Debian Packages
I've just downloaded the new 2.0.3, and when I tried to generate the debian packages, I got the following error: Lab:~/freeradius-server-2.0.3# dpkg-buildpackage -b -uc parsechangelog/debian: error: found start of entry where expected more change data or trailer, at file debian/changelog line 18 dpkg-buildpackage: unable to determine source package is I've tried not using root (using fakeroot), and in a diferent machine. The first try was a Debian 4 (Etch). The second was in a Debian 3.1 (Sarge). Version 2.0.2 works fine (I've redownloaded it and tried, just to make sure, and it builds fine) so it's something specific to 2.0.3. Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Debian Packages
Oh, ok. Tks. Roberto Alan DeKok wrote: rgreiner wrote: I've just downloaded the new 2.0.3, and when I tried to generate the debian packages, I got the following error: Lab:~/freeradius-server-2.0.3# dpkg-buildpackage -b -uc parsechangelog/debian: error: found start of entry where expected more change data or trailer, at file debian/changelog line 18 dpkg-buildpackage: unable to determine source package is This was pointed out on the list when 2.0.3 was released. The fix is a one-line change to debian/changelog, which is already in CVS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Attributes for Cisco VPN
Hi, I'm installing a Cisco VPN service (using a Catalyst 6500 and a SPA-IPSEC-2G board), and was wondering what attributes the VPN board would accept/understand from the radius server (besides the basic ones like session-timeout), but couldn't find any document answering that. So, could somebody point me to such a document/page? Thank you very much, Roberto Greiner -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
using unlang to modify User-Name
Hi,
using unlang I'm trying to modify the User-Name from the user, but
something isn't working. Could somebody give me a hand?
What I'm doing (sample):
authorize {
if (NAS-IP-Address == 1.2.3.4) {
update request {
User-Name = test2;
}
}
..
Freeradius -X is giving the following:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 1.2.3.4 port 13675, id=26,
length=61
User-Name = "[EMAIL PROTECTED]"
User-Password = "teste"
NAS-IP-Address = 1.2.3.4
+- entering group authorize
++? if (NAS-IP-Address == 1.2.3.4)
? Evaluating (NAS-IP-Address == 1.2.3.4) -> TRUE
++? if (NAS-IP-Address == 1.2.3.4) -> TRUE
++- entering if (NAS-IP-Address == 1.2.3.4)
+++[request] returns notfound
++- if (NAS-IP-Address == 1.2.3.4) returns notfound
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "domain.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "domain.com"
rlm_realm: Adding Stripped-User-Name = "test1"
rlm_realm: Adding Realm = "domain.com"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "test"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 26 to 1.2.3.4 port 13675
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 26 with timestamp +3
Ready to process requests.
I added the following to proxy.conf:
realm NULL {
}
realm domain.com {
}
The rest of the configuration files I left untouched.
--
-
Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos
Os pessimistas tem medo de que isto seja verdade
Murphy
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: using unlang to modify User-Name
I've tried that, also with and without the semi-colon at the end. Same
result
Roberto
PS: Forgot to mention: running version 2.0.5 on Debian Etch
Ivan Kalik wrote:
> User-Name = "test2"
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 26/8/2008, "rgreiner" <[EMAIL PROTECTED]> pi¹e:
>
>
>> Hi,
>>
>> using unlang I'm trying to modify the User-Name from the user, but
>> something isn't working. Could somebody give me a hand?
>>
>> What I'm doing (sample):
>>
>> authorize {
>>if (NAS-IP-Address == 1.2.3.4) {
>>update request {
>>User-Name = test2;
>>}
>>}
>> ..
>>
>>
>> Freeradius -X is giving the following:
>> .
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on proxy address * port 1814
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 1.2.3.4 port 13675, id=26,
>> length=61
>>User-Name = "[EMAIL PROTECTED]"
>>User-Password = "teste"
>>NAS-IP-Address = 1.2.3.4
>> +- entering group authorize
>> ++? if (NAS-IP-Address == 1.2.3.4)
>> ? Evaluating (NAS-IP-Address == 1.2.3.4) -> TRUE
>> ++? if (NAS-IP-Address == 1.2.3.4) -> TRUE
>> ++- entering if (NAS-IP-Address == 1.2.3.4)
>> +++[request] returns notfound
>> ++- if (NAS-IP-Address == 1.2.3.4) returns notfound
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>>rlm_realm: Looking up realm "domain.com" for User-Name =
>> "[EMAIL PROTECTED]"
>>rlm_realm: Found realm "domain.com"
>>rlm_realm: Adding Stripped-User-Name = "test1"
>>rlm_realm: Adding Realm = "domain.com"
>>rlm_realm: Authentication realm is LOCAL.
