Here is the sql module being loaded: It shows the group queries so not sure why it doesn't process them # Loaded module rlm_sql # Instantiating module "sql" from file /etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = "3306" login = "radius" password = "123456" radius_db = "radius" read_groups = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{User-Name}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" } post-auth { reference = ".query" } mysql { tls { } }rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linkedrlm_sql (sql): Attempting to connect to database "radius"rlm_sql (sql): Initialising connection pool pool { start = 5 min = 4 max = 10 spare = 3 uses = 0 lifetime = 0 cleanup_delay = 5 idle_timeout = 60 spread = no }rlm_sql (sql): Opening additional connection (0)rlm_sql_mysql: Starting connect to MySQL serverrlm_sql (sql): Opening additional connection (1)rlm_sql_mysql: Starting connect to MySQL serverrlm_sql (sql): Opening additional connection (2)rlm_sql_mysql: Starting connect to MySQL serverrlm_sql (sql): Opening additional connection (3)rlm_sql_mysql: Starting connect to MySQL serverrlm_sql (sql): Opening additional connection (4)rlm_sql_mysql: Starting connect to MySQL serverrlm_sql (sql): Processing generate_sql_clientsrlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nasrlm_sql (sql): Reserved connection (4)rlm_sql (sql): Executing query: 'SELECT id, nasname, shortname, type, secret, server FROM nas'rlm_sql (sql): Released connection (4) } # modulesradiusd: #### Loading Virtual Servers ####server { # from file /etc/raddb/radiusd.conf} # serverserver default { # from file /etc/raddb/sites-enabled/default # Creating Auth-Type = digest # Loading authenticate {...} # Loading authorize {...} # Loading virtual module filter_usernameWARNING: Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap} # server defaultserver inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...}WARNING: Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...}} # server inner-tunnelradiusd: #### Opening IP addresses and Ports ####listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "auth" ipaddr = 127.0.0.1 port = 18120}Listening on auth address * port 1812 as server defaultListening on acct address * port 1813 as server defaultListening on auth address 127.0.0.1 port 18120 as server inner-tunnelOpening new proxy address * port 1814Listening on proxy address * port 1814Ready to process requests.
From: freeradius-users-request@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 113, Issue 129 To: freeradius-users@lists.freeradius.org Date: Mon, 29 Sep 2014 09:29:30 +0200
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. RE: Beginner need help (unrecognized clients) (Frank Wei) 2. Re: freeradius sql groups not working (James w)
----------------------------------------------------------------------
Message: 1 Date: Mon, 29 Sep 2014 05:09:58 +0000 From: Frank Wei <Frank.Wei@4rf.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: Beginner need help (unrecognized clients) Message-ID: <36A567FFA4FB734C89ABF498A70F83AE9615B3BA@4rf-nz-orion.local.4rf.com> Content-Type: text/plain; charset="us-ascii"
Dear friends,
I have added clients
client private-network-1 { ipaddr = 192.168.0.244 netmask = 24 secret = testing123-1 shortname = private-network-1 }
To the clients.conf.
And run command "radius -X". From the debug message I can see the added client loaded.
Then from my NAS (with IP 192.168.0.244) I sent a "authentication only" request to the server. The server showed me a message:
Ignored,.....Unrecognized client "192.168.0.244" port "1222".
What is wrong with my config?
Regards, Frank
-----Original Message----- From: freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org [mailto:freeradius-users-bounces+frank.wei=4rf.com@lists.freeradius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Thursday, 25 September 2014 6:49 p.m. To: FreeRadius users mailing list Subject: Re: Beginner need help
Hi,
My understanding is that source IP address of the Access-Request packets must be the NAS IP address which is "NAS-IP-Address". Apparently this is different to the Attribute description.
Could anybody explain?
sure.
the NAS-IP-Address is set by the NAS - so it SHOULD be its IP address in a nice world. okay thats clear....however, the packet might be reaching your RADIUS server via some other route - lets say, eg a NAT gateway, a RADIUS server (it has been proxied) or from some central controller (thinking of some of the WiFi solutions out there) - in which case the NAS-IP-Address is NOT the source IP address of the packet.
the NAS-IP-Address is also part of the RADIUS datagram - so you've already started to analyse the packet contents really before you can - eg how did you ensure the packet contents were correct, verify the message authenticator or ensured the content values by using the shared secret? you didnt.
the RADIUS datagram comes in. you see the source address of the packet. look up the client, get its shared secret, work on the packet.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).
