Re: Postgres

2009-10-15 Thread Vegard Svanberg
* Sparkes, David david.spar...@keymile.com [2009-10-15 11:21]:

> I would like to get Freeradius working with a PostgreSQL database: are
> there any handy HOWTOs or Tutorials that explain how to do this?

It's pretty easy, just study the docs and sample configs.

Just a warning: You might run into the same problem as me, so test it
thoroughly before putting it in production. I'm running Freeradius
(latest version) against a PostgreSQL database, and it crashes every
other day or so when running normally (as a daemon). It doesn't crash in
debug mode (-X), so I have to let it run like that for a while more,
until I have the time to debug it. Can't risk a sudden stop for the time
being.

-- 
Vegard Svanberg veg...@svanberg.no [*tak...@irc (EFnet)]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Parameter to limit user traffic in RouterOS

2009-04-08 Thread Vegard Svanberg
* HugLeo hugocana...@gmail.com [2009-04-08 15:59]:

> I was reading some mk documentation, whose website is
> [1]http://www.mikrotik.com/testdocs/ros/3.0/aaa/ppp.php, and I found
> in the section Monitoring Active PPP Users:
> limit-bytes-in (read-only: integer) - maximal amount of bytes the user
> is allowed to send to the router
> limit-bytes-out (read-only: integer) - maximal amount of bytes the
> router is allowed to send to the client

You would have figured this out pretty easily by reading the docs, but
you'd just do (I assume you use the users file as backend):

username	User-Password == foo
	Mikrotik-Recv-Limit-Gigawords := 6,
	Mikrotik-Xmit-Limit-Gigawords := 6

BTW, MT's 3.0 doc is incomplete. Read the 2.9 manual (or the wiki) and
check the RADIUS client topic.

> Is there a way to send that to RouterOS using radclient?

Not sure what you mean by using radclient to send something to RouterOS.
Radclient will talk to the RADIUS server, not another client.

-- 
Vegard Svanberg veg...@svanberg.no [*tak...@irc (EFnet)]



OT: 802.1x CPE device with _wired_ supplicant support

2009-02-27 Thread Vegard Svanberg
Sorry for the OT. My alibi is that the device will authenticate through
a switch and Freeradius. :-)

I'm looking for a cheap 802.1x CPE device (broadband router like, you
know, with a 4-port embedded switch, wan-port and wireless support)
which can be an 802.1x supplicant on the wired WAN port.

It seems such devices are hard to find, and I'm surprised as to why
the usual broadband router manufacturers don't implement this. Any
suggestions on where to find / what devices to use?

Thanks in advance.

-- 
Vegard Svanberg veg...@svanberg.no [*tak...@irc (EFnet)]



Freeradius dies with Postgresql error

2009-02-24 Thread Vegard Svanberg
I'm using Freeradius with a Postgresql backend. Every two or three days,
Freeradius dies. These are the last lines from the log file:

Tue Feb 24 21:15:31 2009 : Auth: Login OK: [] (from client  port 3 cli 
)
Tue Feb 24 21:16:34 2009 : Auth: Login OK: [] (from client  port 3 cli 
)
Tue Feb 24 21:16:48 2009 : Auth: Login OK: [] (from client  port 4 cli 
)
Tue Feb 24 21:18:32 2009 : Error: rlm_sql_postgresql: PostgreSQL Query failed 
Error: 
Tue Feb 24 21:18:32 2009 : Auth: Invalid user: [] (from client  port 
1509942 cli XX:XX:XX:XX:XX:XX)

Then nothing (it's gone and has to be started up again).

The problem is that this never happens if I run radiusd with -X, so I'm
having trouble catching more info. 

Any clues? This is Freeradius 2.1.0 btw. I've just upgraded to 2.1.3 to
see if the problem goes away.

-- 
Vegard Svanberg veg...@svanberg.no [*tak...@irc (EFnet)]



Re: CA.all and CA.certs in Freeradius 2.x

2008-10-08 Thread Vegard Svanberg
* Vegard Svanberg [EMAIL PROTECTED] [2008-10-07 12:16]:

> > Perhaps you should bother reading the mysteriously named file README in
> > /certs directory before asking questions.
>
> Seems the file got lost during the transition from 1.x. Thanks!

Hm, something is not working right, but I'm not sure where. Created (ca,
server, client) certificates per the instructions in the README file.
Enabled EAP-TLS in eap.conf and verified that paths etc are correct.
Then created the client certificate and imported it on the client. -X
gives me this before it fails:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 1497
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls] <<< TLS 1.0 Handshake [length 0393], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA 
TLS_accept:error in SSLv3 read client certificate B 
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> testuser2

Also, openssl can't verify the generated client certificate:

$ openssl verify -CAfile ca.pem client.pem
client.pem: /C=NO/ST=testprovincename/O=testorganization/CN=testuser2/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

Oh BTW, there is a small error in the README, on line 132 it reads:

> The users certificate will be in commonName.pem,
> i.e. [EMAIL PROTECTED].

This is wrong; the Makefile is using emailAddress.

-- 
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]



Re: CA.all and CA.certs in Freeradius 2.x

2008-10-08 Thread Vegard Svanberg
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-10-08 15:03]:

> Try with ca-server bundle:
>
> cat ca.pem server.pem > cabundle.pem
>
> Use that as CAfile and export (appropriate version) to the clients.

Worked great, thanks!

Perhaps the Makefile should be updated?

-- 
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]



CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread Vegard Svanberg
The CA.all and CA.certs scripts seem to not be included in the
Freeradius 2.x tarball anymore. Have they just been forgotten, or have
they been replaced by other scripts, or are there other recommended ways
of handling/generating certs in 2.x?

-- 
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]



Re: CA.all and CA.certs in Freeradius 2.x

2008-10-07 Thread Vegard Svanberg
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-10-07 12:13]:

> Perhaps you should bother reading the mysteriously named file README in
> /certs directory before asking questions.

Seems the file got lost during the transition from 1.x. Thanks!

-- 
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]



Re: The client does not connect _*_*_*_

2008-10-03 Thread Vegard Svanberg
* Martin Silvero [EMAIL PROTECTED] [2008-10-03 21:02]:

> yes, I imported client.p12 and ca.der to the notebook, then checked
> again and they are fine

Can you please learn to quote and reply properly? Thanks.

-- 
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]



rlm_sql: NUMERIC VALUE OUT OF RANGE error

2008-09-26 Thread Vegard Svanberg
Freeradius 2.1.0.

I have a NAS which sends a NAS-Port-Id attribute in the range
2147483648..2164260863. PostgreSQL doesn't like the query Freeradius
performs. It's choking when trying to insert for instance
'2163214239::integer' into the radacct table.

$ select 2163214239::integer;
ERROR:  integer out of range

Example:

INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm,
  NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime,
  AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets,
  AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause,
  ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay)
values('80f0079f', '5c9f0b7076dcc9c0', 'username', NULLIF('', ''),
  '1.2.3.4', 2163214239::integer, 'Wireless-802.11',
  ('2008-09-26 09:52:52'::timestamp - '1'::interval - '3382'::interval),
  ('2008-09-26 09:52:52'::timestamp - '1'::interval),
  NULLIF('3382', '')::bigint, '', '',
  (('0'::bigint << 32) + '57743'::bigint),
  (('0'::bigint << 32) + '294709'::bigint),
  'hotspot', 'XX:XX:XX:XX:XX:XX', 'Lost-Service', '', '',
  NULLIF('192.168.12.94', '')::inet, 0)

rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: Error integer out of range
rlm_sql_postgresql: Postgresql Fatal Error: [22003: NUMERIC VALUE OUT OF RANGE] Occurred!!
[sql] Couldn't insert SQL accounting STOP record - ERROR:  integer out of range
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail

Quick fixes...?

-- 
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]



Re: rlm_sql: NUMERIC VALUE OUT OF RANGE error

2008-09-26 Thread Vegard Svanberg
* Alan DeKok [EMAIL PROTECTED] [2008-09-26 11:07]:

> > $ select 2163214239::integer;
> > ERROR:  integer out of range
>
>   It's treating the number as a signed 32-bit integer, and the number is
> greater than 2^31.
>
>   And the NASPortId field in the default schema is VARCHAR, not integer.
>
>   Hmm... the default queries add a ::integer to the NAS-Port-Id.  Why?

I didn't realize I could change the queries until now, so I just removed
the integer cast. Works now. Thanks.

-- 
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]

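Two of these threads turn on the same 32-bit boundary: the RouterOS reply splits a byte limit into Mikrotik-*-Limit-Gigawords (bits 32..63) plus Mikrotik-*-Limit (low 32 bits), the accounting query rebuilds Acct-*-Octets as `(gigawords << 32) + octets`, and the NUMERIC VALUE OUT OF RANGE error is a NAS-Port-Id above 2^31 being cast to PostgreSQL's signed 32-bit `integer`. The Python below is an added example, not code from the list or from FreeRADIUS; the function names, the constants and the use of the 2.x `Cleartext-Password` form (instead of the deprecated `User-Password ==` check quoted above) are my own choices.

```python
# Added example (not from the list posts or FreeRADIUS): helpers for the
# 32-bit boundaries discussed above. Names and constants are my own.
GIGAWORD = 1 << 32                                   # 4294967296 bytes
PG_INT_MIN, PG_INT_MAX = -(1 << 31), (1 << 31) - 1   # PostgreSQL 'integer' is signed int32
PG_BIGINT_MIN, PG_BIGINT_MAX = -(1 << 63), (1 << 63) - 1


def split_gigawords(total_bytes):
    """Split a 64-bit byte count into (gigawords, low 32 bits).
    RouterOS reads Mikrotik-Recv-Limit as the low half and
    Mikrotik-Recv-Limit-Gigawords as bits 32..63 (same for Xmit)."""
    if not 0 <= total_bytes < 1 << 64:
        raise ValueError("byte count must fit in 64 bits")
    return total_bytes >> 32, total_bytes & (GIGAWORD - 1)


def combine_gigawords(gigawords, octets):
    """Inverse of split_gigawords: the (gw << 32) + octets expression the
    accounting query uses for AcctInputOctets / AcctOutputOctets."""
    return (gigawords << 32) + octets


def pg_int_type_for(value):
    """Narrowest PostgreSQL integer type that holds value. 2163214239 needs
    bigint, which is why the '::integer' cast raised SQLSTATE 22003; the
    default schema's NASPortId is VARCHAR, so no cast is needed at all."""
    if PG_INT_MIN <= value <= PG_INT_MAX:
        return "integer"
    if PG_BIGINT_MIN <= value <= PG_BIGINT_MAX:
        return "bigint"
    return "numeric"


def users_file_entry(username, password, recv_bytes, xmit_bytes):
    """Render a FreeRADIUS users-file entry capping traffic both ways.
    Only the non-zero halves of each limit are emitted, as in the reply
    above where only the Gigawords attributes were set."""
    reply = []
    for name, total in (("Recv", recv_bytes), ("Xmit", xmit_bytes)):
        gigawords, low = split_gigawords(total)
        if gigawords:
            reply.append("Mikrotik-%s-Limit-Gigawords := %d" % (name, gigawords))
        if low:
            reply.append("Mikrotik-%s-Limit := %d" % (name, low))
    lines = ['%s\tCleartext-Password := "%s"' % (username, password)]
    # reply items are comma-separated; the last one carries no comma
    lines += ["\t%s%s" % (item, "," if i < len(reply) - 1 else "")
              for i, item in enumerate(reply)]
    return "\n".join(lines)
```

`users_file_entry("bob", "s3cret", 6 * GIGAWORD, 6 * GIGAWORD)` reproduces the two Gigawords lines from the RouterOS reply, and `pg_int_type_for(2163214239)` returns `"bigint"`.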