Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NEW Package: freeRADIUS 2.x

    Scheduled Pinned Locked Moved pfSense Packages
    628 Posts 80 Posters 752.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      Nachtfalke
      last edited by

      @surucu24:

      Hi, i have some problem too :)
      i need to use sql feature, but when i enable SQL , my radius stop working,
      do you have any idea?

      Yes.

      FreeRADIUS just connects to a SQL server - it has no own sql server. What you have to do is to install a SQL server somewhere else and then connect freeradius to this sql server.
      http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL

      1 Reply Last reply Reply Quote 0
      • S
        surucu24
        last edited by

        already i have PHPMYSQL, it's working,   but when i try to connect to my sql server, radius stops running?
        http://imageshack.us/photo/my-images/571/524201391520am.jpg
        http://imageshack.us/photo/my-images/259/524201391628am.jpg
        http://imageshack.us/photo/my-images/254/524201391723am.jpg

        And here the debug

        $ radiusd -X
        FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on Jun 19 2012 at 09:11:11
        Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
        There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
        PARTICULAR PURPOSE. 
        You may redistribute copies of FreeRADIUS under the terms of the 
        GNU General Public License v2\. 
        Starting - reading configuration files ...
        including configuration file /usr/local/etc/raddb/radiusd.conf
        including configuration file /usr/local/etc/raddb/clients.conf
        including files in directory /usr/local/etc/raddb/modules/
        including configuration file /usr/local/etc/raddb/modules/wimax
        including configuration file /usr/local/etc/raddb/modules/always
        including configuration file /usr/local/etc/raddb/modules/attr_filter
        including configuration file /usr/local/etc/raddb/modules/attr_rewrite
        including configuration file /usr/local/etc/raddb/modules/chap
        including configuration file /usr/local/etc/raddb/modules/checkval
        including configuration file /usr/local/etc/raddb/modules/counter
        including configuration file /usr/local/etc/raddb/modules/cui
        including configuration file /usr/local/etc/raddb/modules/detail
        including configuration file /usr/local/etc/raddb/modules/detail.example.com
        including configuration file /usr/local/etc/raddb/modules/detail.log
        including configuration file /usr/local/etc/raddb/modules/digest
        including configuration file /usr/local/etc/raddb/modules/dynamic_clients
        including configuration file /usr/local/etc/raddb/modules/echo
        including configuration file /usr/local/etc/raddb/modules/etc_group
        including configuration file /usr/local/etc/raddb/modules/exec
        including configuration file /usr/local/etc/raddb/modules/expiration
        including configuration file /usr/local/etc/raddb/modules/expr
        including configuration file /usr/local/etc/raddb/modules/files
        including configuration file /usr/local/etc/raddb/modules/inner-eap
        including configuration file /usr/local/etc/raddb/modules/ippool
        including configuration file /usr/local/etc/raddb/modules/krb5
        including configuration file /usr/local/etc/raddb/modules/ldap
        including configuration file /usr/local/etc/raddb/modules/linelog
        including configuration file /usr/local/etc/raddb/modules/logintime
        including configuration file /usr/local/etc/raddb/modules/mac2ip
        including configuration file /usr/local/etc/raddb/modules/mschap
        including configuration file /usr/local/etc/raddb/modules/mac2vlan
        including configuration file /usr/local/etc/raddb/modules/ntlm_auth
        including configuration file /usr/local/etc/raddb/modules/opendirectory
        including configuration file /usr/local/etc/raddb/modules/otp
        including configuration file /usr/local/etc/raddb/modules/pam
        including configuration file /usr/local/etc/raddb/modules/pap
        including configuration file /usr/local/etc/raddb/modules/passwd
        including configuration file /usr/local/etc/raddb/modules/perl
        including configuration file /usr/local/etc/raddb/modules/policy
        including configuration file /usr/local/etc/raddb/modules/preprocess
        including configuration file /usr/local/etc/raddb/modules/radutmp
        including configuration file /usr/local/etc/raddb/modules/realm
        including configuration file /usr/local/etc/raddb/modules/redis
        including configuration file /usr/local/etc/raddb/modules/rediswho
        including configuration file /usr/local/etc/raddb/modules/replicate
        including configuration file /usr/local/etc/raddb/modules/smbpasswd
        including configuration file /usr/local/etc/raddb/modules/smsotp
        including configuration file /usr/local/etc/raddb/modules/soh
        including configuration file /usr/local/etc/raddb/modules/sql_log
        including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
        including configuration file /usr/local/etc/raddb/modules/sradutmp
        including configuration file /usr/local/etc/raddb/modules/unix
        including configuration file /usr/local/etc/raddb/modules/acct_unique
        including configuration file /usr/local/etc/raddb/modules/motp
        including configuration file /usr/local/etc/raddb/modules/datacounter_acct
        including configuration file /usr/local/etc/raddb/eap.conf
        including configuration file /usr/local/etc/raddb/sql.conf
        including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
        including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
        including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
        including configuration file /usr/local/etc/raddb/policy.conf
        including files in directory /usr/local/etc/raddb/sites-enabled/
        including configuration file /usr/local/etc/raddb/sites-enabled/default
        including configuration file /usr/local/etc/raddb/sql.conf
        including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
        including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
        main {
        	allow_core_dumps = yes
        }
        Core dumps are enabled.
        including dictionary file /usr/local/etc/raddb/dictionary
        main {
        	name = "radiusd"
        	prefix = "/usr/local"
        	localstatedir = "/var"
        	sbindir = "/usr/local/sbin"
        	logdir = "/var/log"
        	run_dir = "/var/run"
        	radacctdir = "/var/log/radacct"
        	hostname_lookups = no
        	max_request_time = 30
        	cleanup_delay = 5
        	max_requests = 1024
        	pidfile = "/var/run/radiusd.pid"
        	checkrad = "/usr/local/sbin/checkrad"
        	debug_level = 0
        	proxy_requests = yes
         log {
        	stripped_names = no
        	auth = yes
        	auth_badpass = yes
        	auth_goodpass = no
        	msg_badpass = ""
        	msg_goodpass = ""
         }
         security {
        	max_attributes = 200
        	reject_delay = 1
        	status_server = no
         }
        }
        radiusd: #### Loading Realms and Home Servers ####
        radiusd: #### Loading Clients ####
         client deneme {
        	ipaddr = 127.0.0.1
        	require_message_authenticator = no
        	secret = "testing123"
        	shortname = "deneme"
        	nastype = "other"
         }
        radiusd: #### Instantiating modules ####
         instantiate {
         Module: Linked to module rlm_exec
         Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
          exec {
        	wait = no
        	input_pairs = "request"
        	shell_escape = yes
          }
         Module: Linked to module rlm_expr
         Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
         Module: Linked to module rlm_counter
         Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter
          counter daily {
        	filename = "/var/log/radacct/timecounter/db.daily"
        	key = "User-Name"
        	reset = "daily"
        	count-attribute = "Acct-Session-Time"
        	counter-name = "Daily-Session-Time"
        	check-name = "Max-Daily-Session"
        	reply-name = "Session-Timeout"
        	cache-size = 5000
          }
        rlm_counter: Counter attribute Daily-Session-Time is number 11273
        rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1369440000 [2013-05-25 00:00:00]
         Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter
          counter weekly {
        	filename = "/var/log/radacct/timecounter/db.weekly"
        	key = "User-Name"
        	reset = "weekly"
        	count-attribute = "Acct-Session-Time"
        	counter-name = "Weekly-Session-Time"
        	check-name = "Max-Weekly-Session"
        	reply-name = "Session-Timeout"
        	cache-size = 5000
          }
        rlm_counter: Counter attribute Weekly-Session-Time is number 11275
        rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1369526400 [2013-05-26 00:00:00]
         Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter
          counter monthly {
        	filename = "/var/log/radacct/timecounter/db.monthly"
        	key = "User-Name"
        	reset = "monthly"
        	count-attribute = "Acct-Session-Time"
        	counter-name = "Monthly-Session-Time"
        	check-name = "Max-Monthly-Session"
        	reply-name = "Session-Timeout"
        	cache-size = 5000
          }
        rlm_counter: Counter attribute Monthly-Session-Time is number 11277
        rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1370044800 [2013-06-01 00:00:00]
         Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter
