RE: radwho not working
Hi Alan, Well I discovered a way to display a list of all active users without having to implement FreeRadius accounting, which BTW is not as straight forward as it should be. I was able to display all active users through my StrongSwan server, with the simple following command: # strongswan leases FreeRadius should be so easy! Thanks, Clint -Original Message- From: freeradius-users-bounces+cpetty=luthresearch@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 03, 2013 3:10 PM To: FreeRadius users mailing list Subject: Re: radwho not working Clint Petty wrote: I am not blaming, I am just wanting to get the radwho command to work. That is *entirely* the wrong attitude. There is no just get it to work. There *are* multiple pieces involved, each of which has to be verified. I'm trying to convince you to use a methodical approach. If you read man radwho, you'll see it uses accounting packets. That should indicate that you'll need to enable accounting. But you didn't do that. You were told to run the server in debugging mode, and you did once... but not the next time. The less you do yourself, and the more difficult you make it to help you, the less we're inclined to help. *THAT* is the goal of many of my responses. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/IP_Address/detail-20131003 file. Which isn't the radutmp file, is it? Again, man radwho says it reads the radutmp file. Again, your process should be something like this: - man radwho says it needs the radutmp file. - is the radutmp module enabled? - if enabled, is it doing anything? - where is the file? - is it being modified? However I am still getting the same results with the radwho command, showing just the titles, with no connections? You other message indicates that the module is being used, and is returning ok. Does the radwho command print anything after the radutmp module returns ok ? It should. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho not working
On 7 Oct 2013, at 22:39, Clint Petty cpe...@luthresearch.com wrote: Hi Alan, Well I discovered a way to display a list of all active users without having to implement FreeRadius accounting, which BTW is not as straight forward as it should be. I was able to display all active users through my StrongSwan server, with the simple following command: # strongswan leases FreeRadius should be so easy! It is if you understand SQL, and don't insist on using arcane decade old modules and utilities. -Arran Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho not working
Clint Petty wrote: Hi Alan, Well I discovered a way to display a list of all active users without having to implement FreeRadius accounting, which BTW is not as straight forward as it should be. I was able to display all active users through my StrongSwan server, with the simple following command: # strongswan leases FreeRadius should be so easy! sigh RADIUS does a LOT more than strongswan. And yes, basic RADIUS really is easy. A large part of the difficulties are due to bad client implementations. No one wants to blame the client, so everyone blames FreeRADIUS. I've learned to deal with it, but that doesn't mean I have to like it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho not working
Hi Clint,
On Thu, Oct 03, 2013 at 09:53:57PM +, Clint Petty wrote:
...
[detail] expand: %t - Thu Oct 3 21:45:27 2013
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - test
++[radutmp] returns ok
++[exec] returns noop
From that, have you tried the following?
radwho -F /var/log/radius/radutmp
See also radwho(1).
Matthew
--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho not working
Hi, I would like to display the active Radius connections. When I run radwho I get the following results (showing nothing but the titles) even though I know I have an active connection: using the utmp/wtmp modules? what does your FreeRADIUS debug show when someone logging in? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho not working
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains known good password. Ignoring
Password-With-Header
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
Login OK: [test] (from client localhost port 53 cli xx.xx.xx.150[32055])
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 80 to xx.xx.xx.79 port 40379
EAP-Message = 0x03010004
Message-Authenticator = 0x
User-Name = test
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 79 with timestamp +20
Cleaning up request 1 ID 80 with timestamp +20
Ready to process requests.
-Original Message-
From: freeradius-users-bounces+me=company@lists.freeradius.org
[mailto:freeradius-users-bounces+me=company@lists.freeradius.org] On Behalf
Of a.l.m.bu...@lboro.ac.uk
Sent: Thursday, October 03, 2013 1:32 AM
To: FreeRadius users mailing list
Subject: Re: radwho not working
Hi,
I would like to display the active Radius connections. When I run radwho I
get the following results (showing nothing but the titles) even though I know
I have an active connection:
using the utmp/wtmp modules? what does your FreeRADIUS debug show when
someone logging in?
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho not working
Clint Petty wrote: Below is the results from radiusd -X (debug mode), while logging in: rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138 The radwho file logs *accounting* packets. That is an *authentication* packet. You're blaming FreeRADIUS because the NAS never sends an Accounting-Request. Go fix the NAS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho not working
Hi Alan, I am not blaming, I am just wanting to get the radwho command to work. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/IP_Address/detail-20131003 file. However I am still getting the same results with the radwho command, showing just the titles, with no connections? -Original Message- From: freeradius-users-bounces+cpetty=luthresearch@lists.freeradius.org [mailto:freeradius-users-bounces+cpetty=luthresearch@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, October 03, 2013 10:53 AM To: FreeRadius users mailing list Subject: Re: radwho not working cpetty wrote: Below is the results from radiusd -X (debug mode), while logging in: rad_recv: Access-Request packet from host xx.xx.xx.79 port 40379, id=79, length=138 The radwho file logs *accounting* packets. That is an *authentication* packet. You're blaming FreeRADIUS because the NAS never sends an Accounting-Request. Go fix the NAS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho not working
Hi, I am not blaming, I am just wanting to get the radwho command to work. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/IP_Address/detail-20131003 file. However I am still getting the same results with the radwho command, showing just the titles, with no connections? same reponse - output of radiusd -X please alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho not working
access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains known good password. Ignoring
Password-With-Header
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
Login OK: [test] (from client localhost port 61 cli xx.xx.xx.150[29608])
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to xx.xx.xx.79 port 50925
EAP-Message = 0x03010004
Message-Authenticator = 0x
User-Name = test
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host xx.xx.xx.79 port 48595, id=95,
length=136
Acct-Status-Type = Start
Acct-Session-Id = 1380824273-61
NAS-Port-Type = Virtual
Service-Type = Framed-User
NAS-Port = 61
NAS-Port-Id = ios
NAS-IP-Address = xx.xx.xx.79
Called-Station-Id = xx.xx.xx.79[4500]
Calling-Station-Id = xx.xx.xx.150[29608]
User-Name = test
Framed-IP-Address = xx.xx.xx.1
NAS-Identifier = strongSwan
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 61,Client-IP-Address =
xx.xx.xx.79,NAS-IP-Address = xx.xx.xx.79,Acct-Session-Id =
1380824273-61,User-Name = test'
[acct_unique] Acct-Unique-Session-ID = 145df3492fbbdbec.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} - xx.xx.xx.79
[detail]expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
- /var/log/radius/radacct/xx.xx.xx.79/detail-20131003
[detail]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/xx.xx.xx.79/detail-20131003
[detail]expand: %t - Thu Oct 3 21:45:27 2013
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - test
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} - test
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 95 to xx.xx.xx.79 port 48595
Finished request 2.
Cleaning up request 2 ID 95 with timestamp +9
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 93 with timestamp +9
Cleaning up request 1 ID 94 with timestamp +9
Ready to process requests.
-Original Message-
From: freeradius-users-bounces+cpetty=company@lists.freeradius.org
[mailto:freeradius-users-bounces+cpetty=company@lists.freeradius.org] On
Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Thursday, October 03, 2013 2:17 PM
To: FreeRadius users mailing list
Subject: Re: radwho not working
Hi,
I am not blaming, I am just wanting to get the radwho command to work. I
have now turned on accounting info to be sent from the StrongSwan server to
the FreeRadius server. For I can see the accounting info in
/var/log/radius/radacct/IP_Address/detail-20131003 file. However I am
still getting the same results with the radwho command, showing just the
titles, with no connections?
same reponse - output of radiusd -X please
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho not working
Clint Petty wrote: I am not blaming, I am just wanting to get the radwho command to work. That is *entirely* the wrong attitude. There is no just get it to work. There *are* multiple pieces involved, each of which has to be verified. I'm trying to convince you to use a methodical approach. If you read man radwho, you'll see it uses accounting packets. That should indicate that you'll need to enable accounting. But you didn't do that. You were told to run the server in debugging mode, and you did once... but not the next time. The less you do yourself, and the more difficult you make it to help you, the less we're inclined to help. *THAT* is the goal of many of my responses. I have now turned on accounting info to be sent from the StrongSwan server to the FreeRadius server. For I can see the accounting info in /var/log/radius/radacct/IP_Address/detail-20131003 file. Which isn't the radutmp file, is it? Again, man radwho says it reads the radutmp file. Again, your process should be something like this: - man radwho says it needs the radutmp file. - is the radutmp module enabled? - if enabled, is it doing anything? - where is the file? - is it being modified? However I am still getting the same results with the radwho command, showing just the titles, with no connections? You other message indicates that the module is being used, and is returning ok. Does the radwho command print anything after the radutmp module returns ok ? It should. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho not working
I would like to display the active Radius connections. When I run radwho I get the following results (showing nothing but the titles) even though I know I have an active connection: # radwho Login Name What TTY When FromLocation # - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radwho doesn't show full name
Hello, Could you please check and confirm whether it works for you in freeradius 2? Best regards Marek Dnia 5 kwietnia 2013 0:47 mkeram lt;mke...@o2.plgt; napisał(a): Hello, I have installed Debian Squeeze 6.0 with freeradius 2.1.10 + accel-ppp (PPPoE). Everything is working fine, but radwho and radwho -s doesn't return full username fetched from /etc/passwd. All users have real linux account and proper entry in /etc/freeradius/users. All details login and passwords are included in users file. In old freeradius 1.1.3 I got radwho output: zycha AnetaZych PPP S338 Sun 16:28 127.0.0.1 192.168.1.223 -where AnetaZych is full name fetched from /etc/passwd in new I have: zycha zycha PPP S338 Sun 16:28 127.0.0.1 192.168.1.223 Could you please advice where should I change configuration? I have made strace on radwho and I didn't find and information for checking file /etc/passwd. Please advice Best regards Marek - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radwho doesn't show full name
Hello, I have installed Debian Squeeze 6.0 with freeradius 2.1.10 + accel-ppp (PPPoE). Everything is working fine, but radwho and radwho -s doesn't return full username fetched from /etc/passwd. All users have real linux account and proper entry in /etc/freeradius/users. All details login and passwords are included in users file. In old freeradius 1.1.3 I got radwho output: zycha AnetaZych PPP S338 Sun 16:28 127.0.0.1 192.168.1.223 -where AnetaZych is full name fetched from /etc/passwd in new I have: zycha zycha PPP S338 Sun 16:28 127.0.0.1 192.168.1.223 Could you please advice where should I change configuration? I have made strace on radwho and I didn't find and information for checking file /etc/passwd. Please advice Best regards Marek - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about radwho/radutmp dates
Hi folks, How long time does radwho/radutmp store accounting information? Thanks in advance -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radlast and radwho commands
I have a problem on the freeradius. When I was using this commands radwho and radlast it shows still login but some users doesnt connect. what is wrong , ı dont understand. Sorry for my bad english. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho: No configuration information in radutmp section of radiusd.conf
On Mon, Nov 19, 2012 at 2:28 PM, Angel L. Mateo ama...@um.es wrote:
accounting {
detail
unix
#radutmp
Well, that won't help.
