I have been using
freeradius .9.1 for some time now. I have been seeing a problem in that the
responses are coming back on port 1029 rather than the 1812 expected. I have not
found or seen anything that addresses this. It seems that it is grabbing the
first "non-privileged" port, but I may
In which file i must do the modifications, and which modifications
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain
Perry
Sent: Wednesday, 23 June 2004 17:45
To: Freeradius-Users (E-mail)
Subject: Re: radius access-reject
rlm_ldap: no dialupAccess
No, any DB (mysql,postgresql..etc) is just a mirror of user files.
Auth-Type := Reject is working in any DB.
- Original Message -
From: Linda Pagillo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 11:36 AM
Subject: Re: Suspending Users
No, i did not overlook
Check your /etc/services file. If a port is not specified in the radius
config, radius looks to /etc/services for the port. If none is
specified there then I guess it takes the first non-privileged port.
Mark C.
Brian Andrus wrote:
I have been using freeradius .9.1 for some time now. I have
Linda Pagillo wrote:
If you just want suspended, then I would add a column suspended
and edit the sql query in sql.conf. If you need more complex checking
that can't be done with sql queries, then you might look at the exec
or perl modules to execute external scripts.
This means, for
I've the same problem with WinXP. I looked in the eapol.log that the XP
didn't receive EAPOL-key within 5 second, that's why after 5 seconds the
connection drop. In the Radius log everything is fine (Access-Accept). I
tried do PEAP with another AP, and it's working without accounting (just
Hi,
I have 2 NULL files in var/log/radius and etc/raddb
What are these ?
I use freeradius-0.9.3
Thank you,
Andrei
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hy all,
Here is my Problem, hope someone is able to help me.
I use freeradius 0.9.3 on debian. I will ask our company's AD for authentication. The
AD is built up in the following way:
Ou=users,Ou=(different ous), dc=my,dc=company,dc=de
If i ask for a user with basedn Ou=unit,
Linda wrote:
No, i did not overlook that. According to the FAQ, that is only supposed to
be used if Freeradius is set up to use the flat user file, if i'm correct.
In my case, i'm using the MySql setup.
yes you are correct.
Hi,
I think there is a bug in check-radiusd-config in 0.9.3. This has been
tested in Solaris 6 and the easiest way to reproduce this is to add some
garbage to the top part of radiusd.conf. For example right after the
prefix etc definitions:
$INCLUDE $a_file_that_does_not_exist
When
Hi,
I am trying to get the dialup_admin script to work. I'm using
dialup_admin that was bundled with Freeradius 1.0.0 prerelease 3.
The steps I've taken so far:
1) Set up mysql server and have it running on localhost.
2) Used radclient to check that Radius could authenticate users via
mysql
oops,
me being silly, I have added the link with a higher privilege than the
apache server is running. thanks
On Thu 24/06/2004 at 08:08, TANGUY ERIC wrote:
In which file i must do the modifications, and which modifications
Hum, as I said, you need to modify the LDAP entry for your user... That
means not modifying a file, but adding a dialupAccess attribute to
your user LDAP profile. Of course, the
hi all,
I am using freeradius-1.0.0-pre1 and have configured users file for
authentication and this works fine.
when i tried using mysql for authentication i get the segmentation fault
error.
With freeradius-0.9.3 both authentication and accounting work fine when i use
mysql.
This is the debug
Linda Pagillo [EMAIL PROTECTED] wrote:
No, i did not overlook that. According to the FAQ, that is only
suppose to be used if Freeradius is set up to use the flat user file,
No. It gives an *example* using the users file, because not
everyone has SQL/LDAP/whatever installed.
if i'm correct.
Hello,
I use freeradius 0.9.3 on debian.
In my radiusd.conf i configured two different ldap instances.
In my user file i have configured different LDAP Groups with different Auth-Types
(Ldap instances)
snip users-file
DEFAULT Huntgroup-Name == ciscovpn, Ldap-Group == G-VPN-GCC,
[EMAIL PROTECTED] wrote:
Now, when a user tries to get authenticated the ldap_groupcmp() always
uses one ldap instance even when the auth-type for the user is a
different ldap-instance.
