Changing the format of a date attribute
Hi everyone, Firstly, thanks Alan for your help with my acct_start_time problem, that was exactly what I was after. The only problem that remains for me is getting the value into a different format so I can store it in my database table. So I have the following setup currently: share/dictionary.freeradius: ATTRIBUTE FreeRADIUS-Acct-Session-Start-Time 2 date Then in my preacct section: update request { FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" } Then I can use %{FreeRADIUS-Acct-Session-Start-Time} which is in the date format: "Dec 8 2009 09:14:14 GMT". The database field I will be writing into is a MySQL DateTime field, which is in the format "YYYY-MM-DD HH:ii:ss", eg: "2009-12-08 11:27:34" Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time attribute value into that date format? Any advice would be very much appreciated. Many thanks, Patric
Patric wrote:
Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time attribute value into that date format?
http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function... Alan DeKok.
Alan DeKok wrote:
Patric wrote:
Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time attribute value into that date format?
http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function... You sir are a genius :) It didnt even occur to me to do it in the SQL statement...
So now I have the following: STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s')) And that converts "Dec 8 2009 09:14:14 GMT" into "2009-12-08 09:14:14" Thanks so much! Patric
Hi again all :) Patric wrote:
Alan DeKok wrote:
Patric wrote:
Is there any way for me to get my FreeRADIUS-Acct-Session-Start-Time attribute value into that date format?
http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function...
So now I have the following:
STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s'))
And that converts "Dec 8 2009 09:14:14 GMT" into "2009-12-08 09:14:14"
I have a curious problem trying to format the date field in my MySQL statement as shown above. In my sql/mysql/dialup.conf I have the following: accounting_start_query_alt = "UPDATE ${acct_table_new} \ SET \ acct_start_time = STR_TO_DATE('%{FreeRADIUS-Acct-Session-Start-Time}', '%M %d %Y %H:%i:%s'), \ ... The problem with the above is that some of those formatting options ('%M %d %Y %H:%i:%s') are also defined as one-character variables, so instead of formatting the date with those options, its replacing each with the variable value, and when Im trying to end up with: 2009-12-08 09:14:14 instead Im ending up with: 2009-12-09 11:0126538264:AutoShapedVC As you can see the minutes were replaced with the Calling Station ID and the seconds were replaced with the Connect-Info... Is there any way for me to perhaps escape my format string, or some other work-around? Many thanks Patric
On 09-12-09 11:37 AM, Patric wrote:
The problem with the above is that some of those formatting options ('%M %d %Y %H:%i:%s') are also defined as one-character variables, so instead of formatting the date with those options, its replacing each with the variable value, and when Im trying to end up with:
Use %% to escape the %. That should work. e.g. ' ... %%M %%d %%Y %%H:%%i:%%s' Alan DeKok.
Alan DeKok wrote:
On 09-12-09 11:37 AM, Patric wrote:
The problem with the above is that some of those formatting options ('%M %d %Y %H:%i:%s') are also defined as one-character variables, so instead of formatting the date with those options, its replacing each with the variable value, and when Im trying to end up with:
Use %% to escape the %. That should work. e.g.
' ... %%M %%d %%Y %%H:%%i:%%s'
Thanks Ill give that a go :) Patric
Hi, I'm getting trouble authenticating my AP to freeradius. When I type in a password on the AP, it reaches the radius server, however the server responds with ICMP destination unreachable to the AP. I can see radius is listening to the following ports: Udp 0 0 *:radius Udp 0 0 *:radius-acct I take it the above are port 1812 and 1813 respectfully. Right? I see the Cisco AP is sending request with destination port 1812. So, any clue as to why it sending the ICMP unreachable? It seems that the port numbers are not what I think they are, but netstat identifies the two ports as radius default, so it got to be right. But I know that icmp unreachable is only sent out (in this case), if the server cannot identify the destination port number. How can I locally test that radius is serving the port above and the password. Like is there a way that I can use CLI to test the radius as if I'm the AP, but from the command line on the server? Thanks, Alex __________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
If I recall, you said you're using an FC12. Try deactivating the FC firewall and try again. service iptables stop If it doesn't work, I would go after SELinux. Deactivating it could be helpful, at least just to give it a try. On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
Hi,
I'm getting trouble authenticating my AP to freeradius. When I type in a password on the AP, it reaches the radius server, however the server responds with ICMP destination unreachable to the AP. I can see radius is listening to the following ports:
Udp 0 0 *:radius Udp 0 0 *:radius-acct
I take it the above are port 1812 and 1813 respectfully. Right? I see the Cisco AP is sending request with destination port 1812. So, any clue as to why it sending the ICMP unreachable? It seems that the port numbers are not what I think they are, but netstat identifies the two ports as radius default, so it got to be right. But I know that icmp unreachable is only sent out (in this case), if the server cannot identify the destination port number.