          counter forever {
        	filename = "/var/log/radacct/timecounter/db.forever"
        	key = "User-Name"
        	reset = "never"
        	count-attribute = "Acct-Session-Time"
        	counter-name = "Forever-Session-Time"
        	check-name = "Max-Forever-Session"
        	reply-name = "Session-Timeout"
        	cache-size = 5000
          }
        rlm_counter: Counter attribute Forever-Session-Time is number 11279
        rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 0 [2013-05-24 03:00:00]
         Module: Linked to module rlm_expiration
         Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
          expiration {
        	reply-message = "Password Has Expired  "
          }
         Module: Linked to module rlm_logintime
         Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
          logintime {
        	reply-message = "You are calling outside your allowed timespan  "
        	minimum-timeout = 60
          }
         }
        radiusd: #### Loading Virtual Servers ####
        server { # from file /usr/local/etc/raddb/radiusd.conf
         modules {
          Module: Creating Auth-Type = MOTP
          Module: Creating Auth-Type = digest
          Module: Creating Autz-Type = Status-Server
          Module: Creating Acct-Type = Status-Server
          Module: Creating Post-Auth-Type = REJECT
         Module: Checking authenticate {...} for more modules to load
         Module: Linked to module rlm_pap
         Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
          pap {
        	encryption_scheme = "auto"
        	auto_header = no
          }
         Module: Linked to module rlm_chap
         Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
         Module: Linked to module rlm_mschap
         Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
          mschap {
        	use_mppe = yes
        	require_encryption = no
        	require_strong = no
        	with_ntdomain_hack = yes
        	allow_retry = yes
          }
         Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp
          exec motp {
        	wait = yes
        	program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
        	input_pairs = "request"
        	shell_escape = yes
          }
         Module: Linked to module rlm_digest
         Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
         Module: Linked to module rlm_unix
         Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
          unix {
        	radwtmp = "/var/log/radwtmp"
          }
         Module: Linked to module rlm_eap
         Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
          eap {
        	default_eap_type = "md5"
        	timer_expire = 60
        	ignore_unknown_eap_types = no
        	cisco_accounting_username_bug = no
        	max_sessions = 4096
          }
         Module: Linked to sub-module rlm_eap_md5
         Module: Instantiating eap-md5
         Module: Linked to sub-module rlm_eap_leap
         Module: Instantiating eap-leap
         Module: Linked to sub-module rlm_eap_gtc
         Module: Instantiating eap-gtc
           gtc {
        	challenge = "Password: "
        	auth_type = "PAP"
           }
         Module: Linked to sub-module rlm_eap_tls
         Module: Instantiating eap-tls
           tls {
        	rsa_key_exchange = no
        	dh_key_exchange = yes
        	rsa_key_length = 512
        	dh_key_length = 512
        	verify_depth = 0
        	CA_path = "/usr/local/etc/raddb/certs"
        	pem_file_type = yes
        	private_key_file = "/usr/local/etc/raddb/certs/server.pem"
        	certificate_file = "/usr/local/etc/raddb/certs/server.pem"
        	CA_file = "/usr/local/etc/raddb/certs/ca.pem"
        	private_key_password = "whatever"
        	dh_file = "/usr/local/etc/raddb/certs/dh"
        	random_file = "/usr/local/etc/raddb/certs/random"
        	fragment_size = 1024
        	include_length = yes
        	check_crl = no
        	cipher_list = "DEFAULT"
        	ecdh_curve = "prime256v1"
            cache {
        	enable = no
        	lifetime = 24
        	max_entries = 255
            }
            verify {
            }
            ocsp {
        	enable = no
        	override_cert_url = no
        	url = "http://127.0.0.1/ocsp/"
            }
           }
         Module: Linked to sub-module rlm_eap_ttls
         Module: Instantiating eap-ttls
           ttls {
        	default_eap_type = "md5"
        	copy_request_to_tunnel = no
        	use_tunneled_reply = no
        	include_length = yes
           }
         Module: Linked to sub-module rlm_eap_peap
         Module: Instantiating eap-peap
           peap {
        	default_eap_type = "mschapv2"
        	copy_request_to_tunnel = no
        	use_tunneled_reply = no
        	proxy_tunneled_request_as_eap = yes
        	soh = no
           }
         Module: Linked to sub-module rlm_eap_mschapv2
         Module: Instantiating eap-mschapv2
           mschapv2 {
        	with_ntdomain_hack = no
        	send_error = no
           }
         Module: Checking authorize {...} for more modules to load
         Module: Linked to module rlm_preprocess
         Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
          preprocess {
        	huntgroups = "/usr/local/etc/raddb/huntgroups"
        	hints = "/usr/local/etc/raddb/hints"
        	with_ascend_hack = no
        	ascend_channels_per_line = 23
        	with_ntdomain_hack = no
        	with_specialix_jetstream_hack = no
        	with_cisco_vsa_hack = no
        	with_alvarion_vsa_hack = no
          }
         Module: Linked to module rlm_realm
         Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
          realm suffix {
        	format = "suffix"
        	delimiter = "@"
        	ignore_default = no
        	ignore_null = yes
          }
         Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm
          realm ntdomain {
        	format = "prefix"
        	delimiter = "\"
        	ignore_default = no
        	ignore_null = yes
          }
         Module: Linked to module rlm_files
         Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
          files {
        	usersfile = "/usr/local/etc/raddb/users"
        	acctusersfile = "/usr/local/etc/raddb/acct_users"
        	preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
        	compat = "no"
          }
         Module: Linked to module rlm_sql
         Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf
          sql {
        	driver = "rlm_sql_mysql"
        	server = "192.168.1.226"
        	port = "3306"
        	login = "radius"
        	password = "radpass"
        	radius_db = "radius"
        	read_groups = yes
        	sqltrace = yes
        	sqltracefile = "/var/log/sqltrace.sql"
        	readclients = yes
        	deletestalesessions = yes
        	num_sql_socks = 5
        	lifetime = 0
        	max_queries = 0
        	sql_user_name = "%{User-Name}"
        	default_user_profile = ""
        	nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
        	authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
        	authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
        	authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
        	authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
        	accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
        	accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
        	accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
        	accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
        	accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
        	accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
        	accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
        	group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
        	connect_failure_retry_delay = 60
        	simul_count_query = ""
        	simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
        	postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
        	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
          }
        rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
        rlm_sql (sql): Attempting to connect to radius@192.168.1.226:3306/radius
        rlm_sql (sql): starting 0
        rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
        rlm_sql_mysql: Starting connect to MySQL server for #0
        rlm_sql_mysql: Couldn't connect socket to MySQL server radius@192.168.1.226:radius
        rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'192.168.1.1' (using password: YES)'
        rlm_sql (sql): Failed to connect DB handle #0
        rlm_sql (sql): starting 1
        rlm_sql (sql): starting 2
        rlm_sql (sql): starting 3
        rlm_sql (sql): starting 4
        rlm_sql (sql): Failed to connect to any SQL server.
        rlm_sql (sql): Processing generate_sql_clients
        rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
        rlm_sql (sql): Ignoring unconnected handle 4..
        rlm_sql (sql): Ignoring unconnected handle 3..
        rlm_sql (sql): Ignoring unconnected handle 2..
        rlm_sql (sql): Ignoring unconnected handle 1..
        rlm_sql (sql): Ignoring unconnected handle 0..
        rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
        Failed to load clients from SQL.
        rlm_sql (sql): Closing sqlsocket 4
        rlm_sql (sql): Closing sqlsocket 3
        rlm_sql (sql): Closing sqlsocket 2
        rlm_sql (sql): Closing sqlsocket 1
        rlm_sql (sql): Closing sqlsocket 0
        /usr/local/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
        /usr/local/etc/raddb/sites-enabled/default[185]: Failed to load module "sql".
        /usr/local/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
        /usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section. 
        
