Hi,
Can someone throw me a bone here? This is really the last step in my process
in getting FreeRadius production ready.
i'd advise getting a basic grasp of LDAP and terminology before using
it as a tool - plenty of free resources out there. you have a group
RADIUS that you want to check
Hi,
I want to know if there is a module that I can add users in the database
before AAA... I can add users with daloRadius but is important that the
user and password in the captive portal be added in the database before
authentication...
yes. you keep on saying this - but you are
Hi,
I believe some work has been done on this topic lately with external
log modules to populate an IF-MAP database, correct?
I am wondering if there is a working
-as-PoC piece of code available somewhere? We are interested in
testing and adding support for IF-MAP in PacketFence (long
Hi,
Hello all, long-time reader, first time poster to this list. I've watched
many posters go down in flames on this list, so I'm going to try to learn
from their mistakes and be as precise as possible; I'm also going to make it
known at the outset that I have read all the documentation
Hi,
Is this the INTERMEDIATE CA that GeoTrust sent along with the server
cert?
the server needs to be configured so that the certificate file entry points
to a file that contains your server cert, any intermediaries and the root all
in one file, in the right order concatenated after each other.
Hi,
GeoTrust and installed, but now I have another certificate problem. I
believe this one is that the client doesn't recognize my ca.pem as being
signed by a trusted authority. Do I need to get another root cert signed
by GeoTrust? If so, how do I go about doing that?
FR v2.1.10
[peap]
Hi,
Doesn't it just use server.cnf to set the password for the key and the CSR?
server.cnf is for openSSL - applications such as FreeRADIUS
and Apache have their own configuration files for private certificate
keys etc - eap.conf in your case
alan
-
List info/subscribe/unsubscribe? See
This isn't a freeradius question, this is a mysql question. There are many many
tools, web front ends and scripts that you can use. One simple one actually
comes with freeradius, others are eg Daloradius or php_mysqladmin
alan
Hi,
Has anyone seen this error? I am not sure what might be missing:
ECC support in OpenSSL - Redhat and their derivatives don't have it.
you will need to not have EAP-PWD present and it will then compile
not sure when/if Redhat will have ECC support... some policy decision.
rm -rf
Hi,
I have the following in my sites-available/default:
just 'reject' on its own.
alan
hi,
i must be tired... i can't see how that is different to your first email! ;-)
alan
Selinux? What does radius.log say when it fails as a standard daemon?
alan
Hi,
DEFAULT Group == FOO, Pool-Name := FOO_pool
Group is probably empty. I can't remember what module, if any, fills
it out.
# The Group and Group-Name attributes are automatically created by
# the Unix module, and do checking against /etc/group automatically.
# This means that
Hi,
I am a new person using freeRadius server. I have a wireless access point
with WPA authentication option. It does not have any support for 802.1x or
configuring Radius server. But i want to implement some central security
using Radius server. Is it possible to configure the FreeRadius
Hi,
How do I ensure the buffered-sql file gets included by the server? Do I need
an additional default Virtual Server configuration to enable the buffered-sql?
you ensure there's a link to it from sites-enabled into sites-available
Where are the SQL queries picked up from if there is no
Hi,
I can see by grepping the logs in the radacct folder that the user sent
the access-request. The results are in both the auth-detail and the
pre-proxy-detail logs. From there I can see in my internal radius servers
that the access was accepted, but I cannot find any reference
Hi,
Check the winbind log files,
Did that already. Nothing interesting there, only lines like
[2012/03/08 14:32:17.115991, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[25675]: request location of privileged pipe
[2012/03/08 14:32:17.117136, 6]
Set session timer to one hour. Or adjust reauth times on the Cisco
alan
Hi,
I'm having trouble getting unlang to match a string inside a larger
string. I have a script that outputs a string of domain groups, like this:
the debug output (radiusd -X) should show you all the values
as things happen - and thus show you the comparison and how
it's failing
alan
Hi,
We are using Freeradius2 with MySQL at the backend.
I understand that the buffered sql takes care of buffering queries. What is
the best way to stop querying MySQL altogether and return a negative
response, after a certain threshold of processing is reached by the server?
buffered_sql
Hi,
the output is quite clear about what is wrong:
Mon Mar 5 12:36:33 2012 : Debug: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
incorrect shared secret
alan
PS there is no such word as 'Authentification'
Hi,
But where is the shared secret? I have written the same secret
everywhere...
on the FreeRADIUS server it's in clients.conf (or, if you have configured
SQL to have NAS tables then in the nas table)
on your AP it's in the configuration section. note that 'clients' as you know
them
Hi,
At my new working place I have inherited a FR 1.1.3 running on CentOS 5.6.