You're trying to use radwho, but aren't logging accounting
information. That means radwho will NEVER show you anything.
I'm not sure about this. I have tried configuration with radutmp
line commented and uncommented. But the fact is that radwho is loggin
information, because radutmp is updated and if I use radwho -F file then I
can see is not empty.
That's odd. The only thing writing the utmp file should be accounting
section. Did you perhaps forgot to restart the server after making the
change?
Anyway, from a quick glance at radwho, the relevant change is probably
https://github.com/FreeRADIUS/freeradius-server/commit/41960ed2 . If
you know how to reverese a patch and build from source, you can try
reverting the patch (direct patch link:
https://github.com/FreeRADIUS/freeradius-server/commit/41960ed2.diff)
and see if it helps. I'm assuming you have a non-empty utmp file
already? If it works, then you found a bug and pinpoint the source. If
it doesn't, then it's something else.
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho: No configuration information in radutmp section of radiusd.conf
El 19/11/12 09:15, Fajar A. Nugraha escribió:
On Mon, Nov 19, 2012 at 2:28 PM, Angel L. Mateo ama...@um.es wrote:
accounting {
detail
unix
#radutmp
Well, that won't help.
You're trying to use radwho, but aren't logging accounting
information. That means radwho will NEVER show you anything.
I'm not sure about this. I have tried configuration with radutmp
line commented and uncommented. But the fact is that radwho is loggin
information, because radutmp is updated and if I use radwho -F file then I
can see is not empty.
That's odd. The only thing writing the utmp file should be accounting
section. Did you perhaps forgot to restart the server after making the
change?
Anyway, from a quick glance at radwho, the relevant change is probably
https://github.com/FreeRADIUS/freeradius-server/commit/41960ed2 . If
you know how to reverese a patch and build from source, you can try
reverting the patch (direct patch link:
https://github.com/FreeRADIUS/freeradius-server/commit/41960ed2.diff)
and see if it helps. I'm assuming you have a non-empty utmp file
already? If it works, then you found a bug and pinpoint the source. If
it doesn't, then it's something else.
Same configuration, with freeradius 2.2.0 but using radwho from 2.1.8
works. Instead of revert patching the file, I have copied radwho command
from previous folders, and it works without any problem.
So it seems that the problem is that now -F options is mandatory
instead of optional.
If this was the only problem, it wouldn't be any problem, but I'm
having the same problem with radzap:
/usr/bin/radzap -P 131833856 -u user -N ip localhost secret
radwho: No configuration information in radutmp section of radiusd.conf!
This same configuration with previous versions of radius works without
any problem.
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho: No configuration information in radutmp section of radiusd.conf
On Mon, Nov 19, 2012 at 4:25 PM, Angel L. Mateo ama...@um.es wrote: Same configuration, with freeradius 2.2.0 but using radwho from 2.1.8 works. Instead of revert patching the file, I have copied radwho command from previous folders, and it works without any problem. So it seems that the problem is that now -F options is mandatory instead of optional. At least you determined that it was a regression. The next step depends on whether a developer cares enough to fix this problem quickly. Of course it would be quicker if you could determine which changeset caused the regresession, or (even better) provide a patch to fix this :) If this was the only problem, it wouldn't be any problem, but I'm having the same problem with radzap: /usr/bin/radzap -P 131833856 -u user -N ip localhost secret radwho: No configuration information in radutmp section of radiusd.conf! This same configuration with previous versions of radius works without any problem. radzap is now a wrapper around radwho and radclient. If you say previos version's radwho can be used as-is as a simple drop-in, then the workaround should be to just rename or move 2.2.0-version somewhere else and put the working 2.1.x's version in your path. Personally, I don't use either radwho or radzap. I just use sql, plus some modified queries to automatically invalidate old sessions (e.g. since we use 1-hour interim-update interval, any accounting records that is not in stopped state that is over 2 hour old can be considered invalid). Hope you find the best solution. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho: No configuration information in radutmp section of radiusd.conf
El 16/11/12 17:03, Alan DeKok escribió:
Angel L. Mateo wrote:
Hello,
I have a problem with radwho since I upgraded from 2.1.10 to 2.2.0.
The same configuration (I'm trying now the default configuration
installed from ubuntu packages) works with version 2.1.10 and not with
2.2.0. The error I get is;
radwho: No configuration information in radutmp section of radiusd.conf
You need to have a modules section, with radutmp listed in it.
In my modules section I have
modules {
...
$INCLUDE ${confdir}/modules/
..
}
and I have a file ${confdir}/modules/radutmp with content:
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = yes
}
My config (for default virtual server) is:
Which doesn't really help.
What's in the modules directory?
accounting {
detail
unix
#radutmp
Well, that won't help.
You're trying to use radwho, but aren't logging accounting
information. That means radwho will NEVER show you anything.
I'm not sure about this. I have tried configuration with radutmp line
commented and uncommented. But the fact is that radwho is loggin
information, because radutmp is updated and if I use radwho -F file
then I can see is not empty.
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho: No configuration information in radutmp section of radiusd.conf
Hello,
I have a problem with radwho since I upgraded from 2.1.10 to 2.2.0. The
same configuration (I'm trying now the default configuration installed
from ubuntu packages) works with version 2.1.10 and not with 2.2.0. The
error I get is;
radwho: No configuration information in radutmp section of radiusd.conf
My config (for default virtual server) is:
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
}
preacct {
preprocess
suffix
files
}
accounting {
detail
unix
#radutmp
attr_filter.accounting_response
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See Simultaneous Use Checking Queries in sql.conf
# sql
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
eap
}
I have tried it enabling and disabling radutmp in accounting section.
As I have already said, this same configuration works with 2.1.8
(default ubuntu package) but not with 2.2.0.
Any idea?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 86337
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho: No configuration information in radutmp section of radiusd.conf
Angel L. Mateo wrote:
Hello,
I have a problem with radwho since I upgraded from 2.1.10 to 2.2.0.
The same configuration (I'm trying now the default configuration
installed from ubuntu packages) works with version 2.1.10 and not with
2.2.0. The error I get is;
radwho: No configuration information in radutmp section of radiusd.conf
You need to have a modules section, with radutmp listed in it.
My config (for default virtual server) is:
Which doesn't really help.
What's in the modules directory?
accounting {
detail
unix
#radutmp
Well, that won't help.
You're trying to use radwho, but aren't logging accounting
information. That means radwho will NEVER show you anything.
session {
radutmp
Which again does nothing, because the radutmp file will be empty.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho with nas-ip-address behind NAT
2012/6/25 Fajar A. Nugraha l...@fajar.net: NAS-IP-Address should be whatever the NAS sends, which can be its loopback/admin address, or it's private IP address in case of NAT. Well, I don't think that. NAS is sending its public IP, I mean the nat device IP, not its actual IP. Except that I am doing something wrong... Packet-Src-IP-Address, on the other hand, is whatever the radius sees the packet coming from, which should be the NAS/firewal's public IP address in your case. -- Fajar On Mon, Jun 25, 2012 at 11:13 PM, Sergio Belkin seb...@gmail.com wrote: Hi, I wonder radwho can show the actual Nas-IP-Address os and not the Nat device IP nat. Another interesting option would be NAS-Identifier. Is that feasible? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho with nas-ip-address behind NAT
Hi, I wonder radwho can show the actual Nas-IP-Address os and not the Nat device IP nat. Another interesting option would be NAS-Identifier. Is that feasible? Thanks in advance! -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho with nas-ip-address behind NAT
NAS-IP-Address should be whatever the NAS sends, which can be its loopback/admin address, or it's private IP address in case of NAT. Packet-Src-IP-Address, on the other hand, is whatever the radius sees the packet coming from, which should be the NAS/firewal's public IP address in your case. -- Fajar On Mon, Jun 25, 2012 at 11:13 PM, Sergio Belkin seb...@gmail.com wrote: Hi, I wonder radwho can show the actual Nas-IP-Address os and not the Nat device IP nat. Another interesting option would be NAS-Identifier. Is that feasible? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho
I have noticed that radwho command only return one entry at any time but obviously there are more than one people logged in $ sudo radwho Login Name What TTY When FromLocation d0c1b122dc d0c1b122dc75 shell S29 Fri 11:43 172.18.47.242 172.24.192.42 Any hint? Thanks Frank - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho
Luo, Frank Y.F. Mr. wrote: I have noticed that radwho command only return one entry at any time but obviously there are more than one people logged in $ sudo radwho Login Name What TTY When FromLocation d0c1b122dc d0c1b122dc75 shell S29 Fri 11:43 172.18.47.242 172.24.192.42 Any hint? Because there's only one person logged in. The others have all logged out. *Or* your NAS is broken, and is putting everyone on port 29. When a new login gets sent for port 29, the server assumes that it missed a logout, and just over-writes the entry. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accessing radwho information or accounting request from rlm_perl
eluna wrote: As you can see the NAS-IP-Address attributes are different, and I need a method to get the value of the accounting request because when I need to for example deauthenticate a user, i need to know what access point is is actually associated to. Any solutions or hints are very much appreciated. Use a database to store the data. Find a common key, and look it up in the DB. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Accessing radwho information or accounting request from rlm_perl