>> ++[suffix] returns ok
>> rlm_eap: No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns updated
>> ++[files] returns noop
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns updated
>> rad_check_password: Found Auth-Type
>> auth: type "PAP"
>> +- entering group PAP
>> rlm_pap: login attempt with password "test"
>> rlm_pap: Using CRYPT encryption.
>> rlm_pap: User authenticated successfully
>> ++[pap] returns ok
>> +- entering group post-auth
>> ++[exec] returns noop
>> Sending Access-Accept of id 26 to 1.2.3.4 port 13675
>> Finished request 0.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 26 with timestamp +3
>> Ready to process requests.
>>
>>
>> I added the following to proxy.conf:
>> realm NULL {
>> }
>> realm domain.com {
>> }
>>
>> The rest of the configuration files I left untouched.
>>
>> --
>> -
>>Marcos Roberto Greiner
>>
>> Os otimistas acham que estamos no melhor dos mundos
>>Os pessimistas tem medo de que isto seja verdade
>> Murphy
>> -
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
--
-
Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos
Os pessimistas tem medo de que isto seja verdade
Murphy
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: using unlang to modify User-Name
Yep, that did the trick. Tks :-) Ivan Kalik wrote: > Sorry. > > User-Name := "test2" > > Ivan Kalik > Kalik Informatika ISP > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TTLS in WinXP
Hi, I've seen that Windows XP does not support EAP-TTLS out of the box. I know there is at least one package (from SecureW2) that adds this to windows. Could somebody suggest me which other packages do the same? Or should I use the one from SecureW2? We intend to implement 802.1x Campus wide (or at least analyze it's viability), but due to our policies we don't want open passwords in our database, so PEAP (which uses MS-CHAP, as far as I did understand), is not a viable option, despite being the only option native to WinXP. Could somebody give me hand? Tks. -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS in WinXP
[EMAIL PROTECTED] wrote: > Hi, > >> Hi, >> >> I've seen that Windows XP does not support EAP-TTLS out of the box. I >> know there is at least one package (from SecureW2) that adds this to >> windows. >> >> Could somebody suggest me which other packages do the same? Or should I >> use the one from SecureW2? >> > > open1x.sf.net, Funk Odyssey, Cisco Supplicant (was Aegis Meetinghouse) > > >> We intend to implement 802.1x Campus wide (or at least analyze it's >> viability), but due to our policies we don't want open passwords in our >> database, so PEAP (which uses MS-CHAP, as far as I did understand), is >> not a viable option, despite being the only option native to WinXP. >> > > errm, PEAP uses MSCHAPv2 which never passes the password - its a > challenge response method - and the password, depending on which > resource you use, doesnt need to be cleartext either. The other > option native to WinXP for 802.1X is EAP-TLS > > alan > Ok, then I got something wrong. Is there any link where I could get more details about ms-chapv2 inside PEAP, more exactly concerning this details about password? As far as I knew, ms-chapv2 would always require cleartext passwords in the database. Tks, Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 2.1.0 has been released.
Hi, I'm getting an error when trying to build debian packages. lab1:~/freeradius-server-2.1.0# dpkg-buildpackage -b -uc parsechangelog/debian: error: badly formatted trailer line, at file debian/changelog line 22 dpkg-buildpackage: unable to determine source package is Roberto Alan DeKok wrote: > We are happy to announce the release of Version 2.1.0 of the > FreeRADIUS server, with some major new features. > > Highlights include improved SNMP support, dynamically-defined clients, > much more flexible (and readable) debugging mode, WiMAX support, fast > reauthentication for PEAP and TTLS, and a command-line tool to > administer a running server. > > The administration tool can stop the server, HUP it, or in limited > cases, change the configuration of a running server, and cause just one > module to reload it's configuration. > > Alan DeKok. > > -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 2.1.1 has been released
Ok,
that made it work here.
Tks.