        1 Reply Last reply Reply Quote 0
        • N
          Nachtfalke
          last edited by

          Looks like your mysql password or username is wrong. Check with a simple password without complex characters to make sure it works.

          
          rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'192.168.1.1' (using password: YES)'
          
          

          Further you need to create the correct tables on your database and you need to add the clients/nas in the database and the users, too.
          If you are using a database as backend then the freeradius2 GUI "Users" and "Client/NAS" is obsolete.

          I myself do not use mysql so I cannot help you much on that - that's why I posted you the links in my previous post.

          –-- edit ----
          When you go to freeradius --> view config --> sql.conf
          there you can see the sql.conf as textfile. You can check there if the settings you made on GUI are correct and doublecheck with documentations on the internet.

          1 Reply Last reply Reply Quote 0
          • A
            asterix
            last edited by

            dumb question here.. I have over 30 network devices and many of them do not have the option for RADIUS authentication as they are physically connected.. for example my Smart TVs, Blu-Ray players, Setop Boxes. etc. Is there a pure MAC only based authentication option in freeRADIUS that I can implement to keep my network secured and not let anyone plug anything new to the network ports unless their MAC is in freeRADIUS database?

            1 Reply Last reply Reply Quote 0
            • M
              markuhde
              last edited by

              @asterix:

              dumb question here.. I have over 30 network devices and many of them do not have the option for RADIUS authentication as they are physically connected.. for example my Smart TVs, Blu-Ray players, Setop Boxes. etc. Is there a pure MAC only based authentication option in freeRADIUS that I can implement to keep my network secured and not let anyone plug anything new to the network ports unless their MAC is in freeRADIUS database?

              You need to do that with port access control on your switch.

              1 Reply Last reply Reply Quote 0
              • S
                surucu24
                last edited by

                thank you for your replyy
                i think right now it's connecting to my phpmyadmin
                Can you check the debug?

