Re: Using LDAP with EAP-TLS

2011-05-17 Thread Alan DeKok
Alexandros Gougousoudis wrote:
 Phil, I also understand a lot of things and I can read, but the
 documentation of FR is not ideal. I've googled around, looked at examples
 and had more questions than before. Where are all these features
 documented, like the if-then things in the conf, all the keywords like
 ok=return and so on,

  All documented.  See "man unlang".

 what's the difference between Autz-Type and Auth-Type?

  See doc/Autz-Type

 The only place to get help is here on the list; on the net
 you find a lot of info on FR 1.1 and 2 (one is deployingradius and one the
 FR site), sites containing a little bit of information, not much more than
 the conf files coming with the FR archive.

  The detailed guides on my web site are a *lot* more than the config
files that come with the server.

 I'm not complaining, because
 it's an open source project, but you should note that it's sometimes not
 the lack of understanding but the lack of well documented features. And
 if I can't find the info I need in the docs, I start to try things out.

  The main issue with the current documentation is organization.  The
organization is currently pretty bad.  But nearly everything is
documented somewhere.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-17 Thread Alan DeKok
Gary Gatten wrote:
 Good point about configuring multiple things at once - but that is a recipe 
 - right? Several ingredients that make a tasty cake?

  Yes.  It should be done as a recipe with multiple steps.  See
http://deployingradius.com for examples.

 I think it would be a pretty common deployment scenario: lots of people have 
 Cisco and AD, and want to auth their Cisco admins / VTY access against AD.  
 We used this exact scenario as a basic starting point with FR (and I've 
 noticed others on here do the same) before moving on to more complicated 
 setups.

  Sure.

  But the layout should be:

(1) configuring Active Directory
(2) group checking via AD
(3) configuring FR to do VTY access
*independent* of anything else!
(4) Using steps 1-3 to create a combined configuration

  I've seen too many guides which put all of 1-4 into one guide.  The
result is that anyone doing something a *little* bit different is lost.

  For your suggested doc, it should be easy.  (1) and (2) exist already.
 Just refer to them.  Then, create a simple doc for (3), using the
users file as an example, with local password and no group checking.
Then, write (4) showing how you've changed the users file entry from
(3) to use the features of (1) and (2).

  Each step should be no more than a page or so of text, with
configuration file examples, instructions on what to type, and
explanations as to what it all means.

  Again, the deployingradius.com docs should be used as an example of
layout and style.  In the last 6 years, the only complaints about those
docs have been (1) typos, and (2) people who didn't follow the steps
correctly.

  Alan DeKok.


Re: AD Authentication + radius + foundryAP

2011-05-17 Thread Alan Buxey
hi,

a quick look at your output shows that your server is configured
to have a default type of EAP that doesn't match what your client
is trying to use. there is then a reattempt after the NAK - and your client
is using LEAP. it fails at the LEAP stage in the EAP module - check
your eap.conf  or, if you aren't supposed to be using LEAP then
check your client! ;-)

alan


HUAWEI MA5200G and Vendor Specific Attributes

2011-05-17 Thread Ali Majdzadeh
Hello All
I'm using freeradius 1.1.8 with a C external program for auth/acct. I'm
sending attributes to the RAS by printf. The RAS type is HUAWEI MA5200G and I send
attributes as follows:

printf("Session-Timeout=%d", session_time);
printf(",\nInput-Peak-Rate=%d", (int)rx_burst);
printf(",\nInput-Average-Rate=%d", (int)rx_rate);
printf(",\nOutput-Peak-Rate=%d", (int)tx_burst);
printf(",\nOutput-Average-Rate=%d", (int)tx_burst);

The last 4 lines are HUAWEI vendor specific attributes. The MA5200G RAS debug
does not show any attributes inside the auth request. If I remove the HUAWEI
vendor specific attributes (the last 4 lines), the RAS shows the standard
attributes correctly. What is the problem? HUAWEI says it supports only
radius 1.1, so does freeradius support 1.1 when sending attributes by printf
via an external program or not?

Re: HUAWEI MA5200G and Vendor Specific Attributes

2011-05-17 Thread Alan DeKok
Ali Majdzadeh wrote:
 I’m using freeradius 1.1.8 

  Upgrade.

 with a C external program for auth/acct. I’m
 sending attributes to RAS by printf . RAS type is HUAWEI MA5200G And I
 send attributes as follows:
...
 printf(",\nInput-Peak-Rate=%d", (int)rx_burst);

  Read dictionary.huawei.  These are not the correct attribute names.

 the last 4 lines are HUAWEI vendor specific attributes. MA5200G RAS
 Debug 

  Run the server in debugging mode as suggested in the FAQ, README,
INSTALL, man page, web pages, and daily on this list.

  Really.  Reading the RAS debug log is a waste of your time.  Reading
the *existing* FreeRADIUS documentation isn't.

 What is the problem?

  You're not following the existing documentation.

 HUAWEI says it supports only radius 1.1,

  They have no idea what they're talking about.  Ignore them.

 So does freeradius support 1.1 when sending
 attributes by printf via external program or not?

  The question makes no sense, and no answer is possible.

  Alan DeKok.


unlang Question about evaluating unavailable attributes to FALSE

2011-05-17 Thread Stefan A.
Hi,

if I'm using an expression like

if (control:VSA1=~/something/ || control:VSA2 =~/something_else/)
{...}

I do get the message "Attribute control:VSA1 was not found" in case
the VSA is not in the control context.
As the condition is '||', I would expect that FR tries the next option, but
it does not. It sets the whole expression to FALSE.

If I exchange the Options, it works for me, because VSA2 is always
available.

if (control:VSA2=~/something/ || control:VSA1 =~/something_else/)
{...}

If I preset VSA1, it works too, but will add slightly more load.


Is there a solution for the missing attribute to be ignored in '||'
conditions, i.e. setting it discretely to FALSE, so that FR is able to evaluate
the rest of the || expression? Would this be advisable?


Thank you.
Stefan


Re: unlang Question about evaluating unavailable attributes to FALSE

2011-05-17 Thread Alan DeKok
Stefan A. wrote:
 if I'm using an expression like
 
 if (control:VSA1=~/something/ || control:VSA2 =~/something_else/)
 {...}
 
 I do get the message "Attribute control:VSA1 was not found" in case
 the VSA is not in the control context.
 As the condition is '||', I would expect that FR tries the next option, but
 it does not. It sets the whole expression to FALSE.

  I think that's fixed in the v2.1.x branch in git.  The fix will be in
2.1.11.

  Alan DeKok.


Re: attrs.pre-proxy in V2

2011-05-17 Thread Steve Brown
On 16/05/11 20:19, Alan DeKok wrote:
   You can set the fourth octet to zero.  *Nothing* else is possible.


Gotcha, that makes sense. Actually, setting the fourth octet to zero would do
just fine for what the home server wants it mangled for. What would be the
syntax in V2 to do that?

Steve


Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-17 Thread Phil Mayers

On 16/05/11 20:26, Alan DeKok wrote:


   My $0.02 is that we should use github.  They now support git-backed
Wikis, which use markdown.  It's close enough, and has a lot of benefits.


I quite like Markdown.

We have some internal introduction to radius and introduction to 
FreeRADIUS documents. If there is consensus on documentation structure, 
I can try to start putting some stuff together.


If someone wants to start off with the basic doc structures, I'll make 
some time to write some docs. Recipes I like the idea of, but it 
strikes me that a bit of work with the existing 
module/unlang/configurable-failover docs would go a long way to 
explaining how FreeRADIUS processes a request, and how to accomplish 
what you want (i.e. put the right modules in the right order!)



using freeRadius to authentic a user to access different sources with different configuration

2011-05-17 Thread Abbas Yazdanpanah
Dear all,


There is a NAS and I want to authenticate users. I have two resources,
the first one is the Internet and the second is an intranet. I've two
access policies regarding each source. For example, a policy is that
users have different bandwidth for accessing each source. I've a
proprietary radius server and have used its scripting abilities to set
the second resource policy. It must be said that the second resource
policy is identical for all users. It has been decided to migrate our
system to freeRadius (due to the expenses) and also there is a change
in policies so the second resource policy is not identical for all
users any more. Due to my lack of deep experience in freeRadius, I was
wondering if there is any suggestion that would help me about this
scenario.

Regards,
Abbas.


Re: using freeRadius to authentic a user to access different sources with different configuration

2011-05-17 Thread Fajar A. Nugraha
On Tue, May 17, 2011 at 6:41 PM, Abbas Yazdanpanah
yazdanpanah.a+freerad...@gmail.com wrote:
 Dear all,


 There is a NAS and I want to authenticate users. I have two resources,
 the first one is the Internet and the second is an intranet. I've two
 access policies regarding each source. For example, a policy is that
 users have different bandwidth for accessing each source. I've a
 proprietary radius server and have used its scripting abilities to set
 the second resource policy. It must be said that the second resource
 policy is identical for all users. It has been decided to migrate our
 system to freeRadius (due to the expenses) and also there is a change
 in policies so the second resource policy is not identical for all
 users any more. Due to my lack of deep experience in freeRadius, I was
 wondering if there is any suggestion that would help me about this
 scenario.

Read the documentation?

Seriously. Whoever decided to migrate our system to freeRadius
should've done their homework first, and at least know the general
idea about:
- whether freeradius is suitable for a particular purpose, and
- how you're going to do it

Depending on your needs, something as simple as the users file might be
suitable (run "man 5 users" once you have freeradius installed). You
might be able to create policies based on something like the
NAS-IP-Address attribute.

For more complex configuration, sql or unlang might come in handy. The
default configuration file is pretty well commented, start from there.
Then continue to the included doc/ directory (or read latest version
online from https://github.com/alandekok/freeradius-server/tree/v2.1.x/doc)

-- 
Fajar


Re: attrs.pre-proxy in V2

2011-05-17 Thread Alan DeKok
Steve Brown wrote:
 Gotcha, that makes sense. Actually, setting the fourth octet to zero would do
 just fine for what the home server wants it mangled for. What would be the
 syntax in V2 to do that?

  <sigh>  My first response described how to do that.

  Or, you can read the documentation.  See "man unlang".

  Alan DeKok.


Re: using freeRadius to authentic a user to access different sources with different configuration

2011-05-17 Thread Abbas Yazdanpanah
Dear Fajar

I've read all the documents (it took about 2 months for me to read and
learn them) and I also implemented freeRadius 2.1 and daloradius using
mysql configuration for an ISP (the mentioned system). I'm just an IT
guy so my boss, who doesn't have a good technical standpoint, decided to
migrate and I'm in the research phase of migration. That's it.

The easiest solution to this scenario is using three separate
freeRadius servers where the first one is a proxy which duplicates the
authentication request to the other servers and the other servers are
responsible for AAA on each resource (in this situation the Internet
and my provided intranet which has some value-added services like
Video On Demand, Game server, etc). The users must be authenticated
using mySQL or postgres. The ISP I'm working for is providing ADSL
services so the chap, ms-chap and ... authentication methods are
desirable.  But you must know that in every region (we provide service
in most of the cities in our State) it is just one NAS per each
resource.

But it seems there might be another way which could be more efficient
and interesting. So here I'm asking you about this scenario. And
I've searched the mailing list regarding this situation and there
is nothing similar to my scenario (but I've learned much from them). I
would appreciate it if someone could help me about this.

Regards,
Abbas.



Re: using freeRadius to authentic a user to access different sources with different configuration

2011-05-17 Thread Alan DeKok
Abbas Yazdanpanah wrote:
 I've read all the documents (it took about 2 months for me to read and
 learn them) and I also implemented freeRadius 2.1 and daloradius using
 mysql configuration for an ISP (the mentioned system). I'm just an IT
 guy so my boss, who doesn't have a good technical standpoint, decided to
 migrate and I'm in the research phase of migration. That's it.

  The issue is that your post was content-free.  "Hi, I'm trying to do
something.  Can you help me?"

  What do *you* expect us to be able to do with that question?

  Decide what you want to do.  Use specific words, not vague ones like
"resources".  Use words relevant to RADIUS.

  Alan DeKok.


Re: using freeRadius to authentic a user to access different sources with different configuration

2011-05-17 Thread Fajar A. Nugraha
On Tue, May 17, 2011 at 7:41 PM, Abbas Yazdanpanah
yazdanpanah.a+freerad...@gmail.com wrote:
 Dear Fajar

 I've read all the documents (it took about 2 months for me to read and
 learn them)

It shouldn't take THAT long :P
If you have a problem, you can check whether it's a known problem in the FAQ.
If it's not, follow instructions on
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

 The easiest solution to this scenario is using three separate
 freeRadius servers where the first one is a proxy which duplicates the
 authentication request to the other servers and the other servers are
 responsible for AAA on each resource

Step back up a bit.

If you said "the first one is a proxy which duplicates the authentication
request to the other servers", then there should be something that you
can use to determine which request goes to which server, right? What is
that? Is it NAS-IP-Address? Is it some other attribute? Whatever it
is, you need to know EXACTLY what the criteria are, and what the
desired response should be. Like Alan said, use words relevant to
radius (like the attribute NAS-IP-Address, or Realm, or whatever
your criteria are) instead of saying "I have two resources, the first
one is the Internet and the second is an intranet".

Next, you might want to look at unlang
(http://freeradius.org/radiusd/man/unlang.html). Basically if you
already know the criteria, you can use simple if-else block to return
correct response.

Last, if you already know how to implement a proxy and two separate
freeradius servers to solve your problem, you can just use virtual
servers. Start by reading proxy.conf (to understand how to pass a
request to a virtual server) as well as sites-available/inner-tunnel
and sites-available/virtual.example.com (to see examples of virtual
server configurations).

-- 
Fajar


Re: Correct RegEX format for virtual server in proxy.conf

2011-05-17 Thread Alan DeKok
Sallee, Stephen (Jake) wrote:
 I am trying to follow the excellent instructions in the proxy.conf file
 for setting up a virtual server using realms, however I keep getting an
 error when I try to start radiusd -X telling me that the regex is
 invalid… here is my realm declaration, what am I doing wrong?
...
 realm ~*\.cru$ {
 
 /etc/raddb/proxy.conf[676]: Invalid regex in realm ~*\.cru$

  You're missing an initial ".", the "*" operator matches *something*.

realm ~.*\\.cru$ {

  i.e. "~   .   *"

  not  "~  *"

  Again, the example in proxy.conf is correct. :)

  Alan DeKok.

RE: Correct RegEX format for virtual server in proxy.conf

2011-05-17 Thread Sallee, Stephen (Jake)
Alan, you are correct, the example in the proxy.conf file is correct, in the 
latest version.  Regrettably in the version I have installed there is a typo in 
the proxy.conf file and the all-so-important "." is omitted.  This is what I 
get for not staying current, thanks for the sharp eye!  

PS: Anybody know how to get current FR RPMs for CentOS?

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221



No Access-Accept packet just access-request

2011-05-17 Thread John Corps
Hello,

I have encountered a very strange issue with my setup. I have MAC
address filtering set up and working perfectly on one server; this server
also does other things so I want to migrate it to a new server. All
servers are on the same machine running in a VM environment.
Server1 does the filtering perfectly: I can see in packet captures that
the wireless client authenticates, the AP sends the Access-Request and,
if freeradius finds the user, it sends back the Access-Accept; I see
this both in the freeradius debug and in my packet captures. On
server2, which has the exact same freeradius config etc., the user
authenticates with the wifi AP, I can see the Access-Request in the
packet capture, and on server2 running tcpdump I see the capture showing
it has sent the Access-Accept packet, but on the laptop I have
mirrored as the port for the AP, I never see the Access-Accept
packet. This is quite confusing I think, but either way, the 2 servers
are on the same machine, both configs for freeradius are set up the
exact same, packet captures on both servers show the exact same thing, but
server2 does not show as sending the Access-Accept to the AP on the
port that is mirrored from the AP but server1 does. I hope someone can
make sense of this and maybe share some insight on to what this could
be. There are no rules for the servers on any switches or APs;
changing server1's IP yields the same accept packet etc... I am
stumped and don't know what to do here...

Thanks.


RE: AD Authentication + radius + foundryAP

2011-05-17 Thread Mark Pipkin
  Post the debugging output into the form at:

  http://networkradius.com/freeradius.html

  And read the highlighted lines.  It should be obvious what's going
on.

Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = /etc/freeradius/attrs.access_reject

was highlighted in red. To you it might be obvious what this means.  To
me, I don't really understand it, except that later on in the debug I
get:

Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ATL\pipkin_m

I don't know much about FreeRadius.  I have never had to work with a
radius server of any type before.  I do apologize, but while this stuff
might be obvious to someone that created it or works in radius servers
every day of the week, I am not that person.  So to me, the only obvious
thing is that I get rejected at leap, while another radius server that
is running FreeRadius 1.x on Gentoo is working just fine with mschapv2.

  Also read my Active Directory guide at:

http://deployingradius.com/documents/configuration/active_directory.html

  It contains detailed documentation and explanations for how to get
this to work.

I did follow this how-to the first time around and it got me to this
point.  That is in my first statement in asking for help.  



Re: AD Authentication + radius + foundryAP

2011-05-17 Thread Alan DeKok
Mark Pipkin wrote:
 was highlighted in red. To you it might be obvious what this means.  To
 me, I don't really understand it, except that later on in the debug I
 get:

  You're supposed to read the output.  Only looking at *part* of it
means you can only solve *part* of the problem.

  Here's the key pieces of your original post:

...
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/leap
[eap] processing type leap
rlm_eap_leap: No Cleartext-Password or NT-Password configured for this user
...

  What does that look like to you?

  Are the debug messages helpful?

  Do they accurately describe the problem, and give you hints for the
solution?

 I don't know much about FreeRadius.  I have never had to work with a
 radius server of any type before.  I do apologize, but while this stuff
 might be obvious to someone that created it or works in radius servers
 every day of the week, I am not that person.  So to me, the only obvious
 thing is that I get rejected at leap, while another radius server that
 is running FreeRadius 1.x on Gentoo is working just fine with mschapv2.

  The PC is choosing LEAP, not FreeRADIUS.

  Configure the PC to use LEAP, as was suggested in *another* response
to your post.

  Alan DeKok.


ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Jim Whitescarver
I am hoping someone can help me.  We compiled 2.1.x from source and
finally got it to accept our python Auth-Type as the default in the
users file.

DEFAULT Auth-Type := python

But, after successfully calling our python module the user is rejected

ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user

Below is the complete log.

Any ideas of what we may be doing wrong?

Thanks,

Jim

Tue May 17 14:15:37 2011 : Debug: Listening on proxy address * port 1814
Tue May 17 14:15:37 2011 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 135.207.164.41 port 49346,
id=131, length=55
User-Name = owk
User-Password = test123
NAS-IP-Address = 135.207.164.41
NAS-Port = 1812
Tue May 17 14:15:50 2011 : Info: # Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
Tue May 17 14:15:50 2011 : Info: +- entering group authorize {...}
Tue May 17 14:15:50 2011 : Info: ++[preprocess] returns ok
*** authorize ***

Tue May 17 14:15:50 2011 : Info: *** radlog call in authorize ***


(('User-Name', 'owk'), ('User-Password', 'test123'),
('NAS-IP-Address', '135.207.164.41'), ('NAS-Port', '1812'))
User-Name: owk
User-Password: test123
NAS-IP-Address: 135.207.164.41
NAS-Port: 1812
Authenticate User: owk
Tue May 17 14:16:16 2011 : Info: ++[python] returns ok
Tue May 17 14:16:16 2011 : Info: ERROR: No authenticate method
(Auth-Type) found for the request: Rejecting the user
Tue May 17 14:16:16 2011 : Info: Failed to authenticate the user.
Tue May 17 14:16:16 2011 : Info: Using Post-Auth-Type Reject
Tue May 17 14:16:16 2011 : Info: # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Tue May 17 14:16:16 2011 : Info: +- entering group REJECT {...}
Tue May 17 14:16:16 2011 : Info: [attr_filter.access_reject]
expand: %{User-Name} -> owk
Tue May 17 14:16:16 2011 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Tue May 17 14:16:16 2011 : Info: ++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 131 to 135.207.164.41 port 49346
Tue May 17 14:16:16 2011 : Info: Finished request 0.
Tue May 17 14:16:16 2011 : Debug: Going to the next request
Tue May 17 14:16:16 2011 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 135.207.164.41 port 49346,
id=131, length=55
Tue May 17 14:16:16 2011 : Info: Sending duplicate reply to client
five-10 port 49346 - ID: 131
Sending Access-Reject of id 131 to 135.207.164.41 port 49346
Tue May 17 14:16:16 2011 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 135.207.164.41 port 49346,
id=131, length=55
Tue May 17 14:16:16 2011 : Info: Sending duplicate reply to client
five-10 port 49346 - ID: 131
Sending Access-Reject of id 131 to 135.207.164.41 port 49346
Tue May 17 14:16:16 2011 : Debug: Waking up in 4.9 seconds.
Tue May 17 14:16:21 2011 : Info: Cleaning up request 0 ID 131 with timestamp +13
Tue May 17 14:16:21 2011 : Info: Ready to process requests.


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Alan DeKok
Jim Whitescarver wrote:
 But, after successfully calling our python module the user is rejected
 
 ERROR: No authenticate method (Auth-Type) found for the request:
 Rejecting the user

   Don't edit the default configuration and break it.

 Below is the complete log.
 
 Any ideas of what we may be doing wrong?

  (1) Run the server in debugging mode.  -Xx gives *too* much information

  (2) If you want to use the users file, *DON'T* delete "files" from
the authorize section.

  All of the work you put into simplifying the configuration files was
wasted.  If you don't understand how the server works, change as little
as possible.

  Read man radiusd, and see the DEBUGGING section.  It gives
*EXPLICIT* instructions for how to change the configuration of the
server.  Follow them.

  This is documented.  Following the documentation helps.

  Alan DeKok.


RE: AD Authentication + radius + foundryAP

2011-05-17 Thread Mark Pipkin

  What does that look like to you?

Looks like it is trying to use PAP to authenticate with. Though PAP is
local only, at least from what I can tell, and there is no local
user/pass for this account.  Then it looks like it rolls to a EAP/leap
authentication method.  At this point it fails.

  Are the debug messages helpful?

If I truly understood more, then I'm sure that they would be.  They are
not as helpful for me; I have a lack of understanding at this point in
time.

  Do they accurately describe the problem, and give you hints for the
solution?

I just see the problem as not working.  I don't understand why it didn't
even attempt mschapv2 when eap default was set to peap and peap default
was set to mschapv2.

 I don't know much about FreeRadius.  I have never had to work with a
 radius server of any type before.  I do apologize, but while this stuff
 might be obvious to someone that created it or works in radius servers
 every day of the week, I am not that person.  So to me, the only obvious
 thing is that I get rejected at leap, while another radius server that
 is running FreeRadius 1.x on Gentoo is working just fine with mschapv2.

  The PC is choosing LEAP, not FreeRADIUS.

I'm using Win7.  Are you telling me that the PC is the one that is
picking the security for the radius and not the Foundry Wireless AP
controller?  

  Configure the PC to use LEAP, as was suggested in *another* response
to your post.

I read that post.  I thought the he was referring to the Foundry AP
controller.  You just told me that it was the fault of the PC though.


Mark Pipkin



Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Jim Whitescarver
On Tue, May 17, 2011 at 3:08 PM, Alan DeKok al...@deployingradius.com wrote:
 Jim Whitescarver wrote:
 But, after successfully calling our python module the user is rejected

 ERROR: No authenticate method (Auth-Type) found for the request:
 Rejecting the user

   Don't edit the default configuration and break it.

The only thing we want is python authentication.  I just commented out
everything else.  I will start again and try to minimize edits.  I am
rather clueless about the nature of the minimum edits should have.

It seems that every configuration file needs python in every section
for it to be recognized.

 Any ideas of what we may be doing wrong?

  (1) Run the server in debugging mode.  -Xx gives *too* much information

  (2) If you want to use the users file, *DON'T* delete files from
 the authorize section.

I don't think we want to use the users file.  We only want to call
the python module for any request.

  All of the work you put into simplifying the configuration files was
 wasted.  If you don't understand how the server works, change as little
 as possible.

We will try again.

It's not clear why we would leave other stuff in if we are not using
anything but the python module.

Thanks for the tips.

Jim.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AD Authentication + radius + foundryAP

2011-05-17 Thread Alan DeKok
Mark Pipkin wrote:
  What does that look like to you?
   
 Looks like it is trying to use PAP to authenticate with.

  i.e. you haven't *read* the warning message.  You just saw pap and
WARNING, and stopped there.

  To be excruciatingly simple: RADIUS servers authenticate users by
KNOWING what the correct password is.  If the server doesn't have a
KNOWN GOOD password, it can't authenticate the user.

  The message says that there is no *KNOWN GOOD* password, and therefore
it likely will not be able to authenticate anyone.

 Though PAP is
 local only, at least from what I can tell, and there is no local
 user/pass for this account.  Then it looks like it rolls to a EAP/leap
 authentication method.  At this point it fails.

  No.  The LEAP message has the same meaning as the PAP message.  And
you're again ignoring the *content* of the message.

  Why?

  Are the debug messages helpful?
 
 If I truly understood more, then I'm sure that they would be.  That are
 not as helpful for me; I have a lack of understanding at this point in
 time.

  Read them.  It helps.  Really.

  Do they accurately describe the problem, and give you hints for the
 solution?
 
 I just see the problem as not working.  I don't understand why it didn't
 even attempt mschapv2 when eap default was set to peap and peap default
 was set to mschapv2.

  My messages explained why.

  The PC is choosing LEAP, not FreeRADIUS.
 
 I'm using Win7.  Are you telling me that the PC is the one that is
 picking the security for the radius and not the Foundry Wireless AP
 controller?  

  Did my message contain the phrase Foundry Wireless AP?

  Or did my message contain the acronym PC?

  Configure the PC to use LEAP, as was suggested in *another* response
 to your post.
 
 I read that post.  I thought he was referring to the Foundry AP
 controller.  You just told me that it was the fault of the PC though.

  Exactly.  If you READ my messages, you get answers to questions.  Like
the question you asked above about when you say PC, do you really mean PC?

  Honestly, I fail to understand why there is *any* confusion here.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ldap and xlat

2011-05-17 Thread Frank Dornheim
Dear FreeRADIUS users,

I am trying to migrate my radius setup to LDAP.
I mainly use the information from Frank Ranner
(http://lists.cistron.nl/pipermail/freeradius-users/2007-September/msg00205.html).

Today I have a problem understanding the xlat statement in the hints file:

DEFAULT
   Hint = `%{ldap:ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`

Can anybody explain that, step by step? (yes, I read the rlm_ldap documentation
file and tried the mailing list search)

Especially the second ldap?!

Is there a way to get the result? I cannot find any information in the
debug log (radiusd -X).

Thanks

Con
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap and xlat

2011-05-17 Thread James J J Hooper

On 17/05/2011 22:28, Frank Dornheim wrote:

Dear FreeRADIUS users,

I am trying to migrate my radius setup to LDAP.
I mainly use the information from Frank Ranner
(http://lists.cistron.nl/pipermail/freeradius-users/2007-September/msg00205.html).

Today I have a problem understanding the xlat statement in the hints file:

DEFAULT
Hint = `%{ldap:ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`

Can anybody explain that, step by step? (yes, I read the rlm_ldap documentation
file and tried the mailing list search)


Hint =  : Set Hint to the value of the right hand side of the =

%{...}  : Variable to be expanded

ldap:   : process the next bit with the LDAP module.

%{NAS-IP-Address} : The value of the NAS-IP-Address attribute in the 
request.   ...e.g. 192.0.2.99


ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=192.0.2.99 
:  LDAP URL as per http://www.ietf.org/rfc/rfc2255.txt


-James

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
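To make James's step-by-step breakdown concrete, here is an added Python example (not part of the thread, and not rlm_ldap's own code) that walks the same expansion: first the inner `%{NAS-IP-Address}` is replaced from the request, then the outer `%{ldap:...}` hands the remaining text to the "ldap" module (the first `ldap:` names the module, the second `ldap://` is the URL scheme), which is parsed as an RFC 2255 LDAP URL (`ldap://host/dn?attributes?scope?filter?extensions`) and evaluated. The request attributes and the tiny in-memory directory are constructed for the example; the filter evaluator only understands a single equality match, which is all this hint uses.

```python
import re
from urllib.parse import unquote

# Constructed RADIUS request (not a real packet): the NAS that sent it.
REQUEST = {"NAS-IP-Address": "192.0.2.99", "User-Name": "alice"}

# Constructed toy directory: children of ou=hosts,dc=whatever, one per NAS.
DIRECTORY = {
    "ou=hosts,dc=whatever": [
        {"dn": "cn=ap1,ou=hosts,dc=whatever",
         "ipHostNumber": ["192.0.2.99"], "radiusHuntgroupName": ["wifi-staff"]},
        {"dn": "cn=ap2,ou=hosts,dc=whatever",
         "ipHostNumber": ["192.0.2.100"], "radiusHuntgroupName": ["wifi-guest"]},
    ]
}

HINT = ("%{ldap:ldap:///ou=hosts,dc=whatever"
        "?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}")

# Step 1: plain attribute references such as %{NAS-IP-Address}.
# The character class excludes ':' so the module call is left alone here.
ATTR_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")

def expand_attrs(text, request):
    """Replace %{Attr-Name} with the request attribute (empty if absent)."""
    return ATTR_RE.sub(lambda m: request.get(m.group(1), ""), text)

def parse_ldap_url(url):
    """Split an RFC 2255 URL: ldap://hostport/dn?attrs?scope?filter?exts.
    Defaults follow the RFC: scope 'base', filter '(objectClass=*)'."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    hostport, _, path = url[len("ldap://"):].partition("/")
    parts = path.split("?")
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts[:5])
    return {
        "host": hostport or None,          # empty host = server's default
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": filt or "(objectClass=*)",
        "extensions": exts,
    }

def match_filter(entry, filt):
    """Evaluate a single equality match, with or without parentheses."""
    f = filt.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, _, value = f.partition("=")
    return value in entry.get(attr, [])

def ldap_search(parsed):
    """Search the toy directory honouring the URL's scope and filter."""
    base = parsed["dn"]
    everything = [e for ents in DIRECTORY.values() for e in ents]
    if parsed["scope"] == "one":       # immediate children of base
        candidates = DIRECTORY.get(base, [])
    elif parsed["scope"] == "base":    # the base entry itself
        candidates = [e for e in everything if e["dn"] == base]
    else:                              # "sub": whole subtree under base
        candidates = [e for e in everything if e["dn"].endswith(base)]
    return [e for e in candidates if match_filter(e, parsed["filter"])]

def ldap_xlat(url):
    """Step 2: the 'ldap' module call returns the first value of the first
    requested attribute of the first matching entry, or '' on no match."""
    parsed = parse_ldap_url(url)
    hits = ldap_search(parsed)
    if not hits or not parsed["attrs"]:
        return ""
    return hits[0].get(parsed["attrs"][0], [""])[0]

MODULE_RE = re.compile(r"%\{ldap:([^{}]*)\}")

def expand(text, request):
    """Full expansion: inner attributes first, then the %{ldap:...} call."""
    return MODULE_RE.sub(lambda m: ldap_xlat(m.group(1)),
                         expand_attrs(text, request))

if __name__ == "__main__":
    print("after step 1:", expand_attrs(HINT, REQUEST))
    print("Hint =", expand(HINT, REQUEST))
```

A NAS whose address is not in the directory yields an empty Hint, which is the case to check for when such a lookup feeds later policy; in a real deployment the equivalent of `ldap_search` is a network query, so the debug output (`radiusd -X`) around the module call is where the actual LDAP result shows up.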


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-17 Thread Alan DeKok
Jim Whitescarver wrote:
 The only thing we want is python authentication.  I just commented out
 everything else.  I will start again and try to minimize edits.  I am
 rather clueless about the nature the minimum edits should have.

  Add what you need.  The default configuration *works*.

 It seems that every configuration file needs python in every section
 for it to be recognized.

  No.  You need to list python everywhere you want it to be *used*.

 I don't think we want to use the users file.  We only want to call
 the python module for any request.

  That's just rude.

  The first message you posted showed a users file entry, and wondered
why it didn't work.  Now you say you don't want to use it.

  Figure out what you want to do.  The majority of the issues you're
having are due to inconsistency.

 It's not clear why we would leave other stuff in if we are not using
 anything but the python module.

  Because you don't understand what it does.  If you don't understand
it, deleting it is wrong.

  Hey, I don't understand what this widget is on my car engine.  I'll
just rip it off.  Hmm, my car no longer works.  I know... I'll blame the
mechanic!

  You wouldn't do that to a car mechanic.  Don't do it here.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html