Beyond being outdated and unsupported, this FR setup is causing a lot of
problems so I plan a migration to RHEL5 and FR 2.1.12.
I've been searching but I cannot find a procedure describing which steps to
follow
Hi,
Does anyone else get a problem with Windows 7 clients prompting for the
radius credentials 2 or 3 times before finally accepting them? No errors
are shown on the radius side, and I’ve read that this is a problem with
the operating system, but wondered whether anyone in this
Hi,
On 05/03/12 16:16, Morris, Andi wrote:
Hi all,
Apologies for being slightly off topic.
Does anyone else get a problem with Windows 7 clients prompting for the
radius credentials 2 or 3 times before finally accepting them? No errors
are shown on the radius side, and I’ve read
hi,
right. interesting. I've just been looking into Windows 8 and I found
that if I chose a non-EAP method with TTLS (eg PAP or MSCHAP) then it
didn't work. but if I chose an EAP method with TTLS - eg EAP-MSCHAPv2 then
it worked fine. so more needs to be looked at there.
based on the UI it seems
Hi,
2 things
Mon Mar 5 14:45:54 2012 : Info: [mschap] No NT-Domain was found in the
User-Name.
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: %{mschap:NT-DOMAIN} -
Mon Mar 5 14:45:54 2012 : Info: [mschap] ... expanding second conditional
Mon Mar 5 14:45:54 2012 : Info:
Yep use some unlang to detect peapv1 and direct the request to eap2 module.
(never used eap2 myself...though it's the only way to EAP-FAST nirvana ;) )
alan
Hi,
logins for Cisco won't do decent accounting for login sessions -
for authenticated sessions on edge ports they can send accounting...eg
aaa accounting dot1x default start-stop group RADIUS
did you read what I typed? I don't see a line like this in your provided
config -
Hi,
if(%{User-Name} =~ /^([^@]+)@?([-[:alnum:]._]*)?$/) {
please note i did say that was an example - please don't just use anything
like this in a production system - you will need other checks and validations
too - it's just to give you an idea. the first one would be something
Hi,
When i do radiusd -X, i have this :
rad_recv: Access-Request packet from host 10.215.30.81 port 1645, id=165,
length=88
snip
[suffix] Proxying request from user gdanobrega to realm NULL
[suffix] Preparing to proxy authentication request to realm NULL
snip
Sending Access-Request of
Hi,
Thank you very much! The problem is solved!
I note you are using the DEFAULT realm for sending things upstream.
as a federation operator this concerns me - as it means all kinds of junk gets
sent upstream for the remote proxy to deal with. I would strongly advise that
you
rename that
Hi,
Is there a way to use PEAP or EAP-TTLS without Cleartext-Password since I
don't want to have this field in my openldap since it is clear password.
NTHASH
alan
Hi,
logins for Cisco won't do decent accounting for login sessions -
for authenticated sessions on edge ports they can send accounting...eg
aaa accounting dot1x default start-stop group RADIUS
alan
hi,
you have configured your server to listen for authentications on IP
10.0.8.9
..but then you try sending a request to 127.0.0.1 (localhost)
of course it isn't going to work.
either configure the server to listen on all interfaces (*) as a
default install would, or use 10.0.8.9 as the
Hi,
At http://wiki.freeradius.org/EAP-Clients it states that SecureW2 is
an open-source product but as far as i see (correct me if i am wrong) they
have changed policy and this software is not open source anymore.
depends on which version - the old version is. the new
Hi,
radtest bob hello 10.0.8.9 0 testing123
Now in the terminal windows where we ran radiusd -X we get the following error
Ignoring request to authentication address 10.0.8.9 port 1812 from unknown
client 10.0.8.9 port 56524
is 10.0.8.9 listed in clients.conf ?
you will see no response
Hi,
My RADIUS server hard drive recently crashed and i had to reinstall
everything from scratch. I got everything working but now every time a user
logs in i get 3 sessions registered in the accounting table. I remember this
being a networking issue of some sort but i can not remember or
Hi,
I know that this is not the best place to talk about database problems,
but I think that there is a lot of people here that use Freeradius with
MySQL Cluster that could help me.
used to - moved to postgres. anyway, there *are* other more useful
resources for using MySQL:
Hi,
I'm setting up for my company a new Freeradius server and i have to use it
as a proxy for a CISCO ACS server.
But i'm new at this and don't know how to do this.
What type of auth i have to use for this configuration ?
Are there any HOWTO that can help me in my process ?