                $ radiusd -X
                FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on Jun 19 2012 at 09:11:11
                Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
                There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
                PARTICULAR PURPOSE. 
                You may redistribute copies of FreeRADIUS under the terms of the 
                GNU General Public License v2\. 
                Starting - reading configuration files ...
                including configuration file /usr/local/etc/raddb/radiusd.conf
                including configuration file /usr/local/etc/raddb/clients.conf
                including files in directory /usr/local/etc/raddb/modules/
                including configuration file /usr/local/etc/raddb/modules/wimax
                including configuration file /usr/local/etc/raddb/modules/always
                including configuration file /usr/local/etc/raddb/modules/attr_filter
                including configuration file /usr/local/etc/raddb/modules/attr_rewrite
                including configuration file /usr/local/etc/raddb/modules/chap
                including configuration file /usr/local/etc/raddb/modules/checkval
                including configuration file /usr/local/etc/raddb/modules/counter
                including configuration file /usr/local/etc/raddb/modules/cui
                including configuration file /usr/local/etc/raddb/modules/detail
                including configuration file /usr/local/etc/raddb/modules/detail.example.com
                including configuration file /usr/local/etc/raddb/modules/detail.log
                including configuration file /usr/local/etc/raddb/modules/digest
                including configuration file /usr/local/etc/raddb/modules/dynamic_clients
                including configuration file /usr/local/etc/raddb/modules/echo
                including configuration file /usr/local/etc/raddb/modules/etc_group
                including configuration file /usr/local/etc/raddb/modules/exec
                including configuration file /usr/local/etc/raddb/modules/expiration
                including configuration file /usr/local/etc/raddb/modules/expr
                including configuration file /usr/local/etc/raddb/modules/files
                including configuration file /usr/local/etc/raddb/modules/inner-eap
                including configuration file /usr/local/etc/raddb/modules/ippool
                including configuration file /usr/local/etc/raddb/modules/krb5
                including configuration file /usr/local/etc/raddb/modules/ldap
                including configuration file /usr/local/etc/raddb/modules/linelog
                including configuration file /usr/local/etc/raddb/modules/logintime
                including configuration file /usr/local/etc/raddb/modules/mac2ip
                including configuration file /usr/local/etc/raddb/modules/mschap
                including configuration file /usr/local/etc/raddb/modules/mac2vlan
                including configuration file /usr/local/etc/raddb/modules/ntlm_auth
                including configuration file /usr/local/etc/raddb/modules/opendirectory
                including configuration file /usr/local/etc/raddb/modules/otp
                including configuration file /usr/local/etc/raddb/modules/pam
                including configuration file /usr/local/etc/raddb/modules/pap
                including configuration file /usr/local/etc/raddb/modules/passwd
                including configuration file /usr/local/etc/raddb/modules/perl
                including configuration file /usr/local/etc/raddb/modules/policy
                including configuration file /usr/local/etc/raddb/modules/preprocess
                including configuration file /usr/local/etc/raddb/modules/radutmp
                including configuration file /usr/local/etc/raddb/modules/realm
                including configuration file /usr/local/etc/raddb/modules/redis
                including configuration file /usr/local/etc/raddb/modules/rediswho
                including configuration file /usr/local/etc/raddb/modules/replicate
                including configuration file /usr/local/etc/raddb/modules/smbpasswd
                including configuration file /usr/local/etc/raddb/modules/smsotp
                including configuration file /usr/local/etc/raddb/modules/soh
                including configuration file /usr/local/etc/raddb/modules/sql_log
                including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
                including configuration file /usr/local/etc/raddb/modules/sradutmp
                including configuration file /usr/local/etc/raddb/modules/unix
                including configuration file /usr/local/etc/raddb/modules/acct_unique
                including configuration file /usr/local/etc/raddb/modules/motp
                including configuration file /usr/local/etc/raddb/modules/datacounter_acct
                including configuration file /usr/local/etc/raddb/eap.conf
                including configuration file /usr/local/etc/raddb/sql.conf
                including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
                including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
                including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
                including configuration file /usr/local/etc/raddb/policy.conf
                including files in directory /usr/local/etc/raddb/sites-enabled/
                including configuration file /usr/local/etc/raddb/sites-enabled/default
                main {
                	allow_core_dumps = yes
                }
                Core dumps are enabled.
                including dictionary file /usr/local/etc/raddb/dictionary
                main {
                	name = "radiusd"
                	prefix = "/usr/local"
                	localstatedir = "/var"
                	sbindir = "/usr/local/sbin"
                	logdir = "/var/log"
                	run_dir = "/var/run"
                	radacctdir = "/var/log/radacct"
                	hostname_lookups = no
                	max_request_time = 30
                	cleanup_delay = 5
                	max_requests = 1024
                	pidfile = "/var/run/radiusd.pid"
                	checkrad = "/usr/local/sbin/checkrad"
                	debug_level = 0
                	proxy_requests = yes
                 log {
                	stripped_names = no
                	auth = yes
                	auth_badpass = yes
                	auth_goodpass = no
                	msg_badpass = ""
                	msg_goodpass = ""
                 }
                 security {
                	max_attributes = 200
                	reject_delay = 1
                	status_server = no
                 }
                }
                radiusd: #### Loading Realms and Home Servers ####
                radiusd: #### Loading Clients ####
                 client deneme {
                	ipaddr = 127.0.0.1
                	require_message_authenticator = no
                	secret = "testing123"
                	shortname = "deneme"
                	nastype = "other"
                 }
                radiusd: #### Instantiating modules ####
                 instantiate {
                 Module: Linked to module rlm_exec
                 Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
                  exec {
                	wait = no
                	input_pairs = "request"
                	shell_escape = yes
                  }
                 Module: Linked to module rlm_expr
                 Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
                 Module: Linked to module rlm_counter
                 Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter
                  counter daily {
                	filename = "/var/log/radacct/timecounter/db.daily"
                	key = "User-Name"
                	reset = "daily"
                	count-attribute = "Acct-Session-Time"
                	counter-name = "Daily-Session-Time"
                	check-name = "Max-Daily-Session"
                	reply-name = "Session-Timeout"
                	cache-size = 5000
                  }
                rlm_counter: Counter attribute Daily-Session-Time is number 11273
                rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 1369526400 [2013-05-26 00:00:00]
                 Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter
                  counter weekly {
                	filename = "/var/log/radacct/timecounter/db.weekly"
                	key = "User-Name"
                	reset = "weekly"
                	count-attribute = "Acct-Session-Time"
                	counter-name = "Weekly-Session-Time"
                	check-name = "Max-Weekly-Session"
                	reply-name = "Session-Timeout"
                	cache-size = 5000
                  }
                rlm_counter: Counter attribute Weekly-Session-Time is number 11275
                rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 1369526400 [2013-05-26 00:00:00]
                 Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter
                  counter monthly {
                	filename = "/var/log/radacct/timecounter/db.monthly"
                	key = "User-Name"
                	reset = "monthly"
                	count-attribute = "Acct-Session-Time"
                	counter-name = "Monthly-Session-Time"
                	check-name = "Max-Monthly-Session"
                	reply-name = "Session-Timeout"
                	cache-size = 5000
                  }
                rlm_counter: Counter attribute Monthly-Session-Time is number 11277
                rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 1370044800 [2013-06-01 00:00:00]
                 Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter
                  counter forever {
                	filename = "/var/log/radacct/timecounter/db.forever"