Roberto
Alexandre Chapellon wrote:
> Sorry i made a mistake with my patch:
>
> --- 01-radiusd-to-freeradius.dpatch2008-09-24 22:41:26.0 -1000
> +++ 01-radiusd-to-freeradius.dpatch.new2008-09-25
> 09:41:05.0 -1000
> @@ -35,7 +35,7 @@
> -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
> +# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid`
> #
> --pidfile = ${run_dir}/radiusd.pid
> +-pidfile = ${run_dir}/${name}.pid
> +pidfile = ${run_dir}/freeradius.pid
>
> is better.
>
> Alexandre Chapellon a écrit :
>> You don't have to delete the debian patch.
>> Changing the user seems to have been corrected and so it's now
>> unnecessary, but a new "bug" appeared in the patch as radiusd.conf
>> seems to have been modified.
>>
>> here is a little diff showing what to change in the patch so it works
>> (well works for me anyway):
>>
>> --- 01-radiusd-to-freeradius.dpatch2008-09-25 09:23:19.0
>> -1000
>> +++ 01-radiusd-to-freeradius.dpatch.new2008-09-25
>> 09:24:00.0 -1000
>> @@ -35,7 +35,7 @@
>> -# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
>> +# e.g.: kill -HUP `cat /var/run/freeradius/freeradius.pid`
>> #
>> --pidfile = ${run_dir}/${name}.pid
>> +-pidfile = ${run_dir}/radiusd.pid
>> +pidfile = ${run_dir}/freeradius.pid
>>
>>
>> orion a écrit :
>>> i`ve tried in a test environment with root uid/gid and no probs with
>>> read/write conf/log files.
>>> so it works ok in debug mode ( tested from another pc with ntradping ) .
>>>
>>> 2008/9/25 <[EMAIL PROTECTED]>:
>>>
Hi,
> i deleted the patch 01 line from the 00 file. but freeradius doesnt
> starts in normal mode.no errors,no open UDP,TCP port
> ( netstat -ntlp and netstat -nulp dont show nothing like 1812 ,1813 )
> , but in debug mode it`s ok.
>
its unable to read config files or unable to write to the
logfile or write the PID file etc. what does
radiusd -x (small x, partial debug) say?
alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
-
Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos
Os pessimistas tem medo de que isto seja verdade
Murphy
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Compiling git-2.1.1 on debian
Hi, I'm trying to compile 2.1.1 on debian using the git version (the standard package stops at the beginning due to the problem with the patches for debian), and in the middle of the checking part it stopped with a message about "INSTALL_LTDL"not being definded (full output below). Could someone please give me a help? A quick googling didn't come up with anyting useable Thanks, Roberto dpkg-buildpackage: source package is freeradius dpkg-buildpackage: source version is 2.1.1-0 dpkg-buildpackage: source changed by Alan DeKok <[EMAIL PROTECTED]> dpkg-buildpackage: host architecture i386 dpkg-buildpackage: source version without epoch 2.1.1-0 debian/rules clean dpatch deapply-all 02-dialupadmin-help not applied to ./ . 01-radiusd-to-freeradius not applied to ./ . rm -rf patch-stamp patch-stampT debian/patched dh_testdir dh_clean rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1 rm -f install-arch-stamp install-indep-stamp configure-stamp [ -f Make.inc ] && make distclean || true # The make clean forgets to remove this build directory [ -d src/modules/lib ] && rm -fr src/modules/lib || true # Put the original autotools files back in place [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub || true [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist config.guess || true debian/rules build test -d debian/patched || install -d debian/patched dpatch apply-all applying patch 01-radiusd-to-freeradius to ./ ... ok. applying patch 02-dialupadmin-help to ./ ... ok. dpatch cat-all >>patch-stampT mv -f patch-stampT patch-stamp dh_testdir # Update the autotools files if necessary # Force Build-Depends on autotools-dev for /usr/share/misc/config.