Re: Add LDAP groups as extra attributes
On Fri, Mar 15, 2013 at 2:03 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
I know, but that attribute isn't presented to the python function call. Is there another way such as an environmental variable or just please update the source? :)
Did you check the control list (config item tuple)?
As far as I can tell, the module only provides the request packet, request->packet->vps. It does however update the config if provided from the module function.
--
regards, Robin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Add LDAP groups as extra attributes
On 14 mar 2013, at 18:44, Arran Cudbard-Bell wrote:
That'd be the LDAP-UserDN attribute…
I know, but that attribute isn't presented to the python function call. Is there another way such as an environmental variable or just please update the source? :)
regards, Robin
Re: Add LDAP groups as extra attributes
On 14 mar 2013, at 11:06, Phil Mayers p.may...@imperial.ac.uk wrote:
On 03/13/2013 07:45 PM, Robin Helgelin wrote:
First problem is that I need to rewrite the output from ldap to something the radius-client finds useful. But there are radius modules for rewriting things right?
Yes, though TBH manipulating LDAP DNs in unlang/attr_rewrite is going to be a pain. You might have to fall back on one of the scripting language modules, as Arran says.
Yes, I ended up writing a small python script, works very nicely :) The only thing missing is if it's possible for the ldap module to set an attribute with the user's full DN to be available for the python module.
Regards, Robin
Add LDAP groups as extra attributes
Hi! I want to add the LDAP user's current groups as extra attributes to the authentication reply. Is it possible? I'm having a hard time finding documentation about this.
Thanks! Robin
Re: Add LDAP groups as extra attributes
On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS attribute, and add the RADIUS attribute to raddb/dictionary (taking care to note the comments about numbering i.e. pick a number from 3000-3999). Don't re-use an existing attribute - many of the xxGroup attributes have magic behaviour hooks.
Phil is correct, but this will only work for something like AD, where you have memberOf attributes which link a user account to a group. This also doesn't really work if you want a group name, and the membership attributes specify a group DN, though it'd probably be pretty easy to figure out the group name later (you could even do it within unlang if you're using FR 3.0).
Thanks, we're using the memberof overlay, and that might be working. First problem is that I need to rewrite the output from ldap to something the radius-client finds useful. But there are radius modules for rewriting things right? Next problem seems to be that freeradius ignores when ldap is returning more than one group, am I correct?
--
regards, Robin
Re: Add LDAP groups as extra attributes
On 13 mar 2013, at 20:52, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
Next problem seems to be that freeradius ignores when ldap is returning more than one group, am I correct?
Ignores what? If you're talking about an xlat query, then yes, it'll only provide the first result.
Yes, and there are no workarounds to that? More than editing the code I guess :) Would it be possible for another post-auth module to do this instead? As the ldap module itself seems not quite what I'm trying to do here.
Regards, Robin
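An added example, not part of the thread and not Robin's script: one way a Python helper could turn several memberOf group DNs into one reply item per group, covering the two problems raised above (group DN versus group name, and more than one group). The attribute name My-LDAP-Group, the base DN, the sample DNs and all function names are assumptions made for illustration.

```python
import re

# Assumptions for this example (not from the thread): the reply attribute name
# and the container that holds the groups you are willing to expose.
REPLY_ATTR = "My-LDAP-Group"
GROUP_BASE = "ou=groups,dc=example,dc=org"

# Constructed sample input: memberOf values as a directory might return them.
SAMPLE_MEMBER_OF = [
    "cn=WebUsers,ou=groups,dc=example,dc=org",
    r"CN=Mail\55sers, OU=Groups, DC=Example, DC=Org",   # \55 is a hex-escaped 'U'
    r"cn=Ops\, Network,ou=groups,dc=example,dc=org",    # escaped comma inside the name
    "cn=Admins,ou=people,dc=example,dc=org",            # outside the trusted container
    "cn=webusers,ou=groups,dc=example,dc=org",          # same group, different case
    "uid=jjeep,ou=groups,dc=example,dc=org",            # not named by cn
    "not a dn",
]

_HEX_PAIR = re.compile(rb"[0-9A-Fa-f]{2}")
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")
COMMA, EQUALS, SPACE, BACKSLASH = 0x2C, 0x3D, 0x20, 0x5C


def _tokens(dn):
    """Yield (byte, escaped) pairs, decoding RFC 4514 '\\X' and '\\HH' escapes."""
    data = dn.encode("utf-8")
    i = 0
    while i < len(data):
        if data[i] == BACKSLASH and i + 1 < len(data):
            pair = data[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                yield int(pair, 16), True
                i += 3
            else:
                yield data[i + 1], True
                i += 2
        else:
            yield data[i], False
            i += 1


def _split_rdn(toks):
    """Split one RDN at its first unescaped '=' and trim unescaped spaces."""
    idx = next((k for k, t in enumerate(toks) if t == (EQUALS, False)), None)
    if idx is None:
        raise ValueError("RDN without '='")
    attr = bytes(b for b, _ in toks[:idx]).decode("utf-8", "replace").strip().lower()
    val = toks[idx + 1:]
    while val and val[0] == (SPACE, False):
        val = val[1:]
    while val and val[-1] == (SPACE, False):
        val = val[:-1]
    return attr, bytes(b for b, _ in val).decode("utf-8", "replace")


def parse_dn(dn):
    """Return [(attr_type, value), ...], one pair per RDN, most specific first.

    Only unescaped commas separate RDNs. A multi-valued RDN ('cn=a+ou=b') is
    left as one value, which the name allowlist below then rejects.
    """
    rdns, cur = [], []
    for tok in _tokens(dn):
        if tok == (COMMA, False):
            rdns.append(cur)
            cur = []
        else:
            cur.append(tok)
    rdns.append(cur)
    return [_split_rdn(r) for r in rdns]


def group_reply_items(member_of, base=GROUP_BASE):
    """Map memberOf DNs to (REPLY_ATTR, name) tuples, one per accepted group.

    A group is accepted only if it is named by cn, sits under `base`, and its
    name matches the allowlist; a bare CN match would let a group elsewhere in
    the tree with the same name grant the same attribute.
    """
    base_rdns = [(a, v.lower()) for a, v in parse_dn(base)]
    items, seen = [], set()
    for dn in member_of:
        try:
            rdns = parse_dn(dn)
        except ValueError:
            continue                      # not a DN at all
        attr, name = rdns[0]
        parent = [(a, v.lower()) for a, v in rdns[1:]]
        if attr != "cn" or parent[-len(base_rdns):] != base_rdns:
            continue
        if not _SAFE_NAME.fullmatch(name) or name.lower() in seen:
            continue
        seen.add(name.lower())
        items.append((REPLY_ATTR, name))
    # Inside rlm_python this tuple would be the reply part of a
    # (return code, reply items, config items) return value.
    return tuple(items)


if __name__ == "__main__":
    for item in group_reply_items(SAMPLE_MEMBER_OF):
        print(item)
```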
Dial up error and freeraius is down
Hi Friends, I met a problem with FreeRADIUS 2.1.9 (Mysql+centos, about 500 pppoe users) as below:
In general, I found some users couldn't dial to radius and log information as below
- Fri Apr 1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
- Fri Apr 1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.
I have two guesses:
- Bandwidth is insufficient from pppoe server to radius server;
- Server running radius of capability is insufficient.
Could you help me? Thank you very much.
Robin
RE: Dial up error and freeraius is down
Actually, I think I have enough bandwidth to handle 500 users request. But I can't understand what reason due to the problem and report these info in log. Thanks.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Mark Holmes
Sent: Friday, April 01, 2011 11:23 PM
To: FreeRadius users mailing list
Subject: RE: Dial up error and freeraius is down
Hi,
- Bandwidth is insufficient from pppoe server to radius server;
- Server running radius of capability is insufficient.
You don't say what bandwidth etc you are on or what spec the server is, but unless it's pretty low end I'd be surprised if that was the issue if you only have 500 users.
Cheers, Mark
-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac.uk@lists.freeradius.org] On Behalf Of Robin
Sent: 01 April 2011 15:52
To: freeradius-users@lists.freeradius.org
Subject: Dial up error and freeraius is down
Hi Friends, I met a problem with FreeRADIUS 2.1.9 (Mysql+centos, about 500 pppoe users) as below:
In general, I found some users couldn't dial to radius and log information as below
- Fri Apr 1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
- Fri Apr 1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.
I have two guesses:
- Bandwidth is insufficient from pppoe server to radius server;
- Server running radius of capability is insufficient.
Could you help me? Thank you very much.
Robin
RE: Dial up error and freeraius is down
Hi, If I can understand it, my freeradius for some reason has slowed due to response behind time? Thanks.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Saturday, April 02, 2011 1:58 AM
To: FreeRadius users mailing list
Subject: Re: Dial up error and freeraius is down
Hi,
- Fri Apr 1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
- Fri Apr 1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.
almost always because your backend didn't answer in time.
alan
RE: Dial up error and freeraius is down
Hi, Thanks your suggestion. I will clean records from radacct and check my reporting system if it effect freeradius operations.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Saturday, April 02, 2011 10:41 AM
To: FreeRadius users mailing list
Subject: Re: Dial up error and freeraius is down
On Sat, Apr 2, 2011 at 9:20 AM, Robin freerad...@itpm.net wrote:
Hi, If I can understand it, my freeradius for some reason has slowed due to response behind time?
I don't understand what you mean by "my freeradius for some reason has slowed due to response behind time", but like Alan said, the cause of that log is usually because your backend (mysql?) didn't return timely response which cause the NAS to re-send the request. When FR received the duplicate request, it discards the request since it detects it's still processing the old one.
Things you might want to check:
- is there a bottleneck in your MySQL? Sometimes a reporting query locks the tables so other queries (like select/insert from FR) can't be processed.
- how big is your radacct table? When unmaintained, it can have millions of records, and some FR feature (like sqlcounter, or simultaneous use checking) reads entries in radacct
- how efficient is your sql schema? Having lots of indexes can speed up certain select queries, but it can kill write (insert/update/delete) performance.
In other words, get a DBA, check your MySQL setup.
--
Fajar
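An added example, not part of the thread: a small parser for the two "Discarding ..." log messages quoted above, which reports how long each request stayed unanswered and which clients retransmit often enough to suggest a slow backend. The first two sample lines are the ones from the thread, the others are constructed, and the 60-second window and threshold of 5 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First two lines are quoted in the thread; the remaining lines are constructed.
SAMPLE_LOG = """\
Fri Apr 1 19:22:09 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 129 due to unfinished request 10524
Fri Apr 1 19:22:10 2011 : Error: Discarding conflicting packet from client mpth12 port 40039 - ID: 129 due to recent request 10524.
Fri Apr 1 19:22:11 2011 : Info: Ready to process requests.
Fri Apr 1 19:22:14 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10531
Fri Apr 1 19:22:19 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10531
Fri Apr 1 19:22:24 2011 : Error: Discarding duplicate request from client mpth12 port 40039 - ID: 130 due to unfinished request 10531
Fri Apr 1 19:40:02 2011 : Error: Discarding duplicate request from client nas2 port 1645 - ID: 7 due to unfinished request 10990
"""

# Month names are mapped by hand so parsing does not depend on the locale.
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

DISCARD = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) "
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) (?P<year>\d{4})"
    r" : Error: Discarding (?P<kind>duplicate request|conflicting packet)"
    r" from client (?P<client>\S+) port (?P<port>\d+) - ID: (?P<id>\d+)"
    r" due to (?:unfinished|recent) request (?P<req>\d+)\.?$")


def parse_discards(text):
    """Return one dict per 'Discarding ...' line; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DISCARD.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue
        ts = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                      int(m["h"]), int(m["m"]), int(m["s"]))
        events.append({"ts": ts, "client": m["client"], "kind": m["kind"],
                       "packet_id": int(m["id"]), "request": int(m["req"])})
    return events


def stalled_requests(events):
    """Per (client, request number): how many retransmits were discarded and
    the seconds between the first and last one, a lower bound on how long the
    original request had been waiting on the backend."""
    seen = defaultdict(list)
    for e in events:
        seen[(e["client"], e["request"])].append(e["ts"])
    return {key: {"discards": len(ts),
                  "seconds": int((max(ts) - min(ts)).total_seconds())}
            for key, ts in seen.items()}


def peak_discards(events, window_s=60):
    """Per client: the largest number of discards inside any sliding window."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e["ts"])
    peaks = {}
    for client, stamps in by_client.items():
        stamps.sort()
        best = lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] >= timedelta(seconds=window_s):
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[client] = best
    return peaks


def slow_backend_suspects(text, window_s=60, threshold=5):
    """Clients whose discard rate reaches the threshold within one window."""
    peaks = peak_discards(parse_discards(text), window_s)
    return sorted(c for c, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_discards(SAMPLE_LOG)
    for key, info in sorted(stalled_requests(events).items()):
        print(key, info)
    print("suspects:", slow_backend_suspects(SAMPLE_LOG))
```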
RE: Radkill
You should read below link firstly. http://wiki.freeradius.org/index.php/FAQ#radkill
Robin
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of john decot
Sent: Monday, December 20, 2010 10:41 AM
To: freeradius-users@lists.freeradius.org
Subject: Radkill
Hi, I have problem with some user not being terminate even logout. After googling I came know about radkill. Can anyone post some howto about radkill.
Thank you, Rgds, John.
RE: Break Stream disconnecting when use freeradius authentication.
Hi, I find issue user who use MPPE128 method all. (In my RouterOS, login user's encoding is MPPE128 stateful) Can I set freeradius to disable MPPE128 or other encryption method? Thanks.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, December 13, 2010 1:28 AM
To: FreeRadius users mailing list
Subject: Re: Break Stream disconnecting when use freeradius authentication.
Robin wrote:
Actually after I switch freeradius authentication to RouterOS, the issue will disappear.
Well... the RADIUS server never talks to the PPPoE server after the Access-Accept. So *anything* that happens after that is the responsibility of the PPPoE server.
I just set num_sql_socks from 50 to 256 in sql.conf and set max_connections from default 100 to 500 in Mysql. It follows that part of issue users' report symptom of break stream disappearing temporarily.
The only way the SQL sockets affect users is *during* the login process. If FreeRADIUS can't access the DB because all of the sockets are in use, it will reject the user. If the user gets an Access-Accept, it doesn't matter if there were 50 SQL sockets, or 50,000 SQL sockets.
Alan DeKok.
MySQL connection setup
Hi Friends, There is a configuration in SQL.conf.
Num_sql_socks=
I would like to know if this value is set to smaller, fx. 20, can it cause breaking stream or disconnecting for DSL users? If I set it to larger, can it cause MySQL problem of “Too many connection”. I can’t find details information about this setting in SQL.conf file. I want to know what policy of setting numbers is. Thank you very much.
Robin
RE: Break Stream disconnecting when use freeradius authentication.
Dear Alan, Actually after I switch freeradius authentication to RouterOS, the issue will disappear. I just set num_sql_socks from 50 to 256 in sql.conf and set max_connections from default 100 to 500 in Mysql. It follows that part of issue users' report symptom of break stream disappearing temporarily. I think that I still need monitor these issue users consistently. But I can't understand why it has to be like this. Thanks.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Sunday, December 12, 2010 11:34 PM
To: FreeRadius users mailing list
Subject: Re: Break Stream disconnecting when use freeradius authentication.
Robin wrote:
When I only use Mikrotik RouterOS as PPPoE server to authenticate my DSL users, all is ok. But when I add FreeRADIUS as radius server and RouterOS as pppoe server, I find some users of using p2p video on demand will break stream of lost connection. At the time, user has to disconnect the DSL link manually and re-dial to network. When user log in again, about 1-2 minutes, user will break stream of lost connection again. Is it because I don’t set Freeradius correctly?
No.
Alan DeKok.
RE: Break Stream disconnecting when use freeradius authentication.
Hi Alan, I set an interval of 5 minutes in pppoe server to send user's acctsessiontime etc. to Freeradius. Does it mean after login process, pppoe server and freeradius still communicate each other? Thanks.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, December 13, 2010 1:28 AM
To: FreeRadius users mailing list
Subject: Re: Break Stream disconnecting when use freeradius authentication.
Robin wrote:
Actually after I switch freeradius authentication to RouterOS, the issue will disappear.
Well... the RADIUS server never talks to the PPPoE server after the Access-Accept. So *anything* that happens after that is the responsibility of the PPPoE server.
I just set num_sql_socks from 50 to 256 in sql.conf and set max_connections from default 100 to 500 in Mysql. It follows that part of issue users' report symptom of break stream disappearing temporarily.
The only way the SQL sockets affect users is *during* the login process. If FreeRADIUS can't access the DB because all of the sockets are in use, it will reject the user. If the user gets an Access-Accept, it doesn't matter if there were 50 SQL sockets, or 50,000 SQL sockets.
Alan DeKok.
Break Stream disconnecting when use freeradius authentication.
Hi Friends, I find a strange issue. When I only use Mikrotik RouterOS as PPPoE server to authenticate my DSL users, all is ok. But when I add FreeRADIUS as radius server and RouterOS as pppoe server, I find some users of using p2p video on demand will break stream of lost connection. At the time, user has to disconnect the DSL link manually and re-dial to network. When user log in again, about 1-2 minutes, user will break stream of lost connection again.
P.S. If user uses download software, the issue will not appear.
Is it because I don’t set Freeradius correctly? Thank you.
Robin Lu
How to avoid to be disconnected as Lost-Carrier?
Hi, I have 200 users in a small area network (PPPoE, LAN network). I use Mikrotik RouterOS as PPPoE server use Freeradius as Radius server. I find that some “Lost-Carrier” issue due to lost connection (around 8%-10% users). I judged that cable had been interfered intermittently. But I would like to keep connection instead of disconnection when the issue happened. What do I set Freeradius that increase intervals or times of checking communication? Because it were, users will avoid to disconnect and not be aware of cable interfering when it happen really. Thanks.
Robin Lu
RE: Lost package after use FreeRadius
Hi, About address/ip pool/pppoe users setting configuration, I had used these profiles to a small area network (PPPoE, LAN network) successfully. Under the circumstances, I met the problem too. After I changed line from user house to my switch, it's ok. Now I'm using FreeRadius with same configuration in other small area network (PPPoE, DSL network). Even if I changed telephone line from user house to my DSL concentrator, these issues of lost package still is exist. At this time, I find one of reason of user offline is lost-Carrier in FreeRadius radacct table. Thanks.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Marinko Tarlac
Sent: Saturday, November 20, 2010 5:23 PM
To: FreeRadius users mailing list
Subject: Re: Lost package after use FreeRadius
Strange situation but you should check default profile which is set on Mtik. It should contain valid DNS server(s), valid Local Address, valid Remote Address (ip pool for pppoe users) and that pool must exist on Mtik (IP - Pool). Of course, all addresses which you have in ip pools must be properly routed.
On 11/19/2010 5:00 PM, Robin wrote:
Dear Freeradius, At first, I use RouterOS(Mikrotik) as pppoe server and radius server. Now I use RouterOS as pppoe server and user FreeRadius as radius server. After changing as above, we find some pppoe users can dial up successfully via freeradius, but their internet transportation will lost package even can’t visit any website. I would like to know, how to explain the situation? What am I supposed to solve this problem?
P.S When I change RouterOS to pppoe and radius server again (disable freeradius), it will all be ok. Thank you very much.
Robin Lu
Lost package after use FreeRadius
Dear Freeradius, At first, I use RouterOS(Mikrotik) as pppoe server and radius server. Now I use RouterOS as pppoe server and user FreeRadius as radius server. After changing as above, we find some pppoe users can dial up successfully via freeradius, but their internet transportation will lost package even can’t visit any website. I would like to know, how to explain the situation? What am I supposed to solve this problem?
P.S When I change RouterOS to pppoe and radius server again (disable freeradius), it will all be ok. Thank you very much.
Robin Lu
RE: Lost package after use FreeRadius
Dear Alan, Actually, only about 5-10% users have this problem. If it's access-accept attributes issue, why will not all users lose package or not visit website? Where can I find any documents about this? Thanks.
Robin
-Original Message-
From: freeradius-users-bounces+freeradius=itpm@lists.freeradius.org [mailto:freeradius-users-bounces+freeradius=itpm@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Saturday, November 20, 2010 12:30 AM
To: FreeRadius users mailing list
Subject: Re: Lost package after use FreeRadius
Robin wrote:
At first, I use RouterOS(Mikrotik) as pppoe server and radius server. Now I use RouterOS as pppoe server and user FreeRadius as radius server. After changing as above, we find some pppoe users can dial up successfully via freeradius, but their internet transportation will lost package even can’t visit any website. I would like to know, how to explain the situation? What am I supposed to solve this problem?
Make FreeRADIUS send back an Access-Accept containing the same attributes as sent by Access-Accept by the Mikrotik server.
Alan DeKok.
RE: How to raise numbers of request/sec in Freeradius
Hi Alan, Thanks your reply firstly. I use Mysql to authentication. When I use a PPPOE client to call FreeRADIUS one time, that’s all ok. I create 200 pppoe accounts as dialing client in Mikrotik server. When I use them to call FreeRADIUS at the same time, I find only about 5-20 successful logins by sec. I don’t know how to increase the numbers? If you have any details information, I can provide to you. Expect to your help. Thank you very much!
Robin
-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Friday, October 22, 2010 5:18 PM
To: FreeRadius users mailing list
Subject: Re: How to raise numbers of request/sec in Freeradius
Robin wrote:
I use the tools of Evolynx Radius Load Test to test number of request by second. I find only max 20-25 requests/sec in Freeradius. Can I raise the number via editing configuration files?
When authentication is from the users file, the server can do 10K requests/s. The issue isn't FreeRADIUS. It's something else. So... what are you doing with the authentication requests?
Alan DeKok.
How to raise numbers of request/sec in Freeradius
Hi, I use Freeradius2 to authenticate user login. I use the tools of Evolynx Radius Load Test to test number of request by second. I find only max 20-25 requests/sec in Freeradius. Can I raise the number via editing configuration files? Thanks.
Robin Lu
Details of attrbiutes in SQL Table
Hi, I already installed run FreeRADIUS in my server successfully (FreeRADIUS with CentOS, Mikrotik RouterOS). I knew usage of some attributes in SQL tables. For example, Insert into TABLE radgroupcheck, add a group name and attribute - Simultaneous-Use:=1 to limit only 1 user to login. Etc. In wiki or manuals or configuration files (sql.conf/dialup.conf/scheme.sql), I haven’t found details of instructions, how many attributes can be used and how do it write? I wish to know how to do, for example as below:
- How to add a record to “radreply” table to set any attributes? (ex. Set timeout length to user)
- How to add a record to “radcheck” table to set any attributes? (ex. Set poolname to user)
….
Thank you very much!
Robin
freeradius with PAM authentication
Can anyone help me to configure PAM authentication with freeradius? Can anyone have step by step guide for pam authentication or suggest me the tutorials to follow? Any tips and guide on this issue will be highly appreciated. Thanks in advance
Virtual Server and Ldap-Group
Hi ya, Today I have installed the *new* Freeradius 2.0 release and tested the virtual server setup. I was just wondering what will be the best solution to check on LDAP Groups. (Ldap-Group) Check them (as before) in the users file, or somewhere in the virtual server configuration with a switch/case statement.
    ..
    switch %{control:Ldap-Group} {
        case WebUsers {
            update reply {
                NS-User-Group = WebUsers
            }
        }
        case MailUsers {
            update reply {
                NS-User-Group = MailUsers
            }
        }
        case ... {
        }
    }
    ...
Kind regards,
--
Robin Gruyters
Network and Security Engineer
Betronic Nederland B.V.
I: http://yirdis.com
I: http://betronic.nl
P: +31 (0)20 5659191
F: +31 (0)20 5659190
Integrate freeradius v1.1.6 and openLADP v2.3.32 for authorization and authentication
Thanks Pshem for your quick answer. I expect answer like following
    rlm_ldap: user jjeep authorized succesfully
    modcall[authorize]: module ldap returns ok
But I got
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns notfound for request 0
Thanks
Robin
Pshem Kowalczyk wrote:
Freeradius expects exactly one answer:
    rlm_ldap: object not found or got ambiguous search result
kind regards
Pshem
On 22/05/07, xuebin gong [EMAIL PROTECTED] wrote:
Hi, All, I am new user and want to integrate freeradius v1.1.6 and openLDAP v2.3.32 for authorization and authentication. Our operating system is Fedora 5 Linux.
(1) Install freeRadius-1.1.6
After following the instruction of installation in http://.freeradius.org, install freeRadius-1.1.6 on Fedora Linux 5, run radius server in debug mode
    radiusd -X
    ..
    Module: Instantiated radutmp (radutmp)
    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.
FreeRadius was installed successfully.
(2) Configure freeRadius-1.1.6
(2.1) Configure radiusd.conf
(2.1.1) LDAP module
    ldap{
        server = 10.0.0.118
        identity = cn=Manager,dc=mtcable,dc=net
        password = mtncnl1970
        basedn = dc=mtcable,dc=net
        filter = uid=%{Stripped-User-Name:-%{User-Name}}
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check=no
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
(2.1.2) authorize module: uncomment ldap line
    authorize{
        ..
        ldap
        ..
    }
(2.1.3) authenticate module: uncomment block ldap block:
    authenticate{
        ..
        Auth-Type LDAP {
            ldap
        }
        ..
    }
(2.2) edit /usr/local/etc/raddb/users
Uncomment the following lines:
    DEFAULT Auth-Type = LDAP
        Fall-Through = 1
(3) Install openLDAP
(4) Configure openLDAP
(5) Add one LDAP entry for testing
    dn: uid=jjeep, ou=radius, rccd=AAA3140018f, dc=mtcable,dc=net
    userPassword:: aabbccdd
    cn: jeep
    uid: jjeep
    radiusAuthType: local
    radiusSimultaneousUse: 1
    homeDirectory: //
    objectClass: top
    objectClass: posixAccount
    objectClass: radiusprofile
    uidNumber: 7012
    gidNumber: 100
After add this entry to LDAP, we reset the password to 88
(5) Test
After run test command line
    radtest jjeep 88 localhost 1 testing123
The following is information from running Radiusd -X:
    ..
    rad_recv: Access-Request packet from host 127.0.0.1:32771, id=192, length=57
        User-Name = jjeep
        User-Password = 88
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = jjeep, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 153
    modcall[authorize]: module files returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for jjeep
    radius_xlat: 'uid=jjeep'
    radius_xlat: 'dc=mtcable,dc=net'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.0.0.118:389, authentication 0
    rlm_ldap: bind as cn=Manager,dc=mtcable,dc=net/mtncnl1970 to 10.0.0.118:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=mtcable,dc=net, with filter uid=jjeep
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns notfound for request 0
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    modcall[authorize]: module pap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group LDAP for request 0
    rlm_ldap: - authenticate
    rlm_ldap: login
Re: Integrate freeradius v1.1.6 and openLADP v2.3.32 for authorization and authentication
Thanks Pshem for your quick answer. I expect answer like following
    rlm_ldap: user jjeep authenticated succesfully
    modcall[authenticate]: module ldap returns ok
But I got
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns notfound for request 0
Thanks
Robin
Pshem Kowalczyk wrote:
Freeradius expects exactly one answer:
    rlm_ldap: object not found or got ambiguous search result
kind regards
Pshem
On 22/05/07, xuebin gong [EMAIL PROTECTED] wrote:
Hi, All, I am user and want to integrate freeradius v1.1.6 and openLDAP v2.3.32 for authorization and authentication. Our operating system is Fedora 5 Linux.
(1) Install freeRadius-1.1.6
After following the instruction of installation in http://.freeradius.org, install freeRadius-1.1.6 on Fedora Linux 5, run radius server in debug mode
    radiusd -X
    ..
    Module: Instantiated radutmp (radutmp)
    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.
FreeRadius was installed successfully.
(2) Configure freeRadius-1.1.6
(2.1) Configure radiusd.conf
(2.1.1) LDAP module
    ldap{
        server = 10.0.0.118
        identity = cn=Manager,dc=mtcable,dc=net
        password = mtncnl1970
        basedn = dc=mtcable,dc=net
        filter = uid=%{Stripped-User-Name:-%{User-Name}}
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check=no
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
(2.1.2) authorize module: uncomment ldap line
    authorize{
        ..
        ldap
        ..
    }
(2.1.3) authenticate module: uncomment block ldap block:
    authenticate{
        ..
        Auth-Type LDAP {
            ldap
        }
        ..
    }
(2.2) edit /usr/local/etc/raddb/users
Uncomment the following lines:
    DEFAULT Auth-Type = LDAP
        Fall-Through = 1
(3) Install openLDAP
(4) Configure openLDAP
(5) Add one LDAP entry for testing
    dn: uid=jjeep, ou=radius, rccd=AAA3140018f, dc=mtcable,dc=net
    userPassword:: aabbccdd
    cn: jeep
    uid: jjeep
    radiusAuthType: local
    radiusSimultaneousUse: 1
    homeDirectory: //
    objectClass: top
    objectClass: posixAccount
    objectClass: radiusprofile
    uidNumber: 7012
    gidNumber: 100
After add this entry to LDAP, we reset the password to 88
(5) Test
After run test command line
    radtest jjeep 88 localhost 1 testing123
The following is information from running Radiusd -X:
    ..
    rad_recv: Access-Request packet from host 127.0.0.1:32771, id=192, length=57
        User-Name = jjeep
        User-Password = 88
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = jjeep, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 153
    modcall[authorize]: module files returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for jjeep
    radius_xlat: 'uid=jjeep'
    radius_xlat: 'dc=mtcable,dc=net'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.0.0.118:389, authentication 0
    rlm_ldap: bind as cn=Manager,dc=mtcable,dc=net/mtncnl1970 to 10.0.0.118:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=mtcable,dc=net, with filter uid=jjeep
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns notfound for request 0
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    modcall[authorize]: module pap returns noop for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group LDAP for request 0
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by jjeep with password 88
    radius_xlat: 'uid=jjeep'
    radius_xlat: 'dc=mtcable,dc=net'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn
Wiki
Is it possible to get a wiki going on the freeradius site, or at least a link to an official-unofficial wiki? I know that people have PDFs and notes on various sites, but it would be great if the people in charge were willing to designate an official place for a wiki.
RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
On Wed, 23 Nov 2005, Alhagie Puye wrote:

I have followed the steps in the howto and everything seems to work fine but FreeRADIUS is ignoring MS-CHAP. I'm using ntradping... maybe that's a wrong utility for this instance.

I don't think you can properly test this with NTRadPing, but I have not been able to figure it out. I have set my wireless access point to use radius and the results I am getting are very different. I would suggest testing a tool that more closely resembles your production gear.
Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
On Tue, 22 Nov 2005, charles schwartz wrote:

A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process. There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2. You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf

This is a god-send. I have one Debian-specific error:

    rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
    radiusd.conf[9]: eap: Module instantiation failed.

It seems that the shared object is not shipped when I did apt-get install freeradius
Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
On Tue, 22 Nov 2005, charles schwartz wrote:

Hi list, A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process. There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2. You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf

Thanks for this. I changed to use /dev/random as per your tutorial but radiusd hangs. When I change the random_file back to the original then it works:

    random_file = ${raddbdir}/certs/random

In my tls section of eap.conf I have

    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/random
    }

But when I run radiusd -X it just hangs there after getting to the following.

    rlm_eap: Loaded and initialized type gtc
    tls: rsa_key_exchange = no
    tls: dh_key_exchange = yes
    tls: rsa_key_length = 512
    tls: dh_key_length = 512
    tls: verify_depth = 0
    tls: CA_path = (null)
    tls: pem_file_type = yes
    tls: private_key_file = /etc/freeradius/certs/cert-srv.pem
    tls: certificate_file = /etc/freeradius/certs/cert-srv.pem
    tls: CA_file = /etc/freeradius/certs/demoCA/cacert.pem
    tls: private_key_password = whatever
    tls: dh_file = /etc/freeradius/certs/dh
    tls: random_file = /dev/random
    tls: fragment_size = 1024
    tls: include_length = yes
    tls: check_crl = no
    tls: check_cert_cn = (null)

And strace shows

    13519 open(/etc/freeradius/certs/demoCA/cacert.pem, O_RDONLY|O_LARGEFILE) = 6
    13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=1350, ...}) = 0
    13519 open(/etc/freeradius/certs/cert-srv.pem, O_RDONLY|O_LARGEFILE) = 6
    13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=2429, ...}) = 0
    13519 open(/etc/freeradius/certs/cert-srv.pem, O_RDONLY|O_LARGEFILE) = 6
    13519 fstat64(6, {st_mode=S_IFREG|0644, st_size=2429, ...}) = 0
    13519 stat64(/dev/random, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 8), ...}) = 0
    13519 open(/dev/random, O_RDONLY) = 6

    [EMAIL PROTECTED] /usr/lib/ssl ]# ls -la /dev/random
    crw-rw-rw- 1 root root 1, 8 Nov 2 12:02 /dev/random
    [EMAIL PROTECTED] /usr/lib/ssl ]# ls -la /dev/urandom
    cr--r--r-- 1 root root 1, 9 Nov 2 12:02 /dev/urandom
Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
On Tue, 22 Nov 2005, charles schwartz wrote:

Hi list, A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process. There are at least 2 ways to integrate AD: LDAP and NTLM. I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2. You can download it from here: http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf

I think everything is very close, but all I have to test with is NTRadPing. Would it be possible for someone to comment on the fields that I need to fill in for NTRadPing in order to test my AD account properly? I have already gotten NTRadPing to work against a hard coded user, as well as a unix account, but I have no idea which options I need to set to test the AD account.
Re: tool for testing machine authentication
On Wed, 23 Nov 2005, Johan Ramm-Ericson wrote:

contribute to improve it. A while back there was a thread on the mailing list to the effect of setting up a Wiki. Has this seen any progression? If not, I'll be glad to put in some effort to get this done. Also, I'm willing to pitch in on writing the documentation, however my freeradius experience is so recent that I'd probably only be able to do any good with well-defined tasks...

I would love to see a wiki for this project. I am not an expert either, but I am doing trial and error, and would like to see a place where people are documenting their success.
Re: tool for testing machine authentication
On Mon, 21 Nov 2005, Konne wrote:

Hi Norbert, I use the program NTRadTest... on a Windows machine and start freeradius with freeradius -X, for debug

I just did a google on NTRadTest, but found nothing. Where can I download NTRadTest?
RE: tool for testing machine authentication
On Mon, 21 Nov 2005, Cris Boisvert wrote:

NTRADPING. It's a Windows tool that does exactly what you're looking for.

OK, that seems to work. I can authenticate using a local unix account. Now I need to find documentation on how to connect my freeradius to AD
RE: wireless+freeradius+AD
On Mon, 21 Nov 2005, King, Michael wrote:

Oh, excellent. I just joined this list hoping to query the members on finding more information on doing wireless+activedirectory+freeradius, unfortunately I could not find any good postings, or web toots/examples.

Hi Robin, Welcome to the club.

I would need to use Microsoft IAS. Is this false?

Yes, that particular example used Microsoft IAS, but it is not required.

Are people using Active Directory successfully?

Yes. Besides myself, there are many people on this list that are.

I have a linux box that is currently acting as a tacacs server while authenticating using winbind etc, and was hoping to make it a radius server as well.

You are already 3/4 of the way there, since the trickiest part of my freeradius setup was getting winbind to talk to activedirectory. Depending on your Linux distribution, you will just have to install freeradius. (Some distributions like Debian require a -disable-shared) Go thru the radiusd.conf and the eap.conf files, it's clearly commented on what you need to configure. You'll see a section marked:

    ntlm_auth = /path/to/ntlm_auth (Trimmed)

You might need to modify this to:

    ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Don't hesitate to ask questions. There is a good Howto (unfortunately, I don't have my bookmarks with me) but some others on the list hopefully will post it.

Yes, the winbind kerberos stuff works well, and I got it previously working to enable TAC_PLUS to do active directory authentication. If anyone knows the site with a good howto I would greatly appreciate it. Otherwise I am chugging along. I have gotten the windows program NTRadPing to authenticate non CHAP with a local UNIX account. I am not sure what fields I must enter to get MS-CHAP to test, or if there is even a difference between CHAP and MS-CHAP?

Anyways I fuddled around with a bunch of different combinations and always get this in the logfile:

    Auth: Login incorrect (rlm_chap: Clear text password not available):
Re: wireless+freeradius+AD
On Sun, 20 Nov 2005, Alan DeKok wrote:

Laker Netman [EMAIL PROTECTED] wrote:

You're completely down the wrong path. AD is a database. It's a directory. Using anonymous bind, there is very little data you can get from it. Stop talking about solutions, as you don't know how the technology works. Instead, talk about your goals, independent of the underlying technology.

My statement was intentionally flippant, though not meant to be disrespectfully so. It is the culmination of much frustration at finding lots of tangible data

If you're talking about non-freeradius web sites, go complain to them.

I'm not stupid, but I'm not perfect. THAT'S why I'm seeking help (not judgement) from the list.

Let me be perfectly clear: No one will be able to help you if you cannot describe what you want in a manner they understand. So far, you've made it clear you're confused about the terminology, and you haven't articulated what you want to do.

If there are useful docs I haven't found, tell me. If I don't fully understand what I'm reading and ask for help, either help me or don't.

Part of helping you is asking you for information you haven't supplied. That information is needed to help you. If your response is to get upset, then everyone can only conclude you don't want to solve your problem.

I have read the majority of your posts since 2002 Mr. DeKok. Clearly, you are quite knowledgeable regarding RADIUS. However, your disdain for the mortals who wish to use a tool, rather than wonder at its mystical intricacies is evident on repeated occasions in your responses. So not everyone is as clever as you... insult or help, which produces a better outcome?

For people who get angry when I ask for more information, insults. You choose which group you fall into. I don't have time to care what you think about me.

Oh, excellent. I just joined this list hoping to query the members on finding more information on doing wireless+activedirectory+freeradius, unfortunately I could not find any good postings, or web toots/examples. I made a trip to my local bookstore and just read in the O'Reilly 802.11 book on building wireless infrastructure that I would need to use Microsoft IAS. Is this false? Are people using Active Directory successfully? I have a linux box that is currently acting as a tacacs server while authenticating using winbind etc, and was hoping to make it a radius server as well. If anyone has any good links with an explanation on how to do this I would greatly appreciate it.
Re: Hotspot snmp problem
Hi everyone,

Finally, have it working.. I did not comment out the radutmp in radius.conf for the session database. I had uncommented sql, although lots of good that did.

Thanks again,
Robin

At 03:26 PM 8/16/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:

The detail files appear to be fine with start, alive and stop packets being listed, but radius.log and radwtmp and radutmp are empty.

If radutmp is empty, the debug log will tell you why.

Is it possible, I inadvertently set everything to log to the db only?

Certainly.

Alan DeKok.
Re: Hotspot snmp problem
Hi,

Once again, I apologize for my lack of understanding. I have been trying to read all debug messages and start radiusd with -X however the only files which get populated are ones created in the radacct directory. The detail files appear to be fine with start, alive and stop packets being listed, but radius.log and radwtmp and radutmp are empty. Is it possible, I inadvertently set everything to log to the db only? Sorry for testing your patience... I think once I get up this curve a bit, I should not have to ask these bad questions.

Thank you,
Robin

At 05:09 PM 8/15/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:

I still see no output in the radutmp file, even though during loading it says,

A few problems:

1) If the server does not receive accounting packets, nothing will go into radutmp, OR into SQL.
2) if you configure Simultaneous-Use counting via SQL, you don't need radutmp

When I have an account start time and end time in the radacct, does that not mean simul checking should be working?

Why ask questions when you can read the debug log, and see exactly what the server is doing, and why? We don't know how you've configured your system, you've only given summaries. YOU know how you've configured your system. READ the debug logs.

Alan DeKok.
Re: Hotspot snmp problem
Hi again,

I have been doing reading on the Simultaneous-use with the radutmp module and sql. I was hoping someone could help clarify some confusion I have. Using the Sql notes I inserted the Simultaneous attribute to the radgroupcheck table, although I did change the dialup attribute to dynamic as that is the group my login belongs to. Using the sql.conf I uncommented the simul_count_query (simul_verify_query was already uncommented). I still see no output in the radutmp file, even though during loading it says,

    Module: Loaded radutmp
    radutmp: filename = /usr/local/var/log/radius/radutmp
    radutmp: username = %{User-Name}
    radutmp: case_sensitive = yes
    radutmp: check_with_nas = no
    radutmp: perm = 384
    radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)

radacct has lots of details,

    |65 | 0090274649581b0d | 37805f4083612f79 | robyn| | 69.67.164.218 | 0 | Ethernet| 2005-08-15 15:45:00 | 2005-08-15 15:47:06 | 126 | | | | 704551 |55748 | 00-90-0E-00-B2-72 | 00-90-27-46-49-58 | Session-Timeout| || 10.59.1.2 | 0 | 0 |

When I have an account start time and end time in the radacct, does that not mean simul checking should be working? Sorry for my lack of understanding on this process, I have read lots of docs, I think it's just going to take me a little longer to get it. :)

Thank you again for all your help,
Robin

At 12:21 PM 8/11/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:

Is there any way to test for Simultaneous use without checkrad?

Yes. The server already does this. As I said, the server maintains a database. The only purpose of checkrad is to catch corner cases.

I have read past posts about using an sql only method and I understand this has its own problems. However, if anyone has any docs which could help me out it's appreciated.

The server comes with documentation for Simultaneous-Use, which includes documentation on configuring it via the radutmp module, and in SQL. Please read the documentation.

Ideally I would like to have checkrad speak to the AP and it's probably possible except snmpwalk'ing the device does not appear to provide user login information.

Then there's no use in having checkrad talk to the NAS, is there?

Alan DeKok.
Re: Hotspot snmp problem
Hi again,

Is there any way to test for Simultaneous use without checkrad? I have read past posts about using an sql only method and I understand this has its own problems. However, if anyone has any docs which could help me out it's appreciated. Ideally I would like to have checkrad speak to the AP and it's probably possible except snmpwalk'ing the device does not appear to provide user login information.

Thanks again for all the help,
Robin

At 03:04 PM 8/10/2005, you wrote:

Robin [EMAIL PROTECTED] wrote:

I'm not sure what is the best way to handle this. I can snmpwalk the device however the output does not appear to have information regarding logins. The manufacturer does not respond to queries so I'm hoping someone else may have worked with this device.

The simplest way to deal with this is to set nastype = other. This will make the server believe its database, and will not run checkrad. checkrad isn't necessary, but it can help catch some corner cases.

Alan DeKok.
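The replies quoted in this thread say that the server keeps its own session database from accounting packets and that checkrad only catches corner cases. The Python model below is an added illustration, not FreeRADIUS code and not from any poster: `SessionDB`, `simultaneous_use_ok` and the `nas_check` callback are hypothetical names and the accounting records are constructed. It shows why an empty database enforces no limit, and what a lost Stop packet does with and without a check against the NAS.

```python
"""Toy model of a RADIUS session database and a Simultaneous-Use check.

Added illustration, not FreeRADIUS source: SessionDB, simultaneous_use_ok and
the nas_check callback are hypothetical names; all records are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

SessionKey = Tuple[str, str]                # (NAS-IP-Address, Acct-Session-Id)
NasCheck = Callable[[str, str, str], bool]  # True if the NAS still has the session


class SessionDB:
    """Open sessions, built only from accounting packets the server receives."""

    def __init__(self) -> None:
        self.open: Dict[SessionKey, str] = {}   # key -> User-Name

    def accounting(self, rec: Dict[str, str]) -> None:
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status in ("Start", "Alive"):
            self.open[key] = rec["User-Name"]
        elif status == "Stop":
            self.open.pop(key, None)            # unknown session: nothing to close

    def sessions_of(self, user: str) -> List[SessionKey]:
        return [k for k, name in self.open.items() if name == user]


def simultaneous_use_ok(db: SessionDB, user: str, limit: int,
                        nas_check: Optional[NasCheck] = None) -> bool:
    """Return True if `user` may open another session.

    nas_check stands in for checkrad. With nas_check=None (the situation
    described for 'nastype = other') the database is believed as it is.
    """
    keys = db.sessions_of(user)
    if len(keys) < limit:
        return True                  # database alone allows the login
    if nas_check is None:
        return False                 # believe the database, stale entries included
    for nas_ip, session_id in keys:
        if not nas_check(nas_ip, session_id, user):
            del db.open[(nas_ip, session_id)]   # stale: the Stop never arrived
    return len(db.sessions_of(user)) < limit


def record(status: str, session_id: str, user: str = "robyn",
           nas: str = "192.0.2.10") -> Dict[str, str]:
    """Build one constructed Accounting-Request as a dict of attributes."""
    return {"Acct-Status-Type": status, "Acct-Session-Id": session_id,
            "User-Name": user, "NAS-IP-Address": nas}


def demo() -> Dict[str, bool]:
    out: Dict[str, bool] = {}
    db = SessionDB()
    # 1. No accounting packets reach the server: nothing is recorded,
    #    so a limit of 1 never triggers.
    out["no_accounting"] = simultaneous_use_ok(db, "robyn", 1)
    # 2. A Start is recorded: a second login is refused.
    db.accounting(record("Start", "s1"))
    out["after_start"] = simultaneous_use_ok(db, "robyn", 1)
    # 3. The matching Stop closes the session: login allowed again.
    db.accounting(record("Stop", "s1"))
    out["after_stop"] = simultaneous_use_ok(db, "robyn", 1)
    # 4. Corner case: a Start whose Stop is lost leaves a stale entry.
    db.accounting(record("Start", "s2"))
    out["stale_believed"] = simultaneous_use_ok(db, "robyn", 1)
    out["stale_verified"] = simultaneous_use_ok(
        db, "robyn", 1, nas_check=lambda nas, sid, user: False)
    out["db_clean_after_verify"] = db.sessions_of("robyn") == []
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
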
freeradius with auth Mac addresses
I'm new at this and I was wondering if anyone can help me out configuring free radius for mac address authentication. I have linux fedora 3 and one lan wifi. I need to install a server freeradius for mac address authentication (only, without certificates). I have a LAN with servers windows and with servers linux with dynamic IP. It's a LAN ethernet (switches Cisco 10/100/1000). I have windows clients with wifi and I need authentication for mac (only). Can you help me to configure the server? Thank you

I add in clients.conf

    client 192.168.0.6 {
        secret = passecret
        shortname = ap
        nastype = other
    }

and in users

    000F20-93DD75 Auth-TYPE := Local, User-Password == passecret

in the linux server: radiusd -Xy

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
    main: prefix = /usr/local
    main: localstatedir = /usr/local/var
    main: logdir = /usr/local/var/log/radius
    main: libdir = /usr/local/lib
    main: radacctdir = /usr/local/var/log/radius/radacct
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /usr/local/var/log/radius/radius.log
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
    main: user = (null)
    main: group = (null)
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/local/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = yes
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: with_ntdomain_hack = no
    mschap: passwd = (null)
    mschap: authtype = MS-CHAP
    mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = (null)
    unix: shadow = (null)
    unix: group = (null)
    unix: radwtmp = /usr/local/var/log/radius/radwtmp
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = md5
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = Password:
    gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
    mschapv2: with_ntdomain_hack = no
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
    preprocess: hints = /usr/local/etc/raddb/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = suffix
    realm: delimiter = @
    realm: ignore_default = no
    realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
    files: usersfile = /usr/local/etc/raddb/users
    files: acctusersfile = /usr/local/etc/raddb/acct_users
    files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
    files: compat = no
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
    acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
    detail: detailperm = 384
    detail: dirperm = 493
    detail: locking = no
Hotspot snmp problem
Hello, A couple of us at work have been playing with a hotspot controller (Internet Subscriber Server II ISS-4000) using freeradius and mysql for authentication. We are having problems with checkrad (totally to do with the AP not being nice). I'm not sure what is the best way to handle this. I can snmpwalk the device however the output does not appear to have information regarding logins. The manufacturer does not respond to queries so I'm hoping someone else may have worked with this device. Any help is appreciated, Robin
problems with mac address authentication
I have linux fedora 3 and one lan wifi. I need to install a server freeradius for mac address authentication (only, without certificates). Can you help me to configure the server? Thank you
Removing Authentication
Hi everyone, I have just started using freeradius and have managed to setup access by username/password to my hotspot controller with mysql as the backend. It works fine and even sends back the session-timeout (1 hour for testing) so my controller forces users to re-authenticate. I created a few perl scripts for managing my customers, removing users from the rad tables after their time expires or else people could just login again and get another hour. Is this a correct way to manage users, or is there a method using accounting modules to prevent people from logging in after their time has expired? Thank you for any assistance, Robin
cisco voip accounting
Hello,

I was following src/billing/README to set up accounting for Cisco VoIP and came to this line.

    * In /etc/raddb/radiusd.conf add pgsql-voip to the accounting { section just after the line detail

When I entered pgsql-voip into the accounting section I get the following.. Is the README up to date?

    Error: ERROR: Cannot find a configuration entry for module pgsql-voip.

Thanks,
Robin
radius accounting for gnugk
Hello,

I'm running freeradius 0.9.3, using pgsql-voip.conf for recording accounting records. Have no problem using it with either Cisco or Quintum gateways, but when gnugk tries to send accounting records, I'm getting the following.

    Couldn't update SQL accounting STOP record - ERROR: invalid input syntax for type timestamp with time zone: CONTEXT: PL/pgSQL function strip_dot while casting return value to function's return type

A check with sql trace shows the following.. as you can see, some data is missing such as h323-call-type, h323-call-origin, h323-conf-id... basically any of the Cisco VSA attributes. However, I do have with_cisco_vsa_hack turned on, and the setup does work with Cisco and Quintum which both use Cisco VSA.

    INSERT into Stop(RadiusServerName, UserName, NASIPAddress, AcctTime,AcctSessionTime, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctDelayTime, H323RemoteAddress, CiscoNASPort, h323callorigin, h323confid, h323connecttime, h323disconnectcause, h323disconnecttime, h323gwid, h323setuptime)
    values('myservername', 'test', '192.168.0.100', now(), '10', '0', '0', '8186811', 'test', '0', NULLIF('', '')::inet, '', '', '', strip_dot(''), '', strip_dot(''), '', strip_dot(''));

The detail file shows the following.

    Tue Nov 23 23:27:11 2004
        Acct-Status-Type = Stop
        NAS-IP-Address = 192.168.0.100
        NAS-Identifier = PPIGK002
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        Acct-Session-Id = 41a437810001
        User-Name = test
        Framed-IP-Address = 192.168.1.26
        Acct-Session-Time = 0
        Calling-Station-Id = test
        Called-Station-Id = 8186811
        h323-gw-id = PPIGK002
        h323-conf-id = 7BA3CDEF 3220EF44 87036791 99198BF
        h323-call-origin = proxy
        h323-call-type = VoIP
        h323-setup-time = 23:26:57.000 PST Tue Nov 23 2004
        h323-disconnect-time = 23:27:05.000 PST Tue Nov 23 2004
        h323-disconnect-cause = 29
        h323-remote-address = 192.168.1.26
        Acct-Delay-Time = 0
        Client-IP-Address = 127.0.0.1
        Acct-Unique-Session-Id = d993e611037d8547
        Timestamp = 1101281231

I'm not sure if I just need to add something to the dictionary file or if it's something that needs to be configured.

Thanks,
Robin
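The INSERT above calls strip_dot('') for the three h323 time columns, and the reported error is a failed cast to timestamp with time zone. As an added example (not part of the original post, FreeRADIUS or GnuGk; `parse_h323_time`, `stop_record_params` and the time-zone table are assumptions), this Python parses the h323 time strings from the detail record and maps a missing or empty attribute to NULL rather than to an empty string.

```python
"""Parse h323 time attributes; map missing or empty values to None (SQL NULL).

Added illustration, not FreeRADIUS or GnuGk code. Function names and the
time-zone table are assumptions; the sample values are copied from the
detail record quoted in the post.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumption: zone abbreviations are not globally unique, so list only the
# ones your own gateways send.
TZ_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "PST": -8, "PDT": -7, "EST": -5, "EDT": -4}
MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# hh:mm:ss.mmm ZONE Day Mon DD YYYY, with an optional leading '.' or '*'
# (the clock-status marker some Cisco gear prepends).
H323_TIME = re.compile(
    r"^[.*]?(\d{2}):(\d{2}):(\d{2})\.(\d{3}) ([A-Z]+) [A-Z][a-z]{2} "
    r"([A-Z][a-z]{2}) +(\d{1,2}) (\d{4})$")


def parse_h323_time(value: Optional[str]) -> Optional[datetime]:
    """Return an aware datetime, or None when the attribute is absent/empty."""
    if value is None or not value.strip():
        return None                      # becomes NULL, never '' cast to a timestamp
    match = H323_TIME.match(value.strip())
    if match is None:
        raise ValueError(f"unrecognised h323 time: {value!r}")
    hh, mm, ss, ms, zone, mon, day, year = match.groups()
    if zone not in TZ_OFFSET_HOURS or mon not in MONTHS:
        raise ValueError(f"unknown zone or month in h323 time: {value!r}")
    tz = timezone(timedelta(hours=TZ_OFFSET_HOURS[zone]), zone)
    return datetime(int(year), MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss), int(ms) * 1000, tzinfo=tz)


# Column names as in the INSERT on this page -> RADIUS attribute names.
TIME_COLUMNS = {
    "h323setuptime": "h323-setup-time",
    "h323connecttime": "h323-connect-time",
    "h323disconnecttime": "h323-disconnect-time",
}


def stop_record_params(attrs: Dict[str, str]) -> Dict[str, Optional[datetime]]:
    """Build query parameters for the time columns of a Stop record."""
    return {column: parse_h323_time(attrs.get(name))
            for column, name in TIME_COLUMNS.items()}


# Values from the detail record in the post; it carries no h323-connect-time.
SAMPLE_ATTRS = {
    "h323-setup-time": "23:26:57.000 PST Tue Nov 23 2004",
    "h323-disconnect-time": "23:27:05.000 PST Tue Nov 23 2004",
}

if __name__ == "__main__":
    for column, value in stop_record_params(SAMPLE_ATTRS).items():
        print(column, "NULL" if value is None else value.isoformat())
```
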