Hi guys. I was wondering if the information read from the nas table is in any way used by freeradius or maybe I misread/misconfigured something? The sql.conf file has set readclients = yes but freeradius is ignoring the information stored in sql using only the one from clients.conf. The clients.conf itself has to be included in the radiusd.conf as well and the clients.conf needs at least one valid client info stored in it. Example of my nas table: mysql> select * from nas; +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | id | nasname | shortname | type | ports | secret | community | description | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | 1 | localhost | Localhost | mikrotik | 1812 | xxxyyyzz | whatever | Localhost Radius Server | | 4 | demo.domain.com | demo | mikrotik | 1812 | xxxyyzz | whatever | Demo Radius Server | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ The hosts in nasname have their corresponding IP's stored in /etc/hosts or a local DNS server. Regards, Marcin Jessa.
in the slq conf file set readclients=yes and make sure that nas_table=nas. Regards, Edgars Marcin Jessa wrote:
Hi guys.
I was wondering if the information read from the nas table is in any way used by freeradius or maybe I misread/misconfigured something? The sql.conf file has set readclients = yes but freeradius is ignoring the information stored in sql using only the one from clients.conf. The clients.conf itself has to be included in the radiusd.conf as well and the clients.conf needs at least one valid client info stored in it.
Example of my nas table:
mysql> select * from nas; +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | id | nasname | shortname | type | ports | secret | community | description | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | 1 | localhost | Localhost | mikrotik | 1812 | xxxyyyzz | whatever | Localhost Radius Server | | 4 | demo.domain.com | demo | mikrotik | 1812 | xxxyyzz | whatever | Demo Radius Server | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+
The hosts in nasname have their corresponding IP's stored in /etc/hosts or a local DNS server.
Regards, Marcin Jessa. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Edgars. On Wed, 01 Jun 2005 16:41:15 +0300 Edgars <edzix19@inbox.lv> wrote:
in the slq conf file set readclients=yes and make sure that nas_table=nas.
In the first email I said I had that enabled. So you mean nas table is properly used by freeradius and reads the hosts stored in it with the secret for the NAS? What about the clients.conf file? What should I keep there? It needs at least one host definition or radius will not start.
Marcin Jessa wrote:
Hi guys.
I was wondering if the information read from the nas table is in any way used by freeradius or maybe I misread/misconfigured something? The sql.conf file has set readclients = yes but freeradius is ignoring the information stored in sql using only the one from clients.conf. The clients.conf itself has to be included in the radiusd.conf as well and the clients.conf needs at least one valid client info stored in it.
Example of my nas table:
mysql> select * from nas; +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | id | nasname | shortname | type | ports | secret | community | description | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | 1 | localhost | Localhost | mikrotik | 1812 | xxxyyyzz | whatever | Localhost Radius Server | | 4 | demo.domain.com | demo | mikrotik | 1812 | xxxyyzz | whatever | Demo Radius Server | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+
The hosts in nasname have their corresponding IP's stored in /etc/hosts or a local DNS server.
Regards, Marcin Jessa. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
in the slq conf file set readclients=yes and make sure that nas_table=nas.
In the first email I said I had that enabled. So you mean nas table is properly used by freeradius and reads the hosts stored in it with the secret for the NAS? What about the clients.conf file? What should I keep there? It needs at least one host definition or radius will not start.
It is a bad behaviour that the server refuses to start. As a workaround, just put one dummy client in the file (e.g. localhost) and have all the rest in the nas table. Other than for providing that one dummy client, the clients.conf file is obsolete if you use the nas table. Alternatively, you could use the patch http://bugs.freeradius.org/show_bug.cgi?id=203 which makes the server start when the nas table is used even when the clients.conf file is empty/nonexistent. Alan DeKok once said he considers the patch for inclusion into the mainline server, but I didn't hear any further news on this since some time. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: stefan.winter@restena.lu tél.: +352 424409-1 http://www.restena.lu fax: +352 422473
Stefan Winter <freeradius-users-ml@stefan-winter.de> wrote:
What should I keep there? It needs at least one host definition or radius will not start.