How can I locally test that radius is serving the port above and the password. Like is there a way that I can use CLI to test the radius as if I'm the AP, but from the command line on the server?
Thanks,
Alex
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________
The message was checked by ESET NOD32 Antivirus.
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________
The message was checked by ESET NOD32 Antivirus.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
For testing, you can always use radtest. On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
Hi,
I'm getting trouble authenticating my AP to freeradius. When I type in a password on the AP, it reaches the radius server, however the server responds with ICMP destination unreachable to the AP. I can see radius is listening to the following ports:
Udp 0 0 *:radius Udp 0 0 *:radius-acct
I take it the above are port 1812 and 1813 respectfully. Right? I see the Cisco AP is sending request with destination port 1812. So, any clue as to why it sending the ICMP unreachable? It seems that the port numbers are not what I think they are, but netstat identifies the two ports as radius default, so it got to be right. But I know that icmp unreachable is only sent out (in this case), if the server cannot identify the destination port number.
How can I locally test that radius is serving the port above and the password. Like is there a way that I can use CLI to test the radius as if I'm the AP, but from the command line on the server?
Thanks,
Alex
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________
The message was checked by ESET NOD32 Antivirus.
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________
The message was checked by ESET NOD32 Antivirus.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Gera, it was a fire wall issue, even though when I installed F12 I did not select firewall, but it was running. Now I know it's a config issue in the clients.conf, as radtest is failing. I set user name and password, but radius is sending a reject. This is the first time I'm using radius. So please bear with me. Can some one mail me example of the minimum required configuration that needed for the radius to work, no EAP or MSCAP ..etc. Rrgds, Alex -----Original Message----- From: freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.o rg] On Behalf Of gera Sent: Wednesday, December 09, 2009 10:19 PM To: FreeRadius users mailing list Subject: Re: Testing radius server For testing, you can always use radtest. On Wednesday 09 December 2009 10:31:55 pm Alex Bahoor wrote:
Hi,
I'm getting trouble authenticating my AP to freeradius. When I type in a password on the AP, it reaches the radius server, however the server responds with ICMP destination unreachable to the AP. I can see radius is listening to the following ports:
Udp 0 0 *:radius Udp 0 0 *:radius-acct
I take it the above are port 1812 and 1813 respectfully. Right? I see the Cisco AP is sending request with destination port 1812. So, any clue as to why it sending the ICMP unreachable? It seems that the port numbers are not what I think they are, but netstat identifies the two ports as radius default, so it got to be right. But I know that icmp unreachable is only sent out (in this case), if the server cannot identify the destination port number.
How can I locally test that radius is serving the port above and the password. Like is there a way that I can use CLI to test the radius as if I'm the AP, but from the command line on the server?
Thanks,
Alex
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________
The message was checked by ESET NOD32 Antivirus.
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________
The message was checked by ESET NOD32 Antivirus.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Hi,
Now I know it's a config issue in the clients.conf, as radtest is failing. I set user name and password, but radius is sending a reject. This is the first time I'm using radius. So please bear with me. Can some one mail me example of the minimum required configuration that needed for the radius to work, no EAP or MSCAP ..etc.
hey, guess what - 'radiusd -X' this will be far more useful than throwing random recommendations to you. have you followed basic guidance regarding hwo to use clients.conf eg testuser Cleartext-Password := "testpassword" alan
Alan, Radius -X is always on, and I went through the clients.conf file. -X gives a lot information, since you asked here is my understanding. I'm not a programmer so some of them are cryptic to me. I put in comments to what I think they are, but they are only guesses. I would be very thankful if you can shed lights on them. Also, there is file experimental.conf stated in eap.conf, but did not exist. It may have some useful information. root@Crest raddb]# radtest cisco cisco 127.0.0.1 200 testing123 Sending Access-Request of id 187 to 127.0.0.1 port 1812 User-Name = "cisco" User-Password = "cisco" NAS-IP-Address = 127.0.0.1 NAS-Port = 200 rad_recv: Access-Request packet from host 127.0.0.1 port 43663, id=187, length=57 User-Name = "cisco" User-Password = "cisco" NAS-IP-Address = 127.0.0.1 NAS-Port = 200 +- entering group authorize {...} ++[preprocess] returns ok ;what is preprocess and what does it do? ++[chap] returns noop ;I can tell that chap was not selected as a protocol, right? ++[mschap] returns noop ;as above [suffix] No '@' in User-Name = "cisco", looking up realm NULL ;why @ is expected in a name or password? [suffix] No such realm "NULL" ;what this mean? ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ;eap is not auth protocol. ++[eap] returns noop ++[unix] returns notfound ;what is this? ++[files] returns noop ? ++[expiration] returns noop ? ++[logintime] returns noop ? [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ;I do have a password (cisco). ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user ;this look like authentication protocol is a must before the process can work, however, eap.conf file is there and eap is uncommented out with it's arguments. ? Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> cisco attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 187 to 127.0.0.1 port 43663 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=187, length=20 [root@Crest raddb]# Cleaning up request 5 ID 187 with timestamp +411 Ready to process requests. Rgrds, Alex -----Original Message----- From: freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.o rg] On Behalf Of Alan Buxey Sent: Thursday, December 10, 2009 2:07 AM To: FreeRadius users mailing list Subject: Re: Testing radius server Hi,
Now I know it's a config issue in the clients.conf, as radtest is failing. I set user name and password, but radius is sending a reject. This is the first time I'm using radius. So please bear with me. Can some one mail me example of the minimum required configuration that needed for the radius to work, no EAP or MSCAP ..etc.
