reset sql counter every 30 minute
Hi

Is it possible to reset the sql counter every 30 minutes? Basically, I need to get the user free access of 20 minutes; after 20 minutes the NAS will log out the user. And the user is allowed to log in again after 30 minutes.

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxy same realm but different authentication protocol to different server
Due to some limitation, my partner is using two different servers to handle different auth-types (PAP / EAP), said server1 only takes PAP and cannot handle EAP, server 2 takes EAP and cannot handle PAP. But their users (realm xyz.com) logging in at my location may be authenticated by PAP or EAP, depending on what kind of services they've selected. My challenge is how to proxy the same realm to two different servers depending on the auth-type.

- Original Message
From: Alan Buxey
To: FreeRadius users mailing list
Sent: Fri, January 29, 2010 5:52:11 AM
Subject: Re: proxy same realm but different authentication protocol to different server

Hi,

> Hi
>
> do u mean at proxy.conf

yes - but for 2 servers, you want to use the server pool method (with 2.1.x)

> then at "authorize" section

yep

alan
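A sketch of the layout Alan Buxey points to above (server pools in proxy.conf, then a check at the end of the authorize section), added here as an example and not taken from the thread. The realm, pool and home server names are hypothetical, the secrets are placeholders, which address takes PAP and which takes EAP is an assumption, and the test on EAP-Message (instead of Auth-Type) is this example's choice; only authentication is covered, not accounting.

```conf
# ---- raddb/proxy.conf ------------------------------------------------
# Assumption: 123.123.123.1 accepts only PAP/CHAP and 123.123.123.2
# accepts only EAP. Swap the addresses if it is the other way round.
home_server xyz_pap_server {
	type   = auth
	ipaddr = 123.123.123.1
	port   = 1812
	secret = CHANGE_ME_PAP		# placeholder shared secret
}

home_server xyz_eap_server {
	type   = auth
	ipaddr = 123.123.123.2
	port   = 1812
	secret = CHANGE_ME_EAP		# placeholder shared secret
}

home_server_pool xyz_pap_pool {
	type        = fail-over
	home_server = xyz_pap_server
}

home_server_pool xyz_eap_pool {
	type        = fail-over
	home_server = xyz_eap_server
}

# Two internal realm names (hypothetical) behind the single user-visible
# realm xyz.com. "nostrip" forwards the User-Name unchanged.
realm xyz_pap {
	auth_pool = xyz_pap_pool
	nostrip
}

realm xyz_eap {
	auth_pool = xyz_eap_pool
	nostrip
}

# ---- raddb/sites-enabled/default: last entry inside authorize { } ------
# Only users of xyz.com are redirected; every other request is untouched.
if ("%{User-Name}" =~ /@xyz\.com$/) {
	# An EAP conversation always carries EAP-Message in the request.
	if (EAP-Message) {
		update control {
			Proxy-To-Realm := "xyz_eap"
		}
	}
	# Everything that is not EAP (PAP, CHAP) goes to the other server.
	else {
		update control {
			Proxy-To-Realm := "xyz_pap"
		}
	}
}
```

Run the server with -X after the change and confirm in the debug output that a PAP test login and an EAP login are each sent to the intended home server.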
Re: proxy same realm but different authentication protocol to different server
Hi

do u mean at proxy.conf

    realm xyz.com {
        type= radius
        authhost= 123.123.123.1:1812
        accthost= 123.123.123.1:1813
        secret = password
        nostrip
    }

    realm xyz.com {
        type= radius
        authhost= 123.123.123.2:1812
        accthost= 123.123.123.2:1813
        secret = password
        nostrip
    }

then at "authorize" section

    if (control:Auth-Type := "EAP") {
    update control {
    {
    Proxy-To-Realm == "xyz.com"
    }

    if (control:Auth-Type := "PAP") {
    update control {
    {
    Proxy-To-Realm == "xyz.com"
    }

??? sound no logic, I'm really confused right now.

thanks

- Original Message
From: Alan DeKok
To: FreeRadius users mailing list
Sent: Fri, January 29, 2010 12:38:25 AM
Subject: Re: proxy same realm but different authentication protocol to different server

piston wrote:
> I've try below at the end of authorize section
>
> if (control:Auth-Type := "EAP") {
> update control {
>{
> Proxy-To-Realm == "xyz.com"
> }
> realm xyz.com {

Uh... the "realm" configuration goes into raddb/proxy.conf. It doesn't go into the "authorize" section.

Alan DeKok.
Re: proxy same realm but different authentication protocol to different server
I've tried below at the end of authorize section

    if (control:Auth-Type := "EAP") {
    update control {
    {
    Proxy-To-Realm == "xyz.com"
    }
    realm xyz.com {
    type= radius
    authhost= 123.123.123.1:1812
    accthost= 123.123.123.1:1813
    secret = password
    nostrip
    }
    }

    if (control:Auth-Type := "PAP") {
    update control {
    {
    Proxy-To-Realm == "xyz.com"
    }
    realm xyz.com {
    type= radius
    authhost= 123.123.123.2:1812
    accthost= 123.123.123.2:1813
    secret = password
    nostrip
    }
    }

Got error while starting up freeradius

    Error: /etc/freeradius/sites-enabled/default[212]: ERROR: No value given for attribute {
    Error: /etc/freeradius/sites-enabled/default[211]: Failed to parse "update" subsection.
    Error: /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.

What is my mistake?

Thanks
KH

- Original Message
From: Alan Buxey
To: FreeRadius users mailing list
Sent: Fri, December 18, 2009 4:22:39 AM
Subject: Re: proxy same realm but different authentication protocol to different server

Hi,

> Am I possible to do these?
>
> 1. proxy realm xyz.com (PAP/CHAP) to server#1
>
> 2. proxy realm xyz.com (PEAP) to server#2

yes, in many varied ways

you could do a check of Auth-Type at the end of the authorise section..and then if realm = xyz.com update the control to proxy to server1 if its PAP or CHAP or if its EAP then proxy it to server2

alan
Re: freeradius 2.1.8 : No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thanks for your advice, learned a lot.

- Original Message
From: Josip Rodin
To: FreeRadius users mailing list
Sent: Sat, January 16, 2010 3:59:19 AM
Subject: Re: freeradius 2.1.8 : No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

On Fri, Jan 15, 2010 at 08:55:24AM -0800, piston wrote:
> i don't even know how i managed to delete all virtual server, managed to
> solved the problem by copy back entire freeradius folder under /etc/
>
> upgrade from 2.1.6 > 2.1.7 > 2.1.8 prelease was very smooth without
> problem, basically i just executed dpkg -i command,but this time no luck.

If you used dpkg -i, you might not have noticed the new freeradius-common package.

In the future, to install/upgrade FreeRADIUS packages on Debian(-like) systems, just use the standard official repositories with APT, so that you get the tested packages with all the necessary dependencies resolved automatically.

We haven't had 2.1.6 and earlier 2.1.x versions in there, but now we do.

Also if you're running the stable distribution - the Debian packages built (backported) for release 5.0/lenny are available at the standard place: http://www.backports.org/

One just has to add another line to sources.list(5) and use the target release 'lenny-backports'.

--
2. That which causes joy or happiness.
Re: freeradius 2.1.8 : No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
I don't even know how I managed to delete all virtual servers, managed to solve the problem by copying back the entire freeradius folder under /etc/

upgrade from 2.1.6 > 2.1.7 > 2.1.8 prelease was very smooth without problem, basically I just executed the dpkg -i command, but this time no luck.

anyway thanks for your answer.

KH

- Original Message
From: Alan DeKok
To: FreeRadius users mailing list
Sent: Fri, January 15, 2010 3:10:12 PM
Subject: Re: freeradius 2.1.8 : No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

piston wrote:
> hi
>
> after upgrade 2.1.8 prelease to 2.1.8, i get No authenticate method
> (Auth-Type) configuration found for the request: Rejecting the user

You have managed to delete all of the virtual servers from raddb/sites-enabled.

Alan DeKok.
freeradius 2.1.8 : No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
hi

after upgrade 2.1.8 prelease to 2.1.8, i get No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

please help.

here's my debug info

    radius2:/etc/freeradius# freeradius -Xxx
    Fri Jan 15 02:21:01 2010 : Info: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 15 2010 at 00:56:39
    Fri Jan 15 02:21:01 2010 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    Fri Jan 15 02:21:01 2010 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    Fri Jan 15 02:21:01 2010 : Info: PARTICULAR PURPOSE.
    Fri Jan 15 02:21:01 2010 : Info: You may redistribute copies of FreeRADIUS under the terms of the
    Fri Jan 15 02:21:01 2010 : Info: GNU General Public License v2.
    Fri Jan 15 02:21:01 2010 : Info: Starting - reading configuration files ...
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/radiusd.conf
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/proxy.conf
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/clients.conf
    Fri Jan 15 02:21:01 2010 : Debug: including files in directory /etc/freeradius/modules/
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/preprocess
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/always
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/logintime
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/smbpasswd
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/counter
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/detail
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/digest
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/smsotp
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/cui
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/realm
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/mschap
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/ippool
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/expr
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/attr_rewrite
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/linelog
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/attr_filter
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/inner-eap
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/unix
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/otp
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/sql_log
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/ntlm_auth
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/etc_group
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/perl
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/policy
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/chap
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/exec
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/echo
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/detail.example.com
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/sradutmp
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/krb5
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/expiration
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/pam
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/checkval
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/acct_unique
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/passwd
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/mac2vlan
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/wimax
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/files
    Fri Jan 15 02:21:01 2010 : Debug: including configuration file /etc/freeradius/modules/mac2ip
    Fri Jan 15 02:21:01 2010 : Debug: including configur
Re: FreeRADIUS Server version 2.1.8 problem with Debian 5 64bit
It works! thanks.

- Original Message
From: Alexander Clouter
To: freeradius-users@lists.freeradius.org
Sent: Fri, January 1, 2010 1:19:17 AM
Subject: Re: FreeRADIUS Server version 2.1.8 problem with Debian 5 64bit

piston wrote:
>
> Trying to compile at my Debian 5 64bit server but fail.
> No issue during compiling pre 2.1.8.
>
> dpkg-buildpackage -b -uc
> dpkg-buildpackage: set CFLAGS to default value: -g -O2
> dpkg-buildpackage: set CPPFLAGS to default value:
> dpkg-buildpackage: set LDFLAGS to default value:
> dpkg-buildpackage: set FFLAGS to default value: -g -O2
> dpkg-buildpackage: set CXXFLAGS to default value: -g -O2
> dpkg-buildpackage: source package freeradius
> dpkg-buildpackage: source version 2.1.8+git
> dpkg-buildpackage: source changed by Josip Rodin
> dpkg-buildpackage: host architecture amd64
> dpkg-checkbuilddeps: Unmet build dependencies: quilt <--
> dpkg-buildpackage: warning: Build dependencies/conflicts unsatisfied; aborting.
> dpkg-buildpackage: warning: (Use -d flag to override.)
>

Maybe I'm just being stupid but dare I suggest you read the error message and type 'aptitude install quilt'?

Cheers

--
Alexander Clouter
.sigmonster says: Misuse may cause suffocation.
FreeRADIUS Server version 2.1.8 problem with Debian 5 64bit
Hi Alan

Trying to compile at my Debian 5 64bit server but fail. No issue during compiling pre 2.1.8.

    dpkg-buildpackage -b -uc
    dpkg-buildpackage: set CFLAGS to default value: -g -O2
    dpkg-buildpackage: set CPPFLAGS to default value:
    dpkg-buildpackage: set LDFLAGS to default value:
    dpkg-buildpackage: set FFLAGS to default value: -g -O2
    dpkg-buildpackage: set CXXFLAGS to default value: -g -O2
    dpkg-buildpackage: source package freeradius
    dpkg-buildpackage: source version 2.1.8+git
    dpkg-buildpackage: source changed by Josip Rodin
    dpkg-buildpackage: host architecture amd64
    dpkg-checkbuilddeps: Unmet build dependencies: quilt
    dpkg-buildpackage: warning: Build dependencies/conflicts unsatisfied; aborting.
    dpkg-buildpackage: warning: (Use -d flag to override.)

    dpkg-buildpackage -b -uc -d
    dpkg-buildpackage: set CFLAGS to default value: -g -O2
    dpkg-buildpackage: set CPPFLAGS to default value:
    dpkg-buildpackage: set LDFLAGS to default value:
    dpkg-buildpackage: set FFLAGS to default value: -g -O2
    dpkg-buildpackage: set CXXFLAGS to default value: -g -O2
    dpkg-buildpackage: source package freeradius
    dpkg-buildpackage: source version 2.1.8+git
    dpkg-buildpackage: source changed by Josip Rodin
    dpkg-buildpackage: host architecture amd64
    debian/rules clean
    debian/rules:52: /usr/share/quilt/quilt.make: No such file or directory
    make: *** No rule to make target `/usr/share/quilt/quilt.make'. Stop.
    dpkg-buildpackage: failure: debian/rules clean gave error exit status 2

KH
Re: proxy same realm but different authentication protocol to different server
Hi Alan

Do you mean something like these?

    if (Auth-Type == "PEAP") {
    update control {
    {
    Proxy-To-Realm := "xyz.com"
    }
    realm xyz.com {
    type= radius
    authhost= 123.123.123.1:1812
    accthost= 123.123.123.1:1813
    secret = password
    nostrip
    }
    }
    }

    if (Auth-Type == "PAP") {
    update control {
    {
    Proxy-To-Realm := "xyz.com"
    }
    realm xyz.com {
    type= radius
    authhost= 123.123.123.2:1812
    accthost= 123.123.123.2:1813
    secret = password
    nostrip
    }
    }
    }

Thanks
KH

- Original Message
From: Alan Buxey
To: FreeRadius users mailing list
Sent: Fri, December 18, 2009 4:22:39 AM
Subject: Re: proxy same realm but different authentication protocol to different server

Hi,

> Am I possible to do these?
>
> 1. proxy realm xyz.com (PAP/CHAP) to server#1
>
> 2. proxy realm xyz.com (PEAP) to server#2

yes, in many varied ways

you could do a check of Auth-Type at the end of the authorise section..and then if realm = xyz.com update the control to proxy to server1 if its PAP or CHAP or if its EAP then proxy it to server2

alan
proxy same realm but different authentication protocol to different server
Hi,

Am I possible to do these?

1. proxy realm xyz.com (PAP/CHAP) to server#1
2. proxy realm xyz.com (PEAP) to server#2

I'm using freeradius 2.1.7

Thank you
KH
Re: Pre-release of Version 2.1.8
I guess this version also solved the "ASSERT FAILED event.c[2682]: request->ev != NULL" issue?

- Original Message
From: Bjørn Mork
To: FreeRadius users mailing list
Sent: Sun, December 6, 2009 9:46:38 PM
Subject: Re: Pre-release of Version 2.1.8

Alan DeKok writes:
> Bjørn Mork wrote:
>> Alan DeKok writes:
>>
>>> I've put a pre-release of version 2.1.8 on the web site:
>>>
>>> http://git.freeradius.org/pre/
>>
>> Hmm, they were both a bit small. I see 14 and 20 bytes. Something
>> probably went wrong with the packaging script?
>
> Yup. Let me fix that in a bit...

Looks very promising so far. I've not seen any problems yet. I'd vote for this as the best FreeRADIUS release ever :-)

Bjørn
Re: Proposed release of 2.1.6
Hi,

It's not a major concern, it just happens that it was uncommented in previous versions (from 1.x to 2.1.3), and the change log didn't mention this change. So less experienced freeradius users might have some issue. If you guys think it is fine as it is just ignore it, or at least put a line in the change log.

Thanks

- Original Message
From: Alan DeKok
To: FreeRadius users mailing list
Sent: Wednesday, May 13, 2009 2:17:50 AM
Subject: Re: Proposed release of 2.1.6

piston wrote:
> Dear Alan
>
> Same issue as 2.1.5 (debian OS), $INCLUDE sql.conf is commented by default.
>
> Hope you can take look on this.

Perhaps you could explain why this is a problem, and what you would like me to do about it.

Again... it's only a *DEFAULT* configuration. It is not meant to be used when you upgrade from one version to another.

If you want to enable SQL, you already have to un-comment the various "sql" entries in raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel. Is uncommenting one more in radiusd.conf that much of an issue?

Alan DeKok.
Re: Proposed release of 2.1.6
Dear Alan

Same issue as 2.1.5 (debian OS), $INCLUDE sql.conf is commented by default.

Hope you can take look on this.

Thanks

- Original Message
From: Alan DeKok
To: FreeRadius users mailing list
Sent: Tuesday, May 12, 2009 9:33:04 PM
Subject: Proposed release of 2.1.6

We plan on releasing 2.1.6 this week. Please test the pre release at:

http://git.freeradius.org/pre/

If there are any concerns, problems, errors, etc., please let us know before we release the final version.

Alan DeKok.
Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.
Thanks. Got it resolved. By the way, is this version of freeradius 2.1.4 or 2.1.5? A bit confused here.

From: Marinko Tarlac
To: FreeRadius users mailing list
Sent: Monday, April 13, 2009 3:20:08 PM
Subject: Re: Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.

Similar problem here...

$INCLUDE sql.conf was commented in modules section

Removing # was the solution. By default, this was ok in older versions.

On Mon, Apr 13, 2009 at 7:42 AM, piston wrote:
> IBM x3550 server install Debian lenny.
> Download freeradius from ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.4.tar.gz, compile and install.
>
> Question:
> 1. freeradius -v showing freeradius 2.1.5, was this correct?
> 2. trying to using mysql as database, uncomment sql in site-available/default, running debug mode got such error
>    /etc/freeradius/sites-enabled/default[152]: Failed to find module "sql".
>    /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
> 3. On the same server download, compile & install freeradius 2.1.3 with mysql, no problem.
>
> What could be the problem on the version 2.1.4/2.1.5?
>
> Thank you
Debian lenny with freeradius 2.1.4/2.1.5 sql module fail.
IBM x3550 server install Debian lenny.
Download freeradius from ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.4.tar.gz, compile and install.

Question:
1. freeradius -v showing freeradius 2.1.5, was this correct?
2. trying to using mysql as database, uncomment sql in site-available/default, running debug mode got such error
   /etc/freeradius/sites-enabled/default[152]: Failed to find module "sql".
   /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
3. On the same server download, compile & install freeradius 2.1.3 with mysql, no problem.

What could be the problem on the version 2.1.4/2.1.5?

Thank you
Re: proxy questions
You should also uncomment or add IPASS under the authorize section and preacct section.

Good luck!

- Original Message
From: Sebastien Boucher
To: freeradius-users@lists.freeradius.org
Sent: Thursday, March 26, 2009 12:05:22 AM
Subject: proxy questions

i don't know if this was asked before but here it goes :

we are currently using FreeRADIUS Version 1.1.1 that authenticates local users via LDAP

I am trying to setup an IPASS realm for another company and can't get any success .. here is what i have done so far:

i have the following in radiusd.conf

    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = yes
        ignore_null = yes
    }

i also uncommented IPASS in authorize and preacct

and this is what i have in proxy.conf

    realm IPASS {
        type = radius
        authhost = server.ip.here:1812
        accthost = server.ip.here:1813
        secret =
        retry_delay = 10
        retry_count = 3
        dead_time= 1
        nostrip
    }

    realm NULL {
        type= radius
        authhost= LOCAL
        accthost= LOCAL
    }

this what i get when i run radiusd in debug :

    rad_recv: Access-Request packet from host nas.ip.address:1645, id=82, length=168
        Framed-Protocol = PPP
        User-Name = "IPASS/u...@company.com"
        User-Password = "somepassword"
        Called-Station-Id = "5143174746"
        Calling-Station-Id = "5148776026"
        Cisco-NAS-Port = "Async1/8/97"
        NAS-Port = 3013
        NAS-Port-Type = Async
        Service-Type = Framed-User
        NAS-IP-Address = nas.ip.address
        Acct-Session-Id = "0017A2FD"
        NAS-Identifier = "NAS01.MTLCNDS."
    rlm_ldap: Entering ldap_groupcmp()
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: Entering ldap_groupcmp()
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for IPASS/u...@company.com
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    Sending Access-Reject of id 82 to 206.80.253.252 port 1645

i am sure i am missing something .. if i understand radius is trying to validate it in LDAP before sending the proxy request to the other server

any help would be very appreciated

thanks
seb
How to prevent endless proxy looping
Hi.

I have an endless proxy looping problem.

1. problem username format: use...@my-realm@other-realm
2. on the freeradius, I proxy (nostrip) suffix @other-realm to partner's radiator radius server
3. my partner then proxies back (nostrip) the same username based on @my-realm to my freeradius
4. so this username use...@my-realm@other-realm is bouncing in between my radius and my partner's radius endlessly
5. both my partner and I cannot change the way we proxy, because it will impact other proxies.

Is there any parameter which I can configure to terminate such proxy traffic?

Thank you
Re: Version 2.1.4 has been released
Dear Alan

You might consider taking a look at the mysql module on freeradius 2.1.4. I have tried with Debian Lenny + mysql, error: mysql module not found. Same machine with 2.1.3, no such issue.

Thanks

- Original Message
From: Johan Meiring
To: FreeRadius users mailing list
Cc: a.l.m.bu...@lboro.ac.uk
Sent: Thursday, March 12, 2009 2:58:28 PM
Subject: Re: Version 2.1.4 has been released

Alan DeKok wrote:
> Alan DeKok wrote:
>> It's about time we have a formal testing process. I have some hosted
>> machines with spare cycles.
>>
>> I'll install CruiseControl...
>
> Nope.
>
> After a quick review of "continuous integration" systems:
> .
>
> I think it's easier just to write a few shell scripts && a cron job,
> to do daily builds.
>

Suggest the following (similar to what samba does).

When you are ready to release, you simply "snapshot" a rc1. (downloadable source.tar.gz), with suitable "not for production" warnings.

Everyone then tries to install it on their production server immediately (because they LOVE the new features).

You then get some very good testing for a week.

If there are no complaints you release a production version.

Cheers,

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: radius proxy senario
Thanks Alan

With this:

    if ("%{User-Name}" =~ /^ABC\//) {
        update request {
            Realm := 'another_realm'
        }
    }

The regex is working by now, but the other problem exist, the rewrite not working properly.

freeradius acct log shown that:

    Tue Mar 10 00:30:54 2009
        Packet-Type = Access-Request
        User-Name = "ABC/use...@my_realm"
        NAS-Port = 101
        NAS-IP-Address = 192.168.168.7
        Stripped-User-Name = "use...@my_realm"
        Realm = "another_realm"

Debug log:

    rad_recv: Access-Request packet from host 192.168.168.7 port 3185, id=126, length=65
        User-Name = "ABC/use...@my_realm"
        User-Password = "test"
        NAS-Port = 101
    +- entering group authorize {...}
    [preprocess] hints: Matched DEFAULT at 79
    ++[preprocess] returns ok
    ++? if ("%{User-Name}" =~ /^ABC\//)
        expand: %{User-Name} -> ABC/use...@my_realm
    ? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE
    ++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE
    ++- entering if ("%{User-Name}" =~ /^ABC\//) {...}
    +++[request] returns ok
    ++- if ("%{User-Name}" =~ /^ABC\//) returns ok
    [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
    [auth_log] expand: %t -> Tue Mar 10 00:22:03 2009
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [ABC] No '/' in User-Name = "use...@my_realm", looking up realm NULL
    [ABC] No such realm "NULL"
    ++[ABC] returns noop

if i modify as

    if ("%{User-Name}" =~ /^ABC\//) {
        update request {
            User-Name := 'use...@another_realm'
        }
    }

radcct log:

    Tue Mar 10 00:38:39 2009
        Packet-Type = Access-Request
        User-Name = "use...@another_realm"
        NAS-Port = 101
        NAS-IP-Address = 192.168.168.7

Debug log:

    rad_recv: Access-Request packet from host 192.168.168.7 port 3226, id=134, length=65
        User-Name = "ABC/use...@my_realm"
        User-Password = "test"
        NAS-Port = 101
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++? if ("%{User-Name}" =~ /^ABC\//)
        expand: %{User-Name} -> ABC/use...@my_realm
    ? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE
    ++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE
    ++- entering if ("%{User-Name}" =~ /^ABC\//) {...}
    +++[request] returns ok
    ++- if ("%{User-Name}" =~ /^ABC\//) returns ok
    [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
    [auth_log] expand: %t -> Tue Mar 10 00:38:39 2009
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [ABC] No '/' in User-Name = "use...@another_realm", looking up realm NULL
    [ABC] No such realm "NULL"
    ++[ABC] returns noop
    [suffix] Looking up realm "another_realm" for User-Name = "use...@another_realm"
    [suffix] Found realm "another_realm"
    [suffix] Adding Stripped-User-Name = "userid"
    [suffix] Adding Realm = "another_realm"
    [suffix] Proxying request from user userid to realm another_realm
    [suffix] Preparing to proxy authentication request to realm "another_realm"

Question is, how to update the user-name accordingly?

Thanks
Piston

- Original Message
From: "a.l.m.bu...@lboro.ac.uk"
To: FreeRadius users mailing list
Sent: Monday, March 9, 2009 8:38:25 PM
Subject: Re: radius proxy senario

Hi,

> if ("%{User-Name}" =~ /"^ABC\/"/ ) {

if ("%{User-Name}" =~ /^ABC\// ) {

read a few online regex resources.

> ++? if ("%{User-Name}" =~ /"^ABC\/"/)
> expand: %{User-Name} -> ABC/use...@my_realm
> ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
> ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE

this clearly states that the regex didnt match. you should scratch your head, ponder why, then check your regex.

there are some current quirks and bugs in 2.1.3 with regex - but this sort of form works in 2.1.3 okay ( i have several running)

your summary is right though - logically its all okay in your head - you look for stuff beginning with ABC and then rewrite that logically (not for real!) in the engine to be @another_realm which the realm module then handles.

alan
Re: radius proxy senario
I have tried both

    if ("%{User-Name}" =~ /"^ABC\/"/ ) {
        update control {
            Realm := 'another_realm'
        }
    }

    if ("%{User-Name}" =~ /"^ABC\/"/ ) {
        update request {
            Realm := 'another_realm'
        }
    }

Still not working. Just to make sure I'm not understanding wrongly: in the ideal case, when receiving access request ABC/use...@my_realm, I should be able to transform this login id to use...@another_realm, and proxy the login id based on another_realm at proxy.conf. Debug log as below:

    rad_recv: Access-Request packet from host 192.168.168.7 port 2469, id=42, length=65
            User-Name = "ABC/use...@my_realm"
            User-Password = "test"
            NAS-Port = 100
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++? if ("%{User-Name}" =~ /"^ABC\/"/)
            expand: %{User-Name} -> ABC/use...@my_realm
    ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
    ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.

Thank you
Piston

- Original Message
From: "a.l.m.bu...@lboro.ac.uk"
To: FreeRadius users mailing list
Sent: Monday, March 9, 2009 5:16:35 PM
Subject: Re: radius proxy senario

Hi,

> Hi
>
> I'm putting the following code under /etc/freeradius/site-available/default,
> authorize section just after preprocess
>
> if (User-Name =~ "^ABC\/") {
> update control {
> Realm == "%another_realm"}
> }
>
> But i'm getting such error:
>
> Expected regular expression at: "^ABC\/")
> /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
> }
>
> Need some guidance, this is the first time using unlang.

read the main page for unlang and the online documents - snippets of logic code are not to be blindly used verbatim when supplied on this list - however, this is a quick fix so:

    if ("%{User-Name}" =~ /"^ABC\/"/ ) {
        update control {
            Realm := 'another_realm'
        }
    }

however, I'd personally prefer (why? still not sure)

    if ("%{User-Name}" =~ /"^ABC\/"/ ) {
        update request {
            Realm := 'another_realm'
        }
    }

alan
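Added example, not part of the thread and not FreeRADIUS code: a Python model of the routing decision discussed above, showing why the pattern with the double quotes inside the slashes never matches and how an anchored prefix test keeps local xyz.com users from being sent to the partner's server. The function and constant names are hypothetical, and treating the quotes as literal regex characters is an assumption that agrees with the FALSE in the debug output.

```python
import re

LOCAL_REALM = "xyz.com"          # local realm named in the thread
PARTNER_PREFIX = "ABC"           # partner prefix named in the thread
PARTNER_REALM = "another_realm"  # the thread's placeholder for the proxy.conf entry
LOCAL = "LOCAL"                  # hypothetical marker: handle locally, do not proxy

# The pattern as posted. Assumption: the double quotes inside /.../ are taken as
# literal characters, so '^' can never match after the leading quote.
QUOTED = re.compile(r'"^ABC\/"')

# Prefix test without the stray quotes; captures the bare user name.
PARTNER = re.compile(r"%s/([^/@]+)@%s" % (re.escape(PARTNER_PREFIX), re.escape(LOCAL_REALM)))
OWN_USER = re.compile(r"[^/@]+@%s" % re.escape(LOCAL_REALM))


def route(user_name):
    """Return (realm, name_to_send). A realm of None means no route: reject."""
    m = PARTNER.fullmatch(user_name)
    if m:
        # Prefix and suffix stripped before forwarding, as the thread requires.
        return (PARTNER_REALM, m.group(1))
    if OWN_USER.fullmatch(user_name):
        # Local accounts are stored as user@xyz.com, so the name is kept whole.
        return (LOCAL, user_name)
    return (None, user_name)


# Constructed sample names, not taken from any real log.
SAMPLES = [
    "ABC/alice@xyz.com",   # partner customer: proxied as "alice"
    "bob@xyz.com",         # own user: stays local
    "XABC/carol@xyz.com",  # prefix only looks similar: rejected
    "ABC/dave@other.org",  # partner prefix on a foreign realm: rejected
]

if __name__ == "__main__":
    for name in SAMPLES:
        print("%-20s quoted=%-5s route=%s" % (name, bool(QUOTED.search(name)), route(name)))
```

The reject branch matters here: a name that only resembles the partner prefix is neither forwarded to the partner's server nor looked up as a local account.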
Re: radius proxy senario
Hi

I'm putting the following code under /etc/freeradius/site-available/default, authorize section just after preprocess

    if (User-Name =~ "^ABC\/") {
        update control {
            Realm == "%another_realm"}
    }

But I'm getting such an error:

    Expected regular expression at: "^ABC\/")
    /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
    }

Need some guidance, this is the first time using unlang.

Thank you very much.
Piston

- Original Message
From: "a.l.m.bu...@lboro.ac.uk"
To: FreeRadius users mailing list
Sent: Saturday, March 7, 2009 6:15:02 PM
Subject: Re: radius proxy senario

Hi,

> 1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.
>
> 2. My own user's username in mysql radcheck table is store in
> usern...@xyz.com format
>
> 3. A person want me to proxy his prefix ABC/his-customer-usern...@myrealm to
> his radius server, i.e: ABC/his-customer-usern...@xyz.com

nasty. same realm but needs to be handled differently. okay. i'd say use unlang for this. before prefix, realm etc are called in the auth stage, have a check

ie quick pseudo-code whilst i have a coffee

    if (user-name =~ "^ABC\/") {
        update realm == "another_realm"
    }

then in proxy.conf

    another_realm {
        blah blah
    }

ie 'fake' the realm within the FreeRADIUS engine so that it's got its own special entry in proxy.conf

alan
radius proxy senario
Hi

I need some opinions. Condition:

1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.
2. My own users' usernames in the mysql radcheck table are stored in usern...@xyz.com format.
3. A person wants me to proxy his prefix ABC/his-customer-usern...@myrealm to his radius server, i.e: ABC/his-customer-usern...@xyz.com
4. The proxy has to strip both prefix and suffix, which means when an ABC/his-customer-usern...@xyz.com auth request comes in, I have to forward only his-customer-username to his radius.

I know I can use hints to strip his prefix, but I'm stuck at the proxy config. I can't proxy xyz.com to his radius, otherwise my own users' usernames will also be proxied to his radius server.

How can I proxy his-customer-username without messing up my own users' usernames? It sounds a bit stupid, but I'm still keen to find out whether it is possible to achieve the objective or not.

Thanks a lot!!
Piston
Re: freeradius 2.1.1 with ubuntu server 8.04
Dear Alan

Following your guide, I managed to compile debian. Compilation result:

- freeradius_2.1.1-0_i386.deb
- freeradius-postgresql_2.1.1-0_i386.deb
- freeradius-mysql_2.1.1-0_i386.deb
- freeradius-ldap_2.1.1-0_i386.deb
- freeradius-krb5_2.1.1-0_i386.deb
- freeradius-iodbc_2.1.1-0_i386.deb
- freeradius-dialupadmin_2.1.1-0_all.deb
- freeradius-dbg_2.1.1-0_i386.deb

But I notice the freeradius-utils package was not there, how can I compile the freeradius utilities package?

Thanks

- Original Message
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Thursday, October 16, 2008 8:13:38 PM
Subject: Re: freeradius 2.1.1 with ubuntu server 8.04

piston wrote:
> I'm trying to building package, so how i got error during the process. I have
> no problem to build freeradius 2.1.0 package at this pc.

Grab the "stable" tar file. See git.freeradius.org for instructions.

Alan DeKok.
Re: freeradius 2.1.1 with ubuntu server 8.04
Hi All

Update, I found this error message under freeradius-server-2.1.1/debian/patches/01-radiusd-to-freeradius.dpatch

    patching file Make.inc.in
    Hunk #1 succeeded at 48 with fuzz 1.
    patching file raddb/radiusd.conf.in
    Hunk #1 succeeded at 66 with fuzz 2 (offset 33 lines).
    Hunk #2 FAILED at 128.
    Hunk #3 FAILED at 154.
    2 out of 3 hunks FAILED -- saving rejects to file raddb/radiusd.conf.in.rej

Thanks

- Original Message
From: piston <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Thursday, October 16, 2008 7:06:45 PM
Subject: freeradius 2.1.1 with ubuntu server 8.04

Hi All

I'm trying to build the package, somehow I got an error during the process. I have no problem building the freeradius 2.1.0 package on this pc. Please assist. Below are the logs

    dpkg-buildpackage -b -uc
    dpkg-buildpackage: set CPPFLAGS to default value:
    dpkg-buildpackage: set CFLAGS to default value: -g -O2
    dpkg-buildpackage: set CXXFLAGS to default value: -g -O2
    dpkg-buildpackage: set FFLAGS to default value: -g -O2
    dpkg-buildpackage: set LDFLAGS to default value: -Wl,-Bsymbolic-functions
    dpkg-buildpackage: source package freeradius
    dpkg-buildpackage: source version 2.1.1-0
    dpkg-buildpackage: source changed by Alan DeKok <[EMAIL PROTECTED]>
    dpkg-buildpackage: host architecture i386
    debian/rules clean
    dpatch deapply-all
    02-dialupadmin-help not applied to ./ .
    attempting to revert failed patch 01-radiusd-to-freeradius from ./: md5sums match, proceeding ... done (neither success nor failure guaranteed)
    rm -rf patch-stamp patch-stampT debian/patched
    dh_testdir
    dh_clean
    rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
    rm -f install-arch-stamp install-indep-stamp configure-stamp
    [ -f Make.inc ] && make distclean || true
    # The make clean forgets to remove this build directory
    [ -d src/modules/lib ] && rm -fr src/modules/lib || true
    # Put the original autotools files back in place
    [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true
    [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true
    debian/rules build
    test -d debian/patched || install -d debian/patched
    dpatch apply-all
    applying patch 01-radiusd-to-freeradius to ./ ... failed.
    make: *** [patch-stamp] Error 1
    dpkg-buildpackage: failure: debian/rules build gave error exit status 2

Thank you.
freeradius 2.1.1 with ubuntu server 8.04
Hi All

I'm trying to build the package, somehow I got an error during the process. I have no problem building the freeradius 2.1.0 package on this pc. Please assist. Below are the logs

    dpkg-buildpackage -b -uc
    dpkg-buildpackage: set CPPFLAGS to default value:
    dpkg-buildpackage: set CFLAGS to default value: -g -O2
    dpkg-buildpackage: set CXXFLAGS to default value: -g -O2
    dpkg-buildpackage: set FFLAGS to default value: -g -O2
    dpkg-buildpackage: set LDFLAGS to default value: -Wl,-Bsymbolic-functions
    dpkg-buildpackage: source package freeradius
    dpkg-buildpackage: source version 2.1.1-0
    dpkg-buildpackage: source changed by Alan DeKok <[EMAIL PROTECTED]>
    dpkg-buildpackage: host architecture i386
    debian/rules clean
    dpatch deapply-all
    02-dialupadmin-help not applied to ./ .
    attempting to revert failed patch 01-radiusd-to-freeradius from ./: md5sums match, proceeding ... done (neither success nor failure guaranteed)
    rm -rf patch-stamp patch-stampT debian/patched
    dh_testdir
    dh_clean
    rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
    rm -f install-arch-stamp install-indep-stamp configure-stamp
    [ -f Make.inc ] && make distclean || true
    # The make clean forgets to remove this build directory
    [ -d src/modules/lib ] && rm -fr src/modules/lib || true
    # Put the original autotools files back in place
    [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true
    [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true
    debian/rules build
    test -d debian/patched || install -d debian/patched
    dpatch apply-all
    applying patch 01-radiusd-to-freeradius to ./ ... failed.
    make: *** [patch-stamp] Error 1
    dpkg-buildpackage: failure: debian/rules build gave error exit status 2

Thank you.
Re: freeradius 2.1.0 default mysql schema don't have nasidentifier table
Thanks for letting me know that I'm the first one in 10 years who thought that nasidentifier is important.

Cheers.

- Original Message
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Wednesday, September 24, 2008 2:44:55 PM
Subject: Re: freeradius 2.1.0 default mysql schema don't have nasidentifier table

piston wrote:
> And the reason is? i thought nasidentifier is quite important attribute.
> Anyway thanks for reply.

This is the first time in almost 10 years that anyone has said it's important.

And if it is important for you, you can edit the configuration to add it.

Alan DeKok.
Re: freeradius 2.1.0 default mysql schema don't have nasidentifier table
And the reason is? I thought nasidentifier is quite an important attribute. Anyway, thanks for the reply.

- Original Message
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list
Sent: Tuesday, September 23, 2008 8:28:22 PM
Subject: Re: freeradius 2.1.0 default mysql schema don't have nasidentifier table

piston wrote:
> freeradius 2.1.0 default mysql schema don't have nasidentifier table. And the
> mysql query in dialup.conf also don't have nasidentifier value.
>
> It is purposely left out the nasidentifier?

Yes.

Alan DeKok.
freeradius 2.1.0 default mysql schema don't have nasidentifier table
The freeradius 2.1.0 default mysql schema doesn't have a nasidentifier table. And the mysql query in dialup.conf also doesn't have a nasidentifier value.

Was nasidentifier purposely left out?

My workaround is adding nasidentifier and its value as below.

    accounting_start_query = " \
      INSERT INTO ${acct_table1} \
        (acctsessionid,acctuniqueid, username, \
         realm,nasipaddress, nasidentifier, nasportid, \
         nasporttype, acctstarttime,acctstoptime, \
         acctsessiontime, acctauthentic,connectinfo_start, \
         connectinfo_stop, acctinputoctets, acctoutputoctets, \
         calledstationid, callingstationid, acctterminatecause, \
         servicetype, framedprotocol, framedipaddress, \
         acctstartdelay, acctstopdelay,xascendsessionsvrkey) \
      VALUES \
        ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
         '%{SQL-User-Name}', \
         '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Identifier}', '%{NAS-Port}', \
         '%{NAS-Port-Type}', '%S', NULL, \
         '0', '%{Acct-Authentic}', '%{Connect-Info}', \
         '', '0', '0', \
         '%{Called-Station-Id}', '%{Calling-Station-Id}', '', \
         '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
         '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"

    accounting_stop_query_alt = " \
      INSERT INTO ${acct_table2} \
        (acctsessionid, acctuniqueid, username, \
         realm, nasipaddress, nasidentifier, nasportid, \
         nasporttype, acctstarttime, acctstoptime, \
         acctsessiontime, acctauthentic, connectinfo_start, \
         connectinfo_stop, acctinputoctets, acctoutputoctets, \
         calledstationid, callingstationid, acctterminatecause, \
         servicetype, framedprotocol, framedipaddress, \
         acctstartdelay, acctstopdelay) \
      VALUES \
        ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \
         '%{SQL-User-Name}', \
         '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Identifier}', '%{NAS-Port}', \
         '%{NAS-Port-Type}', \
         DATE_SUB('%S', \
           INTERVAL (%{%{Acct-Session-Time}:-0} + \
           %{%{Acct-Delay-Time}:-0}) SECOND), \
         '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', \
         '%{Connect-Info}', \
         '%{%{Acct-Input-Gigawords}:-0}' << 32 | \
         '%{%{Acct-Input-Octets}:-0}', \
         '%{%{Acct-Output-Gigawords}:-0}' << 32 | \
         '%{%{Acct-Output-Octets}:-0}', \
         '%{Called-Station-Id}', '%{Calling-Station-Id}', \
         '%{Acct-Terminate-Cause}', \
         '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', \
         '0', '%{%{Acct-Delay-Time}:-0}')"