I need to get the NAS-IP-Address attribute from the Accounting request and not from the Access request because because I am working with a WDS environment. These are the access and accounting requests: rad_recv: Access-Request packet from host 10.33.0.33 port 1645, id=36, length=211 User-Name = user Framed-MTU = 1400 Called-Station-Id = 00-19-56-B0-90-18 Calling-Station-Id = 00-1B-77-89-00-15 Cisco-AVPair = ssid=SECURE Service-Type = Login-User Message-Authenticator = 0x04664bdb23657848c1dfe846b6e162f6 EAP-Message = 0x020c002b190017030100208aa24d178243e49e8315219bac17f793f2b933eec5b NAS-Port-Type = Wireless-802.11 NAS-Port = 10677114 NAS-Port-Id = 10677114 State = 0xec6d109ee561091c536a9f8f173c1470 NAS-IP-Address = 10.33.0.33 rad_recv: Accounting-Request packet from host 10.33.11.33 port 1646, id=43, length=231 Acct-Session-Id = 33C4 Called-Station-Id = 00-16-47-93-68-E2 Calling-Station-Id = 00-1B-77-89-00-15 Cisco-AVPair = ssid=SECURE Cisco-AVPair = vlan-id=123 Cisco-AVPair = nas-location=unspecified User-Name = user Cisco-AVPair = connect-progress=Call Up Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = 13454 NAS-Port = 13454 Service-Type = Framed-User NAS-IP-Address = 10.33.11.33 Acct-Delay-Time = 0 As you can see the NAS-IP-Address attributes are different, and I need a method to get the value of the accounting request because when I need to for example deauthenticate a user, i need to know what access point is is actually associated to. Any solutions or hints are very much appreciated. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Accessing-radwho-information-or-accounting-request-from-rlm-perl-tp5695393.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho
Hi, I have freeradius installed with mpd for pppoe dialin users. If some users power off computer without disconnecting than session hangs up. When I run radwho it shows user is connected where as practically user is disconnected. Is there any script or utility which can clean up radwho. 2ndly how can I disconnect connected users by force. Best regards, Fazal Ahmed Malik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho
On Tue, Mar 6, 2012 at 8:54 PM, Fazal Ahmed Malik f...@solacetel.com wrote: Is there any script or utility which can clean up radwho. radzap? Personally I just remove all reference to *radutmp in sites-available/* since I don't use it anyway. 2ndly how can I disconnect connected users by force. Your NAS needs to support it, e.g. using some administrative interface (telnet, snmp) or CoA: http://wiki.freeradius.org/Disconnect-Messages -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A lot of users connected with radwho
Hello everybody, I have a freeradius that autenticate users using mysql database. When I use the command radwho I saw a lot of users wich are old users. The question is, How should I disconnect those users so don't showed up with the radwho command? Regards Carina - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho once again
On Mon, 15 Dec 2008 13:28:04 -0200, somebody ask about radwho. server:~# radwho radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory Answer was to uncomment sradutmp in accounting section. But I want to know, how to force radwho to read from existing /var/log/freeradius/radutmp? -- Kind regards - Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho once again
Mateusz Pałosz wrote: On Mon, 15 Dec 2008 13:28:04 -0200, somebody ask about radwho. server:~# radwho radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory Answer was to uncomment sradutmp in accounting section. But I want to know, how to force radwho to read from existing /var/log/freeradius/radutmp? Delete the sradutmp file from raddb/modules, and from the accounting section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho with exact match not happening
Dear All, I have configured a radius, its working fine, i am not get proper output in radwho commnad. when we give radwho -R -u username it will give all user that match name. but i want to grep an exact match. For, Example, abc, abc1, abc123,abc1264 user is connected. Now when i give radwho -R -u abc then it will give all user connected with abc/abc1... insted of exact match abc I have an automated script to disconnect an user with radzap, but it will not work in case of similar name bcos radwho giving me wrong output (multiple user output). Any one know how to grep an user with exact match via radwho or any other way to grep an exact user with nasip,nasport,etc.. Any help greatly appreciated Thanks in advance Regards Dilip -- View this message in context: http://freeradius.1045715.n5.nabble.com/radwho-with-exact-match-not-happening-tp4447383p4447383.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho with exact match not happening
djadav wrote: when we give radwho -R -u username it will give all user that match name. but i want to grep an exact match. For, Example, abc, abc1, abc123,abc1264 user is connected. Now when i give radwho -R -u abc then it will give all user connected with abc/abc1... insted of exact match abc radwho doesn't do that. You will need to modify the source code to radwho in order to add that feature. Or, store the login information in a database, and then use normal database queries. This is the recommended approach. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
ok, how would that be? how do I not use the freeradius NAS-Port as the key?
acct_unique is a module?
acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port
}
I just remove the the NAS-Port-up of the keys?
John
2011/3/25 Alan Buxey a.l.m.bu...@lboro.ac.uk
Hi,
Actually my NAS is sending the same port for all my users, but the door
that she is sending is NAS-Port = 29.
So your NAS is broken. I don't know why people do that...
Hello Cisco! :-)
Don't use radutmp. Instead, store the sessions in SQL, and edit the
SQL configuration.
and dont use the NAS-Port as one of the keys...because its always 29
alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc
O erro dos que tem poder é colocar barreiras para que ninguém os alcance,
incentivando-nos a buscar todas as formas que encontramos para alcança-los.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
Hi,
ok, how would that be? how do I not use the freeradius NAS-Port as the
key?
acct_unique is a module?
acct_unique {
��� key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port
}
I just remove the the NAS-Port-up of the keys?
yes...maybe add something else to keep the entropy/randomness.perhaps
Called-Station-ID or Calling-Station-ID (check that you are getting those
before you drop them in). note that if you use IPv6 then this
needs changing to stop issues with NAS-IP-Address anyway...
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
ok, how would that be? how do I not use the freeradius NAS-Port as the key?
acct_unique is a module?
acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port
}
I just remove the the NAS-Port-up of the keys?
John
2011/3/25 Alan Buxey a.l.m.bu...@lboro.ac.uk
Hi,
Actually my NAS is sending the same port for all my users, but the door
that she is sending is NAS-Port = 29.
So your NAS is broken. I don't know why people do that...
Hello Cisco! :-)
Don't use radutmp. Instead, store the sessions in SQL, and edit the
SQL configuration.
and dont use the NAS-Port as one of the keys...because its always 29
alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc
O erro dos que tem poder é colocar barreiras para que ninguém os alcance,
incentivando-nos a buscar todas as formas que encontramos para alcança-los.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho shows only the last user logged.
Hello guys, I have a question. I'm using freeradius 2.1.10 on debian squezze. I am using multiple databases for authentication, in an LDAP, and SQL in another. Each using a different Realm. Regarding the authentication, everything is working normally. But when I try to check the server how many users are logged via the command radwho, it returns me only the last user who logged in, I think he should show everyone who is authenticated at this point right?? Regards. John -- João Paulo de Lima Barbosa Fone: (45) 9938-8399 Blog: http://joao.us Twitter: @joaocdc O erro dos que tem poder é colocar barreiras para que ninguém os alcance, incentivando-nos a buscar todas as formas que encontramos para alcança-los. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
joao...@gmail.com wrote: But when I try to check the server how many users are logged via the command radwho, it returns me only the last user who logged in, I think he should show everyone who is authenticated at this point right?? Your NAS is sending NAS-Port = 0 for all of the users. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
OK Alan, First thanks for listening. Actually my NAS is sending the same port for all my users, but the door that she is sending is NAS-Port = 29. How can I configure it? is the radius or the NAS? If the radius, how do I setup? Thanks. 2011/3/25 Alan DeKok al...@deployingradius.com joao...@gmail.com wrote: But when I try to check the server how many users are logged via the command radwho, it returns me only the last user who logged in, I think he should show everyone who is authenticated at this point right?? Your NAS is sending NAS-Port = 0 for all of the users. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- João Paulo de Lima Barbosa Fone: (45) 9938-8399 Blog: http://joao.us Twitter: @joaocdc O erro dos que tem poder é colocar barreiras para que ninguém os alcance, incentivando-nos a buscar todas as formas que encontramos para alcança-los. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
joao...@gmail.com wrote: Actually my NAS is sending the same port for all my users, but the door that she is sending is NAS-Port = 29. So your NAS is broken. I don't know why people do that... How can I configure it? is the radius or the NAS? The NAS. Read the NAS documentation. However, it will likely say *nothing* about this subject. If the NAS vendor understood RADIUS, they wouldn't have this problem. If the radius, how do I setup? Don't use radutmp. Instead, store the sessions in SQL, and edit the SQL configuration. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
My NAS is cisco is a wireless controller. Any suggestions for settings? And I'm also keeping my sessions in SQL. Att. 2011/3/25 Alan DeKok al...@deployingradius.com joao...@gmail.com wrote: Actually my NAS is sending the same port for all my users, but the door that she is sending is NAS-Port = 29. So your NAS is broken. I don't know why people do that... How can I configure it? is the radius or the NAS? The NAS. Read the NAS documentation. However, it will likely say *nothing* about this subject. If the NAS vendor understood RADIUS, they wouldn't have this problem. If the radius, how do I setup? Don't use radutmp. Instead, store the sessions in SQL, and edit the SQL configuration. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- João Paulo de Lima Barbosa Fone: (45) 9938-8399 Blog: http://joao.us Twitter: @joaocdc O erro dos que tem poder é colocar barreiras para que ninguém os alcance, incentivando-nos a buscar todas as formas que encontramos para alcança-los. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho shows only the last user logged.