hey, guess what - 'radiusd -X' this will be far more useful than throwing random recommendations to you. have you followed basic guidance regarding hwo to use clients.conf eg testuser Cleartext-Password := "testpassword" alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information from ESET NOD32 Antivirus, version of virus signature database 4674 (20091209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 4676 (20091210) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 4676 (20091210) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Radius -X is always on, and I went through the clients.conf file. -X gives a lot information, since you asked here is my understanding. I'm not a programmer so some of them are cryptic to me. I put in comments to what I think they are, but they are only guesses. I would be very thankful if you can shed lights on them.
Also, there is file experimental.conf stated in eap.conf, but did not exist. It may have some useful information.
root@Crest raddb]# radtest cisco cisco 127.0.0.1 200 testing123 Sending Access-Request of id 187 to 127.0.0.1 port 1812 User-Name = "cisco" User-Password = "cisco" NAS-IP-Address = 127.0.0.1 NAS-Port = 200 rad_recv: Access-Request packet from host 127.0.0.1 port 43663, id=187, length=57 User-Name = "cisco" User-Password = "cisco" NAS-IP-Address = 127.0.0.1 NAS-Port = 200 +- entering group authorize {...} ++[preprocess] returns ok ;what is preprocess and what does it do?
Well, read the debug of server startup and it will be clearer. Don't ask us what's in the bit you coudn't be bothered to read.
++[chap] returns noop ;I can tell that chap was not selected as a protocol, right?
Correct.
++[mschap] returns noop ;as above
Yes.
[suffix] No '@' in User-Name = "cisco", looking up realm NULL ;why @ is expected in a name or password?
suffix is enabled by default. Lots of people have user@domain type username that it makes sense for it to be default option. If you don't have such usernames you can comment it out.
[suffix] No such realm "NULL" ;what this mean?
No @ in username.
++[suffix] returns noop [eap] No EAP-Message, not doing EAP ;eap is not auth protocol. ++[eap] returns noop
Same as chap and mschap.
++[unix] returns notfound ;what is this?
System passwords. Again enabled by default as enough people use it. You can comment it out if you are not using it.
++[files] returns noop ?
You don't have that user entry in users file (people have told you to put the password there but you haven't).
++[expiration] returns noop ?
Password expiration. Another module enabled by default.
++[logintime] returns noop ?
Does what says on the tin.
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ;I do have a password (cisco).
No, you don't. Or should I say - where did you store that password?
++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user ;this look like authentication protocol is a must before the process can work, however, eap.conf file is there and eap is uncommented out with it's arguments. ?
No password - no authentication. You haven't stored password for this user in any place server looked. Ivan Kalik
Ivan, Please try to be less arrogant when you answer me. I have not touched linux or Solaris for 9 years. And I'm not a developer, and an RF engineer. I know many of you are software developers. We should not delve into the Silicon Valley notion of RTFM--instead should adhere to RFC1855 <http://www.faqs.org/rfcs/rfc1855.html> . The reason I'm having very basic questions is because the wiki is counter intuitive and way cryptic to me; it's written with idea in mind that users used the product and familiar with it. I have used steel belted radius for a long time, never had a problem with it, because it's written for *not* developers. I'm at loss with this product, even though I have about 28 years of networking, RF and wireless experience in testing and installation, and close to CCIE certified. I'd like to continue use the product, with all the help I can get from you guys, but with dignity. If this won't work with this group, may be I should just bite the bullet and buy steel belted and get over with. Now let's go to answer your questions. Please see in-inline -----Original Message----- From: freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.o rg] On Behalf Of tnt@kalik.net Sent: Thursday, December 10, 2009 10:58 AM To: FreeRadius users mailing list Subject: RE: Testing radius server
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ;I do have a password (cisco).