* if [ -e config.sub.dist ]; then rm config.sub; else mv config.sub config.sub.dist; fi if [ -e config.guess.dist ]; then rm config.guess; else mv config.guess config.guess.dist; fi ln -s /usr/share/misc/config.sub config.sub ln -s /usr/share/misc/config.guess config.guess ./configure \ --build i486-linux-gnu \ --config-cache \ --prefix=/usr \ --exec-prefix=/usr \ --mandir=/usr/share/man \ --sysconfdir=/etc \ --libdir=/usr/lib/freeradius \ --datadir=/usr/share \ --localstatedir=/var \ --with-raddbdir=/etc/freeradius \ --with-logdir=/var/log/freeradius \ --with-system-libtool --disable-ltdl-install \ --with-large-files --with-udpfromto --with-edir \ --enable-developer \ --with-rlm-sql-postgresql-lib-dir=`pg_config --libdir` \ --with-rlm-sql-postgresql-include-dir=`pg_config --includedir` configure: creating cache config.cache checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for g++... no checking for c++... no checking for gpp... no checking for aCC... no checking for CC... no checking for cxx... no checking for cc++... no checking for cl.exe... no checking for FCC... no checking for KCC... no checking for RCC... no checking for xlC_r... no checking for xlC... no checking whether we are using the GNU C++ compiler... no checking whether g++ accepts -g... no checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for AIX... no checking whether gcc needs -traditional... no checking whether we are using SUNPro C... no checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... 64 checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking whether byte ordering is bigendian... no checking for gmake... no checking for make... /usr/bin/make checking for lt_dlinit in -lltdl... yes configure: WARNING: not overwriting libltdl at /usr, force with `--enable-ltdl-install' checking build system type... i486-pc-linux-gnu checking host system type... i486-pc-linux-gnu checking for a sed that does not truncate output... /bin/sed checking for fgrep... /bin/grep -F checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... yes checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B checking the name lister (/usr/bin/nm -B) interface... BSD nm checking whether ln -s
Re: Compiling git-2.1.1 on debian
Thanks for the tip, but in the mean time I found out why the default
2.1.1 package did not compile.
In the debian/patches/01-radiusd-to-freeradius.dpatch file, on line 38,
the following line:
-pidfile = ${run_dir}/radiusd.pid
Must be changed to
-pidfile = ${run_dir}/${name}.pid
Doing that, the standard 2.1.1 package compiles fine.
Thank you for your help,
Roberto
Alexandre Chapellon wrote:
> try compiling using bundled libtools
> remove "--with-system-libtool" from debian/rules
> then relaunch dpkg-builpackages
>
> Le 05.11.2008 09:53, rgreiner a écrit :
>
>> Hi,
>>
>> I'm trying to compile 2.1.1 on debian using the git version (the
>> standard package stops at the beginning due to the problem with the
>> patches for debian), and in the middle of the checking part it stopped
>> with a message about "INSTALL_LTDL"not being definded (full output
>> below). Could someone please give me a help? A quick googling didn't
>> come up with anyting useable
>>
>> Thanks,
>>
>> Roberto
>>
>> dpkg-buildpackage: source package is freeradius
>> dpkg-buildpackage: source version is 2.1.1-0
>> dpkg-buildpackage: source changed by Alan DeKok <[EMAIL PROTECTED]>
>> dpkg-buildpackage: host architecture i386
>> dpkg-buildpackage: source version without epoch 2.1.1-0
>> debian/rules clean
>> dpatch deapply-all
>> 02-dialupadmin-help not applied to ./ .
>> 01-radiusd-to-freeradius not applied to ./ .
>> rm -rf patch-stamp patch-stampT debian/patched
>> dh_testdir
>> dh_clean
>> rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
>> rm -f install-arch-stamp install-indep-stamp configure-stamp
>> [ -f Make.inc ] && make distclean || true
>> # The make clean forgets to remove this build directory
>> [ -d src/modules/lib ] && rm -fr src/modules/lib || true
>> # Put the original autotools files back in place
>> [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub
>> || true
>> [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist
>> config.guess || true
>> debian/rules build
>> test -d debian/patched || install -d debian/patched
>> dpatch apply-all
>> applying patch 01-radiusd-to-freeradius to ./ ... ok.
>> applying patch 02-dialupadmin-help to ./ ... ok.