Hi, Actually my NAS is sending the same port for all my users, but the door that she is sending is NAS-Port = 29. So your NAS is broken. I don't know why people do that... Hello Cisco! :-) Don't use radutmp. Instead, store the sessions in SQL, and edit the SQL configuration. and dont use the NAS-Port as one of the keys...because its always 29 alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho and radtest
Please do the rest of us a favor and configure your mail client to use the correct data type when attaching files. Your log file came through as: Content-Type: application/octet-stream Which means mail clients think this is binary data and won't display it nor do they even know they can open a text editor on it. The Content-Type should have been text. -- John Dennis jden...@redhat.com Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
attached is the complete debug log Try using Calling-Station-Id instead of NAS-Port for accounting. Alter (raddb/modules/)acct_unique to use Calling-Station-Id. And use sql for session and accounting. It's quicker and queries can be configured to use Calling-Station-Id instead of NAS-Port. Ivan Kalik Date: Wed, 9 Dec 2009 23:28:49 + Subject: RE: radwho and radtest From: t...@kalik.net To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org I get this when I login to the firewall It would help if you wouldn't edit the debug. Post the whole thing request + processing (both for authentication and accounting). Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Windows Live: Keep your friends up to date with what you do online. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho and radtest
hi,
I installed FreeRADIUS Version 2.1.7 from the RPM package that is included with
Fedora core 12. The server starts without errors and authentication is working
fine. The problem I am having is with the radwatch displays no output and
radtest fails.
output of the radtest
-
[r...@dia ~]# radtest rsa hello localhost 1812 testing123
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
radclient: no response from server for ID 42 socket 3
[r...@dia ~]#
output of radwho
-
[r...@dia raddb]# radwho
Login Name What TTY When FromLocation
[r...@dia raddb]#
[r...@dia ~]# radwatch
A radiusd process already exists
[r...@dia ~]#
I have also attached the output of radiusd -X
any help would be greatly appreciated
_
Windows Live Hotmail: Your friends can get your Facebook updates, right from
Hotmail®.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_4:092009FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Sep 16 2009
at 08:28:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir
RE: radwho and radtest
thank you alan for the quick reply. It worked just fine. Now I am still facing the problem with the radwho and radlast. Any idea Regards, Ramzi Date: Wed, 9 Dec 2009 20:00:29 + From: a.l.m.bu...@lboro.ac.uk To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org Subject: Re: radwho and radtest ihi, accoridng to your output, it looks like localhost is mapping to ::1 which is the local box IPv6 address (like 127.0.0.1 is in IPv4 world) by default, FreeRADIUS wont be listing to IPv6 interface...if you configure it so that it is then this will work - otherwise change you command to eg radtest rsa hello 127.0.0.1 1812 testing123 or change your hosts file so that localhost maps to 127.0.0.1 first! alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Keep your friends updated—even when you’re not signed in. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_5:092010- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho and radtest
A copy of the relevant parts of your users and clients config files would be great. If no body's logged in, it's fine if you see nothing on the radwho output On Wednesday 09 December 2009 12:41:48 pm Ramzi Abdallah wrote: hi, I installed FreeRADIUS Version 2.1.7 from the RPM package that is included with Fedora core 12. The server starts without errors and authentication is working fine. The problem I am having is with the radwatch displays no output and radtest fails. output of the radtest - [r...@dia ~]# radtest rsa hello localhost 1812 testing123 Sending Access-Request of id 42 to ::1 port 1812 User-Name = rsa User-Password = hello NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 Sending Access-Request of id 42 to ::1 port 1812 User-Name = rsa User-Password = hello NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 Sending Access-Request of id 42 to ::1 port 1812 User-Name = rsa User-Password = hello NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 radclient: no response from server for ID 42 socket 3 [r...@dia ~]# output of radwho - [r...@dia raddb]# radwho Login Name What TTY When FromLocation [r...@dia raddb]# [r...@dia ~]# radwatch A radiusd process already exists [r...@dia ~]# I have also attached the output of radiusd -X any help would be greatly appreciated _ Windows Live Hotmail: Your friends can get your Facebook updates, right from Hotmail®. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/s ocial-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_4:0920 09 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
Thank you gera, attached are copies for the users and clients.conf config
files. Normally when I run radwho and radlast I am authenticated with user rsa
so I should at least see my login :)
Regards,
Ramzi
To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
Subject: Re: radwho and radtest
From: g...@gera.me
Date: Wed, 9 Dec 2009 13:09:57 -0700
A copy of the relevant parts of your users and clients config files would be
great.
If no body's logged in, it's fine if you see nothing on the radwho output
On Wednesday 09 December 2009 12:41:48 pm Ramzi Abdallah wrote:
hi,
I installed FreeRADIUS Version 2.1.7 from the RPM package that is included
with Fedora core 12. The server starts without errors and authentication
is working fine. The problem I am having is with the radwatch displays no
output and radtest fails.
output of the radtest
-
[r...@dia ~]# radtest rsa hello localhost 1812 testing123
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
radclient: no response from server for ID 42 socket 3
[r...@dia ~]#
output of radwho
-
[r...@dia raddb]# radwho
Login Name What TTY When FromLocation
[r...@dia raddb]#
[r...@dia ~]# radwatch
A radiusd process already exists
[r...@dia ~]#
I have also attached the output of radiusd -X
any help would be greatly appreciated
_
Windows Live Hotmail: Your friends can get your Facebook updates, right
from Hotmail®.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/s
ocial-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_4:0920
09
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_
Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail
you.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092010#
# Deny access for a specific user. Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser Auth-Type := Reject
# Reply-Message = Your account has been disabled.
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULTGroup == disabled, Auth-Type := Reject
# Reply-Message = Your account has been disabled.
#
#
rsa Cleartext-Password := hello
Reply-Message = Hello, %{User-Name}
#
#
# This is a complete entry for steve. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve Cleartext-Password := testing
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
# Framed-IP-Netmask = 255.255.255.0,
# Framed-Routing = Broadcast-Listen,
# Framed-Filter-Id = std.ppp,
# Framed-MTU = 1500,
# Framed-Compression = Van-Jacobsen-TCP-IP
#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#John Doe Cleartext-Password := hello
# Reply-Message = Hello, %{User-Name}
#
# Dial user back and telnet to the default host for that port
#
#DegCleartext-Password := ge55ged
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = 9,5551212,
# Login-Service = Telnet,
# Login-TCP-Port = Telnet
#
# Another complete entry. After the user dialbk has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host timeshare1.
#
#dialbk Cleartext-Password := callme
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
# Callback-Number = 9,1-800-555-1212
#
# user swilson will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file
Re: radwho and radtest
hi, got accounting details sent from NAS? why dont you run in debug mode when you are doing the tests? you can then see what is going on...and why things arent being recorded. what method of session tracking are you using? radutmp etc - check your config for the session information. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
thank you alan for the quick reply. It worked just fine. Now I am still facing the problem with the radwho and radlast. Any idea Yes, you have sent an authentication request. No accounting. So there is nothing for radwho to show. It displays accounting information. In case you weren't aware, radius server doesn't generate accounting information. Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
thanks Ivan, when I run in debug mode I get the bellow errors
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID
MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.129.17,NAS-IP-Address =
193.188.129.17,Acct-Session-Id = 00550003,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = cc3ac6adce99a1dd.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - rsa
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
Date: Wed, 9 Dec 2009 21:32:55 +
Subject: RE: radwho and radtest
From: t...@kalik.net
To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
thank you alan for the quick reply. It worked just fine. Now I am still
facing the problem with the radwho and radlast. Any idea
Yes, you have sent an authentication request. No accounting. So there is
nothing for radwho to show. It displays accounting information. In case
you weren't aware, radius server doesn't generate accounting information.
Ivan Kalik
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_
Windows Live: Keep your friends up to date with what you do online.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent ... rlm_radutmp: No NAS-Port seen. Cannot do anything. Nothing misterious in those messages. NAS is not sending NAS-Port and radutmp needs it to work. Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
great, then I have to contact the fortinet guys to see why this is happening Date: Wed, 9 Dec 2009 22:08:56 + Subject: RE: radwho and radtest From: t...@kalik.net To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent ... rlm_radutmp: No NAS-Port seen. Cannot do anything. Nothing misterious in those messages. NAS is not sending NAS-Port and radutmp needs it to work. Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Windows Live: Keep your friends up to date with what you do online. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho and radtest
Maybe I'm missing something, but is this shown while you do use the radtest
command? If so, then it's normal that you get nothing on radwho.
If you get nothing on radwho when using the NAS (and you didn't went so far
from the default freeradius configuration), then indeed you still need to
configure it to send accounting data to radius.
On Wednesday 09 December 2009 02:58:13 pm Ramzi Abdallah wrote:
thanks Ivan, when I run in debug mode I get the bellow errors
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address =
193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id =
00550003,User-Name = rsa' [acct_unique] Acct-Unique-Session-ID =
cc3ac6adce99a1dd.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - rsa
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
Date: Wed, 9 Dec 2009 21:32:55 +
Subject: RE: radwho and radtest
From: t...@kalik.net
To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
thank you alan for the quick reply. It worked just fine. Now I am still
facing the problem with the radwho and radlast. Any idea
Yes, you have sent an authentication request. No accounting. So there is
nothing for radwho to show. It displays accounting information. In case
you weren't aware, radius server doesn't generate accounting information.
Ivan Kalik
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
_
Windows Live: Keep your friends up to date with what you do online.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/so
cial-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:09201
0
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
I get this when I login to the firewall
To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
Subject: Re: radwho and radtest
From: g...@gera.me
Date: Wed, 9 Dec 2009 15:28:30 -0700
Maybe I'm missing something, but is this shown while you do use the radtest
command? If so, then it's normal that you get nothing on radwho.
If you get nothing on radwho when using the NAS (and you didn't went so far
from the default freeradius configuration), then indeed you still need to
configure it to send accounting data to radius.
On Wednesday 09 December 2009 02:58:13 pm Ramzi Abdallah wrote:
thanks Ivan, when I run in debug mode I get the bellow errors
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address =
193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id =
00550003,User-Name = rsa' [acct_unique] Acct-Unique-Session-ID =
cc3ac6adce99a1dd.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
[radutmp] expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp] expand: %{User-Name} - rsa
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
Date: Wed, 9 Dec 2009 21:32:55 +
Subject: RE: radwho and radtest
From: t...@kalik.net
To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
thank you alan for the quick reply. It worked just fine. Now I am still
facing the problem with the radwho and radlast. Any idea
Yes, you have sent an authentication request. No accounting. So there is
nothing for radwho to show. It displays accounting information. In case
you weren't aware, radius server doesn't generate accounting information.
Ivan Kalik
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
_
Windows Live: Keep your friends up to date with what you do online.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/so
cial-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:09201
0
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_
Windows Live: Keep your friends up to date with what you do online.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
I get this when I login to the firewall It would help if you wouldn't edit the debug. Post the whole thing request + processing (both for authentication and accounting). Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radwho and radtest
hello Ivan attached is the complete debug log Date: Wed, 9 Dec 2009 23:28:49 + Subject: RE: radwho and radtest From: t...@kalik.net To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org I get this when I login to the firewall It would help if you wouldn't edit the debug. Post the whole thing request + processing (both for authentication and accounting). Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _ Windows Live: Keep your friends up to date with what you do online. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_1:092010 putty.log Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho doesn't work
Hi all, Systems: CentOs v5.3, FreeRadius-server-2.1.6 + Openldap I d like to know who are logged on(uid, duration ...) so I did radwho but it said that the radutmp file is not found ... radwho: Error reading /usr/local/freeradius-server-2.1.6/var/log/radius/radutmp: No such file or directory Can anyone help me?I checked in the indicated directory and it was right (anyway, it's temporary file) Best regards! -- JJohnny RANDRIAMAMPIONONA Phone: +212663682554, +212533158575 National School of Applied Sciences ZIP 1818 TANGIER 9 -Morocco --- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho and location
Hi All, I've just started with FreeRADIUS and noticed that when running radwho the 'location' field seems empty. (FreeRADIUS 2.1.7 from the source on Ubuntu 8.04LTS) There doesn't seem to be a configuration option/tweak anywhere I can find, or am I missing something? The reason I'm interested is that we're wanting to limit simultaneous-use on some kind of 'grouping' not per-unique-username and I'm wondering if radwho/location might be an obvious place to track that (if I could just work out how to get the info in there). Thanks, Phil P - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho and location
I've just started with FreeRADIUS and noticed that when running radwho the 'location' field seems empty. (FreeRADIUS 2.1.7 from the source on Ubuntu 8.04LTS) There doesn't seem to be a configuration option/tweak anywhere I can find, or am I missing something? Location should be Framed-IP-Address allocated to the user. If it's not in accounting Start packet ... Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho error: Is this minor typo error in rpm packaging?