No, you don't. Or should I say - where did you store that password? I edited /etc/raddb/clients.conf. Below is the only thing I edited in this file. And I take it it's wrong, so please point me to the right lines. # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # client 1.2.3.100/24 { secret = cisco shortname = cisco } # Ivan Kalik Rgrds, Alex __________ Information from ESET NOD32 Antivirus, version of virus signature database 4677 (20091210) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Alex, Please try to be less arrogant when you answer me. I have not touched linux or Solaris for 9 years. And I'm not a developer, and an RF engineer. I know many of you are software developers. We should not delve into the Silicon Valley notion of RTFM--instead should adhere to <http://www.faqs.org/rfcs/rfc1855.html> RFC1855. The reason I'm having very basic questions is because the wiki is counter intuitive and way cryptic to me; it's written with idea in mind that users used the product and familiar with it. I have used steel belted radius for a long time, never had a problem with it, because it's written for *not* developers. I'm at loss with this product, even though I have about 28 years of networking, RF and wireless experience in testing and installation, and close to CCIE certified. I'd like to continue use the product, with all the help I can get from you guys, but with dignity. If this won't work with this group, may be I should just bite the bullet and buy steel belted and get over with. Now let's go to answer your questions. Please see in-inline <tim> Blah, blah blah ... 22 years ago I worked for Al Gore and we spent two days driving around Iowa talking about Gigabit Fiber Optic networks and the Internet. So, I guess you could say that I helped Al Gore invent the Internet. Then I went to work for Cisco in 1996. # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # client 1.2.3.100/24 { secret = cisco shortname = cisco } <tim> You need to put users in the users file. Tim
Tim, Go ahead and take my out of this list. I had enough of this. Alex _____ From: freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.o rg] On Behalf Of Tim Sylvester Sent: Thursday, December 10, 2009 1:41 PM To: 'FreeRadius users mailing list' Subject: RE: Testing radius server Alex, Please try to be less arrogant when you answer me. I have not touched linux or Solaris for 9 years. And I'm not a developer, and an RF engineer. I know many of you are software developers. We should not delve into the Silicon Valley notion of RTFM--instead should adhere to <http://www.faqs.org/rfcs/rfc1855.html> RFC1855. The reason I'm having very basic questions is because the wiki is counter intuitive and way cryptic to me; it's written with idea in mind that users used the product and familiar with it. I have used steel belted radius for a long time, never had a problem with it, because it's written for *not* developers. I'm at loss with this product, even though I have about 28 years of networking, RF and wireless experience in testing and installation, and close to CCIE certified. I'd like to continue use the product, with all the help I can get from you guys, but with dignity. If this won't work with this group, may be I should just bite the bullet and buy steel belted and get over with. Now let's go to answer your questions. Please see in-inline <tim> Blah, blah blah ... 22 years ago I worked for Al Gore and we spent two days driving around Iowa talking about Gigabit Fiber Optic networks and the Internet. So, I guess you could say that I helped Al Gore invent the Internet. Then I went to work for Cisco in 1996. # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # client 1.2.3.100/24 { secret = cisco shortname = cisco } <tim> You need to put users in the users file. Tim __________ Information from ESET NOD32 Antivirus, version of virus signature database 4677 (20091210) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Alex, as stated at the end of every message from this list, everyone can do that: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Greetings and good luck. On Thu, Dec 10, 2009 at 3:48 PM, Alex Bahoor <alexbahoor@sbcglobal.net>wrote:
Tim,
Go ahead and take my out of this list.
I had enough of this.
Alex
------------------------------
*From:* freeradius-users-bounces+alexbahoor=sbcglobal.net@ lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor<freeradius-users-bounces%2Balexbahoor> =sbcglobal.net@lists.freeradius.org] *On Behalf Of *Tim Sylvester *Sent:* Thursday, December 10, 2009 1:41 PM
*To:* 'FreeRadius users mailing list' *Subject:* RE: Testing radius server
Alex,
Please try to be less arrogant when you answer me. I have not touched linux or Solaris for 9 years. And I’m not a developer, and an RF engineer. I know many of you are software developers. We should not delve into the Silicon Valley notion of RTFM--instead should adhere to RFC1855<http://www.faqs.org/rfcs/rfc1855.html> . The reason I’m having very basic questions is because the wiki is counter intuitive and way cryptic to me; it's written with idea in mind that users used the product and familiar with it. I have used steel belted radius for a long time, never had a problem with it, because it’s written for *not* developers. I'm at loss with this product, even though I have about 28 years of networking, RF and wireless experience in testing and installation, and close to CCIE certified. I'd like to continue use the product, with all the help I can get from you guys, but with dignity. If this won't work with this group, may be I should just bite the bullet and buy steel belted and get over with.
