Joel MBA OYONE wrote:
so the HOW_TO about Active Directory/FreeRADIUS seems to be enough. I
asked because I noticed that most of the tips on www.freeradius.org point
to 1.1.x and I use 2.0.x
Most of the tips don't refer specifically to 1.1.x.
2.0 is very much like 1.1.x in many respects.
Zahra Bahar wrote:
I have FreeRADIUS using an LDAP DS for AAA. My RADIUS supports VPN users and
uses PAP.
What is the best way to secure user_passwords in connections?
Connections to what?
The protocols are already designed to be secure. Don't worry about it.
Alan DeKok.
I tried without Auth-Type = System, and also tried Auth-Type = Local.
Processing the authenticate section of radius.conf
modcall: entering group authenticate for request 0
rlm_unix: [admin]: invalid password
modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group
The O'Reilly book is good if you know absolutely nothing about RADIUS.
But 1/3 is from the RFCs (paraphrased), and another 1/3 is from the
FreeRADIUS documentation.
True. Book is not so good.
The Wiley book has about 30 pages on RADIUS, the rest is about
technologies that you don't use. And
I mean in these connections using PAP, User-Password is clear text. (Using CHAP
makes the LDAP server not use encrypted passwords in the DS, therefore I want to
use PAP.) Isn't it insecure?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 6/17/08, Alan DeKok [EMAIL PROTECTED] wrote:
Graham Marsh wrote:
Hi all, I'm attempting to compile 2.0.5 on SLES10SP1 and getting the
following error. I noticed another similar posting but not sure if
there was any fix. Appreciate any advice, thanks, Graham:
..
RPM build errors:
Zahra Bahar wrote:
I mean in these connections using PAP, User-Password is
clear text.
No. It's encrypted when it's sent over the network in RADIUS, and if
you use SSL to talk to LDAP, it's encrypted there, too.
(Using CHAP makes the LDAP server not use encrypted
passwords in the DS, therefore
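To make Alan's answer concrete, here is an added Python example of what actually goes on the wire; it is not code from this thread or from FreeRADIUS. RFC 2865 section 5.2 hides User-Password by XORing it, 16 bytes at a time, with MD5(shared secret + Request Authenticator), chaining each further block through the previous ciphertext block, so only a party holding the shared secret can undo it. Section 5.3's CHAP-Password is ident || MD5(ident || password || challenge), which the server can only check by recomputing that MD5 from the cleartext password. That is exactly why a directory that stores only hashed passwords cannot serve CHAP, and PAP is used instead. The secret, authenticator, challenge and passwords below are constructed sample values. One caveat to keep in mind: the PAP hiding is keyed obfuscation, only as strong as the shared secret.

```python
import hashlib
import hmac

# RFC 2865 section 5.2: User-Password is never sent in clear. It is padded to
# a multiple of 16 bytes and XORed block by block with
# MD5(shared_secret + previous block); the "previous block" for the first
# 16 bytes is the packet's 16-byte Request Authenticator.


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """What the NAS does before putting User-Password on the wire."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], key)
        hidden += block
        prev = block  # chaining: the next key depends on this ciphertext block
    return bytes(hidden)


def pap_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt; it needs the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += _xor16(hidden[i:i + 16], key)
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # drop the RFC padding (passwords never end in NUL)


# RFC 2865 section 5.3: with CHAP the NAS sends
#   CHAP-Password = ident || MD5(ident || password || challenge)
# and the challenge in CHAP-Challenge (or the Request Authenticator). The
# server must recompute the MD5 itself, so it needs the cleartext password
# from its user store: a directory holding only hashed passwords cannot
# serve CHAP, which is why PAP is used with a hashed LDAP back end.


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, cleartext_password: bytes) -> bool:
    if len(chap_password) != 17:  # 1 byte ident + 16 byte MD5
        return False
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password)


if __name__ == "__main__":
    # constructed sample values, not captured traffic
    secret = b"testing123"
    authenticator = bytes(range(16))
    hidden = pap_hide_password(b"s3cr3t-pass", secret, authenticator)
    print("PAP User-Password on the wire:", hidden.hex())
    print("server recovers:", pap_reveal_password(hidden, secret, authenticator))
    challenge = b"\x10" * 16
    resp = chap_response(1, b"s3cr3t-pass", challenge)
    print("CHAP-Password on the wire:", resp.hex())
    print("CHAP verifies with cleartext password:", chap_verify(resp, challenge, b"s3cr3t-pass"))
```

Run it and compare the printed User-Password bytes with the password: the cleartext never appears, but anyone who knows the shared secret and sees the packet can recover it, which is the property Alan is describing.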
You have deleted the part of the debug output which tells how Auth-Type is set.
Post the whole thing. BTW, you now do have an admin account in /etc/passwd,
but the password is wrong. It's still not using the password from the users
file.
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, Guk Viktor [EMAIL
Graham Marsh wrote:
Thanks Alan. That got me past the error and everything seemed to be
running fine with the rpmbuild process until it encountered the
problem below. I searched the mailing list but couldn't turn up a
quick answer. Regards, GM.
Ah... that changed in 2.0.5, and the spec file
Hi,
I am running this query:
if (%{sql: SELECT COUNT(nas_ip) FROM `nas_ip` WHERE
nas_ip='127.0.0.1'} > 0) {
    redundant {
        sql1
        sql2
    }
}
But the if (%{sql: SELECT COUNT(nas_ip) FROM `nas_ip` WHERE
nas_ip='127.0.0.1'} > 0) section always returns false even though the
database has the 'nas_ip' table
Is that table in the database sql instance is connecting to?
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, King, Adam [EMAIL PROTECTED] wrote:
Hi,
I am running this query:
if (%{sql: SELECT COUNT(nas_ip) FROM `nas_ip` WHERE
nas_ip='127.0.0.1'} > 0) {
    redundant {
        sql1
        sql2
    }
}
But the if (%{sql:
Thanks Alan. This works.
On Thu, Jun 12, 2008 at 11:02 AM, Alan DeKok [EMAIL PROTECTED]
wrote:
Gopinath Reddy N wrote:
But by way of a hack, if a user knows some other valid user name in the
system he can use that as the outer identity and get the policy settings of
that user. So to avoid that I am
Yes, the database name is 'radius' and the table name is 'nas_ip'. Confusingly
at this testing stage the field in the table is also called 'nas_ip'
Thanks
Adam King
Network Engineer
[EMAIL PROTECTED]
InTechnology plc
Support 0845 120 7070
Telephone 01423 85
Facsimile 01423 858866
You have multiple sql instances. Are you sure that instance called
sql is connecting to that database? Or should it be sql1: or sql2:?
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, King, Adam [EMAIL PROTECTED] wrote:
Yes, the database name is 'radius' and the table name is 'nas_ip'.
Hi,
I'm running mysql + radius.
Now it happened that a user is no longer connected, but RADIUS still thinks
he is connected.
My NAS VPN server died; probably that's why. What do I have to do to make this
straight?
I have switched it to sql1: so the statement now reads
if (%{sql1: SELECT COUNT(nas_ip) FROM `nas_ip` WHERE
nas_ip='%{Packet-Src-IP-Address}' AND realm='adam'} > 0) {
    redundant {
        sql1
        sql2
    }
}
Obviously the redundant section isn't being picked up at the moment
which is why it needed to be sql1: or
I'm not 100% sure, but I remember that DialupAdmin was serving some
scripts for that ... you might look into the DialupAdmin folder and
look for lib or a folder called something like that where some scripts are lying around.
Good luck,
Leander S.
Sascha Kiefer wrote:
Hi,
I'm running mysql +
Hi,
we have a FR server (version 1.1.7) on a Red Hat machine. We use it for dumping
accounting requests into a database. We have about 200 requests per second on
average.
Once in a while (1 per minute) we see an error in the log file:
Discarding duplicate request from client ... due to unfinished
In 2.0 you can also use unlang to update the request:
http://freeradius.org/radiusd/man/unlang.html
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, King, Adam [EMAIL PROTECTED] wrote:
I have switched it to sql1: so the statement now reads
if(%{sql1: SELECT COUNT(nas_ip) FROM `nas_ip` WHERE
Find and delete the open session(s) in MySQL. If you have time on your
hands and you know when the server failed, you can create a query that
will close them by updating the AcctStopTime and AcctSessionTime fields for
open sessions.
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, Sascha Kiefer
200 requests per second is not much for freeradius but it's a lot for
the database. It's highly likely that the database can't cope.
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, Michael Schwartzkopff [EMAIL PROTECTED] wrote:
Hi,
we have a FR server (version 1.1.7) on a Redhat machine. We
What would such a query look like?
I'm also very interested in a solution.
Leander
Ivan Kalik wrote:
Find and delete the open session(s) in MySQL. If you have time on your
hands and you know when the server failed, you can create a query that
will close them by updating AcctStopTime and
Hi,
I am trying to understand CHALLENGE RESPONSE behaviour. I have tried to
use the CHAP protocol and issued the following.
echo 'User-Name=userX'; echo 'CHAP-Password=stealme' |
/usr/local/bin/radclient -x 192.168.11.94:1812 auth testing12
It gives me the following error:
User-Name=userX
Sending
On Tuesday, 17 June 2008 at 15:00, Ivan Kalik wrote:
200 requests per second is not much for freeradius but it's a lot for
the database. It's highly likely that the database can't cope.
We checked this. DB response is 3 ms and the DB has 1000 threads. So no problem
here.
--
Dr. Michael
Michael Schwartzkopff wrote:
we have a FR server (version 1.1.7) on a Red Hat machine. We use it for dumping
accounting requests into a database. We have about 200 requests per second on
average.
Once in a while (1 per minute) we see an error in the log file:
Discarding duplicate request
Your response time must always be fast enough. If the DB lags
at any time you will have the timeout problem. Typically, this
can occur during checkpoints or other heavy I/O periods. What
is the response time under load?
Ken
On Tue, Jun 17, 2008 at 03:08:39PM +0200, Michael Schwartzkopff wrote:
Sudarshan Soma wrote:
Hi,
I am trying to understand CHALLENGE RESPONSE behaviour. I have tried to
use the CHAP protocol and issued the following.
echo 'User-Name=userX'; echo 'CHAP-Password=stealme' |
/usr/local/bin/radclient -x 192.168.11.94:1812 auth testing12
It gives me the following
Please advise what to do in that case. In the file /etc/passwd there is
this line: "admin:x:500:500::/home/admin:/bin/bash". How should I
assign a password?
Message: 4
Date: Tue, 17 Jun 2008 09:33:31 +0100
From: "Ivan Kalik" [EMAIL PROTECTED]
Subject: Re: Problem in connecting to
UPDATE radacct SET AcctStopTime = 'time of breakdown', AcctSessionTime
= UNIX_TIMESTAMP('time of breakdown') - UNIX_TIMESTAMP(AcctStartTime)
WHERE AcctStopTime = 0 AND AcctStartTime < 'time of breakdown'
Just rework accounting_onoff_query from sql.conf.
Ivan Kalik
Kalik Informatika ISP
On
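A runnable version of Ivan's clean-up, as an added example that is neither the thread's own code nor FreeRADIUS's sql.conf: it builds an in-memory SQLite radacct table from constructed rows, then runs the same kind of UPDATE that accounting_onoff_query performs when a NAS reports Accounting-On after a crash. The differences from the MySQL query above are assumptions of this example: SQLite's strftime('%s', ...) stands in for UNIX_TIMESTAMP(), an open session is marked by AcctStopTime IS NULL (the 1.1.x MySQL schema uses a zero datetime, hence Ivan's AcctStopTime = 0), the update is scoped to the NAS that died so sessions on other NASes are left alone, and AcctTerminateCause is set so later reports show why the session ended.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample radacct rows (FreeRADIUS column names, SQLite types).
# AcctStopTime NULL means the session is still open. Rows 1 and 2 were open
# when NAS 10.0.0.1 died at 2008-06-17 05:00:00; row 3 started after it came
# back, row 4 belongs to another NAS, and row 5 had already stopped normally.
SAMPLE_ROWS = [
    (1, "alice", "10.0.0.1", "2008-06-16 20:00:00", None, 0),
    (2, "bob",   "10.0.0.1", "2008-06-17 04:30:00", None, 0),
    (3, "carol", "10.0.0.1", "2008-06-17 06:00:00", None, 0),
    (4, "dave",  "10.0.0.2", "2008-06-16 21:00:00", None, 0),
    (5, "erin",  "10.0.0.1", "2008-06-16 10:00:00", "2008-06-16 12:00:00", 7200),
]


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("""
        CREATE TABLE radacct (
            RadAcctId          INTEGER PRIMARY KEY,
            UserName           TEXT,
            NASIPAddress       TEXT,
            AcctStartTime      TEXT,
            AcctStopTime       TEXT,
            AcctSessionTime    INTEGER,
            AcctTerminateCause TEXT
        )""")
    con.executemany(
        "INSERT INTO radacct (RadAcctId, UserName, NASIPAddress, AcctStartTime,"
        " AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS)
    con.commit()
    return con


def close_stale_sessions(con: sqlite3.Connection, nas_ip: str, breakdown_time: str) -> int:
    """Close every session on nas_ip that was still open when the NAS died.
    Stop time = time of failure; session time = failure time - start time.
    Returns the number of rows closed."""
    cur = con.execute("""
        UPDATE radacct
           SET AcctStopTime       = :t,
               AcctSessionTime    = CAST(strftime('%s', :t) AS INTEGER)
                                  - CAST(strftime('%s', AcctStartTime) AS INTEGER),
               AcctTerminateCause = 'NAS-Reboot'
         WHERE NASIPAddress = :nas
           AND AcctStopTime IS NULL
           AND AcctStartTime < :t
    """, {"t": breakdown_time, "nas": nas_ip})
    con.commit()
    return cur.rowcount


def open_sessions(con: sqlite3.Connection) -> List[int]:
    """RadAcctIds of sessions the database still believes are online."""
    return [r[0] for r in con.execute(
        "SELECT RadAcctId FROM radacct WHERE AcctStopTime IS NULL ORDER BY RadAcctId")]


def session_row(con: sqlite3.Connection, radacctid: int) -> Tuple[Optional[str], int, Optional[str]]:
    return con.execute(
        "SELECT AcctStopTime, AcctSessionTime, AcctTerminateCause FROM radacct WHERE RadAcctId = ?",
        (radacctid,)).fetchone()


if __name__ == "__main__":
    con = setup_db()
    print("open before:", open_sessions(con))
    print("closed:", close_stale_sessions(con, "10.0.0.1", "2008-06-17 05:00:00"))
    print("open after:", open_sessions(con))
```

Take the breakdown time from the NAS or from the gap in the accounting log rather than guessing it, since it becomes the recorded stop time of every affected session.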
Thanks a lot Alan. It worked.
(echo 'User-Name=userX'; echo 'CHAP-Password=secretpass') |
/usr/local/bin/radclient -x 192.168.11.94:1812 auth testing123
Sending Access-Request of id 85 to 192.168.11.94 port 1812
User-Name = userX
CHAP-Password =
admin:x:500:500::/home/admin:/bin/bash
That x means that you have assigned a password for this account. It's in
/etc/shadow.
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, Guk Viktor [EMAIL PROTECTED] wrote:
Please advise what to do in that case. In the file /etc/passwd there is
this
On 17.06.2008 at 15:28, Guk Viktor wrote:
Please advise what to do in that case. In the file /etc/passwd there is
this line: admin:x:500:500::/home/admin:/bin/bash . How should I
assign a password?
Are you sure that your password is there?
The x should be your password. If it is
On Tuesday, 17 June 2008 at 15:05, Alan DeKok wrote:
How can we monitor how many requests the RADIUS server gets?
Is this anything to worry about?
You probably want to double-check your database. Tune it, optimize
it, upgrade the hardware, whatever.
Thanks for your mail.
Is there any utility
Alan,
Thanks, yes 2.0.5 ran out of the box, almost! Just got to customise the
certs, sometime after testing. Still have a couple of issues I can't
resolve; I'll post separately.
Thanks,
Neil.
Alan DeKok wrote:
Neil Marjoram wrote:
I am using a Netgear WAG102 wireless access point to authorise
I have just installed 2.0.5 and have successfully linked to my LDAP
server. I would like to build in MAC address checking on top of the user
name / password auth.
I read some docs and concluded that I could change access_attr = to
use radiusCallingStationId. I set the value of this in LDAP
I have read some posts on this, and I'm sorry I don't really understand.
1. Am I transmitting clear text over the network?
2. If I need to worry, then can someone tell me which bit of the config
I have to change as I grepped just about everything I could find, but
found nothing!
This is the
Michael Schwartzkopff wrote:
Is there any utility in FR to look at the actual performance? Like requests
per second, backlog queue, ...
No. The SNMP code exists, but it doesn't really work in 2.0. It
should be fixed at some point...
Alan DeKok.
Neil Marjoram wrote:
I have read some posts on this, and I'm sorry I don't really understand.
1. Am I transmitting clear text over the network?
No.
2. If I need to worry, then can someone tell me which bit of the config
I have to change as I grepped just about everything I could find,
Neil Marjoram wrote:
I have just installed 2.0.5 and have successfully linked to my LDAP
server. I would like to build in MAC address checking on top of the user
name / password auth.
...
Is there a way of getting Radius to check that the Calling-Station-Id
matches radiusCallingStationId
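What the comparison Neil asks about has to do before it can be reliable, as an added Python example that is neither FreeRADIUS configuration nor code from this thread: the Calling-Station-Id a NAS sends comes in whatever format the vendor chose ('00-1A-2B-3C-4D-5E', '001a.2b3c.4d5e', colon-separated, bare hex, or a phone number from a dial-in NAS), so both the request value and the directory value are normalised before they are compared, and anything that is not a MAC fails closed. The LDAP entry and requests are constructed samples, and radiusCallingStationId is treated as possibly multi-valued. As Neil says, this sits on top of the user name / password check, which is the right way round: a MAC is asserted by the client device and relayed by the NAS, so it says which device is connecting, not whether that device should be trusted.

```python
import re
from typing import Iterable, Optional

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Canonicalise the MAC formats NASes put in Calling-Station-Id
    ('00-1A-2B-3C-4D-5E', '00:1a:2b:3c:4d:5e', '001a.2b3c.4d5e', '001A2B3C4D5E')
    to lowercase colon-separated form. Returns None when the value is not a
    MAC at all (dial-in NASes send a phone number, some send nothing)."""
    if value is None:
        return None
    stripped = re.sub(r"[\s:.\-]", "", value).lower()
    if not _HEX12.fullmatch(stripped):
        return None
    return ":".join(stripped[i:i + 2] for i in range(0, 12, 2))


def mac_allowed(calling_station_id: Optional[str], ldap_values: Iterable[str]) -> bool:
    """True only if the request carries a parseable MAC and it equals one of the
    radiusCallingStationId values on the user's LDAP entry (the attribute may be
    multi-valued). A missing or unparseable MAC fails closed."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False
    allowed = {normalize_mac(v) for v in ldap_values} - {None}
    return mac in allowed


if __name__ == "__main__":
    # constructed sample entry and requests, not real directory data
    entry = {"uid": "neil",
             "radiusCallingStationId": ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f"]}
    for csid in ["00:1a:2b:3c:4d:5e", "001A2B3C4D5F", "00-1A-2B-3C-4D-60", "5551234", ""]:
        verdict = "accept" if mac_allowed(csid, entry["radiusCallingStationId"]) else "reject"
        print(repr(csid), "->", verdict)
```

The same normalisation belongs on the directory side when the values are entered, otherwise a single entry typed with dashes silently never matches a NAS that sends colons.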
Hi, thanks for the help so far; the match based on the IP and the realm now
works! As mentioned below, the redundant section from the sites-enabled/default
file does not process, so the if statement needs sql1: or sql2: in there instead
of sql: and the redundant section picking up on the live
Hi everybody,
We currently use version 1.1.4 with SQL support for both authentication
and accounting. We also have a proxy setting that sends accounting records
to a remote server but keeps the authentication local, using the following
setup:
retry_delay = 10
retry_count = 5
dead_time = 120
Roy Kartadinata wrote:
We currently use version 1.1.4 with SQL support for both authentication
and accounting.
Upgrade
What happened yesterday was that both remote servers went down for 3 hours
and during that time our log was bombarded by the following error:
Proxy: No outstanding
Thanks, I guess my only option is to upgrade .. :)
Cheers,
Roy
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, June 17, 2008 10:22 AM
To: FreeRadius users mailing list
Subject: Re: Proxy behavior
Roy Kartadinata
Hi, thanks for the help so far; the match based on the IP and the realm now
works! As mentioned below, the redundant section from the sites-enabled/default
file does not process, so the if statement needs sql1: or sql2: in there
instead of sql:
Wrong. The statement needs those prefixes because
] returns ok
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.27.18/auth-detail-20080617
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.27.18/auth-detail-20080617
orion wrote:
2008/6/13 Giovanni Lovato [EMAIL PROTECTED]:
# dpkg-buildpackage -b -uc
dpkg-buildpackage: source package is freeradius
dpkg-buildpackage: source version is 2.0.5-0
dpkg-buildpackage: source changed by Alan DeKok [EMAIL PROTECTED]
dpkg-buildpackage: host architecture i386
On Tue, Jun 17, 2008 at 11:10:11PM +0200, Giovanni Lovato said:
orion wrote:
2008/6/13 Giovanni Lovato [EMAIL PROTECTED]:
test -d debian/patched || install -d debian/patched
dpatch apply-all
applying patch 01-radiusd-to-freeradius to ./ ... failed.
make: *** [patch-stamp] Error 1
Hey,
I'm trying to set up FreeRADIUS with our ISP's APN (mobile network) service.
I've been using FreeRADIUS for some time, and it works with no problems.
I'm using the system authentication module, and again, no problems here.
My problem occurs when I want to use the 'dhcp' or ippool module.
Here's
If I understand right, DHCP-Gateway-IP-Address = DHCP relay IP address.
In the DHCP offer (maybe ack / not tested) I can't set DHCP-Gateway-IP-Address. By
default it should contain the same as in discover/request (???)
DHCP-Gateway-IP-Address.
In the offer it's set to 0.0.0.0.
Pool-Name :=
Ivan Kalik
Kalik Informatika ISP
On 17/6/2008, Frank James Wilson [EMAIL PROTECTED] wrote:
Hey,
I'm trying to set up FreeRADIUS with our ISP's APN (mobile network) service.
I've been using FreeRADIUS for some time, and it works with no problems.
I'm using the system authentication
Haralds Ulmanis wrote:
If I understand right, DHCP-Gateway-IP-Address = DHCP relay IP address.
In the DHCP offer (maybe ack / not tested) I can't set DHCP-Gateway-IP-Address.
The gateway IP is contained in the offer, as set by the gateway.
By default it should contain the same as in
Jelle Langbroek wrote:
... The error that pops up while
authenticating OSX is the following (see below for extended logs):
Tue Jun 17 20:02:53 2008 : Error: TLS Alert read:warning:close notify
The client is telling the server that it's shutting down the TLS
connection.
Tue Jun 17 20:02:53
Hello All,
Thanks in advance.
Trying to authenticate login just using users file.
And getting the following failure:
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this
session.
rlm_eap: Handler failed in EAP/peap
rlm_eap:
Config:
dhcp DHCP-Discover {
    jradius
    update reply {
        DHCP-Message-Type = DHCP-Offer
    }
    update reply {
        DHCP-Gateway-IP-Address = 10.2.0.15
    }
}
Sniffing packets:
3 8719.551007 10.2.0.15 x.x.x.x DHCP DHCP Discover
Raja Peer wrote:
Trying to authenticate login just using users file.
And getting the following failure:
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this
session.
That message means you're supposed to read the REST of
Thanks for your response, Alan.
Here is the other error message
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [bob/no User-Password attribute] (from client myhost port
0)
PEAP:
Haralds Ulmanis wrote:
...
Sniffing packets:
3 8719.551007 10.2.0.15 x.x.x.x DHCP DHCP Discover -
Transaction ID 0xa9f950b3
Relay agent IP address: 10.2.0.15 (10.2.0.15)
4 8719.631210 x.x.x.x 10.2.0.15 DHCP DHCP Offer -
Transaction ID 0xa9f950b3
Relay