Freeradius-Users Digest, Vol 52, Issue 48
Nadir M. Aliyev
nadir at ultel.net
Mon Aug 10 13:18:24 CEST 2009
echo "Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}" | radclient -x 10.0.5.1:3799 disconnect 123
Session removed successfully, but I receive a Disconnect-NAK (unsuccessful).
Again this error :(((
Reply-Message = "Session Not Removed"
Error-Cause = Session-Context-Not-Removable
Cisco:
.
!
aaa server radius dynamic-author
server-key 7 00554155
port 3799
auth-type any
!
.
-----Original Message-----
From: freeradius-users-bounces+nadir=ultel.net at lists.freeradius.org
[mailto:freeradius-users-bounces+nadir=ultel.net at lists.freeradius.org] On
Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Monday, August 10, 2009 2:51 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 52, Issue 48
Today's Topics:
1. Re: Freeradius-Users Digest, Vol 52, Issue 47 (Gilbert Lo)
2. Do not query LDAP if authenticated via proxy (Steven Carr)
3. Mac based authentication (Sanhenra Sinaga)
4. Re: radius server 2.1.6 not storing data in radacct
table..help (Alan Buxey)
5. (Nadir M. Aliyev)
6. Re: your mail (Alan Buxey)
----------------------------------------------------------------------
Message: 1
Date: Mon, 10 Aug 2009 01:36:58 -0700
From: "Gilbert Lo" <gilbertlo at stgeorges.bc.ca>
Subject: Re: Freeradius-Users Digest, Vol 52, Issue 47
To: freeradius-users at lists.freeradius.org
Message-ID:
<fc.00802d7e01bfda553b9aca0027e19de6.1bfda56 at stgeorges.bc.ca>
Content-Type: text/plain; charset=UTF-8
Thank you for your message. I am away until August 7th. I will respond
to your message on my return . For urgent matters, please contact
helpdesk at stgeorges.bc.ca .
Cheers,
Gilbert Lo
------------------------------
Message: 2
Date: Mon, 10 Aug 2009 09:39:22 +0100
From: Steven Carr <steven.carr at sunderland.ac.uk>
Subject: Do not query LDAP if authenticated via proxy
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4A7FDCBA.907 at sunderland.ac.uk>
Content-Type: text/plain; charset="utf-8"
Hi list,
I have the following question, not entirely sure how to stop FreeRADIUS
(Debian recompile 2.0.4) from doing this so any ideas would be grateful.
We are joining Eduroam and we have our FreeRADIUS set to proxy on the
DEFAULT realm and have a separate realm for our local domain.
If we pass a request to the proxy to be authenticated both before and
after the request has been proxied it queries our LDAP server to check
if the user exists.
> rad_recv: Access-Request packet from host 127.0.0.1 port 43386, id=216, length=82
> User-Name = "user at domain.com"
> User-Password = "******"
> NAS-IP-Address = 157.228.68.190
> NAS-Port = 1
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: Looking up realm "domain.com" for User-Name = "user at domain.com"
> rlm_realm: Found realm "DEFAULT"
> rlm_realm: Adding Realm = "DEFAULT"
> rlm_realm: Proxying request from user user to realm DEFAULT
> rlm_realm: Preparing to proxy authentication request to realm "DEFAULT"
> ++[suffix] returns updated
> rlm_eap: No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user at domain.com
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> expand: dc=domain,dc=com -> dc=domain,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Sending Access-Request of id 112 to 194.83.56.233 port 1812
> User-Name = "user at domain.com"
> User-Password = "******"
> NAS-IP-Address = 157.228.68.190
> NAS-Port = 1
> Proxy-State = 0x323136
> Proxying request 1 to home server 194.83.56.233 port 1812
> Sending Access-Request of id 112 to 194.83.56.233 port 1812
> User-Name = "user at domain.com"
> User-Password = "******"
> NAS-IP-Address = 157.228.68.190
> NAS-Port = 1
> Proxy-State = 0x323136
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Accept packet from host 194.83.56.233 port 1812, id=112, length=25
> Proxy-State = 0x323136
> +- entering group post-proxy
> rlm_eap: No pre-existing handler found
> ++[eap] returns noop
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> rlm_realm: Proxy reply, or no User-Name. Ignoring.
> ++[suffix] returns noop
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for user at domain.com
> WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> expand: (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> expand: dc=domain,dc=com -> dc=domain,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter (&(objectclass=uosperson)(!(mailuserstatus=inactive))(uid=user at domain.com))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> rad_check_password: Found Auth-Type
> rad_check_password: Auth-Type = Accept, accepting the user
> Login OK: [user at domain.com/******] (from client localhost port 1)
> +- entering group post-auth
> ++[exec] returns noop
> Sending Access-Accept of id 216 to 127.0.0.1 port 43386
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 216 with timestamp +10
> Ready to process requests.
How can I stop it from doing this? It is a waste of time and an unnecessary connection/query to our LDAP server, as the user is never going to be authenticated by our LDAP server.
Thanks
Steve
--
Steven Carr
Systems Development Officer
SLS/ITS/Systems - (0191) 515 3953
------------------------------
Message: 3
Date: Mon, 10 Aug 2009 05:03:07 -0400 (EDT)
From: Sanhenra Sinaga <if06071 at students.del.ac.id>
Subject: Mac based authentication
To: freeradius-users at lists.freeradius.org
Message-ID: <1766013.28391249894987160.JavaMail.root at students>
Content-Type: text/plain; charset=utf-8
Dear all,
I'm a new network administrator at a school. I've just installed a hotspot using MikroTik and FreeRADIUS as the RADIUS server. I want to use the client's MAC address as username and password for authentication. In this case, I want to filter on the MAC address (Calling-Station-Id) as username and password, so that the client can authenticate directly.
Please help me to configure FreeRADIUS so that I can implement what I explained before.
Thanks all,
Sanhenra
------------------------------
Message: 4
Date: Mon, 10 Aug 2009 10:34:35 +0100
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Subject: Re: radius server 2.1.6 not storing data in radacct
table..help
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <20090810093435.GA13680 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
hi,
from the debug it looks like it's not doing any SQL thing at all -
i.e. you either haven't configured the SQL stuff (uncomment
an 'include' statement in the config to pull in sql.conf)
or, because you aren't using SQL for authentication/authorization
and only for logging, you have to add 'sql' to the instantiate
section so the module gets fired up
alan
------------------------------
Message: 5
Date: Mon, 10 Aug 2009 15:40:12 +0500
From: "Nadir M. Aliyev" <nadir at ultel.net>
To: <freeradius-users at lists.freeradius.org>
Message-ID:
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAANJZwrxjEZEaUwy61645wl8KAAAAQ
AAAA623CuuOKtESprsBks9KekQEAAAAA at ultel.net>
Content-Type: text/plain; charset="koi8-r"
Dear All!
Have small problem with radclient.
I use radclient for disconnect users:
"Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}\nNAS-IP-Address=10.0.5.1" | radclient -x 10.0.5.1:3799 disconnect 123";
Users disconnect well.
But instead of success I receive this message:
rad_recv: Disconnect-NAK packet from host 10.0.5.1:3799, id=236, length=47
Reply-Message = "No Matching Session"
Error-Cause = Session-Context-Not-Found
Logs from cisco:
Aug 10 14:29:34 10.0.5.1 360982: 421932: Aug 10 14:26:00.414 AZST: POD: Received Acct-Session-Id of 0002A89C
Aug 10 14:29:34 10.0.5.1 360983: 421933: Aug 10 14:26:00.414 AZST: POD: Converted to internal Session-Id of 0002A89C
Aug 10 14:29:34 10.0.5.1 360984: 421934: Aug 10 14:26:00.414 AZST: POD: 10.0.5.2 user nadiritus 0.0.0.0 sessid 0x2A89C key 0x9F282A8D
Aug 10 14:29:34 10.0.5.1 360985: 421935: Aug 10 14:26:00.414 AZST: POD: Line User IDB Session Id Key
Aug 10 14:29:34 10.0.5.1 360986: 421936: Aug 10 14:26:00.414 AZST: POD: KILL Virtual- nadiritus 10.0.5.25 0x2A89C 0x9F282A8D
Aug 10 14:29:34 10.0.5.1 360987: 421937: Aug 10 14:26:00.418 AZST: POD: Added Reply Message: Session Not Removed
Aug 10 14:29:34 10.0.5.1 360988: 421938: Aug 10 14:26:00.418 AZST: POD: Added NACK Error Cause: Session Context Not Removable
Aug 10 14:29:34 10.0.5.1 360989: 421939: Aug 10 14:26:00.418 AZST: POD: Sending NAK from port 3799 to 10.0.5.2/54033
Can anybody help me? Why do I receive "session not removed" (but the session is removed)?
------------------------------
Message: 6
Date: Mon, 10 Aug 2009 10:51:07 +0100
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Subject: Re: your mail
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <20090810095107.GA13695 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
Hi,
> I use radclient for disconnect users:
>
> "Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}\nNAS-IP-Address=10.0.5.1" | radclient -x 10.0.5.1:3799 disconnect 123";
you're telling the NAS about itself (NAS-IP-Address) - perhaps it doesn't like
that bit and the message you are getting is just its way of saying
that something wasn't quite right. i.e. try
"Acct-Session-Id={ACTSESSION}\nUser-Name={MYUSERNAME}\nX-Ascend-Session-Svr-Key={SESSIONKEY}" | radclient -x 10.0.5.1:3799 disconnect 123";
?
alan
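Added example, not from the digest or from FreeRADIUS/radclient: a Python model of the Disconnect-Request exchange in messages 5 and 6 above, building the packet radclient sends with the RFC 5176 Request Authenticator, checking the NAS reply's Response Authenticator before trusting it, and decoding the numeric Error-Cause values behind the names the two posts show (503 Session-Context-Not-Found, 504 Session-Context-Not-Removable). The NAS side (nas_reply), the shared secret and the session values are constructed stand-ins, and the vendor-specific X-Ascend-Session-Svr-Key attribute is left out.

```python
import hashlib, struct
# Codes and attribute types from RFC 2865 / RFC 5176 (Error-Cause values: RFC 5176 section 3.5)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, REPLY_MESSAGE, ACCT_SESSION_ID, ERROR_CAUSE = 1, 18, 44, 101
ERROR_CAUSES = {201: "Residual-Session-Context-Removed", 403: "NAS-Identification-Mismatch",
                503: "Session-Context-Not-Found", 504: "Session-Context-Not-Removable"}

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value  # TLV; Length counts the 2 header octets

def build_disconnect_request(ident, secret, attrs):
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def nas_reply(request, secret, code, attrs):
    # Constructed stand-in for the NAS; the Response Authenticator binds the reply to the request
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def parse_reply(pkt, request, secret):
    # Reject replies that do not answer this request or were not built with the shared secret
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or ident != request[1]:
        raise ValueError("identifier/length mismatch")
    if hashlib.md5(pkt[:4] + request[4:20] + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("bad Response Authenticator")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def describe(code, attrs):
    # Turn the numeric Error-Cause into the name radclient prints in the posts above
    if code == DISCONNECT_ACK:
        return "Disconnect-ACK"
    cause = struct.unpack("!I", attrs[ERROR_CAUSE])[0] if ERROR_CAUSE in attrs else None
    msg = attrs.get(REPLY_MESSAGE, b"").decode("ascii", "replace")
    return f"Disconnect-NAK: Error-Cause={ERROR_CAUSES.get(cause, cause)} Reply-Message={msg!r}"

SECRET = b"testing123"  # constructed shared secret, not the key from the Cisco config
REQUEST = build_disconnect_request(123, SECRET, [(ACCT_SESSION_ID, b"0002A89C"), (USER_NAME, b"nadiritus")])
NAK = nas_reply(REQUEST, SECRET, DISCONNECT_NAK,
                [(REPLY_MESSAGE, b"Session Not Removed"), (ERROR_CAUSE, struct.pack("!I", 504))])
```

Running parse_reply on a reply whose authenticator does not verify raises instead of returning attributes, which is the check a CoA client should apply before acting on any Reply-Message or Error-Cause from the network.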
------------------------------
End of Freeradius-Users Digest, Vol 52, Issue 48