>> dpatch cat-all >>patch-stampT
>> mv -f patch-stampT patch-stamp
>> dh_testdir
>> # Update the autotools files if necessary
>> # Force Build-Depends on autotools-dev for /usr/share/misc/config.*
>> if [ -e config.sub.dist ]; then rm config.sub; else mv config.sub
>> config.sub.dist; fi
>> if [ -e config.guess.dist ]; then rm config.guess; else mv config.guess
>> config.guess.dist; fi
>> ln -s /usr/share/misc/config.sub config.sub
>> ln -s /usr/share/misc/config.guess config.guess
>> ./configure \
>> --build i486-linux-gnu \
>> --config-cache \
>> --prefix=/usr \
>> --exec-prefix=/usr \
>> --mandir=/usr/share/man \
>> --sysconfdir=/etc \
>> --libdir=/usr/lib/freeradius \
>> --datadir=/usr/share \
>> --localstatedir=/var \
>> --with-raddbdir=/etc/freeradius \
>> --with-logdir=/var/log/freeradius \
>> --with-system-libtool --disable-ltdl-install \
>> --with-large-files --with-udpfromto --with-edir \
>> --enable-developer \
>> --with-rlm-sql-postgresql-lib-dir=`pg_config --libdir` \
>> --with-rlm-sql-postgresql-include-dir=`pg_config
>> --includedir`
>> configure: creating cache config.cache
>> checking for gcc... gcc
>> checking for C compiler default output file name... a.out
>> checking whether the C compiler works... yes
>> checking whether we are cross compiling... no
>> checking for suffix of executables...
>> checking for suffix of object files... o
>> checking whether we are using the GNU C compiler... yes
>> checking whether gcc accepts -g... yes
>> checking for gcc option to accept ISO C89... none needed
>> checking for g++... no
>> checking for c++... no
>> checking for gpp... no
>> checking for aCC... no
>> checking for CC... no
>> checking for cxx... no
>> checking for cc++... no
>> checking for cl.exe... no
>> checking for FCC... no
>> checking for KCC... no
>> checking for RCC... no
>> checking for xlC_r... no
>
Re: Compiling git-2.1.1 on debian
Yes,
the version in git does have this correction. With default 2.1.1, I
meant the 2.1.1 version in the ftp/http.
Roberto
Alexandre Chapellon wrote:
> Weired because it has been corrected for weeks in the git repository.
> maybe you should just update your git tree.
>
>
> Le 06.11.2008 01:32, rgreiner a écrit :
>> Thanks for the tip, but in the mean time I found out why the default
>> 2.1.1 package did not compile.
>>
>> In the debian/patches/01-radiusd-to-freeradius.dpatch file, on line 38,
>> the following line:
>>
>> -pidfile = ${run_dir}/radiusd.pid
>>
>> Must be changed to
>>
>> -pidfile = ${run_dir}/${name}.pid
>>
>> Doing that, the standard 2.1.1 package compiles fine.
>>
>> Thank you for your help,
>>
>> Roberto
>>
>> Alexandre Chapellon wrote:
>>
>>> try compiling using bundled libtools
>>> remove "--with-system-libtool" from debian/rules
>>> then relaunch dpkg-builpackages
>>>
>>> Le 05.11.2008 09:53, rgreiner a écrit :
>>>
>>>
>>>> Hi,
>>>>
>>>> I'm trying to compile 2.1.1 on debian using the git version (the
>>>> standard package stops at the beginning due to the problem with the
>>>> patches for debian), and in the middle of the checking part it stopped
>>>> with a message about "INSTALL_LTDL"not being definded (full output
>>>> below). Could someone please give me a help? A quick googling didn't
>>>> come up with anyting useable
>>>>
>>>> Thanks,
>>>>
>>>> Roberto
>>>>
>>>> dpkg-buildpackage: source package is freeradius
>>>> dpkg-buildpackage: source version is 2.1.1-0
>>>> dpkg-buildpackage: source changed by Alan DeKok <[EMAIL PROTECTED]>
>>>> dpkg-buildpackage: host architecture i386
>>>> dpkg-buildpackage: source version without epoch 2.1.1-0
>>>> debian/rules clean
>>>> dpatch deapply-all
>>>> 02-dialupadmin-help not applied to ./ .
>>>> 01-radiusd-to-freeradius not applied to ./ .