Hi, I have rpm based freeradius package installed in my CentOS 5.3 box. In the course of experimentation, I noticed that radwho gives me following error: == /var/log/radius/sradutmp: No such file or directory == I guess this is a minor typo error in rpm package. Actually radwho should be looking for radutmp file not sradutmp. If this is true, when can I expect the new fixed package? Thanks and Regards -- == Registered Linux User #460714 Currently Using Fedora 10, CentOS 5.3 == - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho
Hi, I've just installed Freeradius 2.1.3 on a Debian Lenny, but I'm getting the following error with radwho: server:~# radwho radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory Radlast works. There is no sradutmp, but there is a radutmp file. How do I set radwho to use this file? Tks, Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho
Uncomment sradutmp in accounting section of the virtual server you are using (probably default) for accounting. Ivan Kalik Kalik Informatika ISP Dana 15/12/2008, rgreiner mrgrei...@gmail.com piše: Hi, I've just installed Freeradius 2.1.3 on a Debian Lenny, but I'm getting the following error with radwho: server:~# radwho radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory Radlast works. There is no sradutmp, but there is a radutmp file. How do I set radwho to use this file? Tks, Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho
It is working now. Thank you very much. Roberto t...@kalik.net wrote: Uncomment sradutmp in accounting section of the virtual server you are using (probably default) for accounting. Ivan Kalik Kalik Informatika ISP Dana 15/12/2008, rgreiner mrgrei...@gmail.com pi¹e: Hi, I've just installed Freeradius 2.1.3 on a Debian Lenny, but I'm getting the following error with radwho: server:~# radwho radwho: Error reading /var/log/freeradius/sradutmp: No such file or directory Radlast works. There is no sradutmp, but there is a radutmp file. How do I set radwho to use this file? Tks, Roberto -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- - Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy - - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SQL radwho radsqlwho
Here's what I'm using. It very likely will not work out-of-the-box on
a stock freeradius, and it's PostgreSQL-specific.
#!/usr/local/bin/perl
#
use Time::Local;
use DBI;
use Getopt::Std;
$SQL_HOST=pgsql.example.com;
getopts('ah');
if ($opt_h) {
print STDERR EOF;
usage: radsqlwho [-a] [-h] [logname]
-a anonymous output
-h print this help message
logname print only records for this logname
EOF
exit;
}
$logname = $ARGV[0];
my $datasource = dbi:Pg:dbname=radius;host=$SQL_HOST;
my $dbh = DBI-connect($datasource) ||
die Could not connect:$DBI::errstr;
my $sth = $dbh-prepare(qq[SET DATESTYLE TO 'Postgres';]);
unless ($sth-execute) {
print SET DATESTYLE failed: . $DBI::errstr . \n;
}
$sth-finish;
my $sth = $dbh-prepare(qq[SET TIME ZONE 'Africa/Mogadishu';]);
unless ($sth-execute) {
print SET TIME ZONE failed: . $DBI::errstr . \n;
}
$sth-finish;
unless (length($logname)) {
$query=SELECT
username
,nasipaddress
,modulationtype,framedipaddress,nasportid,split_part(connectspeed,
'-', 1) AS connectspeed, to_char(now() - acctstarttime, 'HH24:MI:SS')
AS sessiontime, to_char(acctstarttime, 'HH24:MI Mon DD') AS starttime
FROM radacct WHERE acctstoptime IS NULL ORDER BY acctstarttime;
} else {
$logname=$dbh-quote($logname);
$query=SELECT
username
,nasipaddress
,modulationtype,framedipaddress,nasportid,split_part(connectspeed,
'-', 1) AS connectspeed, to_char(now() - acctstarttime, 'HH24:MI:SS')
AS sessiontime, to_char(acctstarttime, 'HH24:MI Mon DD') AS starttime
FROM radacct WHERE username=$logname AND acctstoptime IS NULL ORDER BY
acctstarttime;
}
detail_format;
my $sth = $dbh-prepare(qq[$query]);
unless ($sth-execute) {
print SELECT failed: . $DBI::errstr . \n;
}
if ($sth-rows) {
my $hash_ref;
while ($hash_ref = $sth-fetchrow_hashref) {
$username=$hash_ref-{username};
$framedip=$hash_ref-{framedipaddress};
$modtype=$hash_ref-{modulationtype};
$speed=$hash_ref-{connectspeed};
$sesstime=$hash_ref-{sessiontime};
$starttime=$hash_ref-{starttime};
if ($opt_a) {
$username='';
}
write;
}
}
$sth-finish;
$dbh-disconnect;
sub detail_format
{
$%=0;
$-=0;
$==59;
$^ = DETAIL_TOP;
$~ = DETAIL;
}
format DETAIL_TOP =
Login IDIP Address Modulation Speed Time When
.
format DETAIL =
@ @ @ @ @
@
$username, $framedip, $modtype, $speed, $sesstime, $starttime
.
--
Have you man unlanged today?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simultaneous-Use and radwho
Tuc at T-B-O-H.NET wrote: Ok, wasn't aware of the functionality. I don't see a radsneeze, so I'm guessing you pipe them back in via echoing it to radclient? Yes. I'd love to help, but I'm a C compiler (I can find includes/functions and missing libraries) and not a C programmer. Is this something I should put a bug report in about a race condition or Dealing with slow NAS accounting or some other title? Is there someone on the list that maybe would be interested in working on a patch (I'm a great tester. :) ) File a bug report. But there are no plans to work on it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simultaneous-Use and radwho
Copy the configs to a test machine. Run radsniff on the production machine to grab packets. Play them back on the test machine. Run radiusd -X on the test machine. Ok, wasn't aware of the functionality. I don't see a radsneeze, so I'm guessing you pipe them back in via echoing it to radclient? But it seems somehow they are able to race it : Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from client SBC-2393 port 4 cli 00-13-02-20-F9-DC) Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD The NAS is delaying the accounting packets. DD-WRT running O-L-D Chillispot. Would switching to SQL be better? (Or is this something that MUST have a radiusd -X to resolve?) No. The way to fix it is to fix the code so that the user is marked conditionally logged in for 10-20 seconds after the Access-Accept. if there's no Accounting start, that record is erased. Otherwise, the accounting start marks the users as really logged in. That way, when the second login request comes, the server discovers that the first user is likely to be logged in, and rejects the second request. I'd love to help, but I'm a C compiler (I can find includes/functions and missing libraries) and not a C programmer. Is this something I should put a bug report in about a race condition or Dealing with slow NAS accounting or some other title? Is there someone on the list that maybe would be interested in working on a patch (I'm a great tester. :) ) Thanks, Tuc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simultaneous-Use and radwho
Hi, I haven't been given authorization to do a radiusd -X yet, but I'm seeing something in my logs that I don't get . User is logging in from multiple times, so I put on Simultaneous-Use and it goes against the radutmp. So I test it by hand and I get in radius.log Wed Jun 11 17:30:45 2008 : Auth: Multiple logins (max 1) : [regtum14/TESTING] (from client localhost port 1812) Ok, good. So I reset the device and make sure it gets an: Wed Jun 11 18:17:04 2008 : Info: rlm_radutmp: NAS 192.168.75.39 restarted (Accounting-On packet seen) Wed Jun 11 18:17:04 2008 : Info: rlm_sql (sql): received Acct On/Off packet But it seems somehow they are able to race it : Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from client SBC-2393 port 4 cli 00-13-02-20-F9-DC) Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD Would switching to SQL be better? (Or is this something that MUST have a radiusd -X to resolve?) Thanks, Tuc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simultaneous-Use and radwho
Tuc at T-B-O-H.NET wrote: I haven't been given authorization to do a radiusd -X yet, Copy the configs to a test machine. Run radsniff on the production machine to grab packets. Play them back on the test machine. Run radiusd -X on the test machine. But it seems somehow they are able to race it : Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from client SBC-2393 port 4 cli 00-13-02-20-F9-DC) Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/CHAP-Password] (from client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD The NAS is delaying the accounting packets. Would switching to SQL be better? (Or is this something that MUST have a radiusd -X to resolve?) No. The way to fix it is to fix the code so that the user is marked conditionally logged in for 10-20 seconds after the Access-Accept. if there's no Accounting start, that record is erased. Otherwise, the accounting start marks the users as really logged in. That way, when the second login request comes, the server discovers that the first user is likely to be logged in, and rejects the second request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho radzap problem
Hi again, I think i found a solution I dont know why but i had to give -d parameter to show the default config path, my config path is under freeradius but it searches for radiusd so..it made the problem. So is there a way to change default path for radzap/radwho etc? Hello, I am using rlm_perl script for authentication. And logging radacct in sql. But it is strange that, i couldnt use radwho radzap radlast etc for a while.. had the error file not found etc.. So i manually created the files with touch. Now i can see theres records inside files, but still i cant see any data with radwho or radlast commands. And also, i can not zap staled sessions too with radzap, even i tried to clean sql log with a cleanstale.php script , some of my users still seem online. I am attaching the radiusd.conf file and i wonder if smbody can help me about this situation. Thanks a lot.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho radzap problem
Oguzhan Kayhan wrote: Hello, I am using rlm_perl script for authentication. And logging radacct in sql. But it is strange that, i couldnt use radwho radzap radlast etc for a while.. had the error file not found etc.. So i manually created the files with touch. Now i can see theres records inside files, but still i cant see any data with radwho or radlast commands. The contents of the files are created from accounting packets. Those packets are required to have certain data for them to go in radutmp/radwtmp. See debug mode for more information. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho radzap problem
Hello, I am using rlm_perl script for authentication. And logging radacct in sql. But it is strange that, i couldnt use radwho radzap radlast etc for a while.. had the error file not found etc.. So i manually created the files with touch. Now i can see theres records inside files, but still i cant see any data with radwho or radlast commands. And also, i can not zap staled sessions too with radzap, even i tried to clean sql log with a cleanstale.php script , some of my users still seem online. I am attaching the radiusd.conf file and i wonder if smbody can help me about this situation. Thanks a lot. radiusd.conf Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
About radwho
Hello, I run freeradius 1.1.7. when I use the radwho command, I get : radwho: Error reading /usr/local/var/log/radius/radutmp: No such file or directory I looked in /usr/local/var/log/radius/ and didn't find radutmp file. I didn't read in the documentation that this file is to be created manually. Can you say me why radiusd didn't create it at the first time ? Do I have to create it now ? Regards. -- *Hospices Civils de Beaune* *Patrice OLIVER* /Chef de Projet Ville Hôpital/ /Responsable Réseau Sécurité/ BP 104 21203 BEAUNE Cedex Tél. 03 80 24 44 09 Fax. 03 80 24 45 90 Ce message, y compris les pièces jointes, est établi à l'attention exclusive de son ou ses destinataires et est confidentiel. Toute utilisation non conforme à sa destination, toute diffusion ou publication, totale ou partielle, est interdite sauf autorisation expresse de l'expéditeur. Si vous n'êtes pas le destinataire de ce message, merci d'avertir l'expéditeur de l'erreur de distribution puis de le détruire. Tout message électronique est susceptible d'altération et son intégrité ne peut être assurée. L'expéditeur décline toute responsabilité dans l'hypothèse où il aurait été modifié ou falsifié. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho does not show me any user
Hello,
When I use the radwho utility to know actually connected radius users.
