Freeradius-Users Digest, Vol 52, Issue 48

Nadir M. Aliyev nadir at ultel.net
Mon Aug 10 13:18:24 CEST 2009


echo "Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}" | radclient -x 10.0.5.1:3799 disconnect 123

 

The session is removed successfully, but I receive a Disconnect-NAK (unsuccessful).

Again this error :(((

Reply-Message = "Session Not Removed"
Error-Cause = Session-Context-Not-Removable

 

Cisco:

.
!
aaa server radius dynamic-author
 server-key 7 00554155
 port 3799
 auth-type any
!
.

 

 

 

-----Original Message-----
From: freeradius-users-bounces+nadir=ultel.net at lists.freeradius.org
[mailto:freeradius-users-bounces+nadir=ultel.net at lists.freeradius.org] On
Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Monday, August 10, 2009 2:51 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 52, Issue 48

 

Send Freeradius-Users mailing list submissions to
      freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
      http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
      freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
      freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

 

 

Today's Topics:

   1. Re: Freeradius-Users Digest, Vol 52, Issue 47 (Gilbert Lo)
   2. Do not query LDAP if authenticated via proxy (Steven Carr)
   3. Mac based authentication (Sanhenra Sinaga)
   4. Re: radius server 2.1.6 not storing data in radacct table..help (Alan Buxey)
   5.  (Nadir M. Aliyev)
   6. Re: your mail (Alan Buxey)

 

 

----------------------------------------------------------------------

 

Message: 1
Date: Mon, 10 Aug 2009 01:36:58 -0700
From: "Gilbert Lo" <gilbertlo at stgeorges.bc.ca>
Subject: Re: Freeradius-Users Digest, Vol 52, Issue 47
To: freeradius-users at lists.freeradius.org
Message-ID: <fc.00802d7e01bfda553b9aca0027e19de6.1bfda56 at stgeorges.bc.ca>
Content-Type: text/plain; charset=UTF-8

Thank you for your message.  I am away until August 7th.  I will respond
to your message on my return.  For urgent matters, please contact
helpdesk at stgeorges.bc.ca.

Cheers,
Gilbert Lo

 

 

 

------------------------------

 

Message: 2
Date: Mon, 10 Aug 2009 09:39:22 +0100
From: Steven Carr <steven.carr at sunderland.ac.uk>
Subject: Do not query LDAP if authenticated via proxy
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <4A7FDCBA.907 at sunderland.ac.uk>
Content-Type: text/plain; charset="utf-8"

 

Hi list,

I have the following question; I'm not entirely sure how to stop FreeRADIUS
(Debian recompile 2.0.4) from doing this, so any ideas would be gratefully received.

We are joining Eduroam and we have our FreeRADIUS set to proxy on the
DEFAULT realm and have a separate realm for our local domain.

If we pass a request to the proxy to be authenticated, both before and
after the request has been proxied it queries our LDAP server to check
if the user exists.

 

> rad_recv: Access-Request packet from host 127.0.0.1 port 43386, id=216, length=82
>     User-Name = "user at domain.com"
>     User-Password = "******"
>     NAS-IP-Address = 157.228.68.190
>     NAS-Port = 1
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: Looking up realm "domain.com" for User-Name = "user at domain.com"
>     rlm_realm: Found realm "DEFAULT"
>     rlm_realm: Adding Realm = "DEFAULT"
>     rlm_realm: Proxying request from user user to realm DEFAULT
>     rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
> ++[suffix] returns updated
>   rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user at domain.com
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>     expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
>     expand: dc=domain,dc=com -> dc=domain,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Sending Access-Request of id 112 to 194.83.56.233 port 1812
>     User-Name = "user at domain.com"
>     User-Password = "******"
>     NAS-IP-Address = 157.228.68.190
>     NAS-Port = 1
>     Proxy-State = 0x323136
> Proxying request 1 to home server 194.83.56.233 port 1812
> Sending Access-Request of id 112 to 194.83.56.233 port 1812
>     User-Name = "user at domain.com"
>     User-Password = "******"
>     NAS-IP-Address = 157.228.68.190
>     NAS-Port = 1
>     Proxy-State = 0x323136
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Accept packet from host 194.83.56.233 port 1812, id=112, length=25
>     Proxy-State = 0x323136
> +- entering group post-proxy
>   rlm_eap: No pre-existing handler found
> ++[eap] returns noop
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: Proxy reply, or no User-Name.  Ignoring.
> ++[suffix] returns noop
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user at domain.com
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>     expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
>     expand: dc=domain,dc=com -> dc=domain,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type
>   rad_check_password: Auth-Type = Accept, accepting the user
> Login OK: [user at domain.com/******] (from client localhost port 1)
> +- entering group post-auth
> ++[exec] returns noop
> Sending Access-Accept of id 216 to 127.0.0.1 port 43386
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 216 with timestamp +10
> Ready to process requests.

 

How can I stop it from doing this? It is a waste of time and an
unnecessary connection/query to our LDAP server, as the request is never going to
be authenticated by our LDAP server.

Thanks

Steve

 

-- 
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953

 


 

------------------------------

 

Message: 3
Date: Mon, 10 Aug 2009 05:03:07 -0400 (EDT)
From: Sanhenra Sinaga <if06071 at students.del.ac.id>
Subject: Mac based authentication
To: freeradius-users at lists.freeradius.org
Message-ID: <1766013.28391249894987160.JavaMail.root at students>
Content-Type: text/plain; charset=utf-8

 

Dear all,

I'm a new network administrator at a school. I've just installed a hotspot
using MikroTik and FreeRADIUS as the RADIUS server. I want to use the client's MAC
address as username and password for authentication. In this case, I want to
filter on the MAC address (Calling-Station-Id) as username and password, so that
the client can authenticate directly.

Please help me to configure FreeRADIUS so that I can implement what I
explained before.

Thanks all,

Sanhenra

 

 

------------------------------

 

Message: 4
Date: Mon, 10 Aug 2009 10:34:35 +0100
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Subject: Re: radius server 2.1.6 not storing data in radacct table..help
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <20090810093435.GA13680 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

 

hi,

From the debug it looks like it's not doing any SQL thing at all,
i.e. you either haven't configured the SQL stuff (uncomment
an 'include' statement in the config to pull in sql.conf)
or, because you aren't using SQL for authentication/authorization
and only for logging, you have to add 'sql' to the instantiate
section so the module gets fired up.

alan

 

 

------------------------------

 

Message: 5
Date: Mon, 10 Aug 2009 15:40:12 +0500
From: "Nadir M. Aliyev" <nadir at ultel.net>
To: <freeradius-users at lists.freeradius.org>
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAANJZwrxjEZEaUwy61645wl8KAAAAQAAAA623CuuOKtESprsBks9KekQEAAAAA at ultel.net>
Content-Type: text/plain; charset="koi8-r"

 

Dear All!

I have a small problem with radclient.

I use radclient to disconnect users:

"Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}\nNAS-IP-Address=10.0.5.1" | radclient -x 10.0.5.1:3799 disconnect 123";

Users disconnect well.

But instead of success I receive this message:

rad_recv: Disconnect-NAK packet from host 10.0.5.1:3799, id=236, length=47
        Reply-Message = "No Matching Session"
        Error-Cause = Session-Context-Not-Found

 

 

 

 

 

Logs from Cisco:

Aug 10 14:29:34 10.0.5.1 360982: 421932: Aug 10 14:26:00.414 AZST: POD: Received Acct-Session-Id of 0002A89C
Aug 10 14:29:34 10.0.5.1 360983: 421933: Aug 10 14:26:00.414 AZST: POD: Converted to internal Session-Id of 0002A89C
Aug 10 14:29:34 10.0.5.1 360984: 421934: Aug 10 14:26:00.414 AZST: POD: 10.0.5.2 user nadiritus 0.0.0.0 sessid 0x2A89C key 0x9F282A8D
Aug 10 14:29:34 10.0.5.1 360985: 421935: Aug 10 14:26:00.414 AZST: POD: Line     User     IDB          Session Id Key
Aug 10 14:29:34 10.0.5.1 360986: 421936: Aug 10 14:26:00.414 AZST: POD: KILL Virtual- nadiritus 10.0.5.25 0x2A89C    0x9F282A8D
Aug 10 14:29:34 10.0.5.1 360987: 421937: Aug 10 14:26:00.418 AZST: POD: Added Reply Message: Session Not Removed
Aug 10 14:29:34 10.0.5.1 360988: 421938: Aug 10 14:26:00.418 AZST: POD: Added NACK Error Cause: Session Context Not Removable
Aug 10 14:29:34 10.0.5.1 360989: 421939: Aug 10 14:26:00.418 AZST: POD: Sending NAK from port 3799 to 10.0.5.2/54033

Can anybody help me? Why do I receive "session not removed" (but the session is removed)?

 


 

------------------------------

 

Message: 6
Date: Mon, 10 Aug 2009 10:51:07 +0100
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Subject: Re: your mail
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Message-ID: <20090810095107.GA13695 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

 

Hi,

> I use radclient to disconnect users:
> 
> "Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}\nNAS-IP-Address=10.0.5.1" | radclient -x 10.0.5.1:3799 disconnect 123";

You're telling the NAS about itself (NAS-IP-Address). Perhaps it doesn't like
that bit, and the message you are getting is just its way of saying
that something wasn't quite right, i.e. try

"Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}" | radclient -x 10.0.5.1:3799 disconnect 123";

?

alan
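The exchange that Message 5, this reply and the follow-up at the top of the page are all looking at is the RFC 5176 Disconnect-Request / Disconnect-ACK / Disconnect-NAK round trip, which is exactly what `radclient ... disconnect` sends and receives. The Python script below is an added example and is not code from the original posts, from FreeRADIUS or from Cisco. It builds a Disconnect-Request the way a client such as radclient does, plays a constructed NAS that checks the request and answers with an ACK or a NAK, and checks the NAS's reply before trusting it, so that Error-Cause 503 (Session-Context-Not-Found) and 504 (Session-Context-Not-Removable) come back as names rather than numbers. Two things it makes concrete: the trailing argument to radclient (`123` in the commands above) is the shared secret, and the only thing protecting the packet in either direction is an MD5 over that secret, so a client using the wrong secret is silently dropped by the NAS (no NAK at all), while a forged or tampered reply fails the Response Authenticator check on the client. The secret, the session table and the user name are constructed; the attribute number 151 for X-Ascend-Session-Svr-Key is an assumption taken from FreeRADIUS's dictionary.ascend.

```python
"""RFC 5176 Disconnect-Request / ACK / NAK, both ends, offline.
Added example: not radclient's or Cisco's code; 'constructed' values are made up."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

# Attribute numbers from RFC 2865 / RFC 5176. X-Ascend-Session-Svr-Key = 151 is an
# assumption taken from FreeRADIUS's dictionary.ascend; check against your dictionary.
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Reply-Message": 18,
        "Acct-Session-Id": 44, "Error-Cause": 101, "X-Ascend-Session-Svr-Key": 151}
ATTR_NAME = {v: k for k, v in ATTR.items()}

# Error-Cause values from RFC 5176 section 3.5; the thread hits 503 and 504.
ERROR_CAUSE = {401: "Unsupported-Attribute", 402: "Missing-Attribute",
               403: "NAS-Identification-Mismatch", 404: "Invalid-Request",
               501: "Administratively-Prohibited", 503: "Session-Context-Not-Found",
               504: "Session-Context-Not-Removable"}


def encode_attrs(attrs):
    """Encode [(name, value), ...] as RADIUS TLVs; ints become 4-octet big-endian."""
    out = b""
    for name, value in attrs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        if not 1 <= len(raw) <= 253:
            raise ValueError("value length out of range for %s" % name)
        out += struct.pack("!BB", ATTR[name], len(raw) + 2) + raw
    return out


def decode_attrs(data):
    """Walk the TLVs, rejecting malformed lengths; Error-Cause is returned as an int."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, raw = data[i], data[i + 2:i + data[i + 1]]
        if t == ATTR["Error-Cause"]:
            attrs["Error-Cause"] = struct.unpack("!I", raw)[0]
        else:
            attrs[ATTR_NAME.get(t, "Attr-%d" % t)] = raw.decode("utf-8", "replace")
        i += data[i + 1]
    return attrs


def build_disconnect_request(secret, ident, attrs):
    """Client side (what radclient does). Request Authenticator, RFC 5176 section 3:
    MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(secret, code, request, attrs):
    """NAS side. Response Authenticator:
    MD5(Code | Identifier | Length | Request Authenticator | Attributes | Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def simulate_nas(secret, request, sessions):
    """Constructed NAS: verify the request, then ACK a known session or NAK with 503.
    `sessions` maps Acct-Session-Id -> User-Name for sessions the NAS still holds.
    Returns None where RFC 5176 says to silently discard (bad authenticator)."""
    if len(request) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != DISCONNECT_REQUEST or length != len(request):
        return None
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    if not hmac.compare_digest(expected, request[4:20]):
        return None  # wrong shared secret or tampered packet: no NAK, just silence
    attrs = decode_attrs(request[20:])
    sid, user = attrs.get("Acct-Session-Id"), attrs.get("User-Name")
    if sid in sessions and sessions[sid] == user:
        del sessions[sid]  # the session is torn down
        return build_response(secret, DISCONNECT_ACK, request, [])
    return build_response(secret, DISCONNECT_NAK, request,
                          [("Reply-Message", "No Matching Session"), ("Error-Cause", 503)])


def parse_response(secret, request, response):
    """Client side: check Identifier and Response Authenticator before believing ACK/NAK."""
    if len(response) < 20:
        raise ValueError("short reply")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        raise ValueError("reply does not match the outstanding request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attrs = decode_attrs(response[20:])
    cause = attrs.get("Error-Cause")
    return {"ok": code == DISCONNECT_ACK, "code": code,
            "error_cause": ERROR_CAUSE.get(cause, cause), "attrs": attrs}


if __name__ == "__main__":
    SECRET = b"s3cret"                    # constructed; must equal the NAS server-key
    nas_sessions = {"0002A89C": "alice"}  # constructed session table on the NAS
    for ident in (123, 124):              # the second request hits a session that is gone
        req = build_disconnect_request(SECRET, ident, [("Acct-Session-Id", "0002A89C"),
                                                        ("User-Name", "alice")])
        print(parse_response(SECRET, req, simulate_nas(SECRET, req, nas_sessions)))
```

Run as-is it prints an ACK for the first request and a 503 NAK for the second, because the constructed NAS has already dropped the session; that is the same shape as the NAK quoted in Message 5, and the NAK this script produces is 47 octets long for the same reason radclient reported length=47 there (a 19-character Reply-Message plus a 4-octet Error-Cause). Swapping the simulated NAS for a UDP socket turns `build_disconnect_request` and `parse_response` into a minimal radclient replacement; keep in mind that nothing beyond the shared secret and the Identifier authenticates a Disconnect-Request, so the NAS should only accept them from the RADIUS server addresses and the secret should not be one that is easy to guess.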

 

 

------------------------------

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 52, Issue 48
************************************************