Thanks for
Hi,
home_server radiusACS {
ipaddr = 10.215.25.100
port = 1812
type = auth+acct
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_interval = 30
Hi,
ok I tried to configure freeRadius with perl support in the Rlm_perl
doc says:
ignore. don't add anything to the users file - simply call the perl module
where you need it to be called - if using the default name, simply add the word
'perl' to eg your inner-tunnel authentication
Hi,
I have a perl script that obtains username and password from a pg
database. I'm new at freeradius, so I only can do a radtest with a
localhost user. Can I test my perl script with a user from the pg
database? How do I do the radtest?
yes. you can either have the script as a
Hi,
I'm new in Freeradius and I get the same message, although I want to get the
data from a Mysql Data base, can someone help me? I don't even know if
radius makes the query, can I find out if the sql query has been performed?
have you added (uncommented) the calls to sql in the relevant
Hi,
Thanks for your answer. I want to test my perl script with freeradius. In
the command line it works but i want to test with radtest (or something)
at freeradius. Is there any test for it?
if you want to use radtest, then that means you are testing the
FreeRADIUS server - so simply
Iirc, Cisco macsec/trustsec is implemented with EAP-FASTv2 . Their cute way of
tying you into Cisco ACS 5 or ISE
alan
hi,
you don't seem to have SQL enabled in the accounting section...
the WIKI entry should work
http://wiki.freeradius.org/Rlm_sqlcounter
alan
Hi,
Is there a function within FR to schedule certain attributes to be
returned in the Access-Accept reply?
Essentially we return a QoS VSA along with VLAN information on a
successful auth, however between certain times of day there is more
available bandwidth so to be kind to our users
Hi,
port = 1812 (instead of the default 0)
doesn't matter - it'll use 1812 and not 0 - read from /etc/services
client ASG {
ipaddr = 192.168.***.***
secret = my secret
if the secret really does have spaces in it, then you need to ensure it's
enclosed in quotes: "my secret"
In
Hi,
We're piloting RadSec as a federation server uplink. They use Radiator.
When we first attempted to connect we'd get
a Received packet will be too large! carp from main/tls.c. They checked on
their end and say they have no fragment
size option for RadSec TLS connections, only for
Hi,
We're trying to get a GlobalSign issued wildcard CA to work on our radius
server that is authenticating users via PEAP/MSCHAPv2 to Active Directory.
We're good on Android devices and iOS devices. With Windows 7 (SP1) we're
fine as long as we leave validate server certificate
Hi,
However radwtmp has almost 700MB
are you using it - ie any of the features that require it? If not,
then turn off the calls to it in accounting etc -
alan
Hi,
unfortunately, radius went down again.
The log is not very precise:
Feb 20 14:22:44 radius radiusd[12700]: WARNING: Child is hung for request 988
in component module .
Feb 20 14:22:44 radius radiusd[12700]: WARNING: Child is hung for request 990
in component module .
Feb 20
Hi,
[root@skynet /]# radzap -u office 127.0.0.1 pass
radclient: no response from server for ID 122 socket 3
[root@skynet /]#
Please help me
what does FreeRADIUS daemon say when you do this - ie what is output
of 'radiusd -X' when you run your radzap command?
alan
Hi,
your national operators should also be able to provide you with example
proxy.conf
my personal advice is to upgrade - 2.1.10 has several proxy bugs - 2.1.12 doesn't
alan
Hi,
There are two reasons for my approach:
1) The radius server is also serving other requests that DO have a
username password it is only certain logins I need to process
differently - those where the caller ID matches a pattern.
2) On those that do match I do want per session settings
What settings have you applied to the kit? Looks like some MAC-auth or captive
portal method on the SSID you are using. You need to uncover the bits that talk
about 802.1X and/or WPS/wpa2 enterprise
alan
Hi,
I'm running Freeradius2 + OpenLDAP with my wireless network. I need to know
if it's possible to remove an authenticated user from a specific Access
Point via Freeradius. My wireless solution (3Com) doesn't provide me this
feature, and 3Com (HP) says that I need to check my Radius
This can be done for plain auth...one way would be to put a check in the auth
section, if the normal auth has failed then fail through to eg perl and have
some perl script that checks what you want to check and send back the accept
alan
Hi,
This is the case whether my requests come from a remote client, or from
radtest on the local host or a remote host.
I am running Freeradius 2.1.10 on OpenBSD 5.0 against a mysql server
upgrade. 2.1.10 and 2.1.11 had issues with proxied requests - whenever you hit
some bug the approach
Hi,
I am reluctant to upgrade since I prefer OpenBSD packages, but if it
comes right down to it, then I will.
if distro packages are what you like then sure - however you are stuck with
what they can be bothered doing - I would ask kindly why they aren't keeping
track with releases (point out
Hi,
Hi,
I have set in sql.conf multiple sql instances. I will also include
further different dialup.conf for sql query.