It returns me an empty list since I'm actually connected and authenticated.
Yesterday, I saw that the radutmp file did not exist. So I created it with 600
permissions.
The radiusd.conf has been setup like this :
radutmp {
filename = ${logdir}/radutmp
Can you help me ?
Cordialement,
Patrice OLIVER
Chef du Projet Ville Hôpital
Responsable Réseaux Sécurité
HOSPICES CIVILS DE BEAUNE
Service Informatique
BP 104
21203 BEAUNE CEDEX
Tél. 33 3 80 24 44 09
Fax 33 3 80 24 45 90
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho does not show me any user
OLIVER Patrice wrote: When I use the radwho utility to know actually connected radius users. It returns me an empty list since I'm actually connected and authenticated. Your NAS is not sending accounting packets. They are needed in order to create and update the database used by radwho. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho does not show me any user
-Original Message- From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Date: Fri, 23 Nov 2007 11:04:35 +0100 Subject: Re: radwho does not show me any user OLIVER Patrice wrote: When I use the radwho utility to know actually connected radius users. It returns me an empty list since I'm actually connected and authenticated. Your NAS is not sending accounting packets. They are needed in order to create and update the database used by radwho. Alan DeKok. Ok, Thanks. I look the NAS configuration. :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problems With Radwho
Hi Guys/Gals I have problem where radwho only shows users logged in for two nas'es. Aswell as only their accounting info goes into the radacct table. I can see the other users authenticating and i can log into them. So they must be dailing up No idea why its happening. Im using radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built on Oct 10 2007 at 08:13:06 Regards Willem Gerber -- The casing said 'Windows XP or better'... so I installed Linux -- Anonymous begin:vcard fn:Willem Gerber n:Gerber;Willem email;internet:[EMAIL PROTECTED] note;quoted-printable:Destiny Electronic Commerce (Pty) Ltd.=0D=0A= =0D=0A= www.e-destiny.co.za=0D=0A= =0D=0A= 011 695 5500 phone=0D=0A= 086 660 2933 fax x-mozilla-html:TRUE version:2.1 end:vcard - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems With Radwho
Im seeing the authentication requests from the server and the reply packets. What would a accounting packet look like ? Sorry for asking. The traffic looks right to me if i do radius -X Regards Willem Gerber [EMAIL PROTECTED] wrote: Are you getting accounting packets from those access servers? Or just authentication? If nAS is not sending ... Ivan Kalik Kalik Informatika ISP Dana 16/11/2007, Willem Gerber [EMAIL PROTECTED] piše: Hi Guys/Gals I have problem where radwho only shows users logged in for two nas'es. Aswell as only their accounting info goes into the radacct table. I can see the other users authenticating and i can log into them. So they must be dailing up No idea why its happening. Im using radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built on Oct 10 2007 at 08:13:06 Regards Willem Gerber -- The casing said 'Windows XP or better'... so I installed Linux -- Anonymous - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- The casing said 'Windows XP or better'... so I installed Linux -- Anonymous begin:vcard fn:Willem Gerber n:Gerber;Willem email;internet:[EMAIL PROTECTED] note;quoted-printable:Destiny Electronic Commerce (Pty) Ltd.=0D=0A= =0D=0A= www.e-destiny.co.za=0D=0A= =0D=0A= 011 695 5500 phone=0D=0A= 086 660 2933 fax x-mozilla-html:TRUE version:2.1 end:vcard - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems With Radwho
Are you getting accounting packets from those access servers? Or just authentication? If nAS is not sending ... Ivan Kalik Kalik Informatika ISP Dana 16/11/2007, Willem Gerber [EMAIL PROTECTED] piše: Hi Guys/Gals I have problem where radwho only shows users logged in for two nas'es. Aswell as only their accounting info goes into the radacct table. I can see the other users authenticating and i can log into them. So they must be dailing up No idea why its happening. Im using radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built on Oct 10 2007 at 08:13:06 Regards Willem Gerber -- The casing said 'Windows XP or better'... so I installed Linux -- Anonymous - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems With Radwho
It's not Access-Request but Accounting-Request. If you don't see them after the Access-Accept then your NAS is not sending accounting data. Ivan Kalik Kalik Informatika iSP Dana 16/11/2007, Willem Gerber [EMAIL PROTECTED] piše: Im seeing the authentication requests from the server and the reply packets. What would a accounting packet look like ? Sorry for asking. The traffic looks right to me if i do radius -X Regards Willem Gerber [EMAIL PROTECTED] wrote: Are you getting accounting packets from those access servers? Or just authentication? If nAS is not sending ... Ivan Kalik Kalik Informatika ISP Dana 16/11/2007, Willem Gerber [EMAIL PROTECTED] piše: Hi Guys/Gals I have problem where radwho only shows users logged in for two nas'es. Aswell as only their accounting info goes into the radacct table. I can see the other users authenticating and i can log into them. So they must be dailing up No idea why its happening. Im using radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built on Oct 10 2007 at 08:13:06 Regards Willem Gerber -- The casing said 'Windows XP or better'... so I installed Linux -- Anonymous - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- The casing said 'Windows XP or better'... so I installed Linux -- Anonymous - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Chris Bradshaw wrote:
The debug output was pretty much the same as my first email. I have
attached it below anyway. This debug output was taken with freeradius
1.1.7 and the following configured:
* Enabled use_tunneled_reply copy_request_to_tunnel.
* Have the following in the users file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`
You still have it sending anonymous in the Access-Accept. Fix that.
Stop doing anything else until it sends the real user name.
Am I correct in saying that the NAS will send an Accounting-Request
using the User-Name it received in the previous Access-Accept?
Yes.
If so, how can it be the fault of the NAS if freeradius (in spite of
trying the settings above) is still sending an Access-Accept with
User-Name set to anonymous?
It's not. You're not configuring FreeRADIUS properly.
Put this at the TOP of the users file:
# test
DEFAULT
User-Name := bob
# end of test
verify that the final Access-Accept contains the user name bob, and
the accounting request contains the user name bob.
Then, delete that entry, and READ THE DEBUG LOG to see why the other
entry you have isn't being used.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Hi OKI tried using a User-Name of Bob as suggested, but still no joy. I have attached a complete log of everything from the moment I click OK on my Windoze laptop until the laptop says it has authenticated successfully.. Thanx in advance for any help. Chris. rad_recv: Access-Request packet from host 10.11.2.97:1645, id=15, length=147 User-Name = anonymous Framed-MTU = 1400 Called-Station-Id = 0019.a90e.f490 Calling-Station-Id = 0090.4b28.86b0 Service-Type = Login-User Message-Authenticator = 0x6c0296cf0997502a20b91d0ab5c7d475 EAP-Message = 0x0202000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = 262 NAS-IP-Address = 10.11.2.97 NAS-Identifier = d106-ap1240-1 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 15 to 10.11.2.97 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x State = 0x6d038dc21b4b7ccc8be83157ba7f8d5d rad_recv: Access-Request packet from host 10.11.2.97:1645, id=16, length=157 User-Name = anonymous Framed-MTU = 1400 Called-Station-Id = 0019.a90e.f490 Calling-Station-Id = 0090.4b28.86b0 Service-Type = Login-User Message-Authenticator = 0xd9d6ade7b49bf14e276219d11e1ee016 EAP-Message = 0x020300060315 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = 262 State = 0x6d038dc21b4b7ccc8be83157ba7f8d5d NAS-IP-Address = 10.11.2.97 NAS-Identifier = d106-ap1240-1 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 16 to 10.11.2.97 port 1645 EAP-Message = 0x010400061520 Message-Authenticator = 0x State = 0x3fb35d32290c24764e9db533206bc16a rad_recv: Access-Request packet from host 10.11.2.97:1645, id=17, length=243 User-Name = anonymous Framed-MTU = 1400 Called-Station-Id = 0019.a90e.f490 Calling-Station-Id = 0090.4b28.86b0 Service-Type = Login-User Message-Authenticator = 0x933c7e115f5fde84cf641744c34d90b0 EAP-Message = 0x0204005c15800052160301004d0149030197874f93537273cc884c9764aade2de3d77fc2b7cb525ef666b7c6f2e654e0c320e7dfeb3f9185ff7a30f69ffdb50509b95586c30a3edef6c771e5ba95508d9b620002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 262 NAS-Port-Id = 262 State = 0x3fb35d32290c24764e9db533206bc16a NAS-IP-Address = 10.11.2.97 NAS-Identifier = d106-ap1240-1 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: Running registered xlat function of module mschap for string 'User-Name' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 Sending Access-Challenge of id 17 to 10.11.2.97 port 1645 EAP-Message = 0x0105040a15c0097b160301004a024603014704ce66e2b903fed180ce086543967f9c57c961badbd56be7b080c820177e053b5926050f37c369b4a610ca7ec09f31298036a35ab209957e7050a3ad000a00160301091e0b00091a00091700040830820404308202eca003020102020103300d06092a864886f70d01010405003081b7310b3009060355040613024945311530130603550408130c436f756e7479204b65727279310f300d060355040713065472616c65653120301e060355040a1317496e73746974757465206f6620546563686e6f6c6f6779311b3019060355040b1312436f6d707574696e672053657276696365 EAP-Message = 0x73311b301906035504031312776c616e63612e69747472616c65652e69653124302206092a864886f70d010901161574656368406c6973742e69747472616c65652e6965301e170d3035313030363039333734375a170d3135313030343039333734375a3081b9310b3009060355040613024945311530130603550408130c436f756e7479204b65727279310f300d060355040713065472616c65653120301e060355040a1317496e73746974757465206f6620546563686e6f6c6f6779311b3019060355040b1312436f6d707574696e67205365727669636573311d301b06035504031314776c616e74746c732e69747472616c65652e6965312430 EAP-Message =
Re: radwho question....