>>>> rm -rf patch-stamp patch-stampT debian/patched
>>>> dh_testdir
>>>> dh_clean
>>>> rm -f build-arch-stamp build-indep-stamp libltdl/stamp-h1
>>>> rm -f install-arch-stamp install-indep-stamp configure-stamp
>>>> [ -f Make.inc ] && make distclean || true
>>>> # The make clean forgets to remove this build directory
>>>> [ -d src/modules/lib ] && rm -fr src/modules/lib || true
>>>> # Put the original autotools files back in place
>>>> [ -f config.sub.dist ] && rm config.sub && mv config.sub.dist config.sub
>>>> || true
>>>> [ -f config.guess.dist ] && rm config.guess && mv config.guess.dist
>>>> config.guess || true
>>>> debian/rules build
>>>> test -d debian/patched || install -d debian/patched
>>>> dpatch apply-all
>>>> applying patch 01-radiusd-to-freeradius to ./ ... ok.
>>>> applying patch 02-dialupadmin-help to ./ ... ok.
>>>> dpatch cat-all >>patch-stampT
>>>> mv -f patch-stampT patch-stamp
>>>> dh_testdir
>>>> # Update the autotools files if necessary
>>>> # Force Build-Depends on autotools-dev for /usr/share/misc/config.*
>>>> if [ -e config.sub.dist ]; then rm config.sub; else mv config.sub
>>>> config.sub.dist; fi
>>>> if [ -e config.guess.dist ]; then rm config.guess; else mv config.guess
>>>> config.guess.dist; fi
>>>> ln -s /usr/share/misc/config.sub config.sub
>>>> ln -s /usr/share/misc/config.guess config.guess
>>>> ./configure \
>>>> --build i486-linux-gnu \
>>>> --config-cache \
>>>> --prefix=/usr \
>>>> --exec-prefix=/usr \
>>>> --mandir=/usr/share/man \
>>>> --sysconfdir=/etc \
>>>> --libdir=/usr/lib/freeradius \
>>>> --datadir=/usr/share \
>>>> --localstatedir=/var \
>>>> --with-raddbdir=/etc/freeradius \
>>>> --with-logdir=/var/log/freeradius \
>>>> --with-system-libtool --disable-ltdl-install \
>>>> --with-large-files --with-udpfromto --with-edir \
>>>> --enable-developer \
>
Two databases
Hi, is there any reference text I could use to see how to configure a Freeradius server to use two different mysql databases? What I need is, depending on the realm of the user, I have to check his password in one of two different databases. Thank you, Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
dialup-admin sql table creation error
I was making some tests with the freeradius 2 install, and found that the creation schema for the "badusers" table for dialupadmin (in the /dialup_admin/sql/mysql folder) has 2 problems: # # Table structure for table 'badusers' # CREATE TABLE badusers ( id int(10) DEFAULT '0' NOT NULL auto_increment, UserName varchar(30), IncidentDate datetime DEFAULT '-00-00 00:00:00' NOT NULL, Reason varchar(200), Admin varchar(30) DEFAULT '-', PRIMARY KEY (id), KEY UserName (UserName), KEY Date (Date) ); The first is in the 'id' creation line. Starting with version 4.11 (I think its this version), MySQL does not accept having a default value when you use auto_increment. So, "id int(10) NOT NULL auto_increment" would be the correct entry. The second problem is in the last line. There is a reference to 'Date' beeing used as key, but the 'Date' was not created. There is no reference creating it. Checking version 1.1.7, the line was " Date datetime DEFAULT '-00-00 00:00:00' NOT NULL,". Now, was it removed because it's no longer used, or was it removed by accident, ir should it be renamed to the "IncidentDate" field? I guess it would be the last option Thanks, Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
autenticating with realm null only in one NAS
I need to configurate freeradius to allow NULL realms only from one or
two NAS, and all the other must have a realm in the login. What would be
the best way to do this?
(using freeradius 2.0.2, in a Debian etch platform.)
I tried to add the following in the Users file:
DEFAULT NAS-IP-Address=="1.2.3.4", Proxy-To-Realm := "realm1.com"
DEFAULT NAS-IP-Address=="1.2.3.5", Proxy-To-Realm := "realm1.com"
DEFAULT Realm == NULL, Auth-Type := Reject
Fall-Through = 1
In proxy.conf, I added the following entry at end of the file:
realm realm1.com {
pool = my_auth_failover
# nostrip
}
(I left the example entries from the file enabled.)
freeradius -X display:
In this entry, I did not use a realm in the login, still it connected.