                	key = "User-Name"
                	reset = "never"
                	count-attribute = "Acct-Session-Time"
                	counter-name = "Forever-Session-Time"
                	check-name = "Max-Forever-Session"
                	reply-name = "Session-Timeout"
                	cache-size = 5000
                  }
                rlm_counter: Counter attribute Forever-Session-Time is number 11279
                rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 0 [2013-05-25 02:00:00]
                 Module: Linked to module rlm_expiration
                 Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
                  expiration {
                	reply-message = "Password Has Expired  "
                  }
                 Module: Linked to module rlm_logintime
                 Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
                  logintime {
                	reply-message = "You are calling outside your allowed timespan  "
                	minimum-timeout = 60
                  }
                 }
                radiusd: #### Loading Virtual Servers ####
                server { # from file /usr/local/etc/raddb/radiusd.conf
                 modules {
                  Module: Creating Auth-Type = MOTP
                  Module: Creating Auth-Type = digest
                  Module: Creating Autz-Type = Status-Server
                  Module: Creating Acct-Type = Status-Server
                  Module: Creating Post-Auth-Type = REJECT
                 Module: Checking authenticate {...} for more modules to load
                 Module: Linked to module rlm_pap
                 Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
                  pap {
                	encryption_scheme = "auto"
                	auto_header = no
                  }
                 Module: Linked to module rlm_chap
                 Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
                 Module: Linked to module rlm_mschap
                 Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
                  mschap {
                	use_mppe = yes
                	require_encryption = no
                	require_strong = no
                	with_ntdomain_hack = yes
                	allow_retry = yes
                  }
                 Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp
                  exec motp {
                	wait = yes
                	program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}"
                	input_pairs = "request"
                	shell_escape = yes
                  }
                 Module: Linked to module rlm_digest
                 Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest
                 Module: Linked to module rlm_unix
                 Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
                  unix {
                	radwtmp = "/var/log/radwtmp"
                  }
                 Module: Linked to module rlm_eap
                 Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
                  eap {
                	default_eap_type = "md5"
                	timer_expire = 60
                	ignore_unknown_eap_types = no
                	cisco_accounting_username_bug = no
                	max_sessions = 4096
                  }
                 Module: Linked to sub-module rlm_eap_md5
                 Module: Instantiating eap-md5
                 Module: Linked to sub-module rlm_eap_leap
                 Module: Instantiating eap-leap
                 Module: Linked to sub-module rlm_eap_gtc
                 Module: Instantiating eap-gtc
                   gtc {
                	challenge = "Password: "
                	auth_type = "PAP"
                   }
                 Module: Linked to sub-module rlm_eap_tls
                 Module: Instantiating eap-tls
                   tls {
                	rsa_key_exchange = no
                	dh_key_exchange = yes
                	rsa_key_length = 512
                	dh_key_length = 512
                	verify_depth = 0
                	CA_path = "/usr/local/etc/raddb/certs"
                	pem_file_type = yes
                	private_key_file = "/usr/local/etc/raddb/certs/server.pem"
                	certificate_file = "/usr/local/etc/raddb/certs/server.pem"
                	CA_file = "/usr/local/etc/raddb/certs/ca.pem"
                	private_key_password = "whatever"
                	dh_file = "/usr/local/etc/raddb/certs/dh"
                	random_file = "/usr/local/etc/raddb/certs/random"
                	fragment_size = 1024
                	include_length = yes
                	check_crl = no
                	cipher_list = "DEFAULT"
                	ecdh_curve = "prime256v1"
                    cache {
                	enable = no
                	lifetime = 24
                	max_entries = 255
                    }
                    verify {
                    }
                    ocsp {
                	enable = no
                	override_cert_url = no
                	url = "http://127.0.0.1/ocsp/"
                    }
                   }
                 Module: Linked to sub-module rlm_eap_ttls
                 Module: Instantiating eap-ttls
                   ttls {
                	default_eap_type = "md5"
                	copy_request_to_tunnel = no
                	use_tunneled_reply = no
                	include_length = yes
                   }
                 Module: Linked to sub-module rlm_eap_peap
                 Module: Instantiating eap-peap
                   peap {
                	default_eap_type = "mschapv2"
                	copy_request_to_tunnel = no
                	use_tunneled_reply = no
                	proxy_tunneled_request_as_eap = yes
                	soh = no
                   }
                 Module: Linked to sub-module rlm_eap_mschapv2
                 Module: Instantiating eap-mschapv2
                   mschapv2 {
                	with_ntdomain_hack = no
                	send_error = no
                   }
                 Module: Checking authorize {...} for more modules to load
                 Module: Linked to module rlm_preprocess
                 Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
                  preprocess {
                	huntgroups = "/usr/local/etc/raddb/huntgroups"
                	hints = "/usr/local/etc/raddb/hints"
                	with_ascend_hack = no
                	ascend_channels_per_line = 23
                	with_ntdomain_hack = no
                	with_specialix_jetstream_hack = no
                	with_cisco_vsa_hack = no
                	with_alvarion_vsa_hack = no
                  }
                 Module: Linked to module rlm_realm
                 Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
                  realm suffix {
                	format = "suffix"
                	delimiter = "@"
                	ignore_default = no
                	ignore_null = yes
                  }
                 Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm
                  realm ntdomain {
                	format = "prefix"
                	delimiter = "\"
                	ignore_default = no
                	ignore_null = yes
                  }
                 Module: Linked to module rlm_files
                 Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
                  files {
                	usersfile = "/usr/local/etc/raddb/users"
                	acctusersfile = "/usr/local/etc/raddb/acct_users"
                	preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
                	compat = "no"
                  }
                 Module: Linked to module rlm_sql
                 Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf
                  sql {
                	driver = "rlm_sql_mysql"
                	server = "192.168.1.226"
                	port = "3306"
                	login = "radius"
                	password = "radpass"
                	radius_db = "radius"
                	read_groups = yes
                	sqltrace = yes
                	sqltracefile = "/var/log/sqltrace.sql"
                	readclients = yes
                	deletestalesessions = yes
                	num_sql_socks = 5
                	lifetime = 0
                	max_queries = 0
                	sql_user_name = "%{User-Name}"
                	default_user_profile = ""
                	nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
                	authorize_check_query = "SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
                	authorize_reply_query = "SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id"
                	authorize_group_check_query = "SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
                	authorize_group_reply_query = "SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id"
                	accounting_onoff_query = "          UPDATE radacct           SET              acctstoptime       =  '%S',              acctsessiontime    =  unix_timestamp('%S') -                                    unix_timestamp(acctstarttime),              acctterminatecause =  '%{Acct-Terminate-Cause}',              acctstopdelay      =  %{%{Acct-Delay-Time}:-0}           WHERE acctstoptime IS NULL           AND nasipaddress      =  '%{NAS-IP-Address}'           AND acctstarttime     <= '%S'"
                	accounting_update_query = "           UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'  << 32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}'"