Chris Bradshaw wrote: OKI tried using a User-Name of Bob as suggested, Maybe. The debug log you posted is either NOT the full debug log (-X). OR, you have deleted all references to the files module from radiusd.conf. If you tell the server to NOT look at the users file, then do NOT be surprised when it doesn't look at the users file. I am just astonished at how much effort people put into breaking the configuration, and then doing even *more* work trying to fix it again. If you've put huge efforts into destroying the default configuration, then most of the suggestions here WILL NOT WORK, because they presume you haven't butchered the configuration to make it useless. Start off with the default configuration. Add the LDAP config, and EAP configuration for certificates. MAKE SURE IT USES THE users file. THEN try my suggestion. Odds are that it will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Hi Thanx for your help. Its working now. I did have the files module commented out in the authorize sectionapologies. Thanx again. Chris. On 04/10/2007, Alan DeKok [EMAIL PROTECTED] wrote: Chris Bradshaw wrote: OKI tried using a User-Name of Bob as suggested, Maybe. The debug log you posted is either NOT the full debug log (-X). OR, you have deleted all references to the files module from radiusd.conf. If you tell the server to NOT look at the users file, then do NOT be surprised when it doesn't look at the users file. I am just astonished at how much effort people put into breaking the configuration, and then doing even *more* work trying to fix it again. If you've put huge efforts into destroying the default configuration, then most of the suggestions here WILL NOT WORK, because they presume you haven't butchered the configuration to make it useless. Start off with the default configuration. Add the LDAP config, and EAP configuration for certificates. MAKE SURE IT USES THE users file. THEN try my suggestion. Odds are that it will work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Hi. Thanx for the reply. I do have 'use_tunneled_reply = yes' in eap.conf, but I am still seeing the outer identity showing up when I use radwho. I have run radiusd -A -x and have appended the Access-Accept section to this email. The first line of the log shows the inner identity (my login, cwbshaw) successfully authenticating (via LDAP). I'd be grateful for any help you can offer. TIA Chris. rlm_ldap: user cwbshaw authenticated succesfully rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 4 rlm_sql (sql): Released sql socket id: 4 TTLS: Got tunneled reply RADIUS code 2 Tunnel-Private-Group-Id:1 = 90 Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): Released sql socket id: 3 Sending Access-Accept of id 7 to 10.11.2.91:1645 Tunnel-Private-Group-Id:1 = 90 Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Type:1 = VLAN Session-Timeout = 900 MS-MPPE-Recv-Key = 0xcbc7be67c93e3a3452f943380ee4e2c053fdf02f874781ecfbacf6788fed419d MS-MPPE-Send-Key = 0xfd4d541226142098174d3a748263b2790e59dec67e76fdcc16654357a73e084c EAP-Message = 0x03080004 Message-Authenticator = 0x User-Name = anonymous rad_recv: Accounting-Request packet from host 10.11.2.91:1646, id=89, length=229 Acct-Session-Id = 2149 Called-Station-Id = 0011.5cc7.1be0 Calling-Station-Id = 0090.4b28.86b0 Cisco-AVPair = ssid=ittwlan Cisco-AVPair = vlan-id=90 Cisco-AVPair = nas-location=unspecified User-Name = anonymous Cisco-AVPair = connect-progress=Call Up Acct-Authentic = RADIUS Acct-Status-Type = Start NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = 6965 NAS-Port = 6965 Service-Type = Framed-User NAS-IP-Address = 10.11.2.91 Acct-Delay-Time = 0 rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 Sending Accounting-Response of id 89 to 10.11.2.91:1646 On 02/10/2007, Alan DeKok [EMAIL PROTECTED] wrote: Chris Bradshaw wrote: I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an authentication backend for our wireless network. You really should upgrade, but that's another story. I have noticed that if I run radwho, I seem to only see the name of the user from the 'outside' of the tunnel (in this case 'anonymous')as a result its not possible to tell who is connected at any one time. The NAS is responsible for sending the anonymous user name. If you want the NAS to send something different, you have to send the inner tunnel user name back in the Access-Accept. See use_tunneled_reply in the configuration for the EAP module. Also I have noticed that the fields tend to get truncated: Login Name What TTY When From Location anonymous anonymous shell 999 Tue 16:00 10.10.2.9 The IP address above should be 10.10.2.96. Change the format of the printf command in radwho. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Chris Bradshaw wrote: Thanx for the reply. I do have 'use_tunneled_reply = yes' in eap.conf, but I am still seeing the outer identity showing up when I use radwho. As I said, you also have to send the inner tunnel name back in the Access-Accept. ... Sending Access-Accept of id 7 to 10.11.2.91:1645 ... User-Name = anonymous See? You're telling the NAS to use anonymous for the accounting logs. Set the User-Name in the reply for the inner tunnel session, and it will be used in the outer session, too. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Hi
Thanx for the reply.
Firstly, I have just upgraded freeradius to the latest version, but it
didn't make any difference.
I have also looked thru the documentation, and also searched the web
to see if I could find how this might be done. I found a thread on a
similar subject at:
http://www.nabble.com/EAP-TTLS-outer-identity---accounting-t3391290.html
this looks similar to the issue I am seeing.one of your
replies to this thread seems particularly relevant:
http://www.nabble.com/Re%3A-EAP-TTLS-outer-identity---accounting-p9573830.html
However, I have tried the suggestions in this reply:
* Enable use_tunneled_reply copy_request_to_tunnel (I already had
these enabled).
* Have the following in the users file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`
but it still makes no difference.radwho still returns
'anonymous' whenever I log in.
Not sure where I can go from here.
Thanx in advance for any help.
Chris.
On 03/10/2007, Alan DeKok [EMAIL PROTECTED] wrote:
Chris Bradshaw wrote:
Thanx for the reply. I do have 'use_tunneled_reply = yes' in eap.conf,
but I am still seeing the outer identity showing up when I use radwho.
As I said, you also have to send the inner tunnel name back in the
Access-Accept.
...
Sending Access-Accept of id 7 to 10.11.2.91:1645
...
User-Name = anonymous
See? You're telling the NAS to use anonymous for the accounting
logs. Set the User-Name in the reply for the inner tunnel session, and
it will be used in the outer session, too.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Chris Bradshaw wrote:
However, I have tried the suggestions in this reply:
* Enable use_tunneled_reply copy_request_to_tunnel (I already had
these enabled).
* Have the following in the users file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`
And... what do you see in the Access-Accept when you run in debugging
mode?
but it still makes no difference.radwho still returns
'anonymous' whenever I log in.
Stop looking at radwho. It's output is WAY down the chain of cause
and effect.
1) ensure that the real user name is in the Access-Accept.
If not, make it appear there.
2) ensure that the accounting request contains the real user name
If it contains anonymous, buy a real NAS. Your NAS is broken.
After that, radwho *should* do the right thing.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Hi
The debug output was pretty much the same as my first email. I have
attached it below anyway. This debug output was taken with freeradius
1.1.7 and the following configured:
* Enabled use_tunneled_reply copy_request_to_tunnel.
* Have the following in the users file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`
Am I correct in saying that the NAS will send an Accounting-Request
using the User-Name it received in the previous Access-Accept?
If so, how can it be the fault of the NAS if freeradius (in spite of
trying the settings above) is still sending an Access-Accept with
User-Name set to anonymous?
TIA
Chris.
rlm_ldap: user t00037191 authenticated succesfully
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
TTLS: Got tunneled reply RADIUS code 2
Tunnel-Private-Group-Id:1 = 90
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Type:1 = VLAN
Session-Timeout = 900
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
Sending Access-Accept of id 58 to 10.11.2.91 port 1645
Tunnel-Private-Group-Id:1 = 90
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Type:1 = VLAN
Session-Timeout = 900
MS-MPPE-Recv-Key =
0x916f89b88b0096fa19178e281a02f35c1291005c5942e5a2c5e1257e45d0e658
MS-MPPE-Send-Key =
0x63d4685ca902be7473bcf3d62d730a77c5fe4648aab0834fac5f41178a424a7d
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = anonymous
rad_recv: Accounting-Request packet from host 10.11.2.91:1646, id=143,
length=229
Acct-Session-Id = 2246
Called-Station-Id = 0011.5cc7.1be0
Calling-Station-Id = 0090.4b28.86b0
Cisco-AVPair = ssid=ittwlan
Cisco-AVPair = vlan-id=90
Cisco-AVPair = nas-location=unspecified
User-Name = anonymous
Cisco-AVPair = connect-progress=Call Up
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = 7190
NAS-Port = 7190
Service-Type = Framed-User
NAS-IP-Address = 10.11.2.91
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
On 03/10/2007, Alan DeKok [EMAIL PROTECTED] wrote:
Chris Bradshaw wrote:
However, I have tried the suggestions in this reply:
* Enable use_tunneled_reply copy_request_to_tunnel (I already had
these enabled).
* Have the following in the users file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`
And... what do you see in the Access-Accept when you run in debugging
mode?
but it still makes no difference.radwho still returns
'anonymous' whenever I log in.
Stop looking at radwho. It's output is WAY down the chain of cause
and effect.
