Please Remove

Tyler Willson tweetywill at gmail.com
Wed Oct 1 00:36:15 CEST 2008


Thanks! 

-----Original Message-----
From: freeradius-users-bounces+tweetywill=gmail.com at lists.freeradius.org
[mailto:freeradius-users-bounces+tweetywill=gmail.com at lists.freeradius.org]
On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Tuesday, September 30, 2008 2:31 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 41, Issue 141


Today's Topics:

   1. Re: freeradius compiled version (lastest) against active
      directory	authentication (Alan DeKok)
   2. Re: freeradius compiled version (lastest) against active
      directoryauthentication (tnt at kalik.net)
   3. Missing field in accounting (Arrigo Savio)
   4. R: R: Logging level (Arrigo Savio)
   5. Re: R: R: Logging level (Alan DeKok)
   6. Re: Missing field in accounting (Alan DeKok)
   7. Re: problem with ip_pools (Marco C. Coelho)
   8. Re: Where do I add the config stuff to route requests based
      on	attributes in a request? (Arran Cudbard-Bell)


----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Sep 2008 17:31:51 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: freeradius compiled version (lastest) against active
	directory	authentication
To: luis.azunet at yahoo.es,	FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <48E24667.7020006 at deployingradius.com>
Content-Type: text/plain; charset=UTF-8

luis a wrote:
>     I already read it and it does not work

  Nonsense.

  If you follow the instructions, it works.

>     check out the output

  You've edited the configuration files, and broken them.  Don't do that.

  Start off with the default configuration files.  THEN follow the
instructions.

>     that warning appeared after I added the line to the user config file
>     DEFAULT  Auth-Type = Local, Password == "stealme"

  The instructions on my web site DON'T say to do that.  So you're not
following the instructions.

>     and also when I replace
>     DEFAULT  Auth-Type = System

  Can you explain why you're making nearly random changes to the
configuration files rather than following the instructions on the web site?

  Alan DeKok.


------------------------------

Message: 2
Date: Tue, 30 Sep 2008 16:47:30 +0100
From: <tnt at kalik.net>
Subject: Re: freeradius compiled version (lastest) against active
	directoryauthentication
To: freeradius-users at lists.freeradius.org
Message-ID: <w7MzM4fw.1222789650.5079860.tnt at kalik.net>
Content-Type: text/plain; charset=ISO-8859-2

>  Have you tried my web site (deployingradius.com) ?   It has a
>"howto"
>for configuring authentication against Active Directory.
>
>I already read it and it does not work
>
>
>check out the output
>
>------------------------------------
>
>
>Listening on authentication address * port 1812
>Listening on accounting address * port 1813
>Listening on proxy address * port 1814
>Ready to process requests.
>rad_recv: Access-Request packet from host 127.0.0.1 port 49964, id=37, length=72
>        User-Name = "luis"
>        User-Password = "x"
>        NAS-IP-Address = xx.xx.xx.x
>        NAS-Port = 0

This is a pap request. ntlm_auth is configured in mschap. Send an mschap
request. Or configure ldap "bind as user" if you are going to have pap
requests.
>
>
>
>-------------------
>and also when I replace
>DEFAULT  Auth-Type = System
>
>I get this message.
>
..
>Found Auth-Type = System
>+- entering group authenticate {...}
>[unix] invalid password "luis"
>++[unix] returns reject
>Failed to authenticate the user.

That is OK. User "luis" was found but the password was wrong. But it looks like
(I still can't figure out what it is that you want to do) you don't actually
want to authenticate against local users but AD.

So what do you want to do:

- authenticate against AD?

- or against users of the local system?

- or both?

What type of requests are you going to receive:

- pap?

- mschap (PEAP)?

- both?

Ivan Kalik
Kalik Informatika ISP




------------------------------

Message: 3
Date: Tue, 30 Sep 2008 18:04:42 +0200
From: "Arrigo Savio" <a.savio at bascom.it>
Subject: Missing field in accounting
To: "'FreeRadius users mailing list'"
	<freeradius-users at lists.freeradius.org>
Message-ID: <F978D341FFB841D7837CAA87CFA6F62B at bascom.local>
Content-Type: text/plain;	charset="us-ascii"

Hi everybody. I'm trying to complete the setup of freeradius 2.1.1.
I have the following problem:
When the data flow passes from authentication to accounting, I miss the
stripping of the username/realm. I mean: in the first authentication step, I
have correctly split the username (test) from the realm (realm.com) and
in fact the "INSERT INTO radpostauth" is correctly populated.
The next query, that should write into the accounting table, doesn't find
%{Stripped-User-Name} and %{Realm} values, so that it puts empty fields in
the table. All other fields are correct. BTW, if I put in dialer.conf
accounting query the field %{SQL-User-Name}, I find the field populated with
the whole username (test at realm.com, in the example below).

Can you help me, please?

Arrigo


[sql]   expand: %{Stripped-User-Name} -> test
 [sql] sql_set_user escaped user --> 'test'
.
++[sql] returns ok
Login OK: [prova at realm.com/realm] (from client C831 Test port 92)
+- entering group post-auth {...}
[reply_log]     expand:
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/var/log/radius/radacct/10.0.1.224/reply-detail-20080930
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/10.0.1.224/reply-detail-20080930
[reply_log]     expand: %t -> Tue Sep 30 17:53:01 2008
++[reply_log] returns ok
[sql]   expand: %{Stripped-User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql]   expand: %{User-Password} -> realm
[sql]   expand: INSERT INTO radpostauth                           (username,
realm, pass, reply, authdate)                           VALUES (
'%{Stripped-User-Name}', '%{Realm}',                          '%{%{User-
...
++[sql] returns ok
+- entering group preacct {...}
[acct_unique] Hashing 'NAS-Port = 92,Client-IP-Address =
10.0.1.224,NAS-IP-Address = 10.0.1.224,Acct-Session-Id =
"000000D8",User-Name = "prova at realm.com"'
[acct_unique] Acct-Unique-Session-ID = "1bdfdc3b2335277d".
++[acct_unique] returns ok
+- entering group accounting {...}
[detail]        expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.0.1.224/detail-20080930
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/10.0.1.224/detail-20080930
[detail]        expand: %t -> Tue Sep 30 17:53:01 2008
++[detail] returns ok
[sql]   expand: %{Stripped-User-Name} ->
[sql] sql_set_user escaped user --> ''
[sql]   expand: %{Acct-Delay-Time} -> 0
[sql]   expand:            INSERT INTO radacct             (acctsessionid,
acctuniqueid,     username,              realm,            nasipaddress,
nasportid,              nasporttype,      acctstarttime,    acctstoptime,
acctsessiontime,  acctauthentic,    connectinfo_start,
connectinfo_stop, acctinputoctets,  acctoutputoctets, calledstationid,
callingstationid, acctterminatecause,
servicetype,      framedprotocol,   framedipaddress,
acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{Stripped-User-Name}',              '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',

rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok

Arrigo




------------------------------

Message: 4
Date: Tue, 30 Sep 2008 18:07:32 +0200
From: "Arrigo Savio" <a.savio at bascom.it>
Subject: R: R: Logging level
To: "'FreeRadius users mailing list'"
	<freeradius-users at lists.freeradius.org>
Message-ID: <72251FE17275403EAF292FA4A42F8AAC at bascom.local>
Content-Type: text/plain;	charset="iso-8859-1"

I read all comments, and tried to give some permission on the files, but I
still receive the error pasted...
I read in docs that:
        #  If not set, then ANYONE can connect to the control socket,
        #  and have complete control over the server.  This is likely
        #  not what you want.
I tried to comment out the parameters, but it doesn't work anyway.

Arrigo.

-----Original Message-----
From: freeradius-users-bounces+a.savio=bascom.it at lists.freeradius.org
[mailto:freeradius-users-bounces+a.savio=bascom.it at lists.freeradius.org] On
behalf of Alan DeKok
Sent: Tuesday, 30 September 2008 8.43
To: FreeRadius users mailing list
Subject: Re: R: Logging level

Arrigo Savio wrote:
> radmin> set
> ERROR: You do not have write permission.
> 
> Where can I specify this permission?

  Read the example configuration file in
raddb/sites-available/control-socket.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




------------------------------

Message: 5
Date: Tue, 30 Sep 2008 18:15:39 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: R: R: Logging level
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <48E250AB.607 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Arrigo Savio wrote:
> I read all comments, and tried to give some permission on the files, 
> but I still receive the error pasted...
> I read in docs that:
>         #  If not set, then ANYONE can connect to the control socket,
>         #  and have complete control over the server.  This is likely
>         #  not what you want.
> I tried to comment out the parameters, but it doesn't work anyway.

  Did you see the "access_mode" parameter?  Are you sure you're using 2.1.1?
Are you sure you're looking at the configuration files that are included in
2.1.1?

  Alan DeKok.


------------------------------

Message: 6
Date: Tue, 30 Sep 2008 18:18:12 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Missing field in accounting
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <48E25144.2000209 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Arrigo Savio wrote:
> Hi everybody. I'm trying to complete the setup of freeradius 2.1.1.
> I have the following problem:
> When the data flow passes from authentication to accounting, I miss 
> the stripping of the username/realm.

  You need to copy the *same* User-Name re-writing rules from the
"authorize" section into the "preacct" section.

> I mean: in the first authentication step, I
> have correctly split the username (test) from the realm (realm.com) 
> and in fact the "INSERT INTO radpostauth" is correctly populated.
> The next query,

  There is no "next query".  There is another packet, which is an
*accounting* packet, and not an *authentication* packet.

  Alan DeKok.
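
The point of the reply above, as an added example that is not part of the original thread: the accounting packet is processed on its own, so an attribute set while handling the Access-Request is empty unless the rewriting module also runs in "preacct". The script walks `radiusd -X` output and reports that condition; the module name `suffix` is an assumption about how the realm is stripped, and the log is a constructed excerpt shortened from the debug output quoted in Message 3.

```python
import re

# Constructed excerpt of `radiusd -X` output, shortened from the log in this thread.
SAMPLE_DEBUG = """\
+- entering group post-auth {...}
[sql]   expand: %{Stripped-User-Name} -> test
++[sql] returns ok
+- entering group preacct {...}
++[acct_unique] returns ok
+- entering group accounting {...}
[detail]        expand: %t -> Tue Sep 30 17:53:01 2008
++[detail] returns ok
[sql]   expand: %{Stripped-User-Name} ->
[sql]   expand: %{Acct-Delay-Time} -> 0
++[sql] returns ok
"""

SECTION_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\++\[(\w+)\] returns \w+")
EXPAND_RE = re.compile(r"^\s*\[(\w+)\]\s+expand:\s+%\{([\w-]+)\}\s*->\s*(.*)$")


def walk(debug_text):
    """Return (modules that ran per section, attributes that expanded to '')."""
    section, modules, empty = None, {}, []
    for line in debug_text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
            modules.setdefault(section, [])
        elif m := MODULE_RE.match(line):
            modules.setdefault(section, []).append(m.group(1))
        elif (m := EXPAND_RE.match(line)) and not m.group(3).strip():
            empty.append((section, m.group(1), m.group(2)))
    return modules, empty


def diagnose(debug_text, rewrite_module="suffix"):
    """Explain empty expansions; `suffix` as the rewriting module is an assumption."""
    modules, empty = walk(debug_text)
    report = []
    for section, module, attr in empty:
        if section == "accounting" and rewrite_module not in modules.get("preacct", []):
            report.append(f"{attr} is empty in [{module}] during accounting: "
                          f"'{rewrite_module}' did not run in preacct")
        else:
            report.append(f"{attr} is empty in [{module}] during {section}")
    return report

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_DEBUG)))
```
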


------------------------------

Message: 7
Date: Tue, 30 Sep 2008 12:35:11 -0500
From: "Marco C. Coelho" <maillist1 at argontech.net>
Subject: Re: problem with ip_pools
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <48E2634F.7010602 at argontech.net>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Please See Below:

Alan DeKok wrote:
> Marco C. Coelho wrote:
>   
>> I ran out of IP space in my original IP_Pool, and since the next 
>> available addresses were non contiguous, I added a second pool.  
>> Here's the snippet of my radiusd.conf:
>>     
>
>   Did you add "main_pool2" to the "post-auth" && accounting sections 
> where "main_pool" was referenced?
>   
No.  After I added it and corrected the operand to := it now issues the new
addresses.  Thanks!

>   Did you put "main_pool" and "main_pool" into a fail-over section, as 
> documented in "man unlang" ?
>   

No,  and I must be blind, because I have read the section and cannot find
mention of it.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
>   

------------------------------

Message: 8
Date: Tue, 30 Sep 2008 19:30:26 +0100
From: Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>
Subject: Re: Where do I add the config stuff to route requests based
	on	attributes in a request?
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <48E27042.8070505 at sussex.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alan DeKok wrote:
> Peter Eriksson wrote:
>> Now the question is - what do I write and in which config files to 
>> use this?
> 
> $ man unlang
> 
>> The attribute typically looks like this:
>>
>> Called-Station-Id = "00-17-9A-D3-9A-BA:IFM"
> 
> 	if (Called-Station-Id =~ /regex/) {
> 		update control {
> 			Proxy-To-Realm := "foo"
> 		}
> 	}
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html


http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf

JRS is the JANET implementation of Eduroam.

Thanks,
Arran
- --
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk), Authentication,
Authorisation and Accounting Officer, Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjicEIACgkQcaklux5oVKJVggCeIR2DQF7hZhCY3Fv+NEFebe+0
UOYAniJIG0wb66DzNlik1IDWIayeJro7
=98US
-----END PGP SIGNATURE-----


------------------------------



End of Freeradius-Users Digest, Vol 41, Issue 141
*************************************************