                	accounting_update_query_alt = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,      username,              realm,            nasipaddress,      nasportid,              nasporttype,      acctstarttime,     acctsessiontime,              acctauthentic,    connectinfo_start, acctinputoctets,              acctoutputoctets, calledstationid,   callingstationid,              servicetype,      framedprotocol,    framedipaddress,              acctstartdelay,   xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                       INTERVAL (%{%{Acct-Session-Time}:-0} +                                 %{%{Acct-Delay-Time}:-0}) SECOND),                       '%{Acct-Session-Time}',              '%{Acct-Authentic}', '',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Service-Type}', '%{Framed-Protocol}',              '%{Framed-IP-Address}',              '0', '%{X-Ascend-Session-Svr-Key}')"
                	accounting_start_query = "           INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
                	accounting_start_query_alt = "           UPDATE radacct SET              acctstarttime     = '%S',              acctstartdelay    = '%{%{Acct-Delay-Time}:-0}',              connectinfo_start = '%{Connect-Info}'           WHERE acctsessionid  = '%{Acct-Session-Id}'           AND username         = '%{SQL-User-Name}'           AND nasipaddress     = '%{NAS-IP-Address}'"
                	accounting_stop_query = "           UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}'"
                	accounting_stop_query_alt = "           INSERT INTO radacct             (acctsessionid, acctuniqueid, username,              realm, nasipaddress, nasportid,              nasporttype, acctstarttime, acctstoptime,              acctsessiontime, acctauthentic, connectinfo_start,              connectinfo_stop, acctinputoctets, acctoutputoctets,              calledstationid, callingstationid, acctterminatecause,              servicetype, framedprotocol, framedipaddress,              acctstartdelay, acctstopdelay)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}',              DATE_SUB('%S',                  INTERVAL (%{%{Acct-Session-Time}:-0} +                  %{%{Acct-Delay-Time}:-0}) SECOND),              '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '',              '%{Connect-Info}',              '%{%{Acct-Input-Gigawords}:-0}' << 32 |              '%{%{Acct-Input-Octets}:-0}',              '%{%{Acct-Output-Gigawords}:-0}' << 32 |              '%{%{Acct-Output-Octets}:-0}',              '%{Called-Station-Id}', '%{Calling-Station-Id}',              '%{Acct-Terminate-Cause}',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',              '0', '%{%{Acct-Delay-Time}:-0}')"
                	group_membership_query = "SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority"
                	connect_failure_retry_delay = 60
                	simul_count_query = ""
                	simul_verify_query = "SELECT radacctid, acctsessionid, username,                                nasipaddress, nasportid, framedipaddress,                                callingstationid, framedprotocol                                FROM radacct                                WHERE username = '%{SQL-User-Name}'                                AND acctstoptime IS NULL"
                	postauth_query = "INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S')"
                	safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
                  }
                rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
                rlm_sql (sql): Attempting to connect to radius@192.168.1.226:3306/radius
                rlm_sql (sql): starting 0
                rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
                rlm_sql_mysql: Starting connect to MySQL server for #0
                rlm_sql (sql): Connected new DB handle, #0
                rlm_sql (sql): starting 1
                rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
                rlm_sql_mysql: Starting connect to MySQL server for #1
                rlm_sql (sql): Connected new DB handle, #1
                rlm_sql (sql): starting 2
                rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
                rlm_sql_mysql: Starting connect to MySQL server for #2
                rlm_sql (sql): Connected new DB handle, #2
                rlm_sql (sql): starting 3
                rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
                rlm_sql_mysql: Starting connect to MySQL server for #3
                rlm_sql (sql): Connected new DB handle, #3
                rlm_sql (sql): starting 4
                rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
                rlm_sql_mysql: Starting connect to MySQL server for #4
                rlm_sql (sql): Connected new DB handle, #4
                rlm_sql (sql): Processing generate_sql_clients
                rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
                rlm_sql (sql): Reserving sql socket id: 4
                rlm_sql_mysql: query:  SELECT id, nasname, shortname, type, secret, server FROM nas
                rlm_sql (sql): Released sql socket id: 4
                 Module: Linked to module rlm_checkval
                 Module: Instantiating module "checkval" from file /usr/local/etc/raddb/modules/checkval
                  checkval {
                	item-name = "Calling-Station-Id"
                	check-name = "Calling-Station-Id"
                	data-type = "string"
                	notfound-reject = no
                  }
                rlm_checkval: Registered name Calling-Station-Id for attribute 31
                 Module: Checking preacct {...} for more modules to load
                 Module: Linked to module rlm_acct_unique
                 Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
                  acct_unique {
                	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
                  }
                 Module: Checking accounting {...} for more modules to load
                 Module: Linked to module rlm_detail
                 Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
                  detail {
                	detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
                	header = "%t"
                	detailperm = 384
                	dirperm = 493
                	locking = no
                	log_packet_header = no
                  }
                 Module: Instantiating module "datacounterdaily" from file /usr/local/etc/raddb/modules/datacounter_acct
                  exec datacounterdaily {
                	wait = yes
                	program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                	input_pairs = "request"
                	shell_escape = yes
                  }
                 Module: Instantiating module "datacounterweekly" from file /usr/local/etc/raddb/modules/datacounter_acct
                  exec datacounterweekly {
                	wait = yes
                	program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                	input_pairs = "request"
                	shell_escape = yes
                  }
                 Module: Instantiating module "datacountermonthly" from file /usr/local/etc/raddb/modules/datacounter_acct
                  exec datacountermonthly {
                	wait = yes
                	program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                	input_pairs = "request"
                	shell_escape = yes
                  }
                 Module: Instantiating module "datacounterforever" from file /usr/local/etc/raddb/modules/datacounter_acct
                  exec datacounterforever {
                	wait = yes
                	program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
                	input_pairs = "request"
                	shell_escape = yes
                  }
                 Module: Linked to module rlm_radutmp
                 Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
                  radutmp {
                	filename = "/var/log/radutmp"
                	username = "%{User-Name}"
                	case_sensitive = yes
                	check_with_nas = yes
                	perm = 384
                	callerid = yes
                  }
                 Module: Linked to module rlm_attr_filter
                 Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
                  attr_filter attr_filter.accounting_response {
                	attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
                	key = "%{User-Name}"
                	relaxed = no
                  }
                 Module: Checking session {...} for more modules to load
                 Module: Checking pre-proxy {...} for more modules to load
                 Module: Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/modules/attr_filter
                  attr_filter attr_filter.pre-proxy {
                	attrsfile = "/usr/local/etc/raddb/attrs.pre-proxy"
                	key = "%{Realm}"
                	relaxed = no
                  }
                 Module: Checking post-proxy {...} for more modules to load
                 Module: Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/modules/attr_filter
                  attr_filter attr_filter.post-proxy {
                	attrsfile = "/usr/local/etc/raddb/attrs"
                	key = "%{Realm}"
                	relaxed = no
                  }
                 Module: Checking post-auth {...} for more modules to load
                 Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
                  attr_filter attr_filter.access_reject {
                	attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
                	key = "%{User-Name}"
                	relaxed = no
                  }
                 } # modules
                } # server
                radiusd: #### Opening IP addresses and Ports ####
                listen {
                	type = "auth"
                	ipaddr = 127.0.0.1
                	port = 1812
                Failed binding to authentication address 127.0.0.1 port 1812: Address already in use 
                /usr/local/etc/raddb/radiusd.conf[36]: Error binding to port for 127.0.0.1 port 1812
                
