Thanks for the input Alan, definitely I am sure FreeRADIUS is much better... what can be better than thousands of users, open source, free, and feature rich as it is... I apologize to all for the subject of my inquiry; I wanted somebody who has tested Aradial and FreeRADIUS to tell me how professional this "Aradial" can be.
I am scared because I am about to deploy a RADIUS AAA server in my network, and I was looking into commercial options such as: Huawei: $500,000 DLLS (yes... DAMN!), Juniper: $100,000 DLLS (!!!)... and here is FreeRADIUS... but I have no idea how to configure it; it scares me because there is no manual to tell me step by step how to configure it to fit my needs and to fit my equipment....
I am in a cellular network (CDMA2000). I need to create two domains in AAA, one for EVDO and other internet services, the other for MMSC services, in order to have the capability of adding different subscribers in AAA under different domains; that way we can bill MMS and EVDO as separate services.
I downloaded the FreeRADIUS mysql port on one FreeBSD box. I have no idea how to start configuring it; there are many .conf files, and each config file is huge... You told me in another reply that I have to configure FreeRADIUS to respond with the correct attributes that are needed by the PDSN; how can I know that? The Huawei PDSN documentation I have only tells how to configure the NAS with the "Huawei AAA" and doesn't say much about attributes.... Can you please tell me what you mean by "attributes that are needed by the PDSN"? What are those attributes and what do they do?
5. Re: MAC Auth (new problem) (Nataniel Klug)
6. Re: FreeRADIUS vs Aradial RADIUS (Alan DeKok)
7. Re: Somewhat OT: Captive portal on access points instead of complex supplicant at end-user level? (Alexander Clouter)
----------------------------------------------------------------------
Message: 1
Date: Mon, 15 Dec 2008 19:36:48 +0100
Subject: Re: Attributes Bandwidth in radgrouprepy table
To: "FreeRadius users mailing list"
Content-Type: text/plain; charset=ISO-8859-2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
attribute, value, op FROM radcheck WHERE username =
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
Fix that.
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
And what happened to authorize_reply_query? It would be helpful to see
part of the server startup debug where the sql module is instantiated.
Ivan Kalik
Kalik Informatika ISP
It's checking the query in radcheck but not in radgroupreply. And I've
tested the query in dialup.conf and it seems correct:
authorize_group_reply_query = "SELECT ${groupreply_table}.id,
${groupreply_table}.GroupName,${groupreply_table}.Attribute,
${groupreply_table}.Value,${groupreply_table}.op FROM
${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username
= '%{SQL-User-Name}' AND ${usergroup_table}.GroupName =
${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
Thanks in advance
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
------------------------------
Message: 2
Date: Mon, 15 Dec 2008 19:45:40 +0100
Subject: Re: MAC Auth (new problem)
To: "FreeRadius users mailing list"
Content-Type: text/plain; charset=ISO-8859-2
Ready to process requests.
rad_recv: Access-Request packet from host 172.30.0.165 port 6001, id=3,
length=69
User-Name = "00:19:79:0F:98:3D"
User-Password = "cnett1298"
NAS-IP-Address = 172.30.0.165
NAS-Port = 0
server proxim {
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql_ap2000] expand: %{User-Name} -> 00:19:79:0F:98:3D
[sql_ap2000] sql_set_user escaped user --> '00:19:79:0F:98:3D'
rlm_sql (sql_ap2000): Reserving sql socket id: 4
[sql_ap2000] expand: SELECT id, username, attribute, value,
op FROM radcheck WHERE value =
'%{SQL-User-Name}' ORDER BY id -> SELECT id, username,
attribute, value, op FROM radcheck WHERE value =
'00:19:79:0F:98:3D' ORDER BY id
[sql_ap2000] expand: SELECT groupname FROM
usergroup WHERE username = '%{SQL-User-Name}' ORDER
BY priority -> SELECT groupname FROM usergroup WHERE
username = '00:19:79:0F:98:3D' ORDER BY priority
rlm_sql (sql_ap2000): Released sql socket id: 4
[sql_ap2000] User 00:19:79:0F:98:3D not found
++[sql_ap2000] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Rejecting the user
Failed to authenticate the user.
Login incorrect: [00:19:79:0F:98:3D/cnett1298] (from client ap2000 port 0)
} # server proxim
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 3 to 172.30.0.165 port 6001
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +29
Ready to process requests.
mysql> SELECT * FROM radcheck WHERE Username="marmatec";
+------+----------+--------------------+----+-------------------+--------+------+
| id   | UserName | Attribute          | op | Value             | numero | obs  |
+------+----------+--------------------+----+-------------------+--------+------+
|  796 | marmatec | Cleartext-Password | := | 654321            | 00923  |      |
| 1886 | marmatec | Calling-Station-Id | == | 00:19:79:0F:98:3D | 00923  | NULL |
+------+----------+--------------------+----+-------------------+--------+------+
On mysql/sql/ap2000.conf (copy of dialup.conf file) I just changed
WHERE value = '%{SQL-User-Name}' \
I really don't know how to make this work. Can someone help me?
Let's try again: put the MAC address into the radcheck table as the UserName
field. Without that, MAC authentication is not going to work. If your
"administration system" has something against it, throw it away and
write another one yourself. Or use dialup admin (comes with the server)
or something like daloRadius.
Ivan Kalik
Kalik Informatika ISP
------------------------------
Message: 3
Date: Mon, 15 Dec 2008 20:01:15 +0100
Subject: Re: calling-station-id filtering with checkval
To: "FreeRadius users mailing list"
Content-Type: text/plain; charset=ISO-8859-2
Look again. Hint: have a look at your radcheck entry and the one in the
document.
Ivan Kalik
Kalik Informatika ISP
Alan,
Honestly I have read this document but I do not see what I need to do.
On Mon, Dec 15, 2008 at 1:37 AM, Alan DeKok
I see the MAC address from the Calling-Station-Id, but then it will
not log in with the user.
If I delete row 26 with Calling-Station-Id it will permit that user
to log in.
Read doc/rlm_sql. This is explained.
Alan DeKok.
--
Justin A Williams
------------------------------
Message: 4
Date: Mon, 15 Dec 2008 20:07:43 +0100
Subject: Re: calling-station-id filtering with checkval
To: "FreeRadius users mailing list"
Content-Type: text/plain; charset=ISO-8859-2
PS. You don't need checkval in inner-tunnel or you should copy request
attributes into the tunnel as well (see eap.conf, peap section).
Ivan Kalik
Kalik Informatika ISP
Alan,
Honestly I have read this document but I do not see what I need to do.
On Mon, Dec 15, 2008 at 1:37 AM, Alan DeKok
I see the MAC address from the Calling-Station-Id, but then it will
not log in with the user.
If I delete row 26 with Calling-Station-Id it will permit that user
to log in.
Read doc/rlm_sql. This is explained.
Alan DeKok.
--
Justin A Williams
------------------------------
Message: 5
Date: Mon, 15 Dec 2008 17:30:06 -0200
Subject: Re: MAC Auth (new problem)
To: FreeRadius users mailing list
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Ivan,
I can just throw it away... and I still need this to work. There should
be some way to make this happen...
Let's try again: put the MAC address into the radcheck table as the UserName
field. Without that, MAC authentication is not going to work. If your
"administration system" has something against it, throw it away and
write another one yourself. Or use dialup admin (comes with the server)
or something like daloRadius.
Ivan Kalik
Kalik Informatika ISP
--
Regards,
NATANIEL KLUG
READ NATA'S DAY-TO-DAY
http://nataklug.blogspot.com/
Cyber Nett - Internet Banda Larga
www.cnett.com.br
(42) 3635-2957
Rua Diogo Pinto, 1046, Centro
Laranjeiras do Sul - PR
Brasil - 85301-290
"... the wise, too, have a tangible heart and can, at times, use science as a
means of demonstrating sentimental impressions of which many do not judge them
capable."
Visconde de Taunay
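The two failures in this MAC-auth / Calling-Station-Id exchange (the debug trace ending in "User 00:19:79:0F:98:3D not found", and the user who can only log in after deleting the Calling-Station-Id row) both come from how rlm_sql selects and then compares radcheck rows. The following Python is an added illustration written for this digest; it is not FreeRADIUS code and was not posted by anyone in the thread. It models the documented behaviour of the stock authorize_check_query (rows are keyed on UserName, never on Value), of the '==' and ':=' check-item operators, and of rlm_pap's need for a "known good" Cleartext-Password. The table rows, the requests, the id 2001 and the function names are all constructed for the example.

```python
"""Toy model of how rlm_sql and rlm_pap treat radcheck rows (added example)."""
from typing import Dict, List, Tuple

Row = Dict[str, str]

# Constructed radcheck table.  Rows 796/1886 copy the shape of the table posted
# in the thread (Cleartext-Password with ':=', Calling-Station-Id with '==');
# the MAC-keyed row is what Ivan asked for: the address itself in UserName.
MAC = "00:19:79:0F:98:3D"
RADCHECK_BEFORE: List[Row] = [
    {"id": "796", "username": "marmatec", "attribute": "Cleartext-Password", "op": ":=", "value": "654321"},
    {"id": "1886", "username": "marmatec", "attribute": "Calling-Station-Id", "op": "==", "value": MAC},
]
RADCHECK_AFTER: List[Row] = RADCHECK_BEFORE + [
    {"id": "2001", "username": MAC, "attribute": "Cleartext-Password", "op": ":=", "value": "cnett1298"},
]

# Constructed Access-Requests.  The first mirrors what the AP sent in the debug
# output: the MAC as User-Name, and no Calling-Station-Id attribute at all.
AP_REQUEST: Row = {"User-Name": MAC, "User-Password": "cnett1298", "NAS-IP-Address": "172.30.0.165"}
MARMATEC_REQUEST: Row = {"User-Name": "marmatec", "User-Password": "654321", "Calling-Station-Id": MAC}


def sql_authorize(request: Row, radcheck: List[Row], key_column: str = "username") -> Tuple[str, Row]:
    """Model of rlm_sql authorize: returns (module result, control items).

    key_column="username" is the stock authorize_check_query
    (WHERE username = '%{SQL-User-Name}'); key_column="value" reproduces the
    "WHERE value = ..." edit made to ap2000.conf in the thread.
    """
    user = request.get("User-Name", "")
    rows = [r for r in radcheck if r[key_column] == user]
    control: Row = {}
    for r in rows:
        if r["op"] == "==":
            # Check item: must equal the same attribute in the request.  A missing
            # or different attribute fails the comparison, so the rows do not match.
            if request.get(r["attribute"]) != r["value"]:
                rows = []
                break
        elif r["op"] == ":=":
            control[r["attribute"]] = r["value"]      # e.g. Cleartext-Password
        else:
            raise ValueError("operator %r not modelled here" % r["op"])
    if not rows:
        return "notfound", {}       # debug: "User <name> not found"
    return "ok", control            # debug: "User found in radcheck table"


def pap_authenticate(request: Row, control: Row) -> str:
    """Model of rlm_pap: needs a 'known good' Cleartext-Password control item."""
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        return "noop"               # 'No "known good" password found for the user.'
    return "ok" if request.get("User-Password") == known_good else "reject"


def process(request: Row, radcheck: List[Row], key_column: str = "username") -> str:
    """authorize + authenticate; anything short of a PAP 'ok' is an Access-Reject."""
    result, control = sql_authorize(request, radcheck, key_column)
    if result != "ok":
        return "reject"             # no matching rows, no Auth-Type: "Rejecting the user"
    return "accept" if pap_authenticate(request, control) == "ok" else "reject"


def walkthrough() -> Dict[str, str]:
    """The cases discussed in the thread, labelled by what was tried."""
    other_device = {**MARMATEC_REQUEST, "Calling-Station-Id": "00:11:22:33:44:55"}
    no_csid = {k: v for k, v in MARMATEC_REQUEST.items() if k != "Calling-Station-Id"}
    return {
        "mac_as_username_missing": process(AP_REQUEST, RADCHECK_BEFORE),
        "lookup_by_value_instead": process(AP_REQUEST, RADCHECK_BEFORE, "value"),
        "mac_as_username_present": process(AP_REQUEST, RADCHECK_AFTER),
        "csid_matches": process(MARMATEC_REQUEST, RADCHECK_AFTER),
        "csid_other_device": process(other_device, RADCHECK_AFTER),
        "csid_absent_from_request": process(no_csid, RADCHECK_AFTER),
    }


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print("%-26s -> %s" % (case, outcome))
```

Two of the cases are the thread's own symptoms: keying the query on Value returns the Calling-Station-Id row for marmatec, but the AP's request carries no Calling-Station-Id, so the '==' comparison fails and rlm_sql reports the MAC as not found; and a user whose request reaches the check with a different or absent Calling-Station-Id (for instance inside inner-tunnel when the outer attributes were not copied in, as the PS above notes) is rejected until that row is removed or the attribute is supplied.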
------------------------------
Message: 6
Date: Mon, 15 Dec 2008 21:03:36 +0100
Subject: Re: FreeRADIUS vs Aradial RADIUS
To: FreeRadius users mailing list
Content-Type: text/plain; charset=ISO-8859-1
Hello guys, I am a little bit scared how hard can be to deploy the
FreeRADIUS, I found this in the internet: (aradial.com) this guys claim to
have a very convenient and professional AAA server with a convenient price,
does anybody here have experience with that "aradial radius server"? What
would be the pros and cons of purchasing it instead of having the FreeRADIUS
one?
Don't ask us if we think Aradial is better than FreeRADIUS. We
*know*. FreeRADIUS is better.
However...
Perhaps you could describe your needs in a little more detail. What
are you trying to do with a RADIUS server? Why are you "scared" to
deploy FreeRADIUS?
FreeRADIUS is used in nearly 100,000 organizations, from 10 users to
over 10 million users. It's the most widely used RADIUS server in the
world. Everyone *else* thinks FreeRADIUS is fine.
And if Aradial has 1/10 the installations of FreeRADIUS, I'll be very
impressed.
Alan DeKok.
------------------------------
Message: 7
Date: Mon, 15 Dec 2008 20:01:08 +0000
Subject: Re: Somewhat OT: Captive portal on access points instead of complex supplicant at end-user level?
Thanks for ideas,
*Automatized SecureW2 installer (ttls)
*Web Page with "secondary" password for peap
But even so, some users find somewhat hard to use.
We seem to have no real problems with SecureW2 and our userbase. Mac OS
X users 'import' the configuration (if they are 10.3 or 10.4) and WinXP
users get a light time of it with my SecureW2 preconfiguration script
with some NSIS wrapper action to spoonfeed them during problematic bits.
Of course SecureW2 + WinXP + SP3 + wired 802.1X is fruity at the moment,
which is our current problem; however, that's a grumble for another
thread.
The only problems we have is that we are 'awkward' and force WPA2 only
and do not give into those WPA (version 1) TKIP weenies.
I've tried, with no success at this moment, to use more than one SSID on
OpenWRT on Linksys WRT54GL...
Do not ever go down this route[1]. It completely negates the point of
having a WPA Enterprise network when someone comes along with an evil
twin network and gets the user to install a 'springboard' application to
get onto the better network. It's as counterproductive as using
PEAP/TTLS without full certificate validation.... :-/
If you want my NSIS and/or SecureW2 INF file do drop me an email. The
springboard'ing issue we resolved by dumping everything onto a CD and
distributed them to the masses that way. Even if this is not an option
for you (like us in education with 'student welcome packs') if you make
the CD's readily available near hotspots and what not in public areas
people will find what they need.
Cheers
Alex
[1] I have convinced myself it's safe for a wired network, getting
non-802.1X clients 802.1X'ified, but just not worth the risk for
wireless clients
--
Alexander Clouter
.sigmonster says: Succumb to natural tendencies. Be hateful and boring.
------------------------------
End of Freeradius-Users Digest, Vol 44, Issue 82
************************************************