How can I configure default file in sites-available as for one softswitch
I do not need these variables to be replied:
stick a
if (%{NAS-IP-Address} != 192.168.0.1){
}
Hi,
if (%{NAS-IP-Address} != xxx.xxx.xxx.xxx){
no, please add quotes around %{NAS-IP-Address} as was already mentioned
alan
Hi,
I have successfully installed and tested freeRADIUS on centOS with MySQL
database. But I wanted to test if the freeRADIUS is accessible from
remote machines as well so I tried to test it using NTRadPing on my
windows PC, but it always say no response from the server. I have added
my PC
Hi,
I've been looking at the free radius wiki, and read all about interpreter
pools. the prerequisites are that perl is compiled with USE_ITHREADS and a
bit lower also with MULTIPLICITY. I have both. what I can't seem to get
working is the thread management as:
what version of FR
Hi,
Your server is configured with md5 as the default EAP type. The client NAKs
that and then goes on to do PEAP. Can your clients do EAP-GTC?
another confusion occurs in inner tunnel due to having 2 auth-type entries.
Perhaps define a new file/users instance for the inner-tunnel with
DEFAULT
Hmmm.
Don't update user-name. Set or update stripped-user-name instead and use that
in the mschap auth
actually I'm sure by default the system understands these user names so as long
as you use %{mschap:user-name} you'll be using the correct value in that
place we do machine auth to
Hi,
I need a few pieces of information. We have two softswitches, both are working with
freeradius perfectly.
There is no problem to use two different clients (softswitches) with one
freeradius server. Problem is that softswitches would need a different
dialup.conf (for sql entry) and different
Hi,
user admin with password toto could connect to NAS1/2/3/4 of Factory2
user admin with password coco could connect to NAS1/2/3 of Factory1
if you want to keep it this simple, simply use hunt-groups. define
each NAS in separate hunt-groups and add a hunt-group check item (eg
to users file or
Hi,
I'm having problems configuring authentication attributes which were sent to
the NAS. I don't know why FreeRADIUS doesn't check attributes that NAS sends
- only checks Called-Station-Id (maybe I should complete the
configuration... I don't know how).
FreeRADIUS will check whatever you
Hi,
Personally we (plan to) use PEAP/MS-CHAP, and check the machine account
against AD using ntlm_auth.
this is what we do for machine authentication (wired/wireless)
alan
Hi,
NAS' attribute. In my case, I have configured in Mikrotik a location name
that in radgroupcheck is WISPr-Location-Name, why were these values not
compared? And another problem that I'm having is that when user logs in it seems
that NAS (Mikrotik in my case) does not receive session time left
Your unlang is wrong. If both checks are true then you will reject...anything
else, ie not a member of that group or from that NAS will continue
alan
hi,
just to revisit this recent thread. Was at a site who were implementing
802.1X authentication and they noted the Blackberry issue - some devices
okay, others not... the FreeRADIUS server was configured to have the WHOLE
CA chain of certs (root, intermediate,server signer and server cert) in
kill -9 doesn't want to play either?
Read the docs/debugging file. Compile FR with debugging/developer stuff and run
it under gdb control and do your killing of firebird again.
It's likely to be the PERL integration as that's what will get done in when
firebird is restarted. Are you perl with
And your system time is too far from that of the AD. Ensure you are sync'd
eg with ntpdate or ntpd
alan
Hi,
Sorry to pick into this with a short question.
Just wondering, do you see performance increase using postgres instead of
mysql?
yes. I am a postgreSQL convert. though, that said - out of the box you get
slightly better and safer performance - but you'll still have to configure
What??
You dont need that kind of hardware for job, sure. Throwing that kind of
horsepower might fix the speed but this is a DBA question.