                1 Reply Last reply Reply Quote 0
                • cmcdonaldC
                  cmcdonald Netgate Developer
                  last edited by

                  I followed this tutorial to the letter:

                  http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

                  However, I'm seeing "radtest:: Failed to find IP address for pfSense.localdomain"

                  I also see this:

                  May 25 05:17:03 radiusd[4072]: Ready to process requests.
                  May 25 05:17:03 radiusd[3799]: Loaded virtual server <default>Any ideas?

                  Edit: I found that if I add a host override in my dns forwarder, the error goes away. Is this a bug?</default>

                  Need help fast? https://www.netgate.com/support

                  1 Reply Last reply Reply Quote 0
                  • A
                    Alan87i
                    last edited by

                    @asterix:

                    dumb question here.. I have over 30 network devices and many of them do not have the option for RADIUS authentication as they are physically connected.. for example my Smart TVs, Blu-Ray players, Setop Boxes. etc. Is there a pure MAC only based authentication option in freeRADIUS that I can implement to keep my network secured and not let anyone plug anything new to the network ports unless their MAC is in freeRADIUS database?

                    I have this running on PF2.0.3
                    Mac auth http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#FreeRADIUS_Plain-MAC-Auth_with_Captive_Portal
                    each device's mac address is entered as a user name.  They all get the same PW.
                    It's a bit of work setting it up.
                    IE if you have 1 or 2 wireless AP's I found the best way was to add there IP in the pass through page of CP and make a user with the mac address for all the connected devices.
                    You can watch the portal auth log for errors and it will show you the mac that's trying to connect. Copy and paste in a new user field.

                    Setup  time limits for users (devices) Bandwidth control counter seems to work fine in 2.0.3 with start stop in cp.

                    1 Reply Last reply Reply Quote 0
                    • N
                      Nachtfalke
                      last edited by

                      @surucu24
                      Connection to mysql seems to be ok but it looks like your listening interface is already used.
                      Easiest way to configure the listening interface is to create an interface for authentication (1812) and one for accounting (1813) if needed.

                      as IP address just use  *  which means all interfaces. This is the best way to make sure that the basic configuration is working.

                      @vbman213:

                      I followed this tutorial to the letter:

                      http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

                      However, I'm seeing "radtest:: Failed to find IP address for pfSense.localdomain"

                      I also see this:

                      May 25 05:17:03 radiusd[4072]: Ready to process requests.
                      May 25 05:17:03 radiusd[3799]: Loaded virtual server <default>Any ideas?

                      Edit: I found that if I add a host override in my dns forwarder, the error goes away. Is this a bug?</default>

                      The both syslog messages say that the configuration for the server "default" is working and the radius server is running and waiting for requests.

                      If radtest is working with IP addresses then radius is working. If it does not wir FQDN then something with your DNS needs to be fixed.

                      1 Reply Last reply Reply Quote 0
                      • cmcdonaldC
                        cmcdonald Netgate Developer
                        last edited by

                        I am running a virgin installation of 2.0.3 and having this issue, even with using * as the listening interface.

                        I installed the package, created a user, created an interface using * as the interface, port 1812 authentication.

                        Then I created an client.

                        Running radtest testuser testpassword 127.0.0.1:1812 0 testing123 results in the "Failed to find IP address"

                        Need help fast? https://www.netgate.com/support

                        1 Reply Last reply Reply Quote 0
                        • cmcdonaldC
                          cmcdonald Netgate Developer
                          last edited by

                          @Nachtfalke:

                          @surucu24
                          Connection to mysql seems to be ok but it looks like your listening interface is already used.
                          Easiest way to configure the listening interface is to create an interface for authentication (1812) and one for accounting (1813) if needed.

                          as IP address just use   *   which means all interfaces. This is the best way to make sure that the basic configuration is working.

                          @vbman213:

                          I followed this tutorial to the letter:

                          http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

                          However, I'm seeing "radtest:: Failed to find IP address for pfSense.localdomain"

                          I also see this:

                          May 25 05:17:03 radiusd[4072]: Ready to process requests.
                          May 25 05:17:03 radiusd[3799]: Loaded virtual server <default>Any ideas?

                          Edit: I found that if I add a host override in my dns forwarder, the error goes away. Is this a bug?</default>

                          The both syslog messages say that the configuration for the server "default" is working and the radius server is running and waiting for requests.

                          If radtest is working with IP addresses then radius is working. If it does not wir FQDN then something with your DNS needs to be fixed.

                          Okay, I just confirmed that I found a "bug" in either the package or the documentation for the package. If you only have a WAN interface defined, the tutorial in the documentation does not work.

                          Need help fast? https://www.netgate.com/support

                          1 Reply Last reply Reply Quote 0
                          • N
                            Nachtfalke
                            last edited by

                            Hi vbman213,

                            when I wrote the documentation I tested with two interfaces. I don't see actually a reason why it should be different when using just one interface so could you explain what you did different?

                            1 Reply Last reply Reply Quote 0
                            • cmcdonaldC
                              cmcdonald Netgate Developer
                              last edited by

                              I was lab testing a freeradius deployment on a virtualbox pfsense installation. I only had one interface (WAN) configured from from the post-installation console prompts. The VM actually had two interfaces "installed" but I didn't bother to configure the LAN interface. The WAN interface was configured as a bridge to my physical lan and I just ran pfctl -d to disable the packet filter to create a wildcard rule to allow all traffic into the wan interface. At that point, I followed the tutorial provided in the wiki and received the messages that i posted earlier. After experimenting, I found that the problem involved DNS and upon adding a LAN interface, everything starting working as per the tutorial. Does this help?

                              Need help fast? https://www.netgate.com/support

                              1 Reply Last reply Reply Quote 0
                              • N
                                Nachtfalke
                                last edited by

                                Hmm, not sure.

                                Could it be a problem with NAT/PortForwarding on the WAN interface or "block bogons" or "block local IPs" on the WAN interface which could be there bei default!?

                                When you go to freeradius –> view config --> radiusd.conf

                                There you can find some "listening" sections which specify the IP and port freeradius listens to. That means that the switch or wireless-AP must be able to communicate with this IP and port.
                                This shouldn't make any difference if the pfsense is running with one or two interfaces nor as bridge or router.

                                1 Reply Last reply Reply Quote 0
                                • H
                                  harshkukreja
                                  last edited by

                                  Hi!

                                  Please help me in resolving the below errors whenever running radiusd -X

                                  rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
                                  rlm_sql (sql): Attempting to connect to radius@172.16.10.19:3306/radius
                                  rlm_sql (sql): starting 0
                                  rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
                                  rlm_sql_mysql: Starting connect to MySQL server for #0
                                  rlm_sql_mysql: Couldn't connect socket to MySQL server radius@172.16.10.19:radius
                                  rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on '172.16.10.19' (60)'
                                  rlm_sql (sql): Failed to connect DB handle #0
                                  rlm_sql (sql): starting 1
                                  rlm_sql (sql): starting 2
                                  rlm_sql (sql): starting 3
                                  rlm_sql (sql): starting 4
                                  rlm_sql (sql): Failed to connect to any SQL server.
                                  rlm_sql (sql): Processing generate_sql_clients
                                  rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
                                  rlm_sql (sql): Ignoring unconnected handle 4..
                                  rlm_sql (sql): Ignoring unconnected handle 3..
                                  rlm_sql (sql): Ignoring unconnected handle 2..
                                  rlm_sql (sql): Ignoring unconnected handle 1..
                                  rlm_sql (sql): Ignoring unconnected handle 0..
                                  rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
                                  Failed to load clients from SQL.
                                  rlm_sql (sql): Closing sqlsocket 4
                                  rlm_sql (sql): Closing sqlsocket 3
                                  rlm_sql (sql): Closing sqlsocket 2
                                  rlm_sql (sql): Closing sqlsocket 1
                                  rlm_sql (sql): Closing sqlsocket 0
                                  /usr/local/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
                                  /usr/local/etc/raddb/sites-enabled/default[185]: Failed to load module "sql".
                                  /usr/local/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
                                  /usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section

                                  Thanks & Regards

                                  Harsh Kukreja

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    msi
                                    last edited by

                                    (warning ahead I'm not used to configuring FreeRADIUS on pfSense/GUI but rather in plain configs)

                                    Anyway: It means that your FreeRADIUS server is trying to connect to a (likely to be) remote MySQL server (172.16.10.19) which it can't connect to.
                                    Since you must have configured it for SQL user authentication, it can't start correctly as it can't read a valid list of users from your MySQL server.