Now let's go to answer your questions. Please see in-inline
<tim> Blah, blah blah ... 22 years ago I worked for Al Gore and we spent two days driving around Iowa talking about Gigabit Fiber Optic networks and the Internet. So, I guess you could say that I helped Al Gore invent the Internet. Then I went to work for Cisco in 1996.
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
client 1.2.3.100/24 {
secret = cisco
shortname = cisco
}
<tim> You need to put users in the users file.
Tim
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4677 (20091210) __________
The message was checked by ESET NOD32 Antivirus.
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4677 (20091210) __________
The message was checked by ESET NOD32 Antivirus.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I had enough of this.
what? free support pointing out the same suggestions and help every time? just a _little_ bit of reading would have informed you of the basics...but I think there _could_ be issues and am open to suggestions to fix the docs/guides for newcomers (and I've used all the alternatives to FreeRADIUS so know what you face on those platforms) so - please point out the weaknesses that you faced alan
Alan, I don't know what your capacity in freeradius, but I sure hope this product is comparable to steel belt or Cisco's ACS, which are very costly. Abstract I'm not a hacker, and have not used free software in this capacity before. I'm spoiled in using purchased software, which uses GUIs all the time. So my expectations are little different. While six years working with Sun Microsystems, I kept hearing all the time difficulty was the nature of Solaris, and Unix. The most elegant OS, Solaris, unfortunately did not go any where, and Sun went under. Why? Because it was not user friendly. You read man pages written by developers at 3:00 AM in the morning and expect to make sense out of them. Unfortunately, man pages have not improved at all. They still lack examples .etc. Freeradius is not an exception. The documentation is not user friendly at all. Document problems: Here is an example excerpt from a page on the web: CLIENTS Make sure the clients (portmasters, Linux with portslave etc) are set up to use the host FreeRADIUS is running on as authentication and accounting host. Configure these clients to use a "radius secret password". For every client, also enter this "secret password" into the file /etc/raddb/clients.conf Allow me to tell you where my confusion is: 1-The "clients" becomes confusing, when I see portmasters .etc. Is this meant the users who want to get access through a NAS or AP? 2-The "host" here meant to be the server? Why is it called host? 3-The "radius secret password" is defined again as "secret password" and "shared secret", all these meant PSK (preshared key). Why is it not called so? Instead of adding many different words for the same definition. See I'm an engineer; definitions are critical to my understanding, and subtle differences can throw me off. May be I'm too meticulous. 4-I looked up the "secret password" in the clients.conf, it was defined as "shared secret". All this confusion could have been eliminated by just using PSK (PreShared Key). 5-Please take a look at this paragraph from the same file: # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { # secret = testing123-1 # shortname = private-network-1 #} 1-The above tells me, every user will have to be entered into Radius with a user and password, which is obvious, but why the IP address has to be as part of this context? A user would use DHCP so this cannot be used. 2- The shortname is confusing, when a user login, all he/she has is name not a FQDN. When I saw this, first thing came to mind that this clients.conf file is not for my set up, but I used it any way. Adding to all this confusion is the file /etc/raddb/users which seems to be used for something, but it's not on the wiki, or at least not in a conspicuous spot. It took me quite some time to find out which platform I should have used. What's in the wiki is vague, not specific to specific versions. And what packages of freeradious I should have installed. Till Tim clarified this for me, I was at loss and frustrated. You have to understand, this is free software, compatibility, and interoperability is at a big question; I don't have the time test every OS to find out which one is good, soso, or even bad. It should have been stated clearly in the wiki under "operating systems", and which version of each OS you have tested. Take a look at this paragraph which clearly proves my point. The link under "several versions of Linux" would not bring up a page. And in the same page, all OSes listed have links to download the softwar, which is convenient, but did not tell me, what is there has been tested. Snippett from the wiki ------------------ Porting to other unix-like platforms should be easy. Due to the limited resources of the FreeRADIUS development team, we are not able to test each version on all platforms before release. In general we test on several versions of Linux and Solaris and FreeBSD appears to also be a popular deployment platform for our users so we hear about any issues on those platforms quickly. The website is not helpful in this too: You start with http://freeradius.org/list/users.html Click on the wiki tab Click on configuration: once you're there you would see a different configuration file than the one you mailed me (http://wiki.freeradius.org/CONFIGURATION_FILES), where is that one and how you get to it from the home page beats me. A picture is worth a thousand words. Network topologies, samples of clients.conf and radiusd.conf with various features from basic to complex security configuration can be downladed and used would save a lot time and confusion. If there is such samples, you would not hear from me. I hope this helps. Rgrds, Alex -----Original Message----- From: freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.org [mailto:freeradius-users-bounces+alexbahoor=sbcglobal.net@lists.freeradius.o rg] On Behalf Of Alan Buxey Sent: Thursday, December 10, 2009 3:18 PM To: FreeRadius users mailing list Subject: Re: Testing radius server Hi,
I had enough of this.