It is a bad behaviour that the server refuses to start. ... Alan DeKok once said he considers the patch for inclusion into the mainline server, but I didn't hear any further news on this since some time.
The patch probably won't be applied to 1.0.x. We'll look at it for 1.1.0, but it may require minor changes. Alan DeKok.
Hi again. I noticed when I add new NAS servers to SQL on a running radius server, they will not be used before the radius server is restarted. Is that a case or am I mistaken here? If that's the case, how will restarting radius affect user's accounting info? What will happen with the accounting info of an already loged in user, will it get synced when the radius server is started again? Is there a way to make radius automatically read new entries added to the nas table ? Regards, Marcin Jessa. On Thu, 02 Jun 2005 13:44:49 -0400 "Alan DeKok" <aland@ox.org> wrote:
Stefan Winter <freeradius-users-ml@stefan-winter.de> wrote:
What should I keep there? It needs at least one host definition or radius will not start.
It is a bad behaviour that the server refuses to start. ... Alan DeKok once said he considers the patch for inclusion into the mainline server, but I didn't hear any further news on this since some time.
The patch probably won't be applied to 1.0.x. We'll look at it for 1.1.0, but it may require minor changes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi again.
I noticed when I add new NAS servers to SQL on a running radius server, they will not be used before the radius server is restarted. Is that a case or am I mistaken here?
it is like it currently is supposted to be. IMHO, the accounting packets which will be droped due this will be resend with the next accounting portion. You can send a HUP signal to make configuration files reloaded. Edgars
Hello, I am trying to install freeradius 1.0.3 in a machine running Linux ubuntu hoary OS. My questions are: 1. Will the following procedure work? tar xzf ~/freeradius-1.0.3.tar.gz cd freeradius-1.0.3 fakeroot dpkg-buildpackage -b sudo dpkg -i ../freeradius_1.0.3-0_i386.deb 2. Do I have to make any changes due to the fact that (i) I am using ubuntu (Debian) or that (ii) I will be using MySQL modules? Thanks, Max
Marcin Jessa <lists@yazzy.org> wrote:
I noticed when I add new NAS servers to SQL on a running radius server, they will not be used before the radius server is restarted. Is that a case or am I mistaken here?
You can send a HUP signal to th eserver.
If that's the case, how will restarting radius affect user's accounting info?
It won't.
What will happen with the accounting info of an already loged in user, will it get synced when the radius server is started again?
What do you mean "get synced"? If you put the accounting information in SQL, the server will have access to it.
Is there a way to make radius automatically read new entries added to the nas table ?
Source code modifications. Alan DeKok.
Hi. On Mon, 06 Jun 2005 14:48:22 -0400 "Alan DeKok" <aland@ox.org> wrote:
Marcin Jessa <lists@yazzy.org> wrote:
I noticed when I add new NAS servers to SQL on a running radius server, they will not be used before the radius server is restarted. Is that a case or am I mistaken here?
You can send a HUP signal to th eserver. That would require apache to have access to the radius deamon when using a web-based interface. Even worse, it'd be pretty much impossible to write an secure GUI application to remotely access freeradius and make it reread the data stored in SQL since activating the changes made in the nas table will require sending HUP signal to the server. Maybe a wrapper for that could fix it but IMHO it's not a very "elegant" solution.
If that's the case, how will restarting radius affect user's accounting info?
It won't.
What will happen with the accounting info of an already loged in user, will it get synced when the radius server is started again?
What do you mean "get synced"? If you put the accounting information in SQL, the server will have access to it.
I mean, if a user is loged in and the user's accouting information cannot be stored in the database becouse the radius daemon was not accessible by a NAS. Will the accounting information from the time when the radius wasn't running get appended to the old information (before radius got HUP'ed) ?
Is there a way to make radius automatically read new entries added to the nas table ?
Source code modifications. Can this be added to the todo list?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Marcin Jessa <lists@yazzy.org> wrote:
You can send a HUP signal to th eserver. That would require apache to have access to the radius deamon when using a web-based interface.
Uh, no.
Even worse, it'd be pretty much impossible to write an secure GUI application to remotely access freeradius and make it reread the data stored in SQL since activating the changes made in the nas table will require sending HUP signal to the server.