                                    Try to fix the connection to the MySQL server or disable MySQL authentication/authorization (for test) and try to use local authentication.
                                    Are you positive about using SQL for authentication? I only use it for RADIUS accounting and thereafter limiting concurrent access - so
                                    that's my real-world use with (Postgre)SQL.

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      MaxHeadroom
                                      last edited by

                                      Hi ,

                                      i tried the package with otp and it work's but if client is behind server time (my mobile provider is 30 sec in the past !) i am not able to login (tested with radtest) .
                                      worked like a charme with online mtop calculator but never with DroidOTP and "TIME OFFSET 30 or  -30 "
                                      Maybe i am doing something wrong but i do not know what.
                                      The OTP Passcode from the mobile phone is 30 sec. later the same as the online calc did.

                                      Maybe someone can give a hint or maybe minus offset is not possible ….

                                      regards

                                      max

                                      1 Reply Last reply Reply Quote 0
                                      • N
                                        Nachtfalke
                                        last edited by

                                        @MaxHeadroom:

                                        Hi ,

                                        i tried the package with otp and it work's but if client is behind server time (my mobile provider is 30 sec in the past !) i am not able to login (tested with radtest) .
                                        worked like a charme with online mtop calculator but never with DroidOTP and "TIME OFFSET 30 or  -30 "
                                        Maybe i am doing something wrong but i do not know what.
                                        The OTP Passcode from the mobile phone is 30 sec. later the same as the online calc did.

                                        Maybe someone can give a hint or maybe minus offset is not possible ….

                                        regards

                                        max

                                        Hi,

                                        Did you calculate the Epoch-Time?
                                        1. Write down the first 9 digits of the Epoch-Time on the client.
                                        2. Check with date +%s the Epoch-Time on your FreeRADIUS server and write down the first 9 digits.
                                        3. Subtract both values, multiply the result with 10 and enter the value in this field. (Default: 0)

                                        But in general it should not neccessary to change this if your mobile device changes its timezone automatically.

                                        Further you can try increasing the "OTP Lifetime" in freeradius –> settings.
                                        You can set it to 6 which means 60s. Even if the mobile clients always generate new keys every 30s it should be possible to use a generated key 60s instead of just 30s.

                                        The more you increase this time the more "insecure" OTP will become. Probably noone will get access with a key (without PIN) which has a lifetime of a few minutes.

                                        ---- edit ----
                                        You are right. The script does not accept negative values. You could modify the script here:
                                        freeradius.inc
                                        line 4027
                                        replace:

                                        EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET`
                                        

                                        with

                                        EPOCHTIME=`expr \$EPOCHTIME - \$OFFSET`
                                        

                                        Could be something what should be added to the GUI.

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          MaxHeadroom
                                          last edited by

                                          Hi,

                                          yes i calc the epoch time like descript on the web interface:
                                          (9digits (from left client time)  - 9digit (from left server time)) *10 = -30

                                          date +%s = 10digits, so why the hell not taking  (10digits (from left client time) - 10digits (from left server time)) = 30 ?? (or if 39 nearer 40 than 30 !!)

                                          It's not a problem of the timezone it's a mobile provider problem; the android is 30 sec in the past.
                                          (Is the offset 1 equal 1 hour, i hope not.)

                                          If i set the lifetime on server side  higher than on the client (DroidOTP is fixed to 10 sec lifetime) than i had guess/try 6 keys maybe on is working not a good idea.

                                          I know to solve the problem with manual set the client time but i want to find out how it work with time offset and maybe there is a bug or a wrong hint on the webinterface

                                          regards max

                                          –----edit----
                                          The Gui save the Offset in the right way:

                                          /usr/pbi/freeradius-i386/etc/users

                                          "otpuser" Auth-Type = motp
                                          MOTP-Init-Secret = 912ae1361854139e,
                                          MOTP-PIN = 1234,
                                          MOTP-Offset = -30

                                          Use Freeradius teh otpverify.sh script ? If yes then there is the faulty part

                                          OFFSET=echo -n "$5" | sed 's/[^0-9]/0/g'
                                          [[/sub]
                                          -10 is then 010….
                                          should be

                                          OFFSET=echo -n "$5" | sed 's/[^0-9-]/0/g'

                                          but is a little be dirty could also be 1-0 …..

                                          1 Reply Last reply Reply Quote 0
                                          • N
                                            Nachtfalke
                                            last edited by

                                            @MaxHeadroom:

                                            Hi,

                                            yes i calc the epoch time like descript on the web interface:
                                            (9digits (from left client time)  - 9digit (from left server time)) *10 = -30

                                            date +%s = 10digits, so why the hell not taking  (10digits (from left client time) - 10digits (from left server time)) = 30 ?? (or if 39 nearer 40 than 30 !!)

                                            It's not a problem of the timezone it's a mobile provider problem; the android is 30 sec in the past.
                                            (Is the offset 1 equal 1 hour, i hope not.)

                                            If i set the lifetime on server side  higher than on the client (DroidOTP is fixed to 10 sec lifetime) than i had guess/try 6 keys maybe on is working not a good idea.

                                            I know to solve the problem with manual set the client time but i want to find out how it work with time offset and maybe there is a bug or a wrong hint on the webinterface

                                            regards max

                                            –----edit----
                                            The Gui save the Offset in the right way:

                                            /usr/pbi/freeradius-i386/etc/users

                                            "otpuser" Auth-Type = motp
                                            MOTP-Init-Secret = 912ae1361854139e,
                                            MOTP-PIN = 1234,
                                            MOTP-Offset = -30

                                            Use Freeradius teh otpverify.sh script ? If yes then there is the faulty part

                                            OFFSET=echo -n "$5" | sed 's/[^0-9]/0/g'
                                            [[/sub]
                                            -10 is then 010….
                                            should be

                                            OFFSET=echo -n "$5" | sed 's/[^0-9-]/0/g'

                                            but is a little be dirty could also be 1-0 …..

                                            Did you read what I wrote about the part on the freeradius.inc ?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.