Jose Divino de Lima, please tell me how to connect SER and freeradius!

zhu lizhong zhulizhong at gmail.com
Wed Aug 10 05:50:28 CEST 2005


Hello, Lima and other guys:
I have tried for a few weeks to connect SER and freeradius. I use
freeradius to generate call records, but when I compile SER, my ser.cfg
is always stopping at mysql.so; there is no getconnection in mysql. If I run
-- radclient -f digest, it cannot work properly. Please help me fix it!
Thanks a lot!
zhu

On 8/10/05, freeradius-users-request at lists.freeradius.org
<freeradius-users-request at lists.freeradius.org> wrote:
> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Hi. Windows RADIUS server died.  (Alan DeKok)
>    2. Re: Hi. Windows RADIUS server died. (Derrick MacPherson)
>    3. Re: Hi. Windows RADIUS server died.  (Alan DeKok)
>    4. Re: Hi. Windows RADIUS server died. (Derrick MacPherson)
>    5. OK, further along. Can radtest test my ntlm_auth?
>       (Derrick MacPherson)
>    6. Re: iptables rules from freeradius... (tbsky at annsky.us)
>    7. Re: iptables rules from freeradius...  (Alan DeKok)
>    8. Re: FreeRadius EAP-TLS quesiton (Hamid Salim)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Tue, 09 Aug 2005 18:12:01 -0400
> From: "Alan DeKok" <aland at ox.org>
> Subject: Re: Hi. Windows RADIUS server died.
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <20050809221201.88F2716CCA at mail.nitros9.org>
> 
> Derrick MacPherson <dmacpherson at mainframe.ca> wrote:
> > Is there a way to test if the authentication is passing or failing?
> 
>   Debug mode?
> 
>   There's no real ms-chap command-line utility that I know of.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Tue, 09 Aug 2005 15:29:35 -0700
> From: Derrick MacPherson <dmacpherson at mainframe.ca>
> Subject: Re: Hi. Windows RADIUS server died.
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <1123626575.10739.120.camel at Mandarin-04.mainframe.ca>
> Content-Type: text/plain
> 
> >   Debug mode?
> >
> >   There's no real ms-chap command-line utility that I know of.
> 
> not using ms-chap.
> I'm not sure what I can use other than turning our firewall at it. Is
> there any other way?
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Tue, 09 Aug 2005 18:47:05 -0400
> From: "Alan DeKok" <aland at ox.org>
> Subject: Re: Hi. Windows RADIUS server died.
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <20050809224705.7356616CCA at mail.nitros9.org>
> 
> Derrick MacPherson <dmacpherson at mainframe.ca> wrote:
> > I'm not sure what I can use other than turning our firewall at it. Is
> > there any other way?
> 
>   The radius client that comes with FreeRADIUS?
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Tue, 09 Aug 2005 15:52:45 -0700
> From: Derrick MacPherson <dmacpherson at mainframe.ca>
> Subject: Re: Hi. Windows RADIUS server died.
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <1123627965.10739.126.camel at Mandarin-04.mainframe.ca>
> Content-Type: text/plain
> 
> On Tue, 2005-08-09 at 18:47 -0400, Alan DeKok wrote:
> >   The radius client that comes with FreeRADIUS?
> 
> hehe. You mean it's that simple? Damn.
> 
> Sorry didn't realise there was a client at all.
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Tue, 09 Aug 2005 16:23:56 -0700
> From: Derrick MacPherson <dmacpherson at mainframe.ca>
> Subject: OK, further along. Can radtest test my ntlm_auth?
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <1123629836.10739.135.camel at Mandarin-04.mainframe.ca>
> Content-Type: text/plain
> 
> I'm wondering if I can use radtest to authenticate to my w2k server? If
> so, what's the syntax? I've tested local and it works, I want to test the
> ntlm_auth. The syntax that I am using for the ntlm_auth = should work,
> it works from the cli.
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Wed, 10 Aug 2005 09:00:52 +0800 (CST)
> From: tbsky at annsky.us
> Subject: Re: iptables rules from freeradius...
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Message-ID:
>         <46217.220.130.50.117.1123635652.squirrel at qmail.annsky.com>
> Content-Type: text/plain;charset=big5
> 
> Hi:
>    Sorry, I did not describe my environment properly.
>    My radius server is also the wireless gateway & firewall,
>    so the iptables rules are set up at the radius server,
>    not at the NAS. Is this possible?
> 
> Regards,
> sky_li
> 
> > tbsky at annsky.us wrote:
> >>    now i want to setup some iptables rules for authenticated users.
> >>    i wonder if this can be done via freeradius.
> >
> >   The proper question is: Can the NAS do it?  If not, then no
> > configuration of FreeRADIUS will make the NAS do it.
> >
> >>    can i find out the mac address or ip address information for
> >>    authenticated users?
> >
> >   Look in the packets.
> >
> >> can i run iptables scripts when a user authenticated successfully ?
> >
> >   Ask the NAS.
> >
> >   Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Tue, 09 Aug 2005 21:32:24 -0400
> From: "Alan DeKok" <aland at ox.org>
> Subject: Re: iptables rules from freeradius...
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <20050810013224.D5E5316CCA at mail.nitros9.org>
> 
> tbsky at annsky.us wrote:
> >    My radius server is also the wireless gateway & firewall,
> >    so the iptables rules are set up at the radius server,
> >    not at the NAS. Is this possible?
> 
>   Yes.  Run a shell script.  See "Exec-Program"
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Tue, 9 Aug 2005 22:03:38 -0400 (EDT)
> From: Hamid Salim <salim.h at neu.edu>
> Subject: Re: FreeRadius EAP-TLS quesiton
> To: freeradius-users at lists.freeradius.org
> Message-ID: <7324206.1123639418438.JavaMail.salim.h at neu.edu>
> Content-Type: text/plain; charset=UTF-8
> 
> Kris,
> Thanks for your help.
> 
> Do you think that (1) and (2) in my previous message could be the
> reason that freeradius will not authenticate the client?
> 
> thanks again.
> 
> 
> freeradius-users-request at lists.freeradius.org wrote:
> 
> 
> >
> >Today's Topics:
> >
> >   1. FreeRadius EAP-TLS quesitons (Hamid Salim)
> >   2. Re: problem with using rlm_sql for accounting only (John Donagher)
> >   3. Re: problem with using rlm_sql for accounting only (John Donagher)
> >   4. Re: FreeRadius EAP-TLS quesitons (Kris Benson)
> >   5. sql.conf (update query) (Michel Bélanger)
> >   6. Re: problem with using rlm_sql for accounting only  (Alan DeKok)
> >   7. Hi. Windows RADIUS server died. (Derrick MacPherson)
> >   8. Re: Hi. Windows RADIUS server died.  (Alan DeKok)
> >   9. Re: Hi. Windows RADIUS server died. (Derrick MacPherson)
> >  10. Re: how to return multiple attributes from ldap? (kevin)
> >
> >
> >----------------------------------------------------------------------
> >
> >Message: 1
> >Date: Tue, 9 Aug 2005 13:54:52 -0400 (EDT)
> >From: Hamid Salim <salim.h at neu.edu>
> >Subject: FreeRadius EAP-TLS quesitons
> >To: freeradius-users at lists.freeradius.org
> >Message-ID: <4476601.1123610092946.JavaMail.salim.h at neu.edu>
> >Content-Type: text/plain; charset=UTF-8
> >
> >Hello,
> >Two part question:
> >1. Is it critical to have certificates, dh and random files in
> >etc/raddb/certs directory for eap-tls to work.
> >2. Is it ok to generate random file as date > random
> >
> >thanks a lot.
> >Hamid.
> >
> >
> >------------------------------
> >
> >Message: 2
> >Date: Tue, 09 Aug 2005 13:55:45 -0400
> >From: John Donagher <john at webmeta.com>
> >Subject: Re: problem with using rlm_sql for accounting only
> >To: FreeRadius users mailing list
> >       <freeradius-users at lists.freeradius.org>
> >Message-ID: <1123610145.31591.0.camel at localhost.localdomain>
> >Content-Type: text/plain
> >
> >On Tue, 2005-08-09 at 00:01 +0200, Nicolas Baradakis wrote:
> >> John Donagher wrote:
> >>
> >> > If the SQL server is inaccessible (i.e. down, or locked), freeradius
> >> > rejects all radius requests. In my case, since the SQL database is being
> >> > used only for accounting, this is not desired behavior.
> >>
> >> The link below explains how to control the flow of modules in FreeRADIUS.
> >> http://www.freeradius.org/radiusd/doc/configurable_failover
> >>
> >> There is an example which looks like what you want to do for accounting.
> >>
> >
> >Thanks, that was exactly what I was looking for!
> >
> >John
> >
> >
> >
> >
> >------------------------------
> >
> >Message: 3
> >Date: Tue, 09 Aug 2005 14:01:11 -0400
> >From: John Donagher <john at webmeta.com>
> >Subject: Re: problem with using rlm_sql for accounting only
> >To: FreeRadius users mailing list
> >       <freeradius-users at lists.freeradius.org>
> >Message-ID: <1123610471.31591.7.camel at localhost.localdomain>
> >Content-Type: text/plain
> >
> >On Mon, 2005-08-08 at 18:09 -0400, Alan DeKok wrote:
> >> John Donagher <john at webmeta.com> wrote:
> >> > If the SQL server is inaccessible (i.e. down, or locked), freeradius
> >> > rejects all radius requests. In my case, since the SQL database is being
> >> > used only for accounting, this is not desired behavior.
> >>
> >>   See the log messages.
> >>
> >>   What's probably happening is that all of the threads are blocked,
> >> waiting for SQL to respond.  Therefore, there are no threads ready to
> >> service authentication requests, and they get discarded.
> >>
> >>   The solution is to fix the SQL server so it doesn't go down.  If
> >> it's a critical part of your infrastructure, I'm a little unsure as to
> >> why it would go down, or lock FreeRADIUS out for many seconds at a
> >> time.
> >
> >Indeed.. under normal circumstances it wouldn't go down. My issue is
> >that the SQL server is not a critical part of our infrastructure and I
> >don't want it to be (at this point anyway). I'm using it for accounting
> >trend reporting only.. in any event, Nicolas' suggestion was right on
> >and works like a charm.
> >
> >Thanks
> >John
> >
> >
> >
> >
> >------------------------------
> >
> >Message: 4
> >Date: Tue, 09 Aug 2005 11:18:10 -0700
> >From: "Kris Benson" <kbenson at sd57.bc.ca>
> >Subject: Re: FreeRadius EAP-TLS quesitons
> >To: "FreeRadius users mailing list"
> >       <freeradius-users at lists.freeradius.org>
> >Cc: freeradius-users at lists.freeradius.org
> >Message-ID:
> >       <fc.000f89ac0157986a3b9aca00c03bc7e0.1579876 at mail.sd57.bc.ca>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >FreeRadius users mailing list <freeradius-users at lists.freeradius.org> on
> >August 9, 2005 at 10:54 -0800 wrote:
> >>Hello,
> >>Two part question:
> >>1. Is it critical to have certificates, dh and random files in
> >>etc/raddb/certs directory for eap-tls to work.
> >>2. Is it ok to generate random file as date > random
> >
> >1. Yes, sort of.  You can put it in a different directory if you change
> >the eap.conf entries.
> >
> >2. No. This is the correct way:
> >
> >To generate the dh file you can use a function that comes with openssl
> >
> >openssl dhparam -check -text -5 512 -out dh
> >
> >This will generate a 512 Diffie-Hellman key named dh.
> >Move this file to /etc/mycerts/
> >
> >mv dh /etc/mycerts/.
> >
> >To generate a random file you will need a short C program using openssl
> >libraries.  Paste this text into a file named 'random.c':
> >----8< cut---
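> >#include <stdio.h>
> >#include <openssl/rand.h>
> >
> >int main(void) {
> >    unsigned char buf[100];
> >    /* RAND_bytes() returns 1 on success */
> >    if (RAND_bytes(buf, sizeof(buf)) != 1) {
> >        /* the usual md5(time+pid) */
> >        return 1;   /* no random data: exit with an error */
> >    }
> >    /* buf holds raw bytes, not a NUL-terminated string, so use fwrite */
> >    printf("Random : ");
> >    fwrite(buf, 1, sizeof(buf), stdout);
> >    printf("\n");
> >    return 0;
> >}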
> >----8< cut---
> >
> >Compile it like this: gcc random.c -o random -lcrypto
> >
> >It will generate a 32-bit LSB executable named random; try it with ./random.
> >
> >Move this file to /etc/mycerts/:
> >mv random /etc/mycerts/.
> >
> >-kb
> >--
> >Kris Benson, CCP, I.S.P.
> >Technical Analyst, District Projects
> >School District #57 (Prince George)
> >
> >
> >
> >------------------------------
> >
> >Message: 5
> >Date: Tue, 09 Aug 2005 15:34:28 -0400
> >From: Michel Bélanger <michel.belanger at mediom.qc.ca>
> >Subject: sql.conf (update query)
> >To: freeradius-users at lists.freeradius.org
> >Message-ID: <42F90544.8020804 at mediom.qc.ca>
> >Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> >Hi,
> >I am trying to add an additional query to the update query in sql.conf. Is
> >it possible to do this?
> >
> >Here is what I have tested:
> >
> >accounting_update_query = "UPDATE ${acct_table1} \
> >         SET FramedIPAddress = '%{Framed-IP-Address}', \
> >         AcctSessionTime = '%{Acct-Session-Time}', \
> >         AcctInputOctets = '%{Acct-Input-Octets}', \
> >         AcctOutputOctets = '%{Acct-Output-Octets}' \
> >         WHERE AcctSessionId = '%{Acct-Session-Id}' \
> >         AND UserName = '%{SQL-User-Name}' \
> >         AND NASIPAddress= '%{NAS-IP-Address}'; INSERT into radtempo \
> >         (AcctInputOctets, AcctOutputOctets, AcctSessionId) \
> >         values('%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Acct-Session-Id}')"
> >
> >rlm_sql_mysql: MYSQL check_error: 1064 received
> >rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an
> >error in your SQL syntax; check the manual that corresponds to your
> >MySQL server version for the right syntax to use near '; INSERT into
> >radtempo (AcctInputOctets, AcctOutputOctets, AcctSessionId) values' at
> >line 1
> >--
> >------------------------------------------------------------
> >
> >Michel Bélanger
> >
> >
> >
> >
> >------------------------------
> >
> >Message: 6
> >Date: Tue, 09 Aug 2005 16:00:34 -0400
> >From: "Alan DeKok" <aland at ox.org>
> >Subject: Re: problem with using rlm_sql for accounting only
> >To: FreeRadius users mailing list
> >       <freeradius-users at lists.freeradius.org>
> >Message-ID: <20050809200034.64BA316CCA at mail.nitros9.org>
> >
> >John Donagher <john at webmeta.com> wrote:
> >> Indeed.. under normal circumstances it wouldn't go down. My issue is
> >> that the SQL server is not a critical part of our infrastructure and I
> >> don't want it to be (at this point anyway). I'm using it for accounting
> >> trend reporting only.. in any event, Nicolas' suggestion was right on
> >> and works like a charm.
> >
> >  In the CVS head you can use the rlm_sql_log module, which dumps the
> >queries to a file.  The file can then be post-processed.  This removes
> >all run-time dependency on SQL, which is a better solution.
> >
> >  Alan DeKok.
> >
> >
> >------------------------------
> >
> >Message: 7
> >Date: Tue, 09 Aug 2005 13:47:29 -0700
> >From: Derrick MacPherson <dmacpherson at mainframe.ca>
> >Subject: Hi. Windows RADIUS server died.
> >To: freeradius-users at lists.freeradius.org
> >Message-ID: <1123620449.10739.94.camel at Mandarin-04.mainframe.ca>
> >Content-Type: text/plain
> >
> >I just got asked to try and get a freeradius server running ASAP. I got
> >it installed on a freebsd 5.4 box that I had just finished getting squid
> >running on, not implemented yet still testing.
> >
> >I see freeradius can use ntlm_auth as well, though I'm not clear on its
> >syntax. I have squid using the same authentication criteria as the
> >radius server was using, that was based upon being in certain group. Can
> >freeradius support this as well? My syntax in squid:
> >
> >ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >--require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
> >
> >Can someone save me with a quick example or am I off to read and google?
> >
> >
> >
> >------------------------------
> >
> >Message: 8
> >Date: Tue, 09 Aug 2005 17:22:17 -0400
> >From: "Alan DeKok" <aland at ox.org>
> >Subject: Re: Hi. Windows RADIUS server died.
> >To: FreeRadius users mailing list
> >       <freeradius-users at lists.freeradius.org>
> >Message-ID: <20050809212218.06DD216CCA at mail.nitros9.org>
> >
> >Derrick MacPherson <dmacpherson at mainframe.ca> wrote:
> >> I see freeradius can use ntlm_auth as well, though I'm not clear on its
> >> syntax.
> >
> >  See radiusd.conf for an example, and the ntlm_auth docs for its
> >command-line arguments.
> >
> >> I have squid using the same authentication criteria as the radius
> >> server was using, that was based upon being in certain group. Can
> >> freeradius support this as well?
> >
> >  Sure, because FreeRADIUS doesn't care about command-line arguments
> >to ntlm_auth.  Add as many arguments to ntlm_auth as you want.
> >
> >> ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> >
> >  This *isn't* supported.  You have to pass the username & password on
> >the command line, as in the examples.  And if you're doing MSCHAP, you
> >MUST also pass the "request nt key" option, too.
> >
> >> --require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
> >
> >  This is just noise to FreeRADIUS, which doesn't look at it, and
> >doesn't care.  If ntlm_auth returns success, so does FreeRADIUS.  If
> >it returns fail, so does FreeRADIUS.
> >
> >  Alan DeKok.
> >
> >
> >
> >------------------------------
> >
> >Message: 9
> >Date: Tue, 09 Aug 2005 14:38:38 -0700
> >From: Derrick MacPherson <dmacpherson at mainframe.ca>
> >Subject: Re: Hi. Windows RADIUS server died.
> >To: FreeRadius users mailing list
> >       <freeradius-users at lists.freeradius.org>
> >Message-ID: <1123623518.10739.111.camel at Mandarin-04.mainframe.ca>
> >Content-Type: text/plain
> >
> >On Tue, 2005-08-09 at 17:22 -0400, Alan DeKok wrote:
> >>   See radiusd.conf for an example, and the ntlm_auth docs for its
> >> command-line arguments.
> >
> >thank you, reading them now.
> >
> >Is there a way to test if the authentication is passing or failing?
> >
> >
> >
> >------------------------------
> >
> >Message: 10
> >Date: Tue, 09 Aug 2005 15:10:17 -0700
> >From: kevin <kevinsmbox at earthlink.net>
> >Subject: Re: how to return multiple attributes from ldap?
> >To: FreeRadius users mailing list
> >       <freeradius-users at lists.freeradius.org>
> >Message-ID: <42F929C9.7070102 at earthlink.net>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >But, I am still interested in the way returning multiple attributes
> >without changing ldap data.
> >I thought there must be a way.
> >
> >kevin
> >
> >Dusty Doris wrote:
> >
> >>On Tue, 9 Aug 2005, kevin wrote:
> >>
> >>
> >>
> >>>What?  So, should I change the ldap attribute values with "+=" ???
> >>>Any other way?
> >>>
> >>>
> >>>
> >>
> >>Yep, it works.
> >>
> >>I did a test, with this DN only one filter-id was returned.
> >>
> >>dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
> >>objectClass: radiusprofile
> >>userPassword:: ZHVzdHl0ZXN0
> >>radiusGroupName: dial
> >>radiusGroupName: adsl
> >>uid: dustytest
> >>radiusFilterId: filter1
> >>radiusFilterId: filter2
> >>
> >>Received response ID 210, code 2, length = 59
> >>        Framed-Routing = None
> >>        Framed-IP-Netmask = 255.255.255.0
> >>        Framed-Protocol = PPP
> >>        Service-Type = Framed-User
> >>        Filter-Id = "filter1"
> >>
> >>
> >>With this dn, both were returned (note there were no quotes in it - that
> >>didn't work)
> >>
> >>dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
> >>objectClass: radiusprofile
> >>userPassword:: ZHVzdHl0ZXN0
> >>radiusGroupName: dial
> >>radiusGroupName: adsl
> >>uid: dustytest
> >>radiusFilterId: += filter1
> >>radiusFilterId: += filter2
> >>
> >>Received response ID 214, code 2, length = 68
> >>        Framed-Routing = None
> >>        Framed-IP-Netmask = 255.255.255.0
> >>        Framed-Protocol = PPP
> >>        Service-Type = Framed-User
> >>        Filter-Id = "filter1"
> >>        Filter-Id = "filter2"
> >>
> >
> >
> >End of Freeradius-Users Digest, Vol 4, Issue 39
> >***********************************************
> >
> 
> 
> 
> ------------------------------
> 
> 
> 
> End of Freeradius-Users Digest, Vol 4, Issue 40
> ***********************************************
>
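
Added example, not part of the original thread or of FreeRADIUS: for the `random` file discussed in the quoted EAP-TLS messages, this shell code fills the file from /dev/urandom (a substitute for the RAND_bytes program shown in the thread) with owner-only permissions, and flags a seed file that is missing, short, or plain text, which is what `date > random` produces. The function names and the 128-byte and 64-byte sizes are assumptions.

```shell
#!/bin/sh
# Added example; make_random_file and is_weak_seed are hypothetical names.

# make_random_file PATH [NBYTES]
# Writes NBYTES (default 128, an assumed size) from the kernel CSPRNG to PATH,
# creating the file with mode 0600.
make_random_file() {
    out=$1
    nbytes=${2:-128}
    (
        umask 077                      # file is created owner-only
        tmp="$out.tmp.$$"
        # bs=1 makes dd deliver exactly $nbytes bytes even on short reads
        dd if=/dev/urandom of="$tmp" bs=1 count="$nbytes" 2>/dev/null || exit 1
        got=$(wc -c < "$tmp" | tr -d ' ')
        if [ "$got" -ne "$nbytes" ]; then
            rm -f "$tmp"
            exit 1
        fi
        mv -f "$tmp" "$out"            # rename into place, never half-written
    )
}

# is_weak_seed PATH [MINBYTES]
# Returns 0 (weak) when the file is missing, shorter than MINBYTES
# (default 64, an assumed threshold), or contains only printable text.
# Returns 1 when the file looks like binary random data.
is_weak_seed() {
    f=$1
    min=${2:-64}
    [ -f "$f" ] || return 0
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge "$min" ] || return 0
    # Count the bytes that are neither printable nor whitespace.
    binary=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
    [ "$binary" -gt 0 ] || return 0
    return 1
}
```

The text-only check is a heuristic for catching a timestamp or other human-readable string used as a seed; it does not measure entropy.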



