I tried to configure FreeRADIUS with OpenLDAP ... When I try with radtest, it shows an error in the radius log:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for hendra
        expand: (uid=%u) -> (uid=hendra)
        expand: dc=homelinux,dc=net -> dc=homelinux,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert Directory to /etc/ssl/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: setting TLS Cert File to /etc/ssl/ldap.pem
rlm_ldap: setting TLS Key File to /etc/openldap/ssl/ldap.pem
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail

My LDAP supports TLS ...

[Please Help] and [Thank You]


(1 replies, posted in Chillispot Configuration)

When I upgrade my iptables, there is a warning: -The "nat" table is not intended for filtering, hence the use of DROP is deprecated and will permanently be disabled in the next iptables release. Please adjust your scripts.-

I configured my iptables scripts like in http://www.chillispot.info/chilliforum/ … php?id=189

How do I fix this error with the new iptables scripts while still blocking port 3128 (proxy) in the NAT table? Thx.
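An added example, not part of the original post or of the Chillispot scripts: the deprecated `-t nat ... -j DROP` rule can be moved to the mangle table, whose PREROUTING chain is traversed before nat PREROUTING, so direct connections to the proxy port are still dropped while the REDIRECT rule stays in nat. The function names are hypothetical, and the sample input is constructed from the two rules quoted on this page.

```shell
#!/bin/sh
# Constructed sample input: the two nat-table rules quoted on this page,
# plus one commented-out rule that must be left untouched.
sample_rules() {
cat <<'EOF'
# $IPTABLES -t nat -A PREROUTING -i tun0 -p tcp --dport 3128 -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
}

# Count active (non-comment) rules that still filter in the nat table,
# i.e. the rules that trigger the iptables deprecation warning.
count_nat_drop() {
    awk '
        /^[ \t]*#/ { next }
        /-t[ \t]+nat[ \t]/ && /-j[ \t]+DROP([ \t]|$)/ { n++ }
        END { print n + 0 }
    '
}

# Rewrite only rules that use "-t nat" together with "-j DROP" so they
# target the mangle table instead. Assumption: the mangle table is
# available on the gateway. mangle PREROUTING sees the packet before the
# nat REDIRECT changes port 80 to 3128, so redirected web traffic is not
# caught by the DROP; only direct SYNs to port 3128 are.
migrate_nat_drop() {
    awk '
        /^[ \t]*#/ { print; next }
        /-t[ \t]+nat[ \t]/ && /-j[ \t]+DROP([ \t]|$)/ {
            sub(/-t[ \t]+nat/, "-t mangle")
        }
        { print }
    '
}

# Stand-alone run: print the migrated rule set.
sample_rules | migrate_nat_drop
```

Run the script through `count_nat_drop` before and after migration to confirm that no filtering rule remains in the nat table.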

What is the best frontend for freeradius-2.0.5? I tried EzRadius, but it does not support FreeRADIUS 2. Thx.


(2 replies, posted in Radius Configuration)

Has anyone tried to install and configure FreeRADIUS 2.0? When I try to log in with the command "radtest user password localhost 1812 secret", it fails with this log:

++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "641572"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> hendra
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 63 to 127.0.0.1 port 44471
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 63 with timestamp +19
Ready to process requests.

When my client uses an Intel Pro Wireless 3945 A/B/G on a laptop (onboard), it cannot connect to chillispot and doesn't get an IP number from chillispot. And when I look at the Intel Pro Wireless Utility on the taskbar (using Windows XP SP2), it says "CTA plugin is not installed or supported".

I tried uninstalling the Intel Pro Wireless Utility and installing only the drivers for it. It still does not work. I tried this too, and it does not work either.

Any idea?

Thank you. It works now, with the iptables rules above.

************* wrote:
9dra wrote:
************* wrote:

you can add this line to your Chillispot Iptables firewall

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

3128 is your squid port

It's still not working. If I set up the browser on the client computer with "Manual Proxy configuration: HTTP Proxy: 192.168.1.1 Port: 80", it still bypasses the chillispot login on the client computer and gets internet. 192.168.1.1 is my server IP number. Sorry for my bad English.

What is your squid port? I will consider it.

Thanks for your response.
This is my squid.conf:

# ============================================== #
# NETWORK OPTIONS
# ============================================== #
http_port 8080 transparent
icp_port 0
# ============================================== #
# OPTIONS WHICH AFFECT THE NEIGHBOUR SELECTION ALGORITHM
# ============================================== #
dead_peer_timeout 30 seconds
mcast_icp_query_timeout 10
log_icp_queries on
connect_timeout 2 minutes
peer_connect_timeout 30 seconds
request_timeout 30 seconds
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# ============================================== #
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ============================================== #
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
# =============================================== #
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# =============================================== #
cache_dir diskd /cache1 12600 29 256 Q1=64 Q2=72
cache_dir diskd /cache2 12600 29 256 Q1=64 Q2=72
cache_dir diskd /cache3 12600 29 256 Q1=64 Q2=72
cache_dir diskd /cache4 12600 29 256 Q1=64 Q2=72
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /dev/null
mime_table /usr/local/etc/squid/mime.conf
# =============================================== #
# HTTPD-ACCELERATOR OPTIONS
# =============================================== #
log_ip_on_direct on
dns_nameservers 202.134.0.155 202.134.1.10 203.130.209.242 202.134.2.5
# =============================================== #
# MISCELLANEOUS
# =============================================== #
logfile_rotate 7
digest_generation on
digest_bits_per_entry 10
digest_rebuild_period 30 minute
digest_rewrite_period 30 minute
digest_swapout_chunk_size 6000 bytes
client_persistent_connections on
server_persistent_connections on
pipeline_prefetch on
store_dir_select_algorithm round-robin
nonhierarchical_direct off
prefer_direct off
# =============================================== #
# ADMINISTRATIVE PARAMETERS
# =============================================== #
cache_mgr nindra.dw@gmail.com
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.omega.net
# ============================================== #
# ACCESS CONTROLS
# ============================================== #
acl all src 0/0
acl omeganet src 172.16.0.0/24
acl localhost src 127.0.0.0/8
# ============================================== #
# ACL Different access
# ============================================== #
acl SSL_ports port 443 563
acl Safe_ports port 21 80 280 448 591 777 443 563 808 70 210 4190-65535
acl CONNECT method CONNECT
acl manager proto cache_object
# ============================================== #
# Access Denied
# ============================================== #
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ============================================== #
# Internet Access
# ============================================== #
http_access allow manager !localhost
http_access allow localhost
http_access allow omeganet
http_access deny all
# =============================================== #

I am using Gentoo Linux, Squid-2.6.19-r1, freeradius-1.1.7 and chillispot-1.1.0. I have used ports 3128 and 8080 for squid.

************* wrote:

you can add this line to your Chillispot Iptables firewall

##Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

##Allow transparent proxy (wiboon 2/2)

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

3128 is your squid port

It's still not working. If I set up the browser on the client computer with "Manual Proxy configuration: HTTP Proxy: 192.168.1.1 Port: 80", it still bypasses the chillispot login on the client computer and gets internet. 192.168.1.1 is my server IP number. Sorry for my bad English.