You're having a web page update RADIUS clients in SQL, and you're worried about a "secure" GUI? That makes no sense. If the application can update the SQL data, you've already lost most of the security of your system. It means that someone breaking in through that application can update SQL, and then use a malicious RADIUS client to further attack the server.
Maybe a wrapper for that could fix it but IMHO it's not a very "elegant" solution.
A web GUI updating the configuration for a security-critical application isn't a very "elegant" solution, either. Pick your battles. If you're going to drive around with your card windows rolled down, it doesn't make much sense to lock the doors for extra "security".
I mean, if a user is loged in and the user's accouting information cannot be stored in the database becouse the radius daemon was not accessible by a NAS. Will the accounting information from the time when the radius wasn't running get appended to the old information (before radius got HUP'ed) ?
The NAS will keep sending the accounting information until it gets a response. And to answer a question you didn't ask, you're making the assumption that a HUP will kill the server. It won't. It will cause the server to re-read it's configuration files. Nothing more.
Source code modifications. Can this be added to the todo list?
Whose? Alan DeKok.
On Mon, 06 Jun 2005 17:11:46 -0400 "Alan DeKok" <aland@ox.org> wrote:
Marcin Jessa <lists@yazzy.org> wrote:
You can send a HUP signal to th eserver. That would require apache to have access to the radius deamon when using a web-based interface.
Uh, no.
The way I understand it, say a PHP script used to HUP radiusd would get executed as the httpd user. In that case the httpd deamon would need to be added to the sudoers group like this: www your.server = NOPASSWD: /usr/local/sbin/radiusd How else can this be done?
Even worse, it'd be pretty much impossible to write an secure GUI application to remotely access freeradius and make it reread the data stored in SQL since activating the changes made in the nas table will require sending HUP signal to the server.
You're having a web page update RADIUS clients in SQL, and you're worried about a "secure" GUI? That makes no sense.
That actually makes sense. In both cases a user can be granted only certain privilegues by the tool he/she uses not being able to do any harm to the radius server. Anyway, a well coded web or GUI application shouldn't be less secure as a *NIX server granting access to remotely accessible services like sshd or smtpd.
If the application can update the SQL data, you've already lost most of the security of your system. It means that someone breaking in through that application can update SQL, and then use a malicious RADIUS client to further attack the server.
The FreeRadius daemon can be remotely accessed and it updates data stored in SQL database. Does it make it unsecure ? There is allways a chance someone can do something nasty with some tool.
Maybe a wrapper for that could fix it but IMHO it's not a very "elegant" solution.
A web GUI updating the configuration for a security-critical application isn't a very "elegant" solution, either.
What in your opinion would make an elegant solution to create a user-friendly tool to configure FreeRadius ?
Source code modifications. Can this be added to the todo list?
Whose?
I was convinced you were a part of the developers team and every project I know of has certain goals and milestones. Thanks, Marcin.
Marcin Jessa <lists@yazzy.org> wrote:
The way I understand it, say a PHP script used to HUP radiusd would get executed as the httpd user. In that case the httpd deamon would need to be added to the sudoers group like this: www your.server = NOPASSWD: /usr/local/sbin/radiusd How else can this be done?
Huh? why would you permit user www to run radiusd? You need to send a HUP signal to radiusd. You don't need to run it.
The FreeRadius daemon can be remotely accessed and it updates data stored in SQL database. Does it make it unsecure ?
The more pieces you have involved, the less secure something is. FreeRADIUS is more secure than FreeRADIUS + SQL, is more secure than FreeRADIUS + SQL + web admin too, is more secure than FreeRADIUS + SQL +....
What in your opinion would make an elegant solution to create a user-friendly tool to configure FreeRadius ?
*I* wasn't the one asking for an elegant solution. You were. I was just pointing out that a solution you called "not very elegant" is pretty much identical to what a solution you're implementing.
[ re: todo ]
I was convinced you were a part of the developers team and every project I know of has certain goals and milestones.
