Re: Assert Failed on Proxing
I've also tried to install from the source... but with no success. This is the error I get after the install:

# radiusd -X
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.12.so: cannot open shared object file: No such file or directory

There were no errors in the configure, make or make install procedures. Also, the old freeradius is still there, working. Can you help me?
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4952896.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Assert Failed on Proxing
So...i've followed the instructions on this link.( http://wiki.freeradius.org/Build#Building+Debian+packages )..but compilation give me this error, libssl-dev is installed:
Re: Assert Failed on Proxing
Obviously, Phil... my question, not well explained, was about upgrading the package. Can I be sure that with this procedure I will have freeradius upgraded, or two versions of FR installed? Maybe this is another basic question... but are you sure that I will get no problems with any dependencies? Thanks a lot
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924856.html
Re: Assert Failed on Proxing
http://packages.debian.org/search?keywords=freeradius
In this link I can't find any version to upgrade to from 2.1.10. Can you tell me how to upgrade to 2.1.12? Thanks
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924574.html
Re: Assert Failed on Proxing
http://wiki.freeradius.org/Debian
Can I go for it?
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924551.html
Re: Assert Failed on Proxing
ii  freeradius             2.1.10+dfsg-2  a high-performance and highly configurable RADIUS server
ii  freeradius-common      2.1.10+dfsg-2  FreeRADIUS common files
ii  freeradius-postgresql  2.1.10+dfsg-2  PostgreSQL module for FreeRADIUS server
ii  freeradius-utils       2.1.10+dfsg-2  FreeRADIUS client utilities

These are the packages installed on a Debian 6 by apt-get.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924546.html
Assert Failed on Proxing
Hi all,
As you can see from the attached log, I was trying to do some proxy tests; the server crashed attempting to proxy against a non-running freeradius proxy (I was only testing the proxy action, not authentication on other FR servers). Is it normal?

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.25.18.123 port 39869, id=98, length=215
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "40:61:86:9C:6D:F9"
    Called-Station-Id = "hotspot1"
    NAS-Port-Id = "wlan1"
    User-Name = "ap...@newradius.it"
    NAS-Port = 2150629460
    Acct-Session-Id = "80300054"
    Framed-IP-Address = 10.29.66.3
    Vendor-14988-Attr-10 = 0x0a1d4203
    CHAP-Challenge = 0xb68620a7e997208ee43593bf739602b6
    CHAP-Password = 0x563096c0c85e3e1b1bec92d585dc44496b
    Service-Type = Login-User
    WISPr-Logoff-URL = "http://10.29.66.1/logout"
    NAS-Identifier = "AP Test Vincenzo"
    NAS-IP-Address = 172.25.18.123
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy auth_by_SSID {...}
+++? if (Called-Station-Id != /:WiNET-TR5G/ && User-Name =~ /cpe/ )
? Evaluating (Called-Station-Id != /:WiNET-TR5G/ ) -> TRUE
? Evaluating (User-Name =~ /cpe/) -> FALSE
+++? if (Called-Station-Id != /:WiNET-TR5G/ && User-Name =~ /cpe/ ) -> FALSE
++- policy auth_by_SSID returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.25.18.123/auth-detail-20111021
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.25.18.123/auth-detail-20111021
[auth_log] expand: %t -> Fri Oct 21 11:57:05 2011
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "newradius.it" for User-Name = "ap...@newradius.it"
[suffix] Found realm "newradius.it"
[suffix] Adding Stripped-User-Name = "apepa"
[suffix] Adding Realm = "newradius.it"
[suffix] Proxying request from user apepa to realm newradius.it
[suffix] Preparing to proxy authentication request to realm "newradius.it"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{Stripped-User-Name} -> apepa
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> apepa
[sql] sql_set_user escaped user --> 'apepa'
rlm_sql (sql): Reserving sql socket id: 43
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='apepa' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='apepa' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'TNNET' ORDER BY id
rlm_sql_postgresql: query: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'TNNET' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in group TNNET
[sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = 'TNNET' ORDER BY id
rlm_sql_postgresql: query: SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHER
Re: Debug mode doesn't start
Yes, you're right! Debug helps if one knows what to look for... ;-) It was a ctrl+v ctrl+c keyboard-user synchronization problem...
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Debug-mode-doesn-t-start-tp4879265p4879329.html
Debug mode doesn't start
http://freeradius.1045715.n5.nabble.com/file/n4879265/proxy.conf proxy.conf
hi all, After some modification to the proxy.conf freeradius doesn't start anymore terminating without errors or messages what is going wrong?:
root@host:/etc/freeradius# /usr/sbin/freeradius -X
Re: Authentications types by usernames
Hi Fajar, could be... but I cannot control all the types of authentication that can happen to be configured; I'm looking for some default value that cannot be changed by users.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authentications-types-by-usernames-tp4852921p4853865.html
Re: Authentications types by usernames
Yes, there are two kinds of Mikrotik NAS: one is a CPE to connect users' LAN by a 5GHz wireless bridge and the other is a classical access point to give access to wireless clients. I've inserted this at the end of the policy section in policy.conf but it seems not to be read: I can still get authenticated with user usercpe01 on a 2.4GHz access point that has Called-Station-Id = hotspot1

if(Called-Station-Id =~ /:([^:]*)^/){
    switch "%{1}" {
        case 'hotspot1' {
            if(User-Name = 'usercpe01'){
                reject
            }
        }
        case 'WiNET-TR5G' {
            if(User-Name != 'usercpe01'){
                reject
            }
        }
    }
}
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authentications-types-by-usernames-tp4852921p4853837.html
Re: Authentications types by usernames
http://freeradius.1045715.n5.nabble.com/file/n4853189/connection5g.log connection5g.log
http://freeradius.1045715.n5.nabble.com/file/n4853189/connection24.log connection24.log
These are the logs. I can't see any connect-info attribute. Do I have to add it as a reply attribute or in the NAS config?
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authentications-types-by-usernames-tp4852921p4853189.html
Authentications types by usernames
Hi All, I'm using Freeradius 2.1. Users that connect to my network by wireless clients at 2.4GHz get authenticated by username and password, but there are also CPEs that connect at 5GHz and authenticate themselves by username and EAP to give access to wired LAN users (not supplicants). Is it possible to deny usernames used by CPEs on the 2.4GHz net? Can I force usernames used on CPEs only to pass the EAP auth too? If yes... how? Is it a matter of policy.conf? Thanks
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authentications-types-by-usernames-tp4852921p4852921.html
Re: EAP authentication accept, user not found
Hi, I'm having the same problem on another Freeradius 1.1.6. I tried to modify it in the same way but I don't know where to insert the eap action; there is no policy.conf file and I cannot find the same configurations in other files. I can't upgrade this freeradius, also because it has been heavily modified by other consultants, including default tables and queries. Is it possible to do the same thing in this version? Where do I have to modify? Thanks
--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4845036.html
Re: EAP authentication accept, user not found
Hi Arran, thank you, that works great!
--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4842017.html
Re: EAP authentication accept, user not found
http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log
In the attached file is the complete log; I didn't notice before that the process was so long.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4841780.html
EAP authentication accept, user not found
Hi all,
I'm wondering if my freeradius is acting correctly against the request below. This Mikrotik CPE is authenticating by an EAP certificate, and a username with password is requested. The problem is that the CPE is authenticated with every username that doesn't exist in radcheck. Why does FR authenticate even with a nonexistent username?

rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162, length=175
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "test155"
    State = 0x06c5601b03c36da7f69234e83e184b70
    NAS-Port-Id = "wlan2"
    Calling-Station-Id = "00-0C-42-B3-D1-F5"
    Called-Station-Id = "00-80-48-60-66-D9:WiNET-TR5G506106"
    EAP-Message = 0x020600060d00
    Message-Authenticator = 0xd549039a41edfd3e25ff22bdb1f16d60
    NAS-Identifier = "ced-wl3"
    NAS-IP-Address = 10.25.66.8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log] expand: %t -> Mon Sep 26 16:35:21 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test155", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> test155
[sql] sql_set_user escaped user --> 'test155'
rlm_sql (sql): Reserving sql socket id: 19
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 19
[sql] User test155 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 162 to 10.25.66.8 port 56485
    MS-MPPE-Recv-Key = 0xd020f7a2efbb05c6fb255fe6665a12f09f354bdaa6d01b3d5d2c0786b07ca440
    MS-MPPE-Send-Key = 0xa77aaf208423b318ff7f482401d4468af3f9248cbdb611857a5f356bea7725ca
    EAP-Message = 0x03060004
    Message-Authenticator = 0x
    User-Name = "test155"
Finished request 69.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4841666.html
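The trace in the post above shows a pattern worth alerting on: every user lookup in authorize comes back empty (`++[files] returns noop`, `++[sql] returns notfound`), yet the EAP-TLS exchange, which rests on the client certificate, still ends in `Login OK` for that User-Name. As an added example (not part of the original post and not FreeRADIUS code), this Python script parses `radiusd -X` output and reports such accepts; the sample log is constructed in the format of the post, and `LOOKUP_MODULES` is an assumption about which modules hold the user records.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the `radiusd -X` trace from the post:
# request 1 mirrors it, requests 2 and 3 are invented for contrast.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162, length=175
\tUser-Name = "test155"
\tEAP-Message = 0x020600060d00
+- entering group authorize {...}
++[eap] returns updated
++[files] returns noop
[sql] User test155 not found
++[sql] returns notfound
Found Auth-Type = EAP
+- entering group authenticate {...}
[tls] processing EAP-TLS
++[eap] returns ok
Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
Sending Access-Accept of id 162 to 10.25.66.8 port 56485
\tUser-Name = "test155"
Finished request 69.
rad_recv: Access-Request packet from host 10.25.66.8 port 56486, id=163, length=175
\tUser-Name = "usercpe01"
+- entering group authorize {...}
++[eap] returns updated
++[files] returns noop
[sql] User found in radcheck table
++[sql] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
++[eap] returns ok
Sending Access-Accept of id 163 to 10.25.66.8 port 56486
Finished request 70.
rad_recv: Access-Request packet from host 172.25.18.123 port 39870, id=99, length=90
\tUser-Name = "ghost"
+- entering group authorize {...}
++[files] returns noop
++[sql] returns notfound
Sending Access-Reject of id 99 to 172.25.18.123 port 39870
Finished request 71.
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
SECTION = re.compile(r"^\+- entering group (\S+)")
RCODE = re.compile(r"^\++\[([\w.-]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")

LOOKUP_MODULES = ("files", "sql")   # assumption: modules that hold user records
FOUND = {"ok", "updated"}           # return codes meaning "an entry matched"


@dataclass
class Request:
    code: str
    host: str
    packet_id: int
    attrs: dict = field(default_factory=dict)
    rcodes: dict = field(default_factory=dict)  # (section, module) -> return code
    auth_type: str = ""
    reply: str = ""


def parse_debug_log(text):
    """Split debug output into requests, one per rad_recv line."""
    requests, cur, section = [], None, ""
    for line in text.splitlines():
        m = RECV.match(line)
        if m:
            cur = Request(m.group(1), m.group(2), int(m.group(3)))
            requests.append(cur)
            section = ""
        elif cur is None:
            continue
        # Indented attributes before any section belong to the request packet;
        # the ones printed after "Sending ..." are reply attributes and are skipped.
        elif not section and not cur.reply and (m := ATTR.match(line)):
            cur.attrs[m.group(1)] = m.group(2).strip('"')
        elif (m := SECTION.match(line)):
            section = m.group(1)
        elif (m := RCODE.match(line)):
            cur.rcodes[(section, m.group(1))] = m.group(2)
        elif (m := AUTH_TYPE.match(line)):
            cur.auth_type = m.group(1)
        elif (m := SENDING.match(line)) and int(m.group(2)) == cur.packet_id:
            cur.reply = m.group(1)
    return requests


def accepted_without_user_record(requests, lookup_modules=LOOKUP_MODULES):
    """Return (user, auth_type, nas_host) for accepts where no lookup module matched."""
    findings = []
    for r in requests:
        if r.code != "Access-Request" or r.reply != "Access-Accept":
            continue
        seen = {m: r.rcodes[("authorize", m)]
                for m in lookup_modules if ("authorize", m) in r.rcodes}
        if seen and not FOUND & set(seen.values()):
            findings.append((r.attrs.get("User-Name", "?"), r.auth_type, r.host))
    return findings


if __name__ == "__main__":
    for user, auth_type, host in accepted_without_user_record(parse_debug_log(SAMPLE_LOG)):
        print(f"ACCEPT without user record: {user} via {auth_type} from NAS {host}")
```

Intermediate EAP rounds end in Access-Challenge and are ignored; only the final Access-Accept of a conversation is evaluated.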
Re: racct and radpostauth
OK, thanks
--
View this message in context: http://freeradius.1045715.n5.nabble.com/racct-and-radpostauth-tp4782906p4786505.html
Re: racct and radpostauth
http://freeradius.1045715.n5.nabble.com/file/n4786389/freeradlogdebug freeradlogdebug
That is the log, and the configs of the jradius simulator. I'm generating a request with the jradius simulator with the auth and start only option.
http://freeradius.1045715.n5.nabble.com/file/n4786389/jradiusreq2.png
http://freeradius.1045715.n5.nabble.com/file/n4786389/jradiusreq2_config.png
--
View this message in context: http://freeradius.1045715.n5.nabble.com/racct-and-radpostauth-tp4782906p4786389.html
Re: racct and radpostauth
Thanks Alan, but I modified only the necessary things in the conf file to make FR work with SQL. Try to think about this situation:
- simultaneous user login is active.
- a NAS sends an auth req
- the user is accepted and logged
- the user logs off but the stop packet doesn't arrive at the server, for a lot of reasons.
- the user retries to log in... maybe from another NAS; we also have NASes that don't communicate the power on/off state
- the user is rejected due to the check on simultaneous login, but looking in radacct we can find two sessions for the same user without stoptime.
With NASes connecting hundreds of clients... this may be a problem. So... is this a behaviour generated only by my test with the jradius simulator? I see now that I mentioned jradius omitting the word simulator before; I'm not using the jradius server but only the simulator to create requests and see the logs.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/racct-and-radpostauth-tp4782906p4786209.html
Re: Error in dialupadmin
Yes, I've passed the same "issue" after the dialup admin installation. But what you're reporting is not an error; it is only the debug info on top of the pages, which will remain there (and shows all the SQL behind) until you remove the sql debug in admin.conf:

# Uncomment to enable sql debug
#
#sql_debug: true

Maybe there is a no-connection error that you didn't paste.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Error-in-dialupadmin-tp4783214p4785752.html
Re: racct and radpostauth
Thanks Fajar, I'll try to implement it this way. I don't want to query the NAS by SNMP; I have so many NASes (and of various vendors), I'm not responsible for their configurations, and there are so many concurrent connections that I prefer not to rely on this.

Arran, I'm sorry if you felt alone sometimes ;-) but as I said to Fajar I've no control over the NAS devices, so I prefer to do all that is possible on the FR server. I was not talking about accounting-request but replies stored in radpostauth, where by default the postauth query stores records with username password op value end date. Maybe, and I'm not an expert in postgresql, it is possible to link these two tables with another ID? I can't see a field to use now; maybe it is possible to add a new field?

I said that because in my tests an access-rejected request is still recorded in the radacct table with a start time and a NULL stoptime, but nothing can link this record to the record in radpostauth (the time is different too), and that record in radacct can be misrepresented as an online user even by the simultaneous user check.

Thanks all for your answers
--
View this message in context: http://freeradius.1045715.n5.nabble.com/racct-and-radpostauth-tp4782906p4785708.html
Re: racct and radpostauth
>> My question is about the correlation between the tables in subject, how can
>> i correlate records without using timestamp but maybe a unique session
>> id?
>
> Use the unique session ID.

OK, but that field is not present in radpostauth either... and I mean... correlate between tables.

>> I think this would be helpful when listing online users, for example
>> when there is no acctstoptime value in radacct and maybe that user in not
>> online anymore,
>
> How do you know?

Doing the tests with jradius I've noticed that if you send an auth + start request without a stop you can create this situation. This would be the case when the NAS reboots or powers down in the middle of the auth phase, and so you have this kind of entry in the DB.

> Do you want to link postauth records with accounting records using a shared unique ID?

Yes. Rejected auths are not stored but replies are, if configured to log them. Would it be helpful to modify the postauth query to insert the "unique session ID" in a new radpostauth field? I haven't made tests in the real environment till now, and based on my tests I can't see two records in radacct with the same "unique session ID", so I cannot link them.

Finally... I can also check from time to time the packets or byte fields to see if the session is still alive... but this method would not be better than matching with replies in radpostauth, ...I believe.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/racct-and-radpostauth-tp4782906p4785334.html
racct and radpostauth
Hi all, I'm testing freeradius 2 on a Debian 6 with a postgresql DB. My question is about the correlation between the tables in the subject: how can I correlate records without using the timestamp, but maybe a unique session id? I think this would be helpful when listing online users, for example when there is no acctstoptime value in radacct and maybe that user is not online anymore, or just to sort out a list of the access request/accept/reject report not only by timestamp. In Dialupadmin the online user page lists users only by null acctstoptime, but doesn't check (and how would it be possible) if records belong to a rejected request in radpostauth. I'm testing the server not in the real environment but with the jradius simulator, with the "Generate Unique Acct-Session-id" option on.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/racct-and-radpostauth-tp4782906p4782906.html