Any ideas how would be the best way to configure this?
rad_recv: Access-Request packet from host 1.2.3.6 port 2890, id=10,
length=48
User-Name = "user1"
User-Password = "pass1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'rgreiner' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'rgreiner' ORDER BY id
expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'rgreiner' ORDER BY priority
expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): User found in group dynamic
expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "pass1"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
+- entering group session
++[sql] returns noop
Login OK: [user1/pass1] (from client dsu24 port 0)
Sending Access-Accept of id 10 to 1.2.3.6 port 2890
Framed-Protocol := PPP
Service-Type := Framed-User
Framed-MTU := 1500
Session-Timeout := 86400
Framed-Compression := Van-Jacobson-TCP-IP
Framed-Address := 255.255.255.254
Framed-Netmask := 255.255.255.0
Idle-Timeout := 3600
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Cleaning up request 0 ID 10 with timestamp +6
Ready to process requests.
Thank you very much,
Marcos Roberto Greiner
--
-
Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos
Os pessimistas tem medo de que isto seja verdade
Murphy
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: autenticating with realm null only in one NAS
Ok.
I will check it. Tks. ^_^
Roberto
Alan DeKok wrote:
rgreiner wrote:
I need to configurate freeradius to allow NULL realms only from one or
two NAS, and all the other must have a realm in the login. What would be
the best way to do this?
"unlang". Just write the logic you want...
authorize {
...
if ((NAS-IP-Address == 1.2.3.4) || (NAS-IP-Address == 2.3.4.5)) ...
...
}
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
-
Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos
Os pessimistas tem medo de que isto seja verdade
Murphy
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
compile error on 2.1.2: library libltdl/libltdlc.la
Hi, I just downloaded the new version for testing, but I got a compile error. Di somebody get something similar? I'm building debian packages, on Debian Lenny-RC1. To compile, I had to remove "--with-system-libtool" from debian/rules. Running dpkg-buildpackage -b -uc, I got the following error bellow after some time. Any ideas about how to proceed? Tks, Roberto . libtool: compile: gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server-2.1.2/src -I/root/freeradius-server-2.1.2/libltdl -I/root/freeradius-server-2.1.2/libltdl -Ilibeap -c mem.c -fPIC -DPIC -o .libs/mem.o libtool: compile: gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/freeradius-server-2.1.2/src -I/root/freeradius-server-2.1.2/libltdl -I/root/freeradius-server-2.1.2/libltdl -Ilibeap -c mem.c -o mem.o >/dev/null 2>&1 /bin/sh /root/freeradius-server-2.1.2/libtool --mode=link gcc -release 2.2.0 \ -module -export-dynamic -o rlm_eap.la \ -rpath /usr/lib/freeradius rlm_eap.lo eap.lo mem.lo rlm_eap.c eap.c mem.c /root/freeradius-server-2.1.2/src/lib/libfreeradius-radius.la libeap/libfreeradius-eap.la /root/freeradius-server-2.1.2/libltdl/libltdlc.la -lnsl -lresolv -ldl -lpthread libtool: link: cannot find the library `/root/freeradius-server-2.1.2/libltdl/libltdlc.la' or unhandled argument `/root/freeradius-server-2.1.2/libltdl/libltdlc.la' make[7]: *** [rlm_eap.la] Error 1 make[7]: Leaving directory `/root/freeradius-server-2.1.2/src/modules/rlm_eap' make[6]: *** [common] Error 2 make[6]: Leaving directory `/root/freeradius-server-2.1.2/src/modules' make[5]: *** [all] Error 2 make[5]: Leaving directory `/root/freeradius-server-2.1.2/src/modules' make[4]: *** [common] Error 2 make[4]: Leaving directory `/root/freeradius-server-2.1.2/src' make[3]: *** [all] Error 2 make[3]: Leaving directory `/root/freeradius-server-2.1.2/src' make[2]: *** [common] Error 2 make[2]: Leaving directory `/root/freeradius-server-2.1.2' make[1]: *** [all] Error 2 make[1]: Leaving directory `/root/freeradius-server-2.1.2' make: *** [build-arch-stamp] Error 2 dpkg-buildpackage: failure: debian/rules build gave error exit status 2 -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho
Hi, I've just installed Freeradius 2.1.3 on a Debian Lenny, but I'm getting the following error with radwho: server:~# radwho radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory Radlast works. There is no sradutmp, but there is a radutmp file. How do I set radwho to use this file? Tks, Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho
It is working now. Thank you very much. Roberto t...@kalik.net wrote: > Uncomment sradutmp in accounting section of the virtual server you are > using (probably default) for accounting. > > Ivan Kalik > Kalik Informatika ISP > > Dana 15/12/2008, "rgreiner" pi¹e: > > >> Hi, >> >> I've just installed Freeradius 2.1.3 on a Debian Lenny, but I'm getting >> the following error with radwho: >> >> server:~# radwho >> radwho: Error reading /var/log/freeradius/sradutmp: No such file or >> directory >> >> Radlast works. There is no sradutmp, but there is a radutmp file. How do >> I set radwho to use this file? >> >> Tks, >> >> Roberto >> >> -- >> - >>Marcos Roberto Greiner >> >> Os otimistas acham que estamos no melhor dos mundos >>Os pessimistas tem medo de que isto seja verdade >> Murphy >> - >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> >> >> > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Updating nas-port after authentication
Hi,
I'm trying to update NAS-Port in the MySQL database after the user logs
in, using the postauth_query query.