------------------------------
Message: 2 Date: Mon, 29 Sep 2014 07:29:26 +0000 From: James w <spyda46@hotmail.com> To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: Re: freeradius sql groups not working Message-ID: <DUB123-W2A21F9FBF92014A289545B2BA0@phx.gbl> Content-Type: text/plain; charset="iso-8859-1"
Does anybody have any suggestions, could this be a bug ? Shall i try another version, its running on RHEL 7 Free radius version 3.0.1
From: freeradius-users-request@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 113, Issue 128 To: freeradius-users@lists.freeradius.org Date: Mon, 29 Sep 2014 04:06:31 +0200
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: How to send disconnect message to the NAS? (Alan DeKok) 2. Re: EAP and rlm_perl. Is it possible to build custom logic for VPN peers? (Oleksandr Yermolenko) 3. Re: EAP and rlm_perl. Is it possible to build custom logic for VPN peers? (Oleksandr Yermolenko) 4. version 2.2.5 repo (Rando Nakarmi) 5. Re: version 2.2.5 repo (Alan DeKok) 6. Re: EAP and rlm_perl. Is it possible to build custom logic for VPN peers? (Alan DeKok) 7. Re: Problem in Module Statistics in freeradius (Himanshu Pandey)
----------------------------------------------------------------------
Message: 1 Date: Sun, 28 Sep 2014 11:08:16 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to send disconnect message to the NAS? Message-ID: <54282460.1090603@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Xin wrote:
Thanks a lot for your reply, I have understood I can use update control section to control send or not. And one more question, what is the virtual server in home_server_pool section. Just find the server originate-coa.example.com section?
The behavior is documented in that file.
If this is right, can you tell me the usage of pre-proxy section? I have already understand the purpose of the post-proxy is to handle the COA/DM response.
Read the file. This is documented.
Alan DeKok.
------------------------------
Message: 2 Date: Sun, 28 Sep 2014 18:52:59 +0300 From: Oleksandr Yermolenko <aae@sumix.com> To: Alan DeKok <aland@deployingradius.com> Subject: Re: EAP and rlm_perl. Is it possible to build custom logic for VPN peers? Message-ID: <54282EDB.20904@sumix.com> Content-Type: text/plain; charset=utf-8; format=flowed
Is it possible to use any of EAP methods (I mean EAP-PEAP, EAP-TTLS or EAP-TLS ...) with rlm_perl. What does that mean? can I use authenticate, authorize, accounting hooks (or post_auth)? I looked at example.pl.
Just put "perl" in somewhere eap.conf file?
You can run the perl module when the server receives a packet. It doesn't matter whether the packet contains PAP, CHAP, MS-CHAP, or any EAP type.
What do you want to *do* in rlm_perl? Knowing that probably more useful, and will get you a better answer.
authenticate a lot of VPN clients (currently I can choose EAP method), keeping them in mysql or ldap. According their properties give a personal access to different local resources. Accounting: updating start/stop/alive messages. POD if it's possible for strongswan.
Alan DeKok.
------------------------------
Message: 3 Date: Sun, 28 Sep 2014 18:52:59 +0300 From: Oleksandr Yermolenko <aae@sumix.com> To: Alan DeKok <aland@deployingradius.com> Subject: Re: EAP and rlm_perl. Is it possible to build custom logic for VPN peers? Message-ID: <54282EDB.20904@sumix.com> Content-Type: text/plain; charset=utf-8; format=flowed
Is it possible to use any of EAP methods (I mean EAP-PEAP, EAP-TTLS or EAP-TLS ...) with rlm_perl. What does that mean? can I use authenticate, authorize, accounting hooks (or post_auth)? I looked at example.pl.
Just put "perl" in somewhere eap.conf file?
You can run the perl module when the server receives a packet. It doesn't matter whether the packet contains PAP, CHAP, MS-CHAP, or any EAP type.
What do you want to *do* in rlm_perl? Knowing that probably more useful, and will get you a better answer.
authenticate a lot of VPN clients (currently I can choose EAP method), keeping them in mysql or ldap. According their properties give a personal access to different local resources. Accounting: updating start/stop/alive messages. POD if it's possible for strongswan.
Alan DeKok.
------------------------------
Message: 4 Date: Sun, 28 Sep 2014 19:14:18 +0000 From: Rando Nakarmi <randonakarmi@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: version 2.2.5 repo Message-ID: <CAG+85v_XJ_v8cJGu-tMqi+eWNSsnME=7mZcv5yqAhB6d9K+_KA@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
HI,
I see both in RHEL and epel , the freeradius version 2.1.12-4 is available but not the 2.2.5 which is the newest version on 2.x.x series.
I am used to do yum, where can I get version 2.2.5 in yum repo for RHEL base linux.
R