The LDAP module registers a callback for LDAP-Group, and does not
provide a way to configure more than one
Roy, Daniel [EMAIL PROTECTED] wrote:
1) valid userid and password should authorize and authenticate against
SQL and MSCHAP ok;
That should work without any additional configuration.
2) valid userid but wrong password should authorize ok against SQL but
fail authentication against MSCHAP;
Manjunath M Prabhu [EMAIL PROTECTED] wrote:
Module: Loaded SQL
Segmentation fault
i get an error segmentation fault how do i correct it?
doc/bugs
Alan DeKok.
On Thu, 24 Jun 2004, Alan DeKok wrote:
[EMAIL PROTECTED] wrote:
Now, when a user tries to get authenticated the ldap_groupcmp() always
uses one ldap instance even when the auth-type for the user is a
different ldap-instance.
The LDAP module registers a callback for LDAP-Group, and does
Guy Davies [EMAIL PROTECTED] wrote:
I recently upgraded from the CVS version of freeradius to 1.0.0-pre3.
Since then, my previously functional EAP/TLS config has stopped working.
I've modified the config to reflect the new use of eap.conf, rather than
the built-in eap module.
That shouldn't
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 24 June 2004 15:05
To: [EMAIL PROTECTED]
Subject: Re: EAP/TLS stopped working...
Guy Davies [EMAIL PROTECTED] wrote:
I recently upgraded from the CVS version of freeradius
Eric [EMAIL PROTECTED] wrote:
Did something change in the way that the hints file is processed in
the change from 0.9.3 to 1.0.0-pre3?
Yes.
DEFAULT Suffix == @local, Strip-User-Name = No
Try 'Strip-User-Name := No'
But it works for my tests, so I'm not sure what else is
Kostas Kalevras [EMAIL PROTECTED] wrote:
* Apr 2004, Kostas Kalveras [EMAIL PROTECTED]
- Add a per instance Ldap-Group attribute (of the form
instance-Ldap-Group) and register
a corresponding ldap_groupcmp function
So in other words, it's in there already...
Ah. But the module
Turtiainen, Tero [EMAIL PROTECTED] wrote:
I think there is a bug in check-radiusd-config in 0.9.3.
That script should probably be deleted, and not used...
Alan DeKok.
Simeon Penev [EMAIL PROTECTED] wrote;
rlm_eap: Underlying EAP-Type set EAP ID to 0
rlm_eap: reply code 0 is unknown, Rejecting the request.
Try the following patch:
http://lists.freeradius.org/pipermail/freeradius-devel/2004-June/007261.html
If it works, please say so, and we'll include
[EMAIL PROTECTED] sent:
Evan
I am trying to also add a customer attribute to return in the access-accept
i want to send
gnugk-lcr1 as a string.
i have added it into the radcheck table of mysql. and i notice that
normal dictionary defined attributes will show in the response, but not
my
Hello.
I managed to get my user-logins to authenticate against a freeradius server,
which in turn uses an openLdap server. This works now, but login is still
using /etc/passwd, because if I delete a user then I get 'User is unknown to
underlying authentication module'
I tried to delete the line
Hans,
I think all you have to do is comment out the unix line in the Authentication
section of the radiusd.conf file and restart the radius server.
Gary N. McKinney
Network Administrator
Computer Services Dept.
Brevard County Library System
-- Original Message
Hello all,
I'm brand new to freeradius and only just learning
OpenBSD, the worst of all possible combinations. I could use some help
with this issue.
I'm trying to install freeradius on
OpenBSD3.0.
When I tried to ./configure freeradius I got the following warning
messages:
checking
i do this modification, but now, i have an other problem
rad_recv: Access-Request packet from host 10.xxx.xxx.19:1645, id=204, length=111
Framed-Protocol = PPP
User-Name = a0327
CHAP-Password = 0x021373350363856f39d120a2119e9a4d8b
Calling-Station-Id = 2
On Thu, 24 Jun 2004, Alan DeKok wrote:
Kostas Kalevras [EMAIL PROTECTED] wrote:
* Apr 2004, Kostas Kalveras [EMAIL PROTECTED]
- Add a per instance Ldap-Group attribute (of the form
instance-Ldap-Group) and register
a corresponding ldap_groupcmp function
So in other words,
Thanks but I already did that.