1) ensure that the real user name is in the Access-Accept.
If not, make it appear there.
2) ensure that the accounting request contains the real user name
If it contains anonymous, buy a real NAS. Your NAS is broken.
After that, radwho *should* do the right thing.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
The fact that you have added that entry to the users file doesn't mean
that it will get matched and processed. You haven't posted the whole
debug so it's hard to be sure, but my guess is that this is the problem
(from users file):
# When an authentication request is received from the comm server,
# these values are tested. Only the first match is used unless the
# Fall-Through variable is set to Yes.
#
# A special user named DEFAULT matches on all usernames.
# You can have several DEFAULT entries. All entries are processed
# in the order they appear in this file. The first entry that
# matches the login-request will stop processing unless you use
# the Fall-Through variable.
#
Ivan Kalik
Kalik Informatika ISP
Dana 3/10/2007, Chris Bradshaw [EMAIL PROTECTED] piše:
Hi
The debug output was pretty much the same as my first email. I have
attached it below anyway. This debug output was taken with freeradius
1.1.7 and the following configured:
* Enabled use_tunneled_reply copy_request_to_tunnel.
* Have the following in the users file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`
Am I correct in saying that the NAS will send an Accounting-Request
using the User-Name it received in the previous Access-Accept?
If so, how can it be the fault of the NAS if freeradius (in spite of
trying the settings above) is still sending an Access-Accept with
User-Name set to anonymous?
TIA
Chris.
rlm_ldap: user t00037191 authenticated succesfully
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
TTLS: Got tunneled reply RADIUS code 2
Tunnel-Private-Group-Id:1 = 90
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Type:1 = VLAN
Session-Timeout = 900
rlm_sql (sql): Processing sql_postauth
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
Sending Access-Accept of id 58 to 10.11.2.91 port 1645
Tunnel-Private-Group-Id:1 = 90
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Type:1 = VLAN
Session-Timeout = 900
MS-MPPE-Recv-Key =
0x916f89b88b0096fa19178e281a02f35c1291005c5942e5a2c5e1257e45d0e658
MS-MPPE-Send-Key =
0x63d4685ca902be7473bcf3d62d730a77c5fe4648aab0834fac5f41178a424a7d
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = anonymous
rad_recv: Accounting-Request packet from host 10.11.2.91:1646, id=143,
length=229
Acct-Session-Id = 2246
Called-Station-Id = 0011.5cc7.1be0
Calling-Station-Id = 0090.4b28.86b0
Cisco-AVPair = ssid=ittwlan
Cisco-AVPair = vlan-id=90
Cisco-AVPair = nas-location=unspecified
User-Name = anonymous
Cisco-AVPair = connect-progress=Call Up
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = 7190
NAS-Port = 7190
Service-Type = Framed-User
NAS-IP-Address = 10.11.2.91
Acct-Delay-Time = 0
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
On 03/10/2007, Alan DeKok [EMAIL PROTECTED] wrote:
Chris Bradshaw wrote:
However, I have tried the suggestions in this reply:
* Enable use_tunneled_reply copy_request_to_tunnel (I already had
these enabled).
* Have the following in the users file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`
And... what do you see in the Access-Accept when you run in debugging
mode?
but it still makes no difference.radwho still returns
'anonymous' whenever I log in.
Stop looking at radwho. It's output is WAY down the chain of cause
and effect.
1) ensure that the real user name is in the Access-Accept.
If not, make it appear there.
2) ensure that the accounting request contains the real user name
If it contains anonymous, buy a real NAS. Your NAS is broken.
After that, radwho *should* do the right thing.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho question....
Hi I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an authentication backend for our wireless network. Our wireless clients all use EAP/TTLS (via the SecureW2 client) and the access points are Cisco Aironet 1200's. I have noticed that if I run radwho, I seem to only see the name of the user from the 'outside' of the tunnel (in this case 'anonymous')as a result its not possible to tell who is connected at any one time. Also I have noticed that the fields tend to get truncated: Login Name What TTY When From Location anonymous anonymous shell 999 Tue 16:00 10.10.2.9 The IP address above should be 10.10.2.96. I was just wondering if anyone might know how to fix either of these problems? TIA Chris Bradshaw. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho question....
Chris Bradshaw wrote: I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an authentication backend for our wireless network. You really should upgrade, but that's another story. I have noticed that if I run radwho, I seem to only see the name of the user from the 'outside' of the tunnel (in this case 'anonymous')as a result its not possible to tell who is connected at any one time. The NAS is responsible for sending the anonymous user name. If you want the NAS to send something different, you have to send the inner tunnel user name back in the Access-Accept. See use_tunneled_reply in the configuration for the EAP module. Also I have noticed that the fields tend to get truncated: Login Name What TTY When From Location anonymous anonymous shell 999 Tue 16:00 10.10.2.9 The IP address above should be 10.10.2.96. Change the format of the printf command in radwho. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: no session showed by radwho, but user still could not login
Config looks OK. Change type of the NAS you are testing to other. If
that stops multiple logins, problem is with radcheck script.
Ivan Kalik
Kalik Informatika ISP
Dana 16/5/2007, Trio [EMAIL PROTECTED] piše:
Im using nas with 'nas' table in my sql here the data
mysql select * from nas;
+++--+--+---+---+---
+---+
| id | nasname| shortname| type | ports | secret|
community | description |
+++--+--+---+---+---
+---+
| 1 | 129.47.26.224 | ap-cisco | cisco| 1812 | aironet03 |
| RADIUS Client |
| 2 | 129.47.26.111 | mikrotik | mikrotik | 1812 | free |
| RADIUS Client |
| 6 | 202.152.57.137 | mikrotik | mikrotik | 1812 | free | NULL
| RADIUS Client |
| 5 | 129.47.26.123 | kelapa-sawit | mikrotik | 1812 | utama | NULL
| RADIUS Client |
| 7 | 129.47.26.222 | linksys | linksys | 1812 | linksys | NULL
| RADIUS Client |
| 8 | 127.0.0.1 | localhost| other| 1812 | chilli| NULL
| RADIUS Client |
| 9 | 202.152.4.220 | utama| mikrotik | 1812 | utama | NULL
| RADIUS Client |
| 10 | 129.47.26.122 | apbaru | mikrotik | 1812 | free | NULL
| RADIUS Client |
+++--+--+---+---+---
+---+
And this is my session section in my radiusd.conf
session {
radutmp
#
# See Simultaneous Use Checking Querie in sql.conf
sql
}
Whats wrong with that my conf ?
Trio
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 16, 2007 3:02 AM
To: FreeRadius users mailing list
Subject: RE: no session showed by radwho, but user still could not login
Yes. You haven't set up session control properly. Check the nastype
entry in clents.conf and make sure that sql is not commented out in
session {} part of radiusd.conf.
Ivan Kalik
Kalik Informatika ISP
Dana 15/5/2007, Trio [EMAIL PROTECTED] piše:
I change the sql now
This is my sql now..
mysql select * from radcheck where username='[EMAIL PROTECTED]';
++---+--++--+
| id | UserName | Attribute| op | Value|
++---+--++--+
| 57 | [EMAIL PROTECTED] | Simultaneous-Use | := | 1|
| 42 | [EMAIL PROTECTED] | Password | == | denpasar |
++---+--++--+
But I try with 2 pc, both using username [EMAIL PROTECTED], guess what happen?
All pc can connect perfectly :(
1 username can used by 2 pc in the same time.
Any one can explain this ?
thanks
trio
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Dennis Skinner
Sent: Tuesday, May 15, 2007 8:51 PM
To: FreeRadius users mailing list
Subject: Re: no session showed by radwho, but user still could not login
Trio wrote:
:)
Please read my 1st email,there is a words
I want only 1 session for every user
It is not a boolean option. 0 means you want 0 sessions for every user
(i.e. they cannot login). 1 means 1 session, 2 means 2 sessions, etc...
--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: no session showed by radwho, but user still could not login
Hi, I have already checked my NAS and there is no session for [EMAIL PROTECTED], I try with radzap and still not working… the logs show the session still in thw SQL - check your tables for this session. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: no session showed by radwho, but user still could not login
Thanks for the reply, How to know that the session is still in SQL ? In radchek,radacct table ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, May 15, 2007 5:05 PM To: FreeRadius users mailing list Subject: Re: no session showed by radwho, but user still could not login Hi, I have already checked my NAS and there is no session for [EMAIL PROTECTED], I try with radzap and still not working. the logs show the session still in thw SQL - check your tables for this session. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: no session showed by radwho, but user still could not login
SELECT * FROM radacct WHERE AcctStopTime=0 will give you all sessions that database counts as open. Ivan Kalik Kalik Informatika ISP Dana 15/5/2007, Trio [EMAIL PROTECTED] piše: Thanks for the reply, How to know that the session is still in SQL ? In radchek,radacct table ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, May 15, 2007 5:05 PM To: FreeRadius users mailing list Subject: Re: no session showed by radwho, but user still could not login Hi, I have already checked my NAS and there is no session for [EMAIL PROTECTED], I try with radzap and still not working. the logs show the session still in thw SQL - check your tables for this session. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: no session showed by radwho, but user still could not login
I don't think so, it's the result mysql select username,AcctStopTime from radacct WHERE AcctStopTime=0 - ; +---+-+ | username | AcctStopTime| +---+-+ | [EMAIL PROTECTED] | -00-00 00:00:00 | | [EMAIL PROTECTED] | -00-00 00:00:00 | | [EMAIL PROTECTED] | -00-00 00:00:00 | | [EMAIL PROTECTED] | -00-00 00:00:00 | +---+-+ 4 rows in set (0.00 sec) No [EMAIL PROTECTED] showed,so its not about sql isn't it ? bug ? any comment ? Need any help please -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, May 15, 2007 6:33 PM To: FreeRadius users mailing list Subject: RE: no session showed by radwho, but user still could not login SELECT * FROM radacct WHERE AcctStopTime=0 will give you all sessions that database counts as open. Ivan Kalik Kalik Informatika ISP Dana 15/5/2007, Trio [EMAIL PROTECTED] piše: Thanks for the reply, How to know that the session is still in SQL ? In radchek,radacct table ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, May 15, 2007 5:05 PM To: FreeRadius users mailing list Subject: Re: no session showed by radwho, but user still could not login Hi, I have already checked my NAS and there is no session for [EMAIL PROTECTED], I try with radzap and still not working. the logs show the session still in thw SQL - check your tables for this session. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