There's no official "todo" list for FreeRADIUS. If you want a feature, submit a request on bugs.freeradius.org. Even better, submit a patch, so it's easy to add the feature. Alan DeKok.
Hi, I have been watching this from the beginning ;) It got really interesting now. Does anyone know about OMAPI support in DHCPd? It allows you to change the config ( for example - update a lease ) at the real time without a need to restart a server. I am not a professional programmer, but would it be hard to implement something like that in freeRadius? Lets say to change the NAS info, or the IP pools etc... Regards, Edvin Seferovic -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Dienstag, 07. Juni 2005 00:14 To: FreeRadius users mailing list Subject: Re: NAS info + MySQL Marcin Jessa <lists@yazzy.org> wrote:
The way I understand it, say a PHP script used to HUP radiusd would get executed as the httpd user. In that case the httpd deamon would need to be added to the sudoers group like this: www your.server = NOPASSWD: /usr/local/sbin/radiusd How else can this be done?
Huh? why would you permit user www to run radiusd? You need to send a HUP signal to radiusd. You don't need to run it.
The FreeRadius daemon can be remotely accessed and it updates data stored in SQL database. Does it make it unsecure ?
The more pieces you have involved, the less secure something is. FreeRADIUS is more secure than FreeRADIUS + SQL, is more secure than FreeRADIUS + SQL + web admin too, is more secure than FreeRADIUS + SQL +....
What in your opinion would make an elegant solution to create a user-friendly tool to configure FreeRadius ?
*I* wasn't the one asking for an elegant solution. You were. I was just pointing out that a solution you called "not very elegant" is pretty much identical to what a solution you're implementing.
[ re: todo ]
I was convinced you were a part of the developers team and every project I know of has certain goals and milestones.
There's no official "todo" list for FreeRADIUS. If you want a feature, submit a request on bugs.freeradius.org. Even better, submit a patch, so it's easy to add the feature. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 7 Jun 2005 00:38:03 +0200 "Seferovic Edvin" <edvin.seferovic@kolp.at> wrote:
Hi,
I have been watching this from the beginning ;) It got really interesting now. Does anyone know about OMAPI support in DHCPd? It allows you to change the config ( for example - update a lease ) at the real time without a need to restart a server.
I am not a professional programmer, but would it be hard to implement something like that in freeRadius? Lets say to change the NAS info, or the IP pools etc...
AFAIR PowerDNS uses a similar solution. It alows the DNS server to immediately answer the queries reading freshly inserted info in the SQL tables. Cheers, Marcin
Marcin Jessa <lists@yazzy.org> wrote:
AFAIR PowerDNS uses a similar solution. It alows the DNS server to immediately answer the queries reading freshly inserted info in the SQL tables.
FreeRADIUS does this too, for *users*. It does NOT do this for RADIUS clients, and it will NEVER do this for RADIUS clients, because RADIUS servers have to deal with security issues that DNS servers don't. I'm sorry you don't understand this, and I understand why you're feeling frustrated. But that's life. You can't always get what you want. Alan DEKok.
"Seferovic Edvin" <edvin.seferovic@kolp.at> wrote:
I have been watching this from the beginning ;) It got really interesting now. Does anyone know about OMAPI support in DHCPd? It allows you to change the config ( for example - update a lease ) at the real time without a need to restart a server.
As I said in an earlier post, FreeRADIUS allows this, too. Just not for everything. Similarly, DHCPd doesn't export all of it's configuration through OMAPI. Alan DeKok.
Hi, I must have missed that part. Where can I find some doc about OMAPI support in freeradius? Thank you in advance. Regards, Edvin Seferovic -----Original Message----- From: aland@nitros9.org [mailto:aland@nitros9.org] On Behalf Of Alan DeKok Sent: Dienstag, 07. Juni 2005 20:54 To: edvin.seferovic@kolp.at; FreeRadius users mailing list Subject: Re: NAS info + MySQL "Seferovic Edvin" <edvin.seferovic@kolp.at> wrote:
I have been watching this from the beginning ;) It got really interesting now. Does anyone know about OMAPI support in DHCPd? It allows you to change the config ( for example - update a lease ) at the real time without a need to restart a server.