In the syslog, when I add 'debug' at the end of the line
auth required pam_radius_auth.so debug
I see, after a login attempt with a user not in /etc/passwd:
login[1769]: pam_radius_auth: Got user name testuser
login[1769]: pam_radius_auth: Sending
hi
i am using FreeRadius 0.9.3 with RedHat 9.
I try to run Freeradius, but i have an Error.
i think that the problem is not complicated, but i didn't find it. can someone
help me with this problem
Thanks
Thu Jun 24 12:07:19 2004 : Debug: sql: group_membership_query =
Thu Jun 24 12:07:19 2004
I don't know everything (far from that unfortunately) about FreeRADIUS,
but what's the point in using a user file if your user database is in a
LDAP directory (this is a real question, I'm probably just missing
something here) ?
About your new problem, I'm sorry, but I haven't used CHAP yet (and
Thu Jun 24 12:07:19 2004 : Error: Failed creating PID file
/usr/local/var/run/radiusd/radiusd.pid: Permission denied
I'm no guru, but it looks like radius is trying to create the radiusd.pid file, and
can't, because it doesn't have permissions. Make sure the user you're running radiusd
as has
I do have the following in the /etc/services file:
radius 1812/tcp # Radius
radius 1812/udp # Radius
radius-acct 1813/tcp radacct # Radius Accounting
radius-acct 1813/udp radacct # Radius
Brian Andrus [EMAIL PROTECTED] wrote:
And when I start freeradius up, it grabs 1812 and 1813 for listening. The
odd thing is that it seems to grab the first non-privileged port for
sending out responses.
The server *should* send response FROM the port that the NAS sent
packets TO. If it
Good points.
Alan DeKok wrote:
Guy Fraser [EMAIL PROTECTED] wrote:
I have been quietly watching this thread, and the idea of setting up
a FIFO {First In First Out} buffer to handle inserts sounds like a
good idea, but may have some adverse consequences.
Like losing requests if the server
Brian,
That is the correct way for operation!
Radius Listens on Ports 1812 and 1813 ( for authentication and accounting
respectively) BUT responds back to the NAS on the first non-privileged port the
system has available for use this is normal RFC operation in TCP/IP communications
for
Alan replied:
Eric [EMAIL PROTECTED] wrote:
Did something change in the way that the hints file is processed in
the change from 0.9.3 to 1.0.0-pre3?
Yes.
DEFAULT Suffix == @local, Strip-User-Name = No
Try 'Strip-User-Name := No'
Tried this and had no luck. The suffix still
I put a timestamp field in usergroup called expire_time and modified the
(postgre)sql.conf file to return a session time out that would not
exceed that
time, and would fail authentication if expire_time had been exceeded.
Unfortunately that was just used to verify if it could be done, and I
Eric [EMAIL PROTECTED] wrote:
Out of frustration, I tried using an empty hints file. Everything
worked properly.
Very strange. Even worse, when I read the code in
src/main/valuepair.c, function presufcmp(), I don't understand how (or
why) it works.
I'll commit some cleanups which will
Hi list,
I'm sorry if this message is somehow lame, but I need to get some more
understanding of the different options offered by FreeRADIUS and the
standards to decide how to use it.
I want users to be able to authenticate over an insecure link (wireless
for example) and then to be able to use
I recently noticed that Cisco rejects Access-Accept unless they
originate from the same IP that auth was requested from. Another vendor
will accept them from any ip no matter who they were originally sent to.
Didn't find any mention in the RFC 2865 about the ip source of an accept
packet.
Now
I noticed this also.
The reason is that the directory is not created by the install.
If you create the /usr/local/var/run/radiusd directory, it should work.
