS-Port-Id = 
NAS-IP-Address = 0.0.0.0
NAS-Identifier = 1
Framed-IP-Address = 192.168.182.2
Acct-Session-Id = 4c8944db
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address = 
192.168.0.72,NAS-IP-Address = 0.0.0.0,Acct-Session-Id = 
4c8944db,User-Name = 123'
rlm_acct_unique: Acct-Unique-Session-ID = acc24399d8fb1504.
++[acct_unique] returns ok
rlm_realm: No '@' in User-Name = 123, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
++[files] returns noop
+- entering group accounting
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
-> /var/log/freeradius/radacct/192.168.0.72/detail-20100909
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/freeradius/radacct/192.168.0.72/detail-20100909
expand: %t -> Thu Sep  9 11:34:59 2010
++[detail] returns ok
++[unix] returns ok
expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
expand: %{User-Name} -> 123
++[radutmp] returns ok
expand: %{User-Name} -> 123
rlm_sql (sql): sql_set_user escaped user --> '123'
expand: %{Acct-Delay-Time} -> 
expand:INSERT INTO radacct (acctsessionid,
acctuniqueid, username,  realm,nasipaddress, 
nasportid,  nasporttype,  acctstarttime,acctstoptime,   
   acctsessiontime,  acctauthentic,connectinfo_start,  
connectinfo_stop, acctinputoctets,  acctoutputoctets,  
calledstationid,  callingstationid, acctterminatecause,  
servicetype,  framedprotocol,   framedipaddress,  
acctstartdelay,   acctstopdelay,xascendsessionsvrkey)   VALUES  
   ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',  
'%{SQL-User-Name}',  '%{Realm}', '%{NAS-IP-Address}', 
'%{NAS-Port}',  '%{NAS-Port-Type}', '%S', NULL,  '0', 
'%{Acct-Authentic}', '%{Connect-Info}',  '', '0', '0',  
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',  
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',  
'%{%{Acct-Delay-Time}:-0}', '0', 
'%{X-Ascend-Session-Svr-Key}') -> INSERT INTO radacct 
(acctsessionid,acctuniqueid, username,  realm,
nasipaddress, nasportid,  nasporttype,  acctstarttime,
acctstoptime,  acctsessiontime,  acctauthentic,
connectinfo_start,  connectinfo_stop, acctinputoctets,  
acctoutputoctets,  calledstationid,  callingstationid, 
acctterminatecause,  servicetype,  framedprotocol,   
framedipaddress,  acctstartdelay,   acctstopdelay,
xascendsessionsvrkey)   VALUES ('4c8944db', 
'acc24399d8fb1504',  '123',  '', '0.0.0.0', '0',
  'Wireless-802.11', '2010-09-09 11:34:59', NULL,  '0', '', '', 
 '', '0', '0',  '00-24-A5-6F-81-0A', 
'C4-17-FE-1C-5C-9D', '',  '', '', '192.168.182.2',  '0', '0', '')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
expand: %{User-Name} - 123
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 4 to 192.168.0.72 port 2126
Finished request 48.
Cleaning up request 48 ID 4 with timestamp +6565
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 47 ID 0 with timestamp +6565
Ready to process requests.


Thanks,

Sean



Re: Restricting user to specific NAS Port

2008-11-11 Thread Sean Preston
Hi

2008/11/11  [EMAIL PROTECTED]:
I need to restrict a specific user to say 2 specific NAS ports and then
define a different account to some different specific NAS ports.
Currently as long as an account is only ever going to use one NAS port
I can restrict it by adding the entry to the radcheck table.  So for
example if I have 10 users, I have 10 entries with the NAS port and
the == operator.  However if I want to add some accounts with multiple
entries then

 .. use huntgroups.

Ok I think I understand what needs to be done.  So the next question
then is how do I setup huntgroups to be in the same database as
everything else because as it stands it looks like it can only be a
file and I am going to have hundreds of groups and it would be easier
to manage in the database.

Regards
Sean

-- 
Sean Preston


Re: Restricting user to specific NAS Port

2008-11-11 Thread Sean Preston
Hi

2008/11/11  [EMAIL PROTECTED]:
 Use huntgroups to group ports.

 [EMAIL PROTECTED]   Huntgroup-Name  ==  whatever

Thanks.  I took a look at huntgroups and it looks useful but I think
it is not right for what I am trying to do.  I think I did not explain
well enough.

I need to restrict a specific user to say 2 specific NAS ports and then
define a different account to some different specific NAS ports.
Currently as long as an account is only ever going to use one NAS port
I can restrict it by adding the entry to the radcheck table.  So for
example if I have 10 users, I have 10 entries with the NAS port and
the == operator.  However if I want to add some accounts with multiple
entries then if I put more than one entry in radcheck for the same
username then it never authenticates because I assume it is trying to
ensure the user matches all entries which it obviously does not.  If I
use the += operator or := operators then it never seems to restrict
but always authenticates no matter what the port is.

I hope this explains what I am trying to do a little better.

Regards
Sean


-- 
Sean Preston


Restricting user to specific NAS Port

2008-11-11 Thread Sean Preston
Hi

I have gone through the archives and either I am searching on the
wrong terms or there is not much on this topic.  I am using
FreeRadius 1.1.3 on Debian with a database backend to FreeRadius and I
need to restrict some ADSL users to specific NAS Ports.  I found that
adding an entry to radcheck like:
[EMAIL PROTECTED]   NAS-Port-Id ==  abc

restricts the user to this port.  Now how do I add additional NAS ports
so that they still authenticate because the same user account needs to
be able to log in from multiple NAS ports.
I tried putting in multiple entries but it does not seem to work.  I
get an authentication accepted response for the first port and then
additional ones always reject.

Any help or pointers would be greatly appreciated.

Regards
Sean

--
Sean Preston


Re: Access-Reject in a php script (manIP)

2007-10-26 Thread Sean Bracken

Hi,

I have a working PHP script that may help. You can load it from 
http://swarmhotspots.com/bb.php.txt The script is designed to reply to 
Chillispot authentication requests but should be easy to modify for other 
NAS's.


Hope it helps.

Regards,

Sean Bracken

http://swarmhotspots.com 




Strange problem

2007-08-21 Thread Sean Bracken
Hi, I am using Freeradius with a MySQL backend and the users log in through 
Chillispot running on Buffalo and Linksys routers running DD-WRT. The 
problem is that randomly users are recorded up to five times in radacct with 
one login. This is not a problem for users with expiration accounts but 
users with max-all-session accounts are thrown out before they have really 
used up their time. Has anyone come across this before? I'd appreciate any 
help.

Sean
- Original Message - 
From: [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, August 21, 2007 4:28 PM
Subject: Freeradius-Users Digest, Vol 28, Issue 73



 Today's Topics:

   1. RE: PAM Radius (Sayan S)
   2. customise dialup admin (Carl aniams)
   3. I am a first timer ! (Joshua Mashiane)
   4. Database Population problem with mysql (ram)
   5. RE: Database Population problem with mysql (Josh Howlett)
   6. Re: I am a first timer ! (Alan DeKok)
   7. Re: Database Population problem with mysql (ram)


 --

 Message: 1
 Date: Tue, 21 Aug 2007 04:22:20 -0700 (PDT)
 From: Sayan S [EMAIL PROTECTED]
 Subject: RE: PAM Radius
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 Cc: Josh Howlett [EMAIL PROTECTED]
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=iso-8859-1

 yes josh, as you guessed it, it doesn't work with HP-UX and Solaris (to 
 some extent, as it provides a warning during useradd command with '@' in 
 the username).
 We don't plan to use LDAP for NSS immediately.

 thanks to all.

 sayan

 Josh Howlett [EMAIL PROTECTED] wrote: Hi Sayan,

 I think I have tried this previously, and it was possible (on
 Linux/glibc anyway - YMMV with other unices).

 TBH, I don't really see the point in using RADIUS when you'll (probably)
 want to use LDAP anyway for nss resolution, so you might as well just
 use LDAP for PAM.

 josh.

 -Original Message-
 From:
 [EMAIL PROTECTED]
 org
 [mailto:[EMAIL PROTECTED]
 eradius.org] On Behalf Of Sayan S
 Sent: 20 August 2007 14:04
 To: FreeRadius users mailing list
 Subject: Re: PAM Radius

 Thanks Alan for the quick response.
 I am referring to realm here, as RADIUS support realms, and
 we are using RADIUS to authenticate the users to Linux, so
 seems like we need to have all users contained in the same realm.

 Is having username in [EMAIL PROTECTED] form a valid unix format? I
 was thinking the first part of the [EMAIL PROTECTED] should be the
 unix username though the radius request is sent as
 [EMAIL PROTECTED] Otherwise we need to have a comprehensive
 [EMAIL PROTECTED] to Unix-userid mapping.

 regards,
 sayan

 Alan DeKok  wrote:

  Sayan S wrote:
   Greetings, I am very new to RADIUS and PAM RADIUS.
   I am trying to configure PAM Radius to authenticate users on a Linux
   host. I would like to know, how to configure PAM Radius to authenticate
   users from different realms, as the current configuration doesn't seem
   to take realm.

  You don't use realms in Unix logins.

   please help me with this as I have configured users to be part of
   different realms on radius server and now want to authenticate all those
   users to the same Linux host.

  You just login as [EMAIL PROTECTED]. That might work.

  Alan DeKok.

 --

 Message: 2
 Date: Tue, 21 Aug 2007 15:32:04 +0200
 From: Carl aniams [EMAIL PROTECTED]
 Subject: customise dialup admin
 To: freeradius-users@lists.freeradius.org
 Message-ID:
 [EMAIL PROTECTED]
 Content-Type: text/plain; charset=iso-8859-1

 Hi

 i'm presently using dialup admin for client connexion to the net.
 but my handicap is the time counter. i would like to know if it would be
 possible
 to set



rlm_eap_tls: SSL_read failed in a system call

2007-04-24 Thread Sean McNamara
Hello all,
   
I saw there was a bit of talk in 2006 over this issue, but, I wasn't 
able to track down a definitive solution. We're running FreeRADIUS 
1.1.5 with EAP/TTLS (openSSL 0.9.8d) on Solaris 10.   The server will 
come up and process clients for a few days, but, every now and then it 
begins denying all auth-requests with the following error:

Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.notice] Login incorrect (rlm_ldap: User not found): [anonymous] 
(from client VillanovaWireless port 5191 cli 000b.7d22.b3a9)
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] TLS Alert write:fatal:bad record mac
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] TLS_accept:error in SSLv3 read certificate verify A
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] rlm_eap: SSL error error:1408F119:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 
daemon.error] rlm_eap_tls: SSL_read failed in a system call (-1), TLS 
session fails.

A restart makes the server happy and it goes back to properly auth'ing 
clients...

As of the moment I'm compiling FreeRADIUS 1.1.6 and hoping for some 
improvement, but, does anyone have any additional advice or experience 
with this issue.  .. or better yet, does anyone know the fix? 

Thanks for your time!

..Sean.






LDAP server per realm

2007-04-16 Thread Sean McNamara
Hello everyone,

I'm working on finding a way to define multiple local realms and have 
each have a unique ldap profile associated with them. We want one 
associated with a particular realm, and the other to be the 
catchall/default case.  In addition to this, we're also using EAP/TTLS, 
which may or may not complicate the situation..  After googling a bit, I was 
under the impression that something along the following lines should work:
Here are the relevant parts of the files I modified:

in proxy.conf:
realm VLS {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

in dictionary:
VALUE   Auth-Type   VU  1
VALUE   Auth-Type   VLS 2

VALUE   Autz-Type   VU  1
VALUE   Autz-Type   VLS 2

in users:
DEFAULT Domain == VLS, Autz-Type := VLS


in radiusd.conf:

ldap vlsldap {

        set_auth_type = yes
}

ldap vuldap {

        set_auth_type = yes
}

authorize {
        ...
        ...
        Autz-Type VLS {
                vlsldap
        }
        vuldap

        ...
}

authenticate {
        ...
        Auth-Type VLS {
                vlsldap
        }
        vuldap
        ...
}


When I attempt to authenticate, regardless of whether I specify a realm 
or not, it only checks the vuldap servers.  Any suggestions would be 
greatly appreciated!

Thank you..

..Sean.




Re: Counter

2006-12-12 Thread Sean
 Hi Alan, Thanks for all the help last night. I've made a lot of
progress today. Max-Daily-Session is now being recognised as a valid
attribute and users with the attribute are being authenticated. The
problem I now have is that the users are being disconnected after their
allocated time has expired but they can log back in again straight away
instead of having to wait 24 hours.

I have this in the users file 

DEFAULT Max-Daily-Session := 300

This in radiusd.conf

$INCLUDE  ${confdir}/sql.conf


sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = SELECT SUM(AcctSessionTime - GREATEST((%b -
                UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
                AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'
}

instantiate {

        exec
        expr
        noresetcounter
        daily
}

Could you please give me some pointers to where I'm going wrong. I've
scoured the list archives and Google looking for answers.

Regards,

Sean



Re: Counter

2006-12-12 Thread Sean
On Tue, 2006-12-12 at 22:35 +0100,
[EMAIL PROTECTED] wrote:
 Sean wrote:
   Hi Alan, Thanks for all the help last night. I've made a lot of
  progress today. Max-Daily-Session is now being recognised as a valid
  attribute and users with the attribute are being authenticated. The
  problem I now have is that the users are being disconnected after their
  allocated time has expired but they can log back in again straight away
  instead of having to wait 24 hours.
 
   Is the NAS sending accounting packets?  If not, the server has no way
 of knowing that the time was used up.
Yes it is. It's a Linksys 54G running DD-WRT and Chillispot. The
accounting works for Max-All-Session and Expiration. Also the user is
disconnected after the correct time has elapsed under Max-Daily-Session.
The problem is that he can log back on again straight away, instead of
having to wait twenty four hours. 

 
   Did you list sql in the accounting section?  If not, the
 accounting information won't be written to SQL.

Yes sql is listed in accounting and the accounting information is being
written into radacct. 

I think the problem might be in my sql code in sql.conf. I'll puzzle
over it tonight although it works fine with the other attributes. 

Regards,

Sean






 
   Alan DeKok.



SQL Counter

2006-12-11 Thread Sean
Hi,

Sorry if this is a repeat. I'm not sure if an email I sent yesterday got
through.

Clearly I'm missing something simple here. I'm trying to create accounts
that will renew on a daily or monthly basis.

I've put this code into my radiusd.conf file to test daily renewals.

$INCLUDE  ${confdir}/sql.conf


sqlcounter dailycounter {
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sql
        key = User-Name
        reset = daily
        query = SELECT SUM(AcctSessionTime) FROM radacct WHERE
                UserName='%{%k}'
}

I've created this account in the MySQL radcheck table.

ropgis12 User-Password := gisnopum
ropgis12 Simultaneous-Use := 1
ropgis12 Max-Daily-Session := 1800

radiusd -X gives the following result.

rlm_sql (sql): Reserving sql socket id: 0
rlm_sql: Failed to create the pair: Unknown attribute
Max-Daily-Session
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns fail for request 39
modcall: group authorize returns fail for request 39


I can't understand why Max-Daily-Session is an unknown attribute when
it's declared in the radiusd.conf and radius loads with no errors.

As usual any help would be appreciated.

Sean Bracken 
 




Re: Counter

2006-12-11 Thread Sean

  I can't understand why Max-Daily-Session is an unknown attribute when
  it's declared in the radiusd.conf and radius loads with no errors.
 
   Because attributes are defined in the dictionaries.
 
   Arguably, the sqlcounter module should look up that attribute, and
 either complain if it doesn't exist, or else create it.  That doesn't
 happen right now.
 

Okay, thanks Alan. Should I edit a dictionary file and if so which one? 

Regards,

Sean



Re: SQL Counter (Enrique Acosta)

2006-12-11 Thread Sean
 1. Fwd: SQL Counter (Enrique Acosta)

Thanks Enrique. I upgraded to 1.1.3 but the error is still there. Alan
gave me a hint that the attribute is not in the dictionary, so I've
spent all evening searching the dictionary files looking for SQL
attributes with no luck. My searches of the list archives suggest that
Max-Daily-Session and Max-Monthly-Session are valid attributes. I think
that the code I added to radiusd.conf is okay. I've listed it below.

$INCLUDE  ${confdir}/sql.conf


sqlcounter dailycounter {
 counter-name = Daily-Session-Time
 check-name = Max-Daily-Session
 sqlmod-inst = sql
 key = User-Name
 reset = daily
 query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
 }

So where am I going wrong? If it was a problem in my SQL queries I
wouldn't expect the following reply that comes from radius.


rlm_sql (sql): Reserving sql socket id: 0
rlm_sql: Failed to create the pair: Unknown attribute Max-Daily-Session
rlm_sql (sql): Error getting data from database
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns fail for request 39
modcall: group authorize returns fail for request 39

Did you ever get it to work? The guy I'm doing this for is putting me
under a lot of pressure to get it finished.

Regards,

Sean Bracken




Re: Counter

2006-12-11 Thread Sean
 Read /etc/raddb/dictionary

Alan, that directory doesn't exist on either of my systems. One system
is running 1.0.4 and the other is running 1.1.3. I've tried searching
the dictionaries for Max-All-Session, because that attribute works as
does Expiration. The dictionaries that I'm searching are
in /local/share/freeradius.  

Thanks for giving me your time with this. Do you think that there is a
basic flaw in my setup? Should I delete everything and start from
scratch? Are Max-Daily-Session and Max-Monthly-Session valid attributes
that I can use in the same way that I use Expiration and
Max-All-Session? 

I doubt that it is a FreeRadius problem, and more likely that I'm
mistaken in how I think it works. 

Regards,

Sean
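
The check that the "attributes are defined in the dictionaries" hint in this thread points at, as an added example that is not part of the thread or of FreeRADIUS: it collects every ATTRIBUTE name from a dictionary and the files it $INCLUDEs, lists radcheck attributes that none of them define, and pulls the attribute name out of the radiusd -X error. The function names, file names, attribute numbers and radcheck rows are constructed for the sample, and attribute names are compared case-insensitively as an assumption.

```python
import re

# Constructed stand-ins for dictionary files (file name -> contents).
# The attribute numbers are made up for this sample, not copied from FreeRADIUS.
SAMPLE_FILES = {
    "dictionary": (
        "# site dictionary\n"
        "$INCLUDE dictionary.internal\n"
        "ATTRIBUTE  Max-Monthly-Session  3003  integer\n"
    ),
    "dictionary.internal": (
        "ATTRIBUTE  User-Password     2     string\n"
        "ATTRIBUTE  Expiration        1010  date\n"
        "ATTRIBUTE  Simultaneous-Use  1034  integer\n"
        "ATTRIBUTE  Max-All-Session   1100  integer  # trailing comment\n"
        "VALUE      Auth-Type  Accept  254\n"
    ),
}

# Constructed radcheck rows (UserName, Attribute, op, Value), shaped like the
# account described in the thread; the password is a placeholder.
SAMPLE_ROWS = [
    ("ropgis12", "User-Password", ":=", "<placeholder>"),
    ("ropgis12", "Simultaneous-Use", ":=", "1"),
    ("ropgis12", "Max-Daily-Session", ":=", "1800"),
]

# radiusd -X lines as quoted in the thread, with the attribute name wrapped
# onto its own line the way a mail client may leave it.
SAMPLE_LOG = """\
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql: Failed to create the pair: Unknown attribute
Max-Daily-Session
rlm_sql (sql): Error getting data from database
"""

UNKNOWN_RE = re.compile(r'Unknown attribute\s+"?([A-Za-z0-9_.-]+)"?')


def load_attributes(name, files, _seen=None):
    """Return {lowercased attribute: (file, line)} for `name` and its $INCLUDEs."""
    seen = set() if _seen is None else _seen
    if name in seen:  # an include loop: this file is already being read
        return {}
    seen.add(name)
    if name not in files:
        raise FileNotFoundError(name)
    found = {}
    for line_no, raw in enumerate(files[name].splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "$INCLUDE" and len(fields) >= 2:
            for attr, where in load_attributes(fields[1], files, seen).items():
                found.setdefault(attr, where)
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            # ATTRIBUTE <name> <number> <type>; the first definition wins here
            found.setdefault(fields[1].lower(), (name, line_no))
    return found


def undefined_check_items(rows, known):
    """Map each radcheck attribute missing from `known` to the users that carry it."""
    missing = {}
    for user, attribute, _op, _value in rows:
        if attribute.lower() not in known:
            missing.setdefault(attribute, []).append(user)
    return missing


def unknown_attributes_in_log(text):
    """Return the attribute names radiusd -X reported as unknown, in order, once each."""
    names = []
    for name in UNKNOWN_RE.findall(text):
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    known = load_attributes("dictionary", SAMPLE_FILES)
    for attribute, users in undefined_check_items(SAMPLE_ROWS, known).items():
        print(f"{attribute}: not in any dictionary (used by {', '.join(users)})")
    print("reported by radiusd -X:", unknown_attributes_in_log(SAMPLE_LOG))
```

To run it against a real installation, fill the `files` mapping with the contents of the dictionary directory and pass the rows selected from radcheck.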



Expiration

2006-11-28 Thread Sean
Hi,

Just a quick question. Is expiration := Never valid in radcheck? At the
moment I set dates a few years into the future for accounts that I don't
want to expire, but I'm sure that they'll come back to haunt me later.

Regards,

Sean Bracken


Open access

2006-10-27 Thread Sean
Hi, 

I want to grant access to any user or password on my backup server. I
found DEFAULT Auth-Type := Accept in the FAQ, however it gives no hint
as to where to put the code. I've been trying various parts of
raddb.conf with no success.

Any help appreciated as usual.

Sean Bracken


RE: Open access (Jonathan De Graeve)

2006-10-27 Thread Sean
Hi Jonathan,

Thanks for the quick response. It worked first time.

Regards,

Sean

http://swarmhotspots.com


RE: SQL Accounting oddness

2006-10-11 Thread Sean
Hi,

Check that you have all the ports used by FreeRadius open. It looks as
if the accounting traffic is not getting through to the server.

Let me know if I'm right.


Regards,

Sean Bracken

http://swarmhotspots.com




Re: Accounting Stopped

2006-09-29 Thread sean
Hi Alan,

Thanks for taking the time to respond. I've already fixed the problem. It
only took a bit of lateral thinking. The ADSL modem wasn't exchanging any
information on port 1813. For the life of me I can't understand how it
could re-boot and only lose a bit of its setup. It would have been much
better if it had lost everything. I wasted the best part of a week testing
syslogd, reinstalling FreeRadius, MySQL and setting up a new test server.
Anyway, once again thanks. I really appreciate the time and effort you
take to give support to end users.

Regards,

Sean




syslog.conf

2006-09-27 Thread sean
Hi,

I've been running a trouble free Radius server for over a year. Last
weekend a local power company substation went on fire. This resulted in a
massive power surge and a major system crash. Since then Radius has been
validating users from MySQL no problem. However it is not updating its log
files or radacct in the database. After a lot of searching I discovered
that the Linux (Mandriva 2006) syslog.conf was corrupted. I've created a
new syslog and reinstalled Radius version 1.0.5. The problem has
persisted. I reckon I must be missing something in the log config. Any
advice or help would be very much appreciated. Two nights now with no
sleep.

Regards and thanks in advance.

Sean




Disconnect

2006-08-31 Thread Sean
Hi,

Does anyone know how to get disconnect to work with radclient? I can get
it to return status but when I try disconnect radiusd -X returns the
following:-

rad_recv: Disconnect-Request packet from host 127.0.0.1:57181, id=9,
length=29
Unknown packet code 40 from client swarm:57181 - ID 9 : IGNORED

Any help or hints would be much appreciated.

Thanks,

Sean



RE: Report Generator

2006-08-28 Thread Sean
 Hi Andre,

You can download the work to date here
http://swarmhotspots.com/phpreports.tar.gz I'm integrating phpMyPrepaid
and Dialup Admin into it at the moment, so there are a lot of redundant
files included in the tar file. You can have a look at how it works at
http://topup.ie/reports username testuser, password testuser. Some
reports ask for a client user name use seanb52, some reports ask for a
NAS ID use palm1 and some reports request the NAS IP use 82.153.112.235

Please give me some feedback. I'd like to know if any of this would be
useful or worth putting onto Sourceforge when it's ready for release.
There is no documentation ready yet but if you need help send me an
email. Don't tie up the FreeRadius list with private correspondence.

Regards,

Sean Bracken

http://swarmhotspots.com


Re:Report Generator

2006-08-26 Thread Sean
Hi, 

I'm developing a full reporting and statistics suite at the moment. I'm
integrating it into phpMyPrepaid and have used Carl Peterson's menu
structures and style sheets. The site usage report uses the Radius log
files. I changed the logging to store one months data in a separate file
for each hotspot. The individual user report gets its information from
radacct. The ticket reports are not finished yet. I've added an extra
field to radacct called hotspot and edited the accounting sections of
sql.conf to put the Radius NAS ID into this field. When it's finished
site owners will be able to generate used, unused and partly used ticket
reports for their sites. You can download my work to date here
http://swarmhotspots.com/phpreports.tar.gz 

I hope you find it useful. As usual I welcome any advice, improvements
or comments. 

Regards 

Sean

http://swarmhotspots.com 


Re: Report Generator

2006-08-25 Thread Sean
Hi Morder,

I've also written a utility to allow users to see their usage. I'm tying
it into a complete reporting and statistics package, I expect to have a
test version ready over the weekend. As soon as it's ready I'll post a
download link here. By the way an official forum for FreeRadius users
would be a good idea. I've started an informal forum at
http://topup.ie/phpBB2/ I hope it grows into a good site for people to
share experience and help each other.

Regards,

Sean Bracken

http://swarmhotspots.com


Report Generator

2006-08-23 Thread Sean
Hi,

I've written a report generator in PHP and HTML that will allow your
clients to generate usage reports from the FreeRadius log files. When
the user logs in he/she is asked for their IP address and the Month that
they want to display. If anyone wants a copy let me know. If there is
enough interest I'll make it available for public download.

Regards,

Sean Bracken

http://swarmhotspots.com


Re: mysql accounting

2006-06-14 Thread Sean Taylor
Thanks for that,
I can't believe I didn't find it.  I scoured the wiki.  I seriously don't
like to ask for help unless I just can't find it anywhere.  Anyways, I'm
working on a pretty neat php5 driven interface for this whole thing that
I would be happy to share after it's finished if there would be an
interest in that sort of thing.

On Wed, 2006-06-14 at 12:06 +0200, Nicolas Baradakis wrote:
 Seferovic Edvin wrote:
 
  I do NOT want to be rude, but sometimes searching the archives helps A LOT !
  BELIEVE ME ! But for the lazy developers among you people - here is the part
  that describes the needed feature. Thanks to Jamal ( of course ). This is
  copy paste - so do NOT blame me ;)
 
 You're right, but unfortunately you didn't pick up the easiest method.
 This question has been asked so many many times on the mailing list
 that now it's in the FAQ. (but it appears people are too lazy to read
 the FAQ)
 
 http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ
 
 Nicolas Baradakis
 



mysql accounting

2006-06-13 Thread Sean Taylor
I have a quick question on the mysql accounting.  I am working on my own
interface for managing the freeradius+mysql setup.  Everything is
working great, I can view all my users, see who's connected, add new
users, manage static vs. dynamic IP's, etc. The problem is it doesn't
seem to log authentication failures into the radacct table.  It logs all
the successes just fine, but it would be very beneficial to have it log
the failures too.  I have the sql module turned on in the accounting
section of the config and have uncommented all of the accounting
queries.  Any help appreciated.

Thanks
Sean Taylor
Systems Administrator
Valutel Communications



Re: mysql accounting

2006-06-13 Thread Sean Taylor
I actually did search the archives quite a bit, just not for the right 
thing apparently.  I usually won't post to a list until I've exhausted 
all other options.  Anyways, has someone actually turned this gibberish
into working SQL code they are willing to share?


Thanks

Seferovic Edvin wrote:

Hello,

I do NOT want to be rude, but sometimes searching the archives helps A LOT !
BELIEVE ME ! But for the lazy developers among you people - here is the part
that describes the needed feature. Thanks to Jamal ( of course ). This is
copy paste - so do NOT blame me ;)

 START 
Create a table in the radius schema (called fails_log) to include three
columns: trial_date, username, password. 
Create a function in the database (called fails). The main statements
which you should write are 



create or replace function fails (username1 in char, password1 in char) return char is
  -- the insert runs while a SELECT is calling this function, so it needs its own transaction
  pragma autonomous_transaction;
  v_user radcheck.username%type;
begin
  select username into v_user from radcheck where
    attribute = 'password' and username = username1 and value = password1;
  return v_user;
exception
  -- no row matched the user name and password: record the attempt and return no user
  when no_data_found then
    insert into fails_log values (sysdate, username1, password1);
    commit;
    return null;
end;

Update authorize_check_query module in sql.conf file to be as follows:
authorize_check_query = "SELECT id,Username,Attribute,Value,op FROM ${authcheck_table} WHERE Username =(select fails('%{SQL-User-Name}','%{User-Password}') from dual) ORDER BY id"

 


That is all. Then you can find all failed logs inside the new created table
fails_log.

 END 

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Sean Taylor
Sent: Thursday, 15 June 2006 07:13
To: freeradius-users@lists.freeradius.org
Subject: mysql accounting

I have a quick question on the mysql accounting.  I am working on my own
interface for managing the freeradius+mysql setup.  Everything is
working great, I can view all my users, see who's connected, add new
users, manage static vs. dynamic IP's, etc. The problem is it doesn't
seem to log authentication failures into the radacct table.  It logs all
the successes just fine, but it would be very beneficial to have it log
the failures too.  I have the sql module turned on in the accounting
section of the config and have uncommented all of the accounting
queries.  Any help appreciated.

Thanks
Sean Taylor
Systems Administrator
Valutel Communications



Re: Segmentation fault when launching freeradius 1.1.1 with sql authorization on debian 1:3.3.5-13

2006-05-13 Thread Sean
Make sure that you have the MySQL development module installed and
configure FreeRadius with experimental extensions. My tutorial might
help at http://swarmhotspots.com/faq

Sean

On Sat, 2006-05-13 at 12:01 +0200,
[EMAIL PROTECTED] wrote:
 Segmentation fault when launching freeradius 1.1.1 with sql
 authorization on debian 1:3.3.5-13


Re: Running prepaid apps on freeradius

2006-05-03 Thread Sean
On Wed, 2006-05-03 at 12:13 +0200,
[EMAIL PROTECTED] wrote:
 Running prepaid apps on freeradius 

Hi

Check out phpMyPrepaid on SourceForge and http://swarmhotspots/faq for a
tutorial.

Sean


Re: prepaid cards

2006-04-28 Thread Sean
 Hi Morder,

Why don't you create a page that allows your users to change their
username and password themselves. This would be very easy to do with
PHP. For example a user logs on to your site with his PIN code and
password and you present him/her with an option to change his details.
By the way if your users are using cell/mobile phones you could add to
the security by sending an SMS message that includes a confirmation code
that they would need to complete the update. 

Regards,

Sean

http://swarmhotspots.com
 Thanks Yves but i tried phpmyprepaid and it is a hack of dialup admin and not
 really stable, what i want is a way to let the user to be able to change his
 pin code to a username for example : from 15478855 - mark password :Zx43ed
 - stealit
 
 pin and password are stored in the database
 
  any ideas?
 thanks
 On 4/27/06, YvesDM [EMAIL PROTECTED] wrote:
 
 
 
  On 4/27/06, Mordor Networks [EMAIL PROTECTED] wrote:
 
   Hi
  i want to make prepaid system for my dialup users ex: username : 15789546
  password 123456
  How i can make freeradius change the pin code to a valid username in my
  database ?
  i use mysql as a backend for my radius
  ppp/pppoe
  and dialup admin
  thank u
 
 
  Well there is something out there called  phpmyprepaid which is made for
  that purpose.
  I have no experience with it, but maybe you can give it a try.
 
  Yves
 
 
 
 
 


Re: (Cannot assign requested address) bind() failed

2006-02-13 Thread Sean
On Mon, 2006-02-13 at 12:08 +0100,
[EMAIL PROTECTED] wrote:
 Re: (Cannot assign requested address) bind() failed

Hi Tommy,

If you are using DD-WRT you might be making a common mistake. It won't
accept a Web name for re-direction. You have to use an IP address. EG
123.123.123.123/hotspotlogin.cgi/ It is also vital to put a / at the end
of the address. I've written a tutorial that might help you at
http://swarmhotspots.com/faq.html and I also provide free FreeRadius
testing for Chillispot at http://swarmhotspots.com/Chilli-Test-Area

Regards,

Sean Bracken

http://swarmhotspots.com


Thanks Alan

2006-02-13 Thread Sean
On Mon, 2006-02-13 at 19:58 +0100,
[EMAIL PROTECTED] wrote:
 Phil Mayers [EMAIL PROTECTED] wrote:
  Alan, in case anyone hasn't said it recently - you do an excellent
 job 
  maintaining this project under difficult conditions. You have my and
 I 
  suspect many other peoples sincere gratitude, and I can only hope
 it's 
  as rewarding for you as it is helpful for us.
 
   Thanks.
 
   FreeRADIUS is being used as part of the core product in at least 3
 startups I know of, and possibly as many as 5.  It's at the point now
 where it's getting me more professional attention than my other work
 activities.
 
   Alan DeKok.

Alan, I'd like to add my thanks also. FreeRadius is at the core of
swarmhotspots.com and I'm amazed at the help and support that is
available from you and the open source community. 

The best way to show your appreciation is to contribute something back.

Regards,

Sean

http://swarmhotspots.com


Re:problem with simultanous use...any idea (tommy garsia)

2006-02-11 Thread Sean

  Thanks seanit works great!!
  
   is there any way to limit  user's bandwidth?? 
   can i specify how many user's content/total bandwidth which can be 
  downloaded?
   e.gi give only 10 MB to user A...
   
   regards,
   
  
  Sean [EMAIL PROTECTED] wrote: On Fri, 2006-02-10 at 11:15 +0100,
  [EMAIL PROTECTED] wrote:
   problem with simultanous use...any idea???tommy garsia
  
  
   Hi guys...
 
 I've finished compile and install freeradius v1.1.0 with mysql...and
   work great...
 and i'm happy with it...
 now i have a problem during the accounting
 what should i do if i want to limit only one connection per one
   user..??
 what should i do with my freeradius configuration? 
 
 best regards,
 
 
 tommy
 
  Set simultaneous-use :=1 in radcheck
  and enable simultaneous use checking in sql.conf
  
Hi Tommy,
Glad I could help. 

I'm working on MySQL commands to limit total usage using AccInputOctets and 
AccOutputOctets in Radacct.
I'll let you know when I have it finished and tested.

Regards,

Sean Bracken
http://swarmhotspots.com 


Re:problem with simultanous use...any idea

2006-02-10 Thread Sean
On Fri, 2006-02-10 at 11:15 +0100,
[EMAIL PROTECTED] wrote:
 problem with simultanous use...any idea???tommy garsia


 Hi guys...
   
   I've finished compile and install freeradius v1.1.0 with mysql...and
 work great...
   and i'm happy with it...
   now i have a problem during the accounting
   what should i do if i want to limit only one connection per one
 user..??
   what should i do with my freeradius configuration? 
   
   best regards,
   
   
   tommy
   
Set simultaneous-use :=1 in radcheck
and enable simultaneous use checking in sql.conf

Regards,

Sean
http://swarmhotspots.com


Usage instead of time accounting

2006-02-03 Thread Sean
Hi,

I've been using FreeRadius authorisation and accounting for my Internet
Hotspot service for some time. It performs perfectly. Up to now all of
my clients use time based tickets(One hour, one day, one week and one
month) I now have a client that wants to supply tickets that will limit
the usage in bytes of a user. Can this be done and if so can anyone
recommend a source for documentation. I've Googled for the last few days
and checked the DD-WRT and Chillispot forums to no avail.

Regards and thanks in advance,

Sean Bracken

http://swarmhotspots.com

On Fri, 2006-02-03 at 17:55 +0100,
[EMAIL PROTECTED] wrote:
 Today's Topics:
 
1. (Fwd) Detail Filter method (Breuer Nicolas)
2. Re: Detail Filter method (Nicolas Baradakis)
3. R: SQL.conf new query (Carlo Prestopino)
4. Re: how to log username in uppercase in radacct
   (Nicolas Baradakis)
5. Root Certificate via ADS (Armin Kr?mer)
6. Re: FDS + Freeradius = pain. (Joey McDonald)
 
 
 --
 
 Message: 1
 Date: Fri, 03 Feb 2006 14:14:54 +0100
 From: Breuer Nicolas [EMAIL PROTECTED]
 Subject: (Fwd) Detail Filter method
 To: freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=iso-8859-1
 
  In /etc/raddb/acct_users file:
 
 DEFAULT Acct-Status-Type == Interim-Update, Acct-Type := empty
 
 And in /etc/raddb/radiusd.conf:
 
 modules {
 
   always ok {
   rcode = ok
   }
 
   ...
 }
 
 ...
 
 accounting {
 
   # Log start & stop
   detail
 
   Acct-Type empty {
   ok
   }
 }
 
 -- 
 Nicolas Baradakis
 
 
 
  Can i also put the empty section only in detail module
  because i have a sql line in account (to log everything)
 
  I would like only to disable it in detail accounting.
 
 
 
 
 
 --- Forwarded message follows ---
 From: Breuer Nicolas [EMAIL PROTECTED]
 To:   freeradius-users@lists.freeradius.org
 Subject:  Detail Filter method
 Send reply to:[EMAIL PROTECTED]
 Date sent:Fri, 03 Feb 2006 10:54:43 +0100
 
 
  Hello all,
 
  I'm using the detailled logs with FreeRadius.
 
  I would like to filter the interim updates to not log
  them. Is it possible ??
 
  I would like to only have log files with start & stop..
 
  It would be a nice option, i think..
 
  
 
 --- End of forwarded message ---
 
 Breuer Nicolas
 Content  Marketing Manager.
 Network Supervisor.
 
 BELCENTER ISP  PORTALS
 Avenue Henri Conscience, 94 
 B -1140 Bruxelles
 Tl. :+32 2 243 0 243
 Fax :+32 2 243 0 244
 Mobile :+32 486 50 27 87
 E-Mail : [EMAIL PROTECTED]
 http://www.BelCenter.be | http://www.BelCenter.net
 http://www.BelCenter.lu  | http://www.BelCenter.nl
 
 
 --
 
 Message: 2
 Date: Fri, 3 Feb 2006 15:01:02 +0100
 From: Nicolas Baradakis [EMAIL PROTECTED]
 Subject: Re: Detail Filter method
 To: freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=us-ascii
 
 Breuer Nicolas wrote:
 
   Can i also put the empty section only in detail module
   because i have a sql line in account (to log everything)
 
   I would like only to disable it in detail accounting.
 
 Please no HTML to the list.
 
 You can add the sql module in the subsection, as explained in the
 provided documentation: http://freeradius.org/radiusd/doc/Acct-Type
 
 For example, in acct_users:
 
 DEFAULT Acct-Status-Type == Interim-Update, Acct-Type := interim
 
 And in radiusd.conf:
 
 accounting {
 
   sql
   detail
 
   Acct-Type interim {
   sql
   }
 }
 
 -- 
 Nicolas Baradakis
 
 
 
 --
 
 Message: 3
 Date: Fri, 3 Feb 2006 15:02:55 +0100
 From: Carlo Prestopino [EMAIL PROTECTED]
 Subject: R: SQL.conf new query
 To: 'FreeRadius users mailing list'
   freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=us-ascii
 
 Ok, problem solved, as you can see at this post
 http://lists.freeradius.org/pipermail/freeradius-devel/2006-February/009446.html
 
 Thank you to everyone
 
 Regards,
 Carlo
 
 
 
 
 
 --
 
 Message: 4
 Date: Fri, 3 Feb 2006 15:51

Re: New accounting database each month

2006-01-31 Thread Sean
Yes. I can do that for you.


Re: how to compile freeradius without ssl

2006-01-10 Thread Sean
Hi,

If you are using FreeRadius to manage WiFi hotspots with Chillispot I
have a PHP login script that works without SSL. Email me if you want a
copy.

Regards,

Sean Bracken

http://swarmhotspots.com



Re: MySQL settings causing FreeRADIUS to segfault

2006-01-10 Thread Sean
Hi,

Have you installed the MySQL development extensions? They are essential.
You also need to compile FreeRadius with experimental modules to enable
MySQL.

Regards,

Sean

http://swarmhotspots.com



David Bustmante

2006-01-01 Thread Sean
Can someone block this guy's auto-responder?

Happy New Year

http://swarmhotspots.com



Re: Freeradius-Users Digest, Vol 8, Issue 108

2005-12-26 Thread Sean
Hi,

Sorry that my PHP script didn't work straight out of the box. Have you
tried the CGI script? Failing that you will have to tell your users to
enable popups for your site.

Regards,

Sean


Happy Christmas

2005-12-24 Thread Sean
Wishing Alan DeKok and everyone involved with FreeRadius a very happy
Christmas and thanks for all the work put into developing and supporting
one of the best open source products available. 

Regards,

Sean Bracken


Re: Any Good Documentation for newbies

2005-12-23 Thread Sean
 Hello
   As I am new to this free radius, could you please suggest me a
good
 documentation(free) available on the net.
 Version I am using is Free RADIUS 1.0.5.


 Regards
 Manuj

Hi, I've written a tutorial that you might find helpful. You'll find it
here http://www.swarmhotspots.com/faq.html Let me know how you get on.

Sean Bracken


Re: Freeradius-Users Digest, Vol 8, Issue 57

2005-12-14 Thread Sean
Hi,

I have written a howto that explains how to set up FreeRadius and
Chillispot here http://swarmhotspots.com/faq.html. If you need any help
you will find contact details on the site.

Regards,

Sean Bracken


RE:Configuring freeRADIUS and NAS

2005-12-07 Thread Sean
Hi,

I use Linksys WRT54G Routers and I suggest that you check out DD-WRT
firmware. It includes Chillispot and is easy to setup. I've posted a
tutorial here http://swarmhotspots.com/faq.html

BTW the new WRT54G (Release 5 Firmware) uses VxWorks and not Linux;
anyone needing to use third party firmware like DD-WRT should buy
WRT54GL instead.

I hope this helps.

Regards,

Sean Bracken 


Dialupadmin wont connect to mysql

2005-12-07 Thread Sean Ali

Hello,

I've got Dialupadmin running however when I click through the various 
menus it keeps telling me that it cannot connect to sql database.


This is no surprise to me as I have not setup anything on the mysql 
side of things for dialupadmin nor have I told dialupadmin what user 
and password to connect with.


My question is where do I go to set the database options? And what, if 
any, database items do I need to create on the mysql side for it to 
work?


Thanks,
Sean.



Free Radius and Squid

2005-12-05 Thread Sean Ali

Hello,

I'm very new to free radius and would like to know if it will run with
squid proxy server. If so how would this work? What I am looking to do 
is to allow users to access the internet via the transparent squid 
proxy for limited time sessions. Eg. a user who wishes to use the 
system would be greeted by a web page asking for a code. The code 
(which they would get from the system admin) would grant them access 
for 1 hour. Can this be done using FreeRadius and Squid?


Sean.



Re: Radius Server

2005-11-15 Thread Sean
Hi Tarun,

I've written a how to for FreeRadius that might help you. You will find
it here http://swarmhotspots.com/faq.html BTW You should be very
explicit with questions posted to the mailing list. You will find people
very helpful but don't ask questions if the answer can be found in the
docs.

Regards,

Sean Bracken






Re: SQL Documentation

2005-09-15 Thread Sean
 Sean [EMAIL PROTECTED] wrote:
 Can anyone recommend a good source for documentation for FreeRadius.

  The files that come with it, and the web pages?

  There really isn't any secret treasure trove of documentation that
you get told about only if you ask for it.

  I'm trying to understand the processes that occur between
 Chillispot, FreeRadius and MySql. In particular I need to understand
 how the Counter works and how to use the counter in MySQL.

  the counter?  Please be specific.

  rlm_sqlcounter exists in the server source.  It has sample
configurations and documentation.  What part of that do you have
questions about?

  Alan DeKok.

In particular I want to use the following in my radiusd.conf.

counter daily{
reset =24h
}
counter weekly{
reset =7d
}
counter monthly{
reset=30
}

What I need to know is do I have to add extra fields to my radius
database and if so which tables need to be changed and how to address
them from sql.conf.

Regards,

Sean




SQL Documentation

2005-09-14 Thread Sean
Hi All,

Can anyone recommend a good source for documentation for FreeRadius. I'm
trying to understand the processes that occur between Chillispot,
FreeRadius and MySql. In particular I need to understand how the Counter
works and how to use the counter in MySQL.

Regards,

Sean


Session Time

2005-09-12 Thread Sean
 Hi All,

I want to allow the SQL counter to continue deducting time from users
after they log out until they reach a certain amount of time left. I
have tried several ways to do it, for example the following in sql.conf.

accounting_stop_query = UPDATE ${acct_table2} SET AcctStopTime = '%S',
AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
'%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
'%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
AND NASIPAddress = '%{NAS-IP-Address}' where Acct-Session-Time  3600

I'm fairly sure that it's a question of creating the right sql command
into radacc. I hope I have explained myself properly.

Any advice will be much appreciated.

Regards,

Sean Bracken


Re: MySQL radacct not updated

2005-08-26 Thread sean
 Hi Thor,

I'm just posting this to thank you for your help and let you know that
it was appreciated and also to help anyone else with a similar problem
to see the solution.

In order to enable the accounting packets between Chilli and Radius I
removed all of the pin holes in my ADSL modem and instead set up a NAT
default server pointing to my Radius/WEB/Jabber/POP/SMTP/SMPP/Apache
server. This allows all of the traffic arriving to the ADSL modem to pass
through to the server and solved the problem. I'm not sure about the
security of this fix so I'm setting up a firewall on the server. This
will give me better control over the traffic than the ADSL modem did.

Anyway once again thanks a million Thor you pointed me in the right
direction and saved me another week with no sleep.

Regards,

Sean Bracken

http://freetextworld.com
http://topup.ie
http://swarmhotspots.com




Re: MySQL radacct not updated

2005-08-24 Thread sean
 Hi ALL,

I have made no progress in resolving the radacct problem.
Radius is loading with no error messages and I've gone over the
radiusd.conf and sql.conf a million times.

Below is the output from Radius when a client logs in.

rad_recv: Access-Request packet from host 82.141.232.132:51214, id=0,
length=218
--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
User-Name = sipkek10
CHAP-Challenge = 0x8a37e2835fe0e45acf9680564cb660c3
CHAP-Password = 0x003c7507dd1f4ecf4389429af1a1e74e9d
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.14
Calling-Station-Id = 00-C0-49-5C-40-48
Called-Station-Id = 00-12-17-4A-01-A9
NAS-Identifier = wasp1
Acct-Session-Id = 430c042e0001
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Message-Authenticator = 0x6df308586dc9a8df5dc7a274fa008a88
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = sipkek10, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
radius_xlat:  'sipkek10'
rlm_sql (sql): sql_set_user escaped user -- 'sipkek10'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'sipkek10' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'sipkek10' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'sipkek10' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'sipkek10' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok for request 1
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='%{User-Name}''
radius_xlat:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='sipkek10''
sqlcounter_expand:  '%{sql:SELECT SUM(AcctSessionTime) FROM radacct
WHERE UserName='sipkek10'}'
radius_xlat: Running registered xlat function of module sql for string
'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='sipkek10''
rlm_sql (sql): - sql_xlat
radius_xlat:  'sipkek10'
rlm_sql (sql): sql_set_user escaped user -- 'sipkek10'
radius_xlat:  'SELECT SUM(AcctSessionTime) FROM radacct WHERE
UserName='sipkek10''
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): row[0] returned NULL
rlm_sql (sql): Released sql socket id: 1
radius_xlat:  ''
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user sipkek10, check_item=1800, counter=0
rlm_sqlcounter: Sent Reply-Item for user sipkek10, Type=Session-Timeout,
value=1800
  modcall[authorize]: module noresetcounter returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
  rlm_chap: login attempt by sipkek10 with CHAP password
  rlm_chap: Using clear text password bigdogut for user sipkek10
authentication.
  rlm_chap: chap user sipkek10 authenticated succesfully
  modcall[authenticate]: module chap returns ok for request 1
modcall: group Auth-Type returns ok for request 1
  Processing the session section of radiusd.conf
modcall: entering group session for request 1
  modcall[session]: module sql returns noop for request 1
modcall: group session returns noop for request 1
Sending Access-Accept of id 0 to 82.141.232.132:51214
Session-Timeout = 1800
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Cleaning up request 1 ID 0 with timestamp 430c7430
Nothing to do.  Sleeping until we see a request.

Can anyone spot something in this that might point me in the right
direction?

Regards,

Sean
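Added example (not from the thread or the rlm_sqlcounter source): a simplified Python model of the counter check in the debug output above, using an in-memory SQLite table as a stand-in for the MySQL radacct table. It shows that when no accounting Stop is ever written, SUM(AcctSessionTime) stays NULL and every login gets the full 1800-second allowance again; the session lengths and function names are constructed for the example.

```python
import sqlite3

# Only the radacct columns the counter query touches.
SCHEMA = """
CREATE TABLE radacct (
    AcctSessionId   TEXT,
    UserName        TEXT,
    AcctSessionTime INTEGER
)
"""

# Constructed sample: three sessions of 900 seconds each for one user.
SESSIONS = [("s1", 900), ("s2", 900), ("s3", 900)]


def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL radius database
    db.execute(SCHEMA)
    return db


def used_seconds(db, user):
    # Same query as in the log. SUM() over zero rows yields NULL, which the
    # log reports as "row[0] returned NULL" and the counter treats as 0.
    row = db.execute(
        "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ?", (user,)
    ).fetchone()
    return row[0] if row[0] is not None else 0


def authorize(db, user, check_item):
    """Return ("accept", Session-Timeout) or ("reject", 0)."""
    remaining = check_item - used_seconds(db, user)
    if remaining > 0:
        return ("accept", remaining)
    return ("reject", 0)


def record_stop(db, session_id, user, session_time):
    # The row an accounting Stop leaves behind once it reaches the server.
    db.execute(
        "INSERT INTO radacct VALUES (?, ?, ?)", (session_id, user, session_time)
    )


def replay(db, user, sessions, accounting_arrives, check_item=1800):
    """Log the user in once per session; optionally record the accounting."""
    decisions = []
    for session_id, seconds in sessions:
        decision = authorize(db, user, check_item)
        decisions.append(decision)
        if decision[0] == "accept" and accounting_arrives:
            record_stop(db, session_id, user, seconds)
    return decisions


def users_missing_accounting(db, accepted_users):
    """Check: users who were granted access but have no radacct row at all."""
    missing = []
    for user in sorted(set(accepted_users)):
        count = db.execute(
            "SELECT COUNT(*) FROM radacct WHERE UserName = ?", (user,)
        ).fetchone()[0]
        if count == 0:
            missing.append(user)
    return missing


if __name__ == "__main__":
    healthy, broken = open_db(), open_db()
    print("accounting written:", replay(healthy, "sipkek10", SESSIONS, True))
    print("accounting lost:   ", replay(broken, "sipkek10", SESSIONS, False))
    print("no radacct rows for:", users_missing_accounting(broken, ["sipkek10"]))
```

Running `users_missing_accounting` against the list of users who received an Access-Accept is a quick way to confirm that accounting packets are not reaching the server at all.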


Re: Mobile phone authentication

2005-08-24 Thread sean
 Hi,

If I understand you properly you are trying to authenticate users by
their mobile phone number. If that's right you need Kannel. You can
download the latest version from http://www.kannel.org There is a bit of
a learning curve but once you have authenticated the user you can pass
them off to your Radius billing system. I presume that the
authentication will arrive via SMS, WAP or HTTP if it's 3G.

I hope this helps. If you need more advice you can email me at
[EMAIL PROTECTED]

Regards,

Sean


Re: MySQL radacct not updated (Thor Spruyt)

2005-08-24 Thread sean
: simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId,
FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND
AcctStopTime = 0
 sql: postauth_table = radpostauth
 sql: postauth_query = INSERT into radpostauth (id, user, pass, reply,
date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%
{reply:Packet-Type}', NOW())
 sql: safe-characters =
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-
IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-
Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 300
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread 1 waiting to be assigned a request
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.

Regards,

Sean



Re: MySQL radacct not updated

2005-08-24 Thread sean
 Hi Thor,

Once again thanks for your help.

 I'm sorry but I don't understand your answer. Can you explain the debug
of an accounting packet? Do you mean something like an Ethereal trace?
How do I do a tcp dump on the Radius server.

Regards,

Sean


MySQL radacct not updated

2005-08-23 Thread sean
 Hi,

 I have a strange problem with MySQL and FreeRadius. 
The system had been performing perfectly but it is no longer updating
radacct. The result is that when users login the counter on their login
page counts down their remaining time. But when they logout and then
login again the counter is reset back to its original value. This means
that user names and passwords last forever. 

The sql log file used to show 
 Quote:
  SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='bebbik6'; 
   INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm,
   NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime,
  AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop,
 AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
   AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress,
   AcctStartDelay, AcctStopDelay) values('42e44944',
 '3f1c519e5a66e2fe', 'bebbik6', '', '0.0.0.0', '0', 'Wireless-802.11',
  '2005-07-26 06:04:07', '0', '0', '', '', '', '0', '0', '00-12-17-B7-
  A1-70', '00-C0-49-5C-40-48', '', '', '', '192.168.182.2', '', '0'); 
UPDATE radacct SET AcctStopTime = '2005-07-26 06:04:13', AcctSessionTime
  = '6', AcctInputOctets = '1403', AcctOutputOctets = '5179',
AcctTerminateCause = 'User-Request', AcctStopDelay = '',
   ConnectInfo_stop = '' WHERE AcctSessionId = '42e44944' AND
  UserName = 'bebbik6' AND NASIPAddress = '0.0.0.0'; 



But now it only shows 
 Quote:
   SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='bebbik6';


I'd really appreciate any help to solve this problem. 

Regards from Ireland. 

Sean Bracken


Elapsed time billing.

2005-08-22 Thread sean
 Hi everyone,

Thanks to the advice and help I got from the list I now have a fully
working FreeRadius server with MySQL. I can issue user names and
passwords for set amounts of time e.g. 1 hour or 24 hours. What I'd like
to do is issue names and passwords that will last for passed time e.g.
one day or one month. Has anyone done this and can you advise me on how
to go about it.

Thanks for all the help in the past.

Regards,

Sean


filter id stored in LDAP

2005-07-20 Thread sean wagoner
Can the actual Filter ID be stored in and retrieved by the radius
server. By this I mean not just the name of the filter but its actual
contents?  If so how?



Re: No communication between FreeRadius and Chilli

2005-07-20 Thread sean
On Wed, 2005-07-20 at 21:29 +0200, freeradius-users-
[EMAIL PROTECTED] wrote:
 sean [EMAIL PROTECTED] wrote:
  The problem is that Chilli can't communicate with my Radius server.
  Ethereal tells me that the destination is unreachable when replying
  to the Chilli box.
 
   It looks like the port isn't open.
 
  No. Time        Source        Destination     Protocol Info
  540 142.622909  192.168.1.6   82.141.232.132  RADIUS   Access Request(1) (id=0, l=195)
 
   Ok...
 
  The Radius server and the Chilli AP get their IPs from DHCP on a
  Caymen DSL modem with static IP. The Modem is 82.141.232.132. The
  Radius server is 192.168.1.2
 
   What's the problem?  The Ethereal output you showed above disagrees
 with your statement about the IP address of the RADIUS server.
 
   You have the Chilli AP configured to send RADIUS packets to the DSL
 modem.  The Ethereal output is telling you this.
 
   Alan DeKok.

I have UDP and TCP Pinholes open in the modem for ports 1812, 1813 and
1814 pointing to 192.168.1.2. This should be directing traffic to
82.141.232.132:1812 etc to 192.168.1.2:1812. That is what I had to do
for Apache, Jabber and other services. Does Radius use any other ports
and should I have any ports opened to 192.168.1.6?

Thanks for your help.

Regards Sean


Re: Freeradius-Users Digest, Vol 3, Issue 15

2005-07-15 Thread sean
Hi,

I can now get Chillispot to reach the CGI login on my server. The
application loads and runs, but times out while trying to process the
login. FreeRadius isn't getting any requests from Chilli but does
process local requests from radtest. 

This is the way my network is structured. 
DSL modem with static ip 82.141.232.132 running firewall and DHCP 
File server IP 192.168.1.2 from DHCP 
Running Apache, Kannel, Jabber, MySQL, PHP and FreeRadius 
DSL Modem has pinholes set up directing traffic coming to the static ip
out to the same ports on 192.168.1.2 IE 82.141.232.132:1812 sent to
192.168.1.2:1812 
This works fine for Kannel, Apache etc. 
Radius listens on 1812, 1813 and 1814 
Chilli is running on WRT54G with DD-WRT on port 192.168.1.6 from DHCP
with internal address 192.169.10.1 
DHCP is switched off in DD-WRT and Chilli is assigning IP to wireless
clients and directing them to the CGI login script on the file server.
This loads fine but times out after entering user and password. Radius
can't see any requests coming from Chilli, but processes requests from
radtest on the fileserver. I suspect that the DSL modem firewall needs
to have some other ports opened but I can't add any software to it so I
can't run Ethereal. 
I hope I've explained clearly. Thanks for any advice you can give.

Regards Sean

http://topup.ie


Re: Chillispot FreeRadius

2005-07-15 Thread sean
On Fri, 2005-07-15 at 20:58 +0200, freeradius-users-
[EMAIL PROTECTED] wrote:
  I have setup pinholes for both tcp and udp on ports 1812, 1813 and 1814.
  They all point to the Radius server on 192.168.1.2. The Chillispot on
  192.168.1.6 can direct traffic to the CGI login but sends nothing to
  Radius. What I'm trying to understand is the sequence of events. When
  the hotspotlogin.cgi script gets a request from a Chillispot user from
  the AP, does the cgi script initiate the Radius request?
 
  No, it's the chillispot server - not the cgi. Server is in case you
  run chilli on the wlan-router the wlan-router, in case you ran chilli
  on an linux-box the linux-server.
I don't understand, Chilli is running on a WRT54G AP under DD-WRT and
directing users to the login. What sends the Radius requests Chilli or
the CGI script?

This is what Chilli sends to the hotspotlogin.cgi script:
https://82.141.232.132/cgi-bin/hotspotlogin.cgi/?res=notyet&uamip=192.168.182.1&uamport=3990&challenge=1b23fb5583173741fcfcb91b7b4e5e7a&userurl=&nasid=nas01&mac=00-C0-49-5C-40-48
Radius gets no requests at all. The script just times out while waiting to
login.

192.168.182.1 is the DSL modem which has been told to send traffic
arriving on ports 1812, 1813, and 1814 to the Radius server. I have also
opened port 3990 on the DSL modem to the Radius server. ie. DSL modem
static ip 82.141.232.132. all traffic to 192.168.182.1
(82.141.232.132:1812) goes to 192.168.1.2:1812


hotspotlogin.cgi problem

2005-07-09 Thread sean
Hi,

I have set up a FreeRadius server which I am trying to access from
Chilli  on a Linksys AP running DD-WRT and Chilli. Radtest shows that
the Radius server is running and Chilli is directing users to /cgi-
bin/hotspotlogin.cgi. However this produces an internal server error
from Apache. If I send users to /cgi-bin/test.cgi the test page loads
with no errors. I have no idea where to start looking for a solution.
Any advice or pointers to where I've gone wrong would be very much
appreciated.

Regards,

Sean Bracken




Accounting string is interpreted as raw data instead of ascii.

2005-02-07 Thread Sean
I have a vendor-specific attribute in my dictionary that is a string
type. As an attribute that is set, it comes to my authenticating
device, a network switch, as a string. However, when I use it as
an accounting attribute, it shows up in my accounting log on my
RADIUS server not as a string but as raw data. Is there a way to
get it to appear as the original string?
Thanks.
sean





More same attribute, multiple entries.

2005-01-14 Thread Sean
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 how do I access the second, third, etc. value for a duplicate attribute 
 in sql.conf ?
 I have read doc/variables.txt and I did not figure out.
 Can it be done ?

  In the current CVS snapshot.  Not in 1.0.1

  Alan DeKok.

I found the above in the January 2005 archives. Perhaps my problem
is too different, but I now have the current CVS snapshot 
(radiusd: FreeRADIUS Version 1.1.0-pre0, for host i686-pc-linux-gnu, 
built on Jan 14 2005 at 14:29:35), have built and run it, and it isn't
helping with my problem. I have a vendor-specific attribute that I need
to repeat several times. The freeRadius server still only sends it one time.

For example, my dictionary file looks like:
VENDOR          BB              11
BEGIN-VENDOR    BB
ATTRIBUTE       BB-QOS          20      string
ATTRIBUTE       BB-RATE-LIMIT   25      integer
ATTRIBUTE       BB-ACL-ENTRY    61      string
END-VENDOR      BB

And my users file looks like:

pepsi   Auth-Type := Local, User-Password == coke
        BB-ACL-ENTRY = deny in ip from any to 10.0.8.10/24 30-35 log,
        BB-ACL-ENTRY = deny in ip from any to 10.0.9.20/24 10-20 log,
        BB-ACL-ENTRY = deny in ip from any to 10.0.10.30/24 15, 20 log,
        BB-ACL-ENTRY = deny in ip from any to 10.0.11.40/24 17 log,
        BB-ACL-ENTRY = permit in ip from any to 10.0.12.50/24 20-50, 18

The server (in -X, debug mode) always only sends the first attribute. I've
tried interspersing the BB-ACL-ENTRY with the other two attributes, but it
still sends just the first BB-ACL-ENTRY attribute and then the other two
attributes.  Was this supposed to work in the current snapshot or is my
problem different or can my problem be solved in some other way?

Thank you very much.
sean



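Added example (not part of the original message and not FreeRADIUS code): a small Python model of the users-file reply operators `=`, `:=` and `+=`, run over the entry above. It shows why repeating `BB-ACL-ENTRY =` leaves only the first ACL line in the reply, so the switch would enforce one rule out of five, while `+=` keeps all of them. The quoting of values and the BB-RATE-LIMIT value 64 are assumptions made for the example.

```python
import re

# Constructed from the users-file entry in the message. Values are quoted so
# that commas inside an ACL string are not read as item separators (the
# quoting and the BB-RATE-LIMIT value are assumptions).
ENTRY_AS_POSTED = '''
BB-ACL-ENTRY = "deny in ip from any to 10.0.8.10/24 30-35 log",
BB-ACL-ENTRY = "deny in ip from any to 10.0.9.20/24 10-20 log",
BB-RATE-LIMIT = 64,
BB-ACL-ENTRY = "deny in ip from any to 10.0.10.30/24 15, 20 log",
BB-ACL-ENTRY = "deny in ip from any to 10.0.11.40/24 17 log",
BB-ACL-ENTRY = "permit in ip from any to 10.0.12.50/24 20-50, 18"
'''

# Same entry with the repeated attribute appended instead of set.
ENTRY_WITH_APPEND = ENTRY_AS_POSTED.replace("BB-ACL-ENTRY =", "BB-ACL-ENTRY +=")

ITEM = re.compile(r'\s*([\w-]+)\s*(\+=|:=|=)\s*(.+?)\s*,?\s*$')


def parse_items(text):
    """Split reply lines into (line_no, attribute, operator, value)."""
    items = []
    for line_no, line in enumerate(text.strip().splitlines(), start=1):
        m = ITEM.match(line)
        if not m:
            raise ValueError(f"line {line_no}: not a reply item: {line!r}")
        attr, op, value = m.groups()
        items.append((line_no, attr, op, value.strip('"')))
    return items


def build_reply(text):
    """Apply the reply-item operators in order.

    "="  adds the item only if the attribute is not in the reply yet
    ":=" replaces every existing item of that attribute
    "+=" always appends
    Returns (reply, dropped), where dropped lists the silently ignored items.
    """
    reply, dropped = [], []
    for line_no, attr, op, value in parse_items(text):
        present = any(a == attr for a, _ in reply)
        if op == "=" and present:
            dropped.append((line_no, attr, value))
            continue
        if op == ":=":
            reply = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    return reply, dropped


if __name__ == "__main__":
    for label, entry in (("as posted", ENTRY_AS_POSTED),
                         ("with +=", ENTRY_WITH_APPEND)):
        reply, dropped = build_reply(entry)
        print(f"{label}: {len(reply)} items sent, {len(dropped)} dropped")
        for line_no, attr, value in dropped:
            print(f"  line {line_no} ignored: {attr} = {value}")
```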


Re: How to get PAM to use RADIUS to authenticate a user?

2004-05-20 Thread Sean O'Malley
the radiusd.conf file needs the pam entry uncommented.
you need a /etc/pam.d/radiusd file.

(I never got the pam_auth argument in the radiusd.conf file to work
correctly, I don't believe you want to use the login file anyway since
that checks out what tty you are using and in this case you are not using
any..)

Your 'users' file needs to include something like:
DEFAULT Auth-Type := Pam
        pam-auth=radius,
        Fall-Through = Yes

I am not sure pam-auth= should read pam-auth=radiusd here.

You can crank up debugging on the pam modules, I think it is the -d
pam or -debug or something similar.

Try something like this in your /etc/pam.d/radius.d file:

auth       required /lib/security/pam_unix.so
auth       required /lib/security/pam_nologin.so
account    required /lib/security/pam_permit.so
password   required /lib/security/pam_permit.so
session    required /lib/security/pam_permit.so


On Thu, 20 May 2004, Maqbool Hashim wrote:


 I posted the following to the list yesterday, I thought I would post it
 again in case anyone else has any ideas regarding this...? (Are there
 any experts on PAM on the list?)  I know this may
 be a little off topic if it is a PAM problem, but I would appreciate help
 from anyone who has got RADIUS to work with PAM.

 Thanks and please forgive me for posting it twice

 Maqbool Hashim wrote:

 
 
  FreeRadius version:  0.9.3
  Redhat Linux 9.0
 
  I have installed FreeRadius on my system and to get familiar with it I
  am attempting to get the Unix login program to authenticate using the
  radius server. In order to do this I am using the radius pam module
  pam_radius_auth.  So PAM is the radius client.  (All programs are
  running on the same machine, client and radius server).
 
  Here's what I have in /etc/pam.d/login :
 
  #%PAM-1.0
  auth       required     pam_securetty.so
  auth       sufficient   /lib/security/pam_radius_auth.so debug
  auth       required     pam_stack.so service=system-auth
  auth       required     pam_nologin.so
  account    required     pam_stack.so service=system-auth
  password   required     pam_stack.so service=system-auth
  session    required     pam_stack.so service=system-auth
  session    optional     pam_console.so
 
  and in  /raddb/users I have the following default line:
  DEFAULT Auth-Type := System
  Service-Type = Login-User
 
  I start the radius server as follows:
 
  radiusd -i 127.0.0.1 -X
 
  then in another terminal I execute login and try to login as a normal
  user.  The login program returns with:
 
  Authentication service cannot retrieve authentication info.
 
  Now I check the radius server debugging info and from that side it
  seems to be authenticating the user fine:
  users: Matched DEFAULT at 140
modcall[authorize]: module files returns ok for request 0
modcall[authorize]: module mschap returns noop for request 0
  modcall: group authorize returns ok for request 0
rad_check_password:  Found Auth-Type System
  auth: type System
  modcall: entering group authenticate for request 0
modcall[authenticate]: module unix returns ok for request 0
  modcall: group authenticate returns ok for request 0
  Sending Access-Accept of id 206 to 127.0.0.1:5735
  Service-Type = Login-User
  Finished request 0
 
 
  This problem has me confused.  If anyone can shed any light on the
  matter I would appreciate it.  Perhaps the problem lies in the
  .../pam.d/login configuration?
 
 
 
 
 
 
 


Re: Juniper Attributes and OpenLDAP

2004-03-22 Thread Sean O'Malley


On Mon, 22 Mar 2004, Robert Banniza wrote:

 I'm not sure I'm following you...Let's say I want to add the
 Juniper-Allow-Commands and Juniper-Deny-Commands to my user's profile
 within OpenLDAP. Wouldn't I have to define these attributes within some
 LDAP schema whether it be in the RADIUS-LDAPv3.schema or some other
 schema in order for OpenLDAP to know how to interpret the attribute?

I can't talk about how freeradius interprets the juniper values, but
openldap will need to have attribute and objectclass definitions to match what
juniper has most likely. I am not that familiar with much about Juniper or
FreeRadius but I have been working with ldap some.

http://www.juniper.net/techpubs/software/management/sdx/sdx400/sw-sdx-install/html/sw-sdx-installTOC.html
search down to openldap they have instructions on how to load the
openldap server, I assume that installs the schema too which is what
defines all the juniper attributes for you and you should be off to the
races with the correct attributes and objectclasses.

The rest of this is crap I wrote if you have to do it the hard way, which
it doesn't look like you do but I am including it so _I_ don't forget what
I am doing.

Another way to get these is to set up the Juniper LDAP server,
perform an ldapsearch on their database equivalent to a dump of the
database into LDIF format. I don't know how well Juniper's ldap server will
respond to that. Sun's responded fairly well. You might poke around and
find a schema or an ldif file in the Juniper install media too.

basically you need a lot of the attributes like on:
http://www.juniper.net/techpubs/software/management/sdx/sdx310/sdx310-sw-developer/html/ldap-object-mapping6.html

You need to figure out what they are looking for for the attribute syntax,
since you need the long number representation of it.
but you can cross reference from http://www.faqs.org/rfcs/rfc2252.html
section 4.3.2 lists them.

The rest of it is fairly straightforward if you look at another schema.
The object identifier (OID) number _technically_ just has to be unique,
but they supply one for you, I would use it only for the fact you won't
have to worry about getting stuff mixed up if you try to do something else
with the server. (technically the Juniper ones should be registered and
unique.)  You will find examples of the syntax of the matching rules in
the openldap schema.

It isn't particularly hard just tedious as all hell.

Sean




Re: pam-radius ?

2004-03-01 Thread Sean O'Malley
IIRC (I had this set up and working but we had to opt for a different
solution and I don't have a working configuration to use.)

In your radiusd.conf
you need the pam section uncommented
the pam_auth = radiusd
^
this part needs to match up with your systems /etc/pam.d stuff
like linux you need to create a radiusd file in /etc/pam.d/
or on solaris in the /etc/pam.conf you need to add entries beginning with
radiusd or it could be the radius in the users section. (I had them
linked to each other which is probably bad =)

in your users file you need:

DEFAULT Auth-Type := Pam
        pam-auth=radius,
        Fall-Through = Yes




 Greetings,
   I need some help with pam-radius and freeradius.  I have a server that I
 need to do radius Auth from for access to certain programs.  I tried
 setting up pam-radius like the instructions state, but it keeps telling me
 that the radius server has not been specified.  I put the configuration
 file where the instructions tell me to (/etc/raddb/server/pam.conf and
 pam_radius_auth.conf) as well as trying some of the alternate locations
 (/usr/local/etc) and it still doesn't detect it.  Could someone point me to
 the right location for this file?
   Thank you in advance.

 --
 ·William Ragsdale   ·http://www.netonecom.net