The query I tried looks like this:
postauth_query = "UPDATE radcheck SET radcheck.value='%{NAS-Port}' \
WHERE radcheck.username = '%{User-Name}' \
and radcheck.attribute='NAS-Port'"
Before putting this line, I've inserted a line for each user in radcheck
with the contents being ('username', NAS-Port, =*,). I'm using the '=*' operator just for the tests. I intend to
change that later to '=='.
I've uncommented the 'sql' line in the post-authentication section in
the config line, but nothing is happening in the database. I've tried to
change the 'postauth_table' entry in sql.conf to "radcheck", but still
nothing. If I put the postauth_query query back to it's original value
(and the entry in sql.conf too), it works fine, inserting one entry
after each login. Did I do something wrong, or is my idea for updating
the NAS-Port just insane? Should I go for unlang instead?
Thanks,
Roberto
--
-
Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos
Os pessimistas tem medo de que isto seja verdade
Murphy
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Updating nas-port after authentication
t...@kalik.net wrote:
>> The query I tried looks like this:
>>
>>postauth_query = "UPDATE radcheck SET radcheck.value='%{NAS-Port}' \
>>WHERE radcheck.username = '%{User-Name}' \
>>and radcheck.attribute='NAS-Port'"
>>
>>
>
> More important is how does it look in the debug. Is it used? You should
>
Of course. If I had done this in first place, I would have seen my
mistake. I'm using <%{User-Name}> in the query, but I'm also using
domains, so the query ended up like WHERE radcheck.username =
'n...@domain'. Of course, there is no such user, so no update was done.
I'm using <%{Stripped-User-Name}> now, and it worked fine.
> change the op in the same time.
>
Yes, that's exactly what I intended to do. ^_^
Thanks a lot for the help,
Roberto
--
-
Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos
Os pessimistas tem medo de que isto seja verdade
Murphy
-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with only some users. Monowall - Freeradius
t...@kalik.net wrote: >> I executed freeradius on debug mode, then I used the radtest command. >> >> The message is almost the same, >> > > Almost is the key word here. > > >> but the proxy (@dialup,usp.br - another >> radius server in another city) returns OK. >> >> Why using radtest it returns OK and using monowall it retorns Reject? >> > > Who knows (actually admin form the home server will know). Most likely > it's because NAS request has Called-Station-Id in it. Or it could be > NAS-Identifier. Or ... > Mr. Daniel, the reason you connection was rejected is quite clear at the end of the debug you sent: Sending Access-Reject of id 166 to 123.123.123.123 port 63026 Reply-Message = "\r\nYou are already logged in 2 times - access denied\r\n\n" We are getting this situation of multiple logins when people don't disconnect properly from monowall (monowall opens a popup window with a "logout" window). For that reason I've installed some clean-up scripts in our freeradius database. Just wait a couple o hours and it will be reset by itself. I'm responsible for the server that is resolving the accounting requests at the domain "dialup.usp.br". Please, next time, ask Rubens there at CIRP. If he doesn't has the answer, he knows our contact phone and e-mail. Roberto Greiner CCE-USP -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