Regards,
Thor.
- Original Message -
From: wadih jalad [EMAIL PROTECTED]
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL
Ted Kaczmarek [EMAIL PROTECTED] wrote:
Didn't find any mention in the RFC 2865 about the ip source of an accept
packet.
It should be the IP that the NAS sent the packet to.
Now to me it seems like rejecting the packets makes more sense when they
are not being sourced from the same IP
Hi,
I'm using freeradius+mysql to authenticate users.
Somehow, I got following debug from server.
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 2, (1 handled so far)
User-Name = "someuser"
I need to be able to authenticate our 3030 Concentrator against
FreeRADIUS with OpenLDAP as the database. I'm using FreeRADIUS
1.0.0rc2. FreeRADIUS and OpenLDAP are working (using radtest I get
successful replies). However, when I add the freeradius server to the
Concentrators list of
Hello,
I am using FreeRADIUS-1.0.0pre3 with the MySQL backend. I have the threaded
server enabled, and I'm currently using 128 max threads with a database
connection pool of 64, although I have changed these numbers quite a bit in
my testing. Having read TFM, I realize these are a bit high, but
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 2, (1 handled so far)
User-Name = "someuser"
User-Password = "somepass"
auth: No authenticate method (Auth-Type) configuration found for
Yesterday installed
freeradius-snapshot-20040623 openssl-SNAP-20040623 in hopes of using
it for Wireless Authentication. I followed the instructions from the
different FreeRadius TLS How-to, and can successfully make authentication work
using the client user certificate.
My problem now is
Couple of things:
1. Make sure the CA certificate also exists in the Local Computer
Trusted Roots Store.
2. For Windows 2000, make sure that the machine name is in the CN or
subjAltName fields of the certificate. It can be just localpart of
fqdn, so if your fqdn of your machine is
Mike I think I've configured your suggestion, below is what freeradius
displays (With my Domain Name Changed) when I try and bring my laptop online
My Root CA Certificate is in the Trusted Root Certification Authorities
Store
I created a new Certificate with my computer name in the CN field
I'm
1. How do I limit the traffic for a user?
2. How do I shape the traffic for a user once they have gone over their
limit?
3. How do I limit the time slots for a user?
4. How do I control the amount of time a user has been on?
Users log in via pptpd (--version - PoPToP v1.1.3)
radiusd (-v -
Hi Ted,
Why would the Access-Accept packet NOT come from the same IP (radius
server) the request was sent to originally??? To do otherwise would open up
the NAS or AP to spoofing attacks...
What vendors are you referring to in terms of accepting Access-Accept
packets from an IP other than the
Keith,
There is a text document in the Docs directory under the source directory
where you un-tarred the source code called aaa.txt. It will answer some
of your questions. As for the others:
1. How do I limit the traffic for a user?
You don't, at least not with radius - unless there is a
Arnauld,
It almost looks like something in the supplicant is not configured properly
to use the certificate sent from the server during the handshake phase... I
have attached a copy of some of my notes (written to myself so some of the
meaning in the notes may not be exactly correct - but heck -
Wrong color [GRIN]...
Actually - I am adding things that are not in dialup_admin, such as
suspension of users, billing and integrating with email services for the
billing and setting up user email accounts - the simple stuff...
gm...
- Original Message -
From: Kostas Kalevras [EMAIL
Remove the Strip-User-Name = YES from the hints line. The hints
file will automatically add the Stripped-User-Name attribute. It's
important that you not alter the original User-Name attribute, which
is what the Strip-User-Name option will do.
--Mike
---
Michael
From: Gary McKinney
Sent: Friday, 25 June 2004 3:13 AM
Brian,
That is the correct way for operation!
Radius Listens on Ports 1812 and 1813 ( for authentication and accounting
respectively) BUT responds back to the NAS on
the first non-privileged port the system has available for
Hi All,
How can I change or customise the default Daily Limits of 4 hours per day,
to some other value of my liking, (under Subscription Analysis) for a
particular user, under dialup_admin?
Thanx in advance.
Shannon
62 matches