what? free support pointing out the same suggestions and help every time? just a _little_ bit of reading would have informed you of the basics...but I think there _could_ be issues and am open to suggestions to fix the docs/guides for newcomers (and I've used all the alternatives to FreeRADIUS so know what you face on those platforms) so - please point out the weaknesses that you faced alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________ Information from ESET NOD32 Antivirus, version of virus signature database 4677 (20091210) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 4677 (20091210) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
At 12:12 AM 12/11/2009, Alex Bahoor wrote:
For someone that claims words are important, you're not listening to the people trying to tell you you're using words wrong. random != dynamic for example client != user would be another example. The client is not the user. It's the physical device that's configured to uses RADIUS for authentication. cilents are defined in ./clients.conf The user is the one with an ID and a password. Users are defined in ./users (who they are, what their password is, where to go look for their information) And to get to your next question, ./huntgroups can be used to define the association between the two (which users can log into which clients) The docs might not be optimal, but they're offset by an amazing supportive and active email list (which I'll trade for docs any day really). That is, if you don't spend all your time claiming the application is broken and buggy.... The real question is, presuming you bear with it and get FR to work, will you write up and contribute documentation for what you've done to help others? Rick
On Fri, Dec 11, 2009 at 12:12 PM, Alex Bahoor <alexbahoor@sbcglobal.net> wrote:
I'm spoiled in using purchased software, which uses GUIs all the time. So my expectations are little different.
Alex, When you need more help than what's available freely, you can purchase support from networkradius (http://networkradius.com/services.html) I'm sure they'd be happy to help you with installation and configuration issues.
While six years working with Sun Microsystems, I kept hearing all the time difficulty was the nature of Solaris, and Unix.
I don't agree with you on that point, but to each his own oppinion.
The most elegant OS, Solaris, unfortunately did not go any where, and Sun went under. Why? Because it was not user friendly.
Just because it's not "popular" in desktop does not mean it "did not go anywhere". Solaris is widely used in enterprise server environment. There are also a lot of improvements in Solaris 10 and opensolaris, which makes it easier to use for desktop users.
It took me quite some time to find out which platform I should have used. What's in the wiki is vague, not specific to specific versions. And what packages of freeradious I should have installed. Till Tim clarified this for me, I was at loss and frustrated. You have to understand, this is free software, compatibility, and interoperability is at a big question; I don't have the time test every OS to find out which one is good, soso, or even bad. It should have been stated clearly in the wiki under "operating systems", and which version of each OS you have tested. Take a look at this paragraph which clearly proves my point. The link under "several versions of Linux" would not bring up a page. And in the same page, all OSes listed have links to download the softwar, which is convenient, but did not tell me, what is there has been tested.
When you have problems, it's usually easier to get help if you ask nicely, and be specific. For this particular case, if you ask "which OS works and tested", I'd point you to RHEL/Centos/Fedora http://wiki.freeradius.org/Red_Hat_FAQ Last, as Rick mentioned, if you find that current documentation/wiki needs updating, please contribute to make it better. -- Fajar
Alex Bahoor wrote:
I don't know what your capacity in freeradius, but I sure hope this product is comparable to steel belt or Cisco's ACS, which are very costly.
It's better.
A picture is worth a thousand words. Network topologies, samples of clients.conf and radiusd.conf with various features from basic to complex security configuration can be downladed and used would save a lot time and confusion. If there is such samples, you would not hear from me.
Unfortunately, your messages show that this isn't true. When you asked for *specific* help, you were given detailed answers. You (a) ignored the answers and asked the same question again, or (b) told them that the answer was wrong. No amount of documentation can make you understand when you refuse to understand. Alan DeKok.
Document problems: Here is an example excerpt from a page on the web:
CLIENTS Make sure the clients (portmasters, Linux with portslave etc) are set up to use the host FreeRADIUS is running on as authentication and accounting host. Configure these clients to use a "radius secret password". For every client, also enter this "secret password" into the file /etc/raddb/clients.conf
Allow me to tell you where my confusion is: 1-The "clients" becomes confusing, when I see portmasters .etc. Is this meant the users who want to get access through a NAS or AP?