Look at your mysql configuration and see how it can be adjusted (my.cnf) look
at the engine in use and see if you can use better..(eg innodb instead of
No packets seen coming in on the server when in debug mode? Check your server
for a host based firewall, check with your network guys for eg inter VLAN ACLs,
or other protection on the network
alan
It's do-able. Though I would be worried about failover and resiliency.
alan
I wouldn't normally support them but in fact Microsoft have some very good
documentation for EAP-TLS on the Windows platform. Granted, not very user
friendly for finding it on their MSDN (which my phone spell-checker wants to
change to madness ;) ) or knowledgebase pages...but that's what
hi,
self-signed CA. the authentication is a closed-loop system. the only people
that need to trust your RADIUS server for authentication are your own
users (unlike eg a public web server). you have full control of your
own CA..and know its policies. With an external CA you are a slave to their
Hi,
Is it possible to sort accounting attributes and values in a certain order
under the detail files ?
you really might want to look at using SQL to store accounting
rather than using flat detail files if there is some sort/select
stuff you need to do with the records..
alan
Hi,
I guess we have a winner:
setsebool -P radiusd_disable_trans=1
yes but as already said, RHEL SElinux policy should already be fine for this
alan
Hi,
yes but as already said, RHEL SElinux policy should already be fine for this
It's been a while since I looked, but when I did the RHEL5 SELinux
policy was good for nothing except very, very basic FreeRADIUS usage.
Has that changed now? Using sesearch I don't for example see any
Hi,
Everything works perfect except the conditional checking for
Client-Shortname. I tried using:
if (Client-Shortname =~ /^localhost/) {
thats wrong
It didn't work saying Client-Shortname as unknown attribute.
Again I tried using:
if (%{client: shortname} =~ /^localhost/) {
Hi,
Did you:
1. Disable SELinux for freeradius
2. Disable SELinux entirely
...well, i'd say read up on SELinux and use the tools to make the correct
policy for FreeRADIUS to work on your system WITH SELinux running
alan
Hi,
Il 25/01/2012 13:32, Phil Mayers ha scritto:
To let (most (*)) users login with their e-mail address, I'd need to
translate the realm part to a domain.
Why do you think this is true?
'cause ntlm_auth won't authenticate user.n...@unibo.it or
user.name@PERSONALE . It returns no such
Hi,
Il 25/01/2012 15:58, Alan Buxey ha scritto:
use Stripped-User-Name in the ntlm_auth line and NT-Domain for
domain (enable ntdomain in authorize) - see the example ntlm_auth
provided with server...
Already tried and discarded.
I think the definitive solution is the one
Hi,
- each user performing 7 authentications during EAP negotiation
ummm, why? with correctly configured server and 'protection' of the
authentication
type, you should only hit your authentication server just once inside the
EAP tunnel when the identity is set/known.
alan
Hi,
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
build with OpenSSL support - install the DEVELOPMENT libraries/headers
(eg ssl-dev, openssl-devel
Hi,
I have configured a freeradius + mysql server and i would like to use
the PEAP authentication. I have tried the EAP-TTLS and it worked fine, but
when i have tested the PEAP authentication all my requests were rejected
how are you testing this? what client are you using? your
Hi,
when i changed the authentication to use peap, i got the problem. I
launched the server in debug mode ( freeradius -X ) and all that i can see
is that all my requests are rejected.
i'm sorry, I've lost my ability to read minds. It would actually
be quite handy if you, for
Hi,
I installed all the these libraries. Again build the code. and install but
its coming same. i am putting all debugging message over here.
output of the ./configure stage? once again, no OpenSSL support - so you built
without the OpenSSL headers/includes for the server and/or you didn't
Hi,
When I try to add a “Unisphere-Ingress-Policy-Name = 512k” for example in
the users file I get “invalid integer” error.
512k isn't a valid integer - 'k' means nothing - change that to the real value
in bytes
- whether that's just 512 or 524288 would be down to the kit.
regarding the
Hi,
“Error: Discarding duplicate request from client [IP REDACTED]:49603 - ID:
204 due to unfinished request 298385”
Far more often than I believe I should. What does it mean for a request
to be unfinished, and how does freeRadius determine that a request is a
duplicate?
Hi,
Version is freeradius-git downloaded about 4 days before 2.1.12 was released.
I'd say go to 2.1.12 - why run a version from GIT that is older than the
released version (there were quite a few fixes in the last couple of days
before 2.1.12 was released)
alan
Hi,
Hello all,
I just wanted to ask how could I make FR to use either users file or sql
to send attributes based on the NAS ip address.
I suspect that I would need to use unlang for that. Something like:
if(NAS-IP-Address == NAS A IP) {
use sql
}
else
Hi,
If you're using a private CA for signing the radius server certs, which
is generally cited as best practice because it provides belt and braces;
in the event a client does not learn subsequently re-check the cert
CN, a public CA would allow an attacker to impersonate your SSID. A
Hi,
freeradius -X
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14
2010 at 20:41:03
a couple of things... upgrade - 2.1.10 *will* die at some point when proxying
to a remote server
that doesn't respond
[f_ticks] expand: %{reply:Packet-Type} - Access-Accept