Cross realms
Hi everybody, I'm a student doing an internship at the Politecnico di Torino. We're developing a Wi-Fi platform which makes use of freeradius for the authentication. I need some information about how the multiple domains authentication is done by freeradius. Thank you all. P.S: for the moderator: sorry, but yesterday I used the wrong email address...
RE: FreeRADIUS with Cisco hardware for VoIP
Jerome, please check the radius.conf file. There is an option to support the cisco pairs: with_cisco_vsa_hack

Arne.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jérôme Warnier
Sent: Monday 29 March 2004 20:04
To: freeradius-users
Subject: FreeRADIUS with Cisco hardware for VoIP

I'm searching for FreeRADIUS with Cisco hardware for VoIP. Specifically, I'm having trouble with the cisco-av-pair stuff. I read somewhere that Peter Nixon had experience in this, but can't find him. Thanks to help.

--
Jérôme Warnier Consultant BeezNest http://beeznest.net
freeradius,eap/tls,win xp sp-1 problem
I'm trying to set up an eap/tls system, I followed howtos and docs on freeradius website, but what I get is that error from the eap module.

My system:
- freeradius 0.9.3 (tarball release)
- cisco 350 series AP
- pcmcia cisco aironet 350 on a windows xp sp1 supplicant

I'm mostly sure that certificates setup is right both for client and server. Can somebody help me? Thanks a lot in advance.

Rinaldo.

---
Ready to process requests.
rad_recv: Access-Request packet from host 160.78.27.14:1083, id=59, length=172
    User-Name = "Rinaldo Bergamini"
    Cisco-AVPair = "ssid=qosnet"
    NAS-IP-Address = 160.78.27.14
    Called-Station-Id = "004096586593"
    Calling-Station-Id = "000bbe371047"
    NAS-Identifier = "AP350-586593"
    NAS-Port = 37
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x025b00160152696e616c646f2042657267616d696e69
    Message-Authenticator = 0x23484a6f7bb4cf319c010ba50e391723
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_eap: EAP packet type notification id 91 length 22
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 0
rlm_realm: No '@' in User-Name = "Rinaldo Bergamini", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched Rinaldo Bergamini at 75
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP packet type notification id 91 length 22
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: Unsupported EAP_TYPE 1
modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 59 to 160.78.27.14:1083
    EAP-Message = 0x045b0004
    Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 59 with timestamp 4068333c
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 160.78.27.14:1084, id=60, length=172
    User-Name = "Rinaldo Bergamini"
    Cisco-AVPair = "ssid=qosnet"
    NAS-IP-Address = 160.78.27.14
    Called-Station-Id = "004096586593"
    Calling-Station-Id = "000bbe371047"
    NAS-Identifier = "AP350-586593"
    NAS-Port = 37
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x025c00160152696e616c646f2042657267616d696e69
    Message-Authenticator = 0x99553803e17525967cf00919037a511b
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_eap: EAP packet type notification id 92 length 22
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 1
rlm_realm: No '@' in User-Name = "Rinaldo Bergamini", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched Rinaldo Bergamini at 75
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
rlm_eap: EAP packet type notification id 92 length 22
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: Unsupported EAP_TYPE 1
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 60 to 160.78.27.14:1084
    EAP-Message = 0x045c0004
    Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
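The EAP-Message values in the debug output above can be decoded by hand to see which packet the eap module was handed. The following is an added example, not part of the original post and not FreeRADIUS code; it parses the RFC 3748 header, and the names parse_eap and describe are assumptions of this sketch.

```python
"""Decode EAP-Message hex strings as printed by radiusd -X (RFC 3748 framing)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types mentioned in this archive, plus the basic RFC 3748 ones.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS", 25: "PEAP"}

# Values copied from the debug output in the post above.
FIRST_REQUEST = "0x025b00160152696e616c646f2042657267616d696e69"
FIRST_REJECT = "0x045b0004"


def parse_eap(hex_value):
    """Return a dict describing one EAP packet given as '0x...' hex text."""
    text = hex_value.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    try:
        raw = bytes.fromhex(text)
    except ValueError as exc:
        raise ValueError("EAP-Message is not valid hex") from exc
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # The length field covers the whole packet; reject truncated captures.
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    packet = {"code": EAP_CODES.get(code, "Unknown(%d)" % code), "id": ident,
              "length": length, "type": None, "type_name": None, "data": b""}
    # Only Request and Response carry a type byte; Success/Failure are header only.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        packet["type"] = raw[4]
        packet["type_name"] = EAP_TYPES.get(raw[4], "Unknown")
        packet["data"] = raw[5:length]
    return packet


def describe(hex_value):
    """One-line summary comparable with the rlm_eap lines in the log."""
    p = parse_eap(hex_value)
    line = "EAP-%s id=%d length=%d" % (p["code"], p["id"], p["length"])
    if p["type"] is not None:
        line += " type=%d (%s)" % (p["type"], p["type_name"])
        if p["type"] == 1:
            line += " identity=%r" % p["data"].decode("utf-8", "replace")
    return line


if __name__ == "__main__":
    for value in (FIRST_REQUEST, FIRST_REJECT):
        print(describe(value))
```

The first value is an EAP-Response of type 1 (Identity) with id 91 and length 22, matching the "id 91 length 22" and "EAP_TYPE 1" lines in the log; the value sent back is a bare EAP-Failure with the same id.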
Re: fast connect support in Free Radius {Scanned}
Sorry please disregard my last post. I replied to the wrong email.

- Original Message -
From: Htin Hlaing
To: [EMAIL PROTECTED]
Sent: Tuesday, March 30, 2004 11:11 AM
Subject: fast connect support in Free Radius {Scanned}

Hi, I am wondering if FreeRadius EAP_TLS has support for session reuse or does it always have to restart from scratch for reauthentications? Thanks, Htin
Re: fast connect support in Free Radius {Scanned}
Not sure. I just set it up and let it run.

- Original Message -
From: Htin Hlaing
To: [EMAIL PROTECTED]
Sent: Tuesday, March 30, 2004 11:11 AM
Subject: fast connect support in Free Radius {Scanned}

Hi, I am wondering if FreeRadius EAP_TLS has support for session reuse or does it always have to restart from scratch for reauthentications? Thanks, Htin
fast connect support in Free Radius
Hi, I am wondering if FreeRadius EAP_TLS has support for session reuse or does it always have to restart from scratch for reauthentications? Thanks, Htin
OK what's the best way....
I have a user database in Microsoft AD, I can currently use ldaps to validate users for VPN and ssh but I can't seem to get around the wireless thing. Right now we use LEAP with Cisco ACS for wireless authentication. I am not against moving to PEAP or EAP-TLS or Kerberos. Anyone know which of these would work? TIA, STEVE
Is multi-factor authentication possible?
Config:
Windows XP Pro SP1 (Supplicant)
Linksys WAP54G v2.06 WPA (Radius)/AES (Authenticator)
Solaris 8 w/ OpenSSL 0.9.7d w/ Freeradius snapshot 20040328 (Authentication server)

I have EAP-TLS working fine, and client CRL also works! Woo-hoo! I then tried EAP-PEAP, and that also works. Yes! It seems that EAP-PEAP doesn't require a client-side certificate. Does that mean I can't use multi-factor authentication? I would like to force all clients to have both a valid client certificate, and supply a password. I know you can click the check off when you import the client certificate that the user has to supply the password for the private key, but I can't assume end-users will check it off when they import the certificate. Any help would be greatly appreciated!

-Dan
Funk Odyssey 802.1x Supplicant
Has anyone had any luck making this client work? I couldn't get it to work using EAP-TTLS, although as soon as I instead tried SecureW2 (Alfa & Ariss), the client got in fine... Sadly, Alfa & Ariss only provides WPA for Windows XP, so I'm wondering if there's an EAP-TTLS/negotiated WPA key solution for other versions of Windows. (If anyone wants the logs, I have "freeradius -Xxx 2>&1" logs here, of both the successful login with SecureW2 and the failed login with Odyssey.) Certainly a brief trawl through the mailing list archives showed lots of people asking, but no-one reporting success.

--
Paul "TBBle" Hampson Bubblesworth Pty Ltd (ABN: 51 095 284 361) [EMAIL PROTECTED]
On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
Re: R: MySQL accounting and Cisco-AVPair
On Fri 26/03/2004 at 11:24, Pugnaloni Federico wrote:
> I've found an old patch to cisco_vsa_hack
> http://lists.cistron.nl/pipermail/freeradius-devel/2001-August/001181.html

This patch (well, a modified version) has already been applied to the 0.9.2 version in Debian Sarge/Sid. I rebuild FreeRADIUS with latest PostgreSQL version anyway, and it seems at least to run. I will let you know, guys.

> i don't know C language so i've applied the patch as it was...
>
> it works!!
> cisco_vsa_hack change
> Cisco-AVPair = "ip:source-ip=192.168.0.127"
> to
> ip:source-ip=192.168.0.127
>
> so i've modified sql.conf to store this info on db radacct
> and now it's ok
>
> i don't know if the cisco_vsa_hack now is ok but it seems to work fine
>
> > -Original Message-
> > From: Jérôme Warnier [mailto:[EMAIL PROTECTED]
> > Sent: Thursday 25 March 2004 19:30
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: MySQL accounting and Cisco-AVPair
> >
> > On Mon 22/03/2004 at 11:47, Pugnaloni Federico wrote:
> > > Hi,
> > > i'm using FreeRADIUS Version 0.9.3 on FreeBSD 4.9
> > > i'm using with a Cisco PIX to AAA internet access
> > > it works fine, but i need to store the Cisco-AVPair info in radacct SQL
> > > table.
> > >
> > > As i can see in the detail accounting freeradius store Cisco-AVPair info
> > >
> > > -snip-
> > > Cisco-AVPair = "ip:source-ip=192.168.0.127"
> > > Cisco-AVPair = "ip:source-port=4051"
> > > Cisco-AVPair = "ip:destination-ip=10.10.10.1"
> > > Cisco-AVPair = "ip:destination-port=23"
> > > -snip
> > >
> > > but i cannot store this info on sql
> > > I've tried to modify sql.conf as is:
> > >
> > > accounting_stop_query_alt = "INSERT into ${acct_table2} (RadAcctId,
> > > AcctSessionId... AcctStopDelay) values('', '%{Acct-Session-Id}',
> > > '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
> > > '%{NAS-IP-Address}', '%{NAS-Port}'... '%{Cisco-AVPair}',
> > > '%{Cisco-AVPair}'..}')"
> > >
> > > but it returns only the first instance of Cisco-AVPair
> > > ("ip:source-ip=192.168.0.127")
> > >
> > > how can i store all the values?
> >
> > Does the following help you?
> > http://www.freeradius.org/cgi-bin/cvsweb.cgi/~checkout~/radiusd/src/billing/README?rev=1.5&content-type=text/plain
>
> --
> Federico Pugnaloni

--
Jérôme Warnier Consultant BeezNest http://beeznest.net
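The accounting record quoted in this thread carries several Cisco-AVPair attributes, and a single column only has room for one of them. The following is an added example, not from the thread and not FreeRADIUS code: a parser for "Name = value" lines like the ones quoted that keeps every instance of a repeated attribute and splits each AV pair into protocol, name and value. The function names, the Acct-Session-Id value and the per-pair row layout are assumptions for illustration.

```python
"""Keep every Cisco-AVPair from a detail-style record instead of only the first."""
import re

# 'Attribute-Name = value' as written in the quoted detail excerpt.
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$')

# The four Cisco-AVPair lines are from the post; the session id is constructed.
SAMPLE_LINES = [
    '-snip-',
    '\tAcct-Session-Id = "0000002A"',
    '\tCisco-AVPair = "ip:source-ip=192.168.0.127"',
    '\tCisco-AVPair = "ip:source-port=4051"',
    '\tCisco-AVPair = "ip:destination-ip=10.10.10.1"',
    '\tCisco-AVPair = "ip:destination-port=23"',
    '-snip',
]


def parse_record(lines):
    """Map attribute name -> list of values, preserving order and repeats."""
    record = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # separators such as '-snip-' carry no attribute
        name, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        record.setdefault(name, []).append(value)
    return record


def split_avpair(value):
    """Split 'protocol:name=value'; pairs without a protocol give None for it."""
    head, sep, val = value.partition("=")
    if not sep:
        return (None, value, None)
    protocol, colon, name = head.partition(":")
    if not colon:
        return (None, head, val)  # e.g. "ssid=qosnet" seen elsewhere on this page
    return (protocol, name, val)


def avpair_rows(record):
    """One row per AV pair: (session id, position, protocol, name, value).

    The row shape is hypothetical; it suits a side table keyed on the
    session id and filled with a parameterised INSERT.
    """
    session = record.get("Acct-Session-Id", [None])[0]
    rows = []
    for index, raw in enumerate(record.get("Cisco-AVPair", [])):
        protocol, name, value = split_avpair(raw)
        rows.append((session, index, protocol, name, value))
    return rows


if __name__ == "__main__":
    for row in avpair_rows(parse_record(SAMPLE_LINES)):
        print(row)
```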
RE: single RADIUS server <---> two NASes
> Hi!
>
> I'm already running RADIUS together with: mpd(pptp vpn server),
> users are checked against smbpasswd, required fields are taken from
> "users", accounting is stored in PostgreSQL database.
>
> what I want to do:
>
> I want to implement two VPN servers, different Framed-IP-Address
> for each VPN server. Also I want to put accounting to two separate
> databases.

Why do you need the logging to go to 2 different databases? Can't you just pull records based on the NAS device, or is there another reason for doing this?

> Can somebody give me working example of what I want ?
>
> Cheers,
> Ilia Chipitsine

Jeremy Davis
RE: single RADIUS server <---> two NASes
Why do you need the logging to go to 2 different databases? Can't you just pull records based on the NAS device, or is there another reason for doing this?

Jeremy

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ilia E.
> Chipitsine
> Sent: Monday, March 29, 2004 8:14 AM
> To: [EMAIL PROTECTED]
> Subject: single RADIUS server <---> two NASes
>
> Hi!
>
> I'm already running RADIUS together with: mpd(pptp vpn server),
> users are checked against smbpasswd, required fields are taken from
> "users", accounting is stored in PostgreSQL database.
>
> what I want to do:
>
> I want to implement two VPN servers, different Framed-IP-Address
> for each VPN server. Also I want to put accounting to two separate
> databases.
>
> Can somebody give me working example of what I want ?
>
> Cheers,
> Ilia Chipitsine
FreeRADIUS with Cisco hardware for VoIP
I'm searching for FreeRADIUS with Cisco hardware for VoIP. Specifically, I'm having trouble with the cisco-av-pair stuff. I read somewhere that Peter Nixon had experience in this, but can't find him. Thanks to help. -- Jérôme Warnier Consultant BeezNest http://beeznest.net
linking to rlm_exec under Cygwin
I'm running Cygwin version 1.5.9-1 and freeradius-0.9.3 or freeradius-snapshot-20040326. The reason for the snapshot version is to have all of the eap flavors available. Freeradius configures and makes cleanly but when I run radiusd.exe -X I get the following error:

Radiusd.conf[1241] Failed to link to module 'rlm_exec': dlopen: Win32 error 126

Can anyone tell me how to correct the problem?

Thanks,
Sandy

Sandra McConathy Corporate Systems Engineer Chantry Networks Direct: 781.547.0070 Mobile: 978.994.6900
Re: Help with LDAP authorization using groupOfNames and huntgroups
On Mon, 29 Mar 2004, Kostas Kalevras wrote:
> > rad_recv: Access-Request packet from host 127.0.0.1:40092, id=100,
> > length=59
> > User-Name = "cforbes"
> > User-Password =
> > NAS-IP-Address = 255.255.255.255
>
> Huntgroup matching with this value for NAS-IP-Address will never work.

Ugh - I did a radtest and I didn't specify the NAS IP.

Dustin's suggestion worked... This was the part that I didn't do right:

On Fri, 26 Mar 2004, Dustin Doris wrote:
> Try setting Fall-Through to no and putting a reject at the bottom of the
> file.
>
> DEFAULT Huntgroup-Name == dialup,
>         Ldap-Group == "cn=Dialup,ou=Remote Access,dc=kensfoods,dc=com"
>         Fall-Through = no
>
> DEFAULT Huntgroup-Name == wireless,
>         Ldap-Group == "cn=Wireless,ou=Remote Access,dc=kensfoods,dc=com"
>         Fall-Through = no
>
> DEFAULT Auth-Type := Reject
>

Thanks guys,
Casey
Re: LDAP LEAP and Freeradius
Well I am using MS Active Directory and am able to get LDAP authentication to work, but I don't think it stores clear text passwords in AD.

Thanks,
Steve

Kostas Kalevras <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/29/2004 07:18 AM
Please respond to [EMAIL PROTECTED]
To [EMAIL PROTECTED]
cc
Subject Re: LDAP LEAP and Freeradius

On Fri, 26 Mar 2004, Steve OBrien wrote:
> Is it possible to use LDAP to authenticate LEAP clients? If so does anyone have the particulars?
> TIA,
> Steve
>

If you have clear text passwords in your ldap and set the ldap module to extract them it should work.

--
Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
writing a c++ module
Hi, I'm working on a new module which is written in C++. I found an old thread about writing module in c++ and freeradius: http://lists.cistron.nl/pipermail/freeradius-devel/2002-July/003181.html It seems that freeradius allows c++ modules now ? So, I tried to compile it using g++. It appears for example that the "LRAD_TOKEN operation" definition in the libradius.h (line 139) is incorrect. Andrey Kotrekhov proposed a patch about that. But I don't know its content. Many thanks in advance, Aurelien
Re: Help with LDAP authorization using groupOfNames and huntgroups
On Fri, 26 Mar 2004, Casey Forbes wrote:
> Hello,
>
> I'm having a lot of trouble getting my freeradius (CVS snap 20040323)
> to Allow/Deny access based on membership in LDAP groups (where the
> group names are associated with huntgroups). rlm_ldap docs and the mailing
> list archive didn't help me much..
>
> I'd like to do something like this:
>
> huntgroups:
> .
> dialup          NAS-IP-Address == 172.16.0.12
> wireless        NAS-IP-Address == 172.16.0.13
>
> users:
> .
> DEFAULT Huntgroup-Name == dialup,
>         Ldap-Group == "cn=Dialup,ou=Remote Access,dc=kensfoods,dc=com"
>         Fall-Through = yes
> DEFAULT Huntgroup-Name == wireless,
>         Ldap-Group == "cn=Wireless,ou=Remote Access,dc=kensfoods,dc=com"
>         Fall-Through = yes
>
> ldif:
> .
> dn: cn=Dialup,ou=Remote Access, dc=kensfoods,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: cn=John Smith,ou=Users,dc=kensfoods,dc=com
> cn: Dialup
>
> dn: cn=Wireless,ou=Remote Access, dc=kensfoods,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> uniqueMember: cn=Robert Kelley,ou=Users,dc=kensfoods,dc=com
> cn: Wireless
>
> radiusd.conf
> .
> modules {
>    ...
>
>    ldap {
>        server = "ldap.kensfoods.com"
>        identity = "cn=FreeRADIUS,ou=Daemon,dc=kensfoods,dc=com"
>        password = **
>        basedn = "ou=Users,dc=kensfoods,dc=com"
>        filter = "(uid=%u)"
>
>        start_tls = no
>        ldap_connections_number = 5
>        dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>        password_header = "{SHA}"
>        password_attribute = userPassword
>
>        groupname_attribute = cn
>        groupmembership_filter =
> "(&(objectClass=groupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>
>        timeout = 4
>        timelimit = 3
>        net_timeout = 1
>        compare_check_items = no
>    }
> }
> authorize {
>    preprocess
>    chap
>    mschap
>    suffix
>    eap
>    files
>    ldap
> }
>
> authenticate {
>    Auth-Type PAP {
>        pap
>    }
>    Auth-Type CHAP {
>        chap
>    }
>    Auth-Type MS-CHAP {
>        mschap
>    }
>    Auth-Type LDAP {
>        ldap
>    }
>    eap
> }
>
> With the above configuration, no group checks are happening
>
> radiusd -X
> .
> rad_recv: Access-Request packet from host 127.0.0.1:40092, id=100,
> length=59
> User-Name = "cforbes"
> User-Password =
> NAS-IP-Address = 255.255.255.255

Huntgroup matching with this value for NAS-IP-Address will never work.

> NAS-Port = 1
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "cforbes", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> modcall[authorize]: module "files" returns notfound for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for cforbes
> radius_xlat: '(uid=cforbes)'
> radius_xlat: 'ou=Users,dc=kensfoods,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.kensfoods.com:389, authentication 0
> rlm_ldap: bind as cn=FreeRADIUS,ou=Daemon,dc=kensfoods,dc=com
> to ldap.kensfoods.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=Users,dc=kensfoods,dc=com, with filter
> (uid=cforbes)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT
> rlm_ldap: Adding ntPassword as NT-Password
> rlm_ldap: Adding lmPassword as LM-Password
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user cforbes authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "cforbes" with password
> rlm_ldap: user DN: cn=Casey Forbes,ou=Users,dc=kensfoods,dc=com
> rlm_ldap: (re)connect to ldap.kensfoods.com:389, authentication 1
> rlm_ldap: bind as cn=Casey Forbes,ou=Users,dc=kensfoods,dc=com to
> ldap.kensfoods.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user cforbes authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Login OK: [cforbes] (from client localhost port 1)
>
Re: LDAP LEAP and Freeradius
On Fri, 26 Mar 2004, Steve OBrien wrote:
> Is it possible to use LDAP to authenticate LEAP clients? If so does anyone have the
> particulars?
> TIA,
> Steve
>

If you have clear text passwords in your ldap and set the ldap module to extract them it should work.

--
Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: [solved] FreeRADIUS + Extreme Networks: no administrative login :(
hi, just for the archive, i found the problem after hours of trying/debugging and then with the help of this site: http://www.extremenetworks.com/services/documentation/ExtremeWareUser622-Chapter03.asp#pgfId-27130

everything was setup fine and correctly, but the users-file had an incorrect syntax, although check-radiusd-config didn't report any errors... must have overlooked that in the docu, found it on the extreme networks homepage in the cistron radius server paragraph. it was missing a tabulator before Service-Type, here's the correct file, just in case someone else will search for this:

user1 Crypt-Password == "$1$Q8ddOA63$qwR8llXXIpTgmZ9Y8VwVr/"
	Service-Type == "Administrative-User", Filter-Id == "unlim"

JG
Re: how to specify MSCHAP users password is stored in LDAP
On Mon, 29 Mar 2004, Sayantan Bhowmick wrote:
> hi
> please someone tell me how someone can specify that MSCHAP password are
> stored in a LDAP directory.
> thanks
> sayantan bhowmick
>

you just need to extract the user clear text password from the corresponding ldap entry in the authorize section. More or less the section on CHAP and LDAP of the FAQ applies to MSCHAP as well. In general just leave the ldap module in the authorize section, configure it to extract the *clear text* user password and you'll be fine.

--
Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf
Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin
Alan DeKok wrote:
> Frank Seesink <[EMAIL PROTECTED]> wrote:
>> Good news: FreeRADIUS BUILDS UNDER CYGWIN!!! With NO modifications!
>
> That's nice to hear.
>
>> Bad news: 'make install' fails.
>
> That shouldn't be much of a problem.
>
>> I've copy/pasted the end of the output at the end of this message.
>
> It's weird. But if you're not using rlm_dbm, just delete the module
> directory, and type "make install" again.
...

Alan,

Ok, deleted the rlm_dbm module directory and redid 'make install'. Got further, but not done yet. This time got as far as the following, and if I see it right, I will want this, as it's for EAP. Thoughts?

Ideally, I'd really like to get FreeRADIUS to install as it does elsewhere without these gyrations. What exactly do the error messages indicate here? Bug in make on Cygwin? And for what it's worth, the rlm_dbm