As I said in an earlier post, FreeRADIUS allows this, too. Just not for everything. Similarly, DHCPd doesn't export all of it's configuration through OMAPI. Alan DeKok.
"Seferovic Edvin" <edvin.seferovic@kolp.at> wrote:
I must have missed that part. Where can I find some doc about OMAPI support in freeradius?
<sigh> FreeRADIUS does not have OMAPI support. Like DHCPd, FreeRADIUS supports live updates of SOME configuration. FreeRADIUS does this by using *databases* to store *data*, and by querying those databases dynamically. Alan DeKok.
On Mon, 06 Jun 2005 18:13:32 -0400 "Alan DeKok" <aland@ox.org> wrote:
Marcin Jessa <lists@yazzy.org> wrote:
The way I understand it, say a PHP script used to HUP radiusd would get executed as the httpd user. In that case the httpd deamon would need to be added to the sudoers group like this: www your.server = NOPASSWD: /usr/local/sbin/radiusd How else can this be done?
Huh? why would you permit user www to run radiusd?
You need to send a HUP signal to radiusd. You don't need to run it.
I never said I want to run radiusd as www user. Web scripts get executed as the www user. That way I need to grand apache access to HUP radiusd and that can be done with sudo adding www user to the sudoers file and allowing it to exec /usr/local/sbin/radiusd. That is the only solution I can think of to be able to HUP radiusd running a script from web interface. That's the whole point, I wished there was a better way to do that. The perfect solution would be to have radiusd reread the nas table when it gets changed. Cheers, Marcin
Marcin Jessa <lists@yazzy.org> wrote:
Web scripts get executed as the www user. That way I need to grand apache access to HUP radiusd and that can be done with sudo adding www user to the sudoers file and allowing it to exec /usr/local/sbin/radiusd.
The only thing that needs non-WWW permissions is a script which does: #!/bin/sh [ -f /var/log/radius/radiusd.pid] && kill -HUP `cat /var/log/radius/radiusd.pid` It doesn't need to exec radiusd.
The perfect solution would be to have radiusd reread the nas table when it gets changed.
You've said that a number of times. We're all very clear on your opinions. You can now: 1) Pay someone to write that code 2) write it yourself 3) wait for someone to write it for free Repeatedly posting the same comment on the list isn't going to give anyone incentive to write the code. Alan DeKok.
On Mon, 06 Jun 2005 21:41:22 -0400 "Alan DeKok" <aland@ox.org> wrote:
Marcin Jessa <lists@yazzy.org> wrote:
Web scripts get executed as the www user. That way I need to grand apache access to HUP radiusd and that can be done with sudo adding www user to the sudoers file and allowing it to exec /usr/local/sbin/radiusd.
The only thing that needs non-WWW permissions is a script which does:
#!/bin/sh [ -f /var/log/radius/radiusd.pid] && kill -HUP `cat /var/log/radius/radiusd.pid`
It doesn't need to exec radiusd.
I was hoping I would not need to explain it one more time. It does not metter what kind of signal httpd sends to radiusd, it would still need to be able to execute the command as a privileged user.
The perfect solution would be to have radiusd reread the nas table when it gets changed.
You've said that a number of times. We're all very clear on your opinions.
Yes, I mentioned it since this was the whole point of my email. That should seem reasonible to anyone.
You can now: 1) Pay someone to write that code
I am considering that option. Do you know of anyone familiar with the freeradius code who could take the job?
Marcin Jessa <lists@yazzy.org> wrote:
I was hoping I would not need to explain it one more time.
I am very clear on what you want, and why. What you're not clear on is my answers.
It does not metter what kind of signal httpd sends to radiusd, it would still need to be able to execute the command as a privileged user.
So... list the command under "sudo". You know how to do that, you posted an example earlier. What you did wrong with the previous "sudo" example was allow "www" to run "radiusd", which is useless.
Do you know of anyone familiar with the freeradius code who could take the job?
http://www.freeradius.org/business/ It's a public web site. Alan DeKok.