Right, you are confusing clients of radius server with clients of the server that uses radius for authentication. Radius client is a device that uses radius server for authentication. That device is usually a network access server (NAS) which in turn has it's clients trying to use the network. These clients are in radius "speak" called users.
2-The "host" here meant to be the server? Why is it called host?
It's a device on which freeradius is running ie it's hosting this program.
3-The "radius secret password" is defined again as "secret password" and "shared secret", all these meant PSK (preshared key). Why is it not called so? Instead of adding many different words for the same definition. See I'm an engineer; definitions are critical to my understanding, and subtle differences can throw me off. May be I'm too meticulous.
4-I looked up the "secret password" in the clients.conf, it was defined as "shared secret". All this confusion could have been eliminated by just using PSK (PreShared Key).
Term "preshared key" is mostly associated with wireless. "Shared secret" is preferred term.
5-Please take a look at this paragraph from the same file: # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { # secret = testing123-1 # shortname = private-network-1 #}
1-The above tells me, every user will have to be entered into Radius with a user and password, which is obvious, but why the IP address has to be as part of this context? A user would use DHCP so this cannot be used.
See above. This is where you define radius clients. They have to have a fixed IP for radius server to accept radius requests from them. Security measure. You define users and passwords in users file. Or sql, ldap, use system passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite a range of options for passwords storage and validation Ivan Kalik
As simple as this: "shared secret", "clients", "user" and so on are all part of the link defined on the RFC2865 (where RADIUS is defined). So, for anyone who already read the RADIUS RFC, understanding how it's implemented on freeradius should be easy. If this is confusing for somebody, he should propose changes to the RFC. http://www.ietf.org/rfc/rfc2865.txt Greetings. On Fri, Dec 11, 2009 at 12:20 PM, <tnt@kalik.net> wrote:
Document problems: Here is an example excerpt from a page on the web:
CLIENTS Make sure the clients (portmasters, Linux with portslave etc) are set up to use the host FreeRADIUS is running on as authentication and accounting host. Configure these clients to use a "radius secret password". For every client, also enter this "secret password" into the file /etc/raddb/clients.conf
Allow me to tell you where my confusion is: 1-The "clients" becomes confusing, when I see portmasters .etc. Is this meant the users who want to get access through a NAS or AP?
Right, you are confusing clients of radius server with clients of the server that uses radius for authentication. Radius client is a device that uses radius server for authentication. That device is usually a network access server (NAS) which in turn has it's clients trying to use the network. These clients are in radius "speak" called users.
2-The "host" here meant to be the server? Why is it called host?
It's a device on which freeradius is running ie it's hosting this program.
3-The "radius secret password" is defined again as "secret password" and "shared secret", all these meant PSK (preshared key). Why is it not called so? Instead of adding many different words for the same definition. See I'm an engineer; definitions are critical to my understanding, and subtle differences can throw me off. May be I'm too meticulous.
4-I looked up the "secret password" in the clients.conf, it was defined as "shared secret". All this confusion could have been eliminated by just using PSK (PreShared Key).
Term "preshared key" is mostly associated with wireless. "Shared secret" is preferred term.
5-Please take a look at this paragraph from the same file: # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { # secret = testing123-1 # shortname = private-network-1 #}
1-The above tells me, every user will have to be entered into Radius with a user and password, which is obvious, but why the IP address has to be as part of this context? A user would use DHCP so this cannot be used.
See above. This is where you define radius clients. They have to have a fixed IP for radius server to accept radius requests from them. Security measure.
You define users and passwords in users file. Or sql, ldap, use system passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite a range of options for passwords storage and validation
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
s/link/lingo/ On Fri, Dec 11, 2009 at 12:58 PM, gera <gera@gera.me> wrote:
As simple as this:
"shared secret", "clients", "user" and so on are all part of the link defined on the RFC2865 (where RADIUS is defined).
So, for anyone who already read the RADIUS RFC, understanding how it's implemented on freeradius should be easy. If this is confusing for somebody, he should propose changes to the RFC.
http://www.ietf.org/rfc/rfc2865.txt
Greetings.
On Fri, Dec 11, 2009 at 12:20 PM, <tnt@kalik.net> wrote:
Document problems: Here is an example excerpt from a page on the web:
CLIENTS Make sure the clients (portmasters, Linux with portslave etc) are set up to use the host FreeRADIUS is running on as authentication and accounting host. Configure these clients to use a "radius secret password". For every client, also enter this "secret password" into the file /etc/raddb/clients.conf
Allow me to tell you where my confusion is: 1-The "clients" becomes confusing, when I see portmasters .etc. Is this meant the users who want to get access through a NAS or AP?