On Mon, 06 Jun 2005 21:41:22 -0400 "Alan DeKok" <aland@ox.org> wrote:
#!/bin/sh [ -f /var/log/radius/radiusd.pid] && kill -HUP `cat /var/log/radius/radiusd.pid`
It doesn't need to exec radiusd.
One more thing about this solution is you would need to either run radiusd as root or chown radiususer:radiusgroup the radius configs in order to be able to HUP radiusd. Radius daemon is started as root and then switched to the unprivileged user defined in radiusd.conf Radius will die if it gets signal HUP and the config files are not owned by the unprivileged user. Having radius configs owned by unprivileged user increases security risk, since this will grant an attacker who manages to abuse the server access to change the configs... Either way, sending -HUP signal to a running radius daemon seems like a bad idea. Cheers, Marcin
Marcin Jessa <lists@yazzy.org> wrote:
One more thing about this solution is you would need to either run radiusd as root or chown radiususer:radiusgroup the radius configs in order to be able to HUP radiusd. Radius daemon is started as root and then switched to the unprivileged user defined in radiusd.conf Radius will die if it gets signal HUP and the config files are not owned by the unprivileged user.
No. It will die if it can't read the files. That's different.
Having radius configs owned by unprivileged user increases security risk, since this will grant an attacker who manages to abuse the server access to change the configs... Either way, sending -HUP signal to a running radius daemon seems like a bad idea.
Only if the file permissions prevent it. $ chown -R root.radiusd /etc/raddb $ chmod o+rw /etc/raddb/* $ chmod g-w /etc/raddb/* $ chmod g+r /etc/raddb/* And have the server run as user "radiusd", group "radiusd". It has read permissions to radiusd.conf, so a HUP will work. It doesn't have write permissions, so it's secure. This is what different groups & file permissions are for. Alan DeKok.
Marcin, you should configure your radiusd.conf file so that clients.conf would not be used at all, otherwise - yes, there should be at least one symbol in that file to run the radius. You should use the proper schema for the NAS table in order to get everything to work. Refer to /src/modules/rlm_sql/drivers/rlm_sql_xxx for that. Regards, Edgars Marcin Jessa wrote:
Hi Edgars.
On Wed, 01 Jun 2005 16:41:15 +0300 Edgars <edzix19@inbox.lv> wrote:
in the slq conf file set readclients=yes and make sure that nas_table=nas.
In the first email I said I had that enabled. So you mean nas table is properly used by freeradius and reads the hosts stored in it with the secret for the NAS? What about the clients.conf file? What should I keep there? It needs at least one host definition or radius will not start.
Marcin Jessa wrote:
Hi guys.
I was wondering if the information read from the nas table is in any way used by freeradius or maybe I misread/misconfigured something? The sql.conf file has set readclients = yes but freeradius is ignoring the information stored in sql using only the one from clients.conf. The clients.conf itself has to be included in the radiusd.conf as well and the clients.conf needs at least one valid client info stored in it.
Example of my nas table:
mysql> select * from nas; +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | id | nasname | shortname | type | ports | secret | community | description | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+ | 1 | localhost | Localhost | mikrotik | 1812 | xxxyyyzz | whatever | Localhost Radius Server | | 4 | demo.domain.com | demo | mikrotik | 1812 | xxxyyzz | whatever | Demo Radius Server | +----+-------------------+-----------+----------+-------+----------+-----------+----------------------------------+
The hosts in nasname have their corresponding IP's stored in /etc/hosts or a local DNS server.
Regards, Marcin Jessa. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
you should configure your radiusd.conf file so that clients.conf would not be used at all, otherwise - yes, there should be at least one symbol in that file to run the radius.
you should add that even though it is possible to exclude the _file_ clients.conf, he would still need to define client {} stanza somewhere else, for example in radiusd.conf itself. This just moves the problem, because you still have a client defined plaintext. And it's even worse because then you have the stanza in a different place where it isn't used to be. Using the patch I mentioned completely relieves you of that cruft. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: stefan.winter@restena.lu tél.: +352 424409-1 http://www.restena.lu fax: +352 422473
participants (6)
-
Alan DeKok -
Edgars -
Marcin Jessa -
Seferovic Edvin -
Software Development Group -
Stefan Winter