Right, you are confusing clients of radius server with clients of the server that uses radius for authentication. Radius client is a device that uses radius server for authentication. That device is usually a network access server (NAS) which in turn has it's clients trying to use the network. These clients are in radius "speak" called users.
2-The "host" here meant to be the server? Why is it called host?
It's a device on which freeradius is running ie it's hosting this program.
3-The "radius secret password" is defined again as "secret password" and "shared secret", all these meant PSK (preshared key). Why is it not called so? Instead of adding many different words for the same definition. See I'm an engineer; definitions are critical to my understanding, and subtle differences can throw me off. May be I'm too meticulous.
4-I looked up the "secret password" in the clients.conf, it was defined as "shared secret". All this confusion could have been eliminated by just using PSK (PreShared Key).
Term "preshared key" is mostly associated with wireless. "Shared secret" is preferred term.
5-Please take a look at this paragraph from the same file: # # You can now specify one secret for a network of clients. # When a client request comes in, the BEST match is chosen. # i.e. The entry from the smallest possible network. # #client 192.168.0.0/24 { # secret = testing123-1 # shortname = private-network-1 #}
1-The above tells me, every user will have to be entered into Radius with a user and password, which is obvious, but why the IP address has to be as part of this context? A user would use DHCP so this cannot be used.
See above. This is where you define radius clients. They have to have a fixed IP for radius server to accept radius requests from them. Security measure.
You define users and passwords in users file. Or sql, ldap, use system passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite a range of options for passwords storage and validation
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Radius -X is always on, and I went through the clients.conf file. -X gives a lot information, since you asked here is my understanding. I'm not a programmer so some of them are cryptic to me. I put in comments to what I think they are, but they are only guesses. I would be very thankful if you can shed lights on them.
Also, there is file experimental.conf stated in eap.conf, but did not exist. It may have some useful information.
i think you need to start with the basics before you start playing with experimental features! ;-)
root@Crest raddb]# radtest cisco cisco 127.0.0.1 200 testing123
okay - very simple. we now look to see what happens....i've cut out the basic bits to answer your questions
++[preprocess] returns ok ;what is preprocess and what does it do?
Contains the functions for the "huntgroups" and "hints" - if you use those files then they'll seed the request so you can deal with it
++[chap] returns noop ;I can tell that chap was not selected as a protocol, right?
correct
++[mschap] returns noop ;as above
yep
[suffix] No '@' in User-Name = "cisco", looking up realm NULL ;why @ is expected in a name or password?
@ is not 'expected' - but if its present then the suffix module will do stuff.
[suffix] No such realm "NULL" ;what this mean?
exactly what it says - there wasnt a suffix, so the value is NULL but the suffix module found no NULL realm in your config
[eap] No EAP-Message, not doing EAP ;eap is not auth protocol.
correct - this isnt an EAP message
++[unix] returns notfound ;what is this?
unix passwd support. if you dont want to use /etc/passwd etc then comment 'unix' module out
++[files] returns noop ?
this is the big one - this is saying that files module found no information - this suggests that eg you dont have cisco Cleartext-Password := "cisco" in your users file. if you do then you are looking at the wrong users file - /etc/raddb/users or /usr/local/etc/raddb ?
++[expiration] returns noop ? ++[logintime] returns noop ?
2 modules that deal with exactly what they say - expiration and logintime - these are authorisation methods
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ;I do have a password (cisco).
PAP could not find your configured user - it relies on at least one of the previous methods to get such a user!
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user ;this look like authentication protocol is a must before the process can work, however, eap.conf file is there and eap is uncommented out with it’s arguments. ?
radtest doesnt do EAP you need to use one of the tests that does do EAP. anyway....I can safely state that if you install a fresh FreeRADIUS you should be able to add an example user to the users file (as I state above!) and do a radtest and test the whole thing within minutes. alan
hi, sounds like your server has firewall on it - so whilst the daemon is listening locally, the firewall is rejecting the packets (that'd be the cause of the ICMP unreachable)..... add UDP 1812,1813 and 1814 to the firewall config... on redhat - /etc/sysconfig/iptables or use a GUI tool alternatively, the AP cannot actually reach the server because of other reasons - network topology, router/switch ACLs etc - i dont know your network alan
participants (9)
-
Alan Buxey -
Alan DeKok -
Alex Bahoor -
Fajar A. Nugraha -
freeradius@corwyn.net -
gera -
Patric -
Tim Sylvester -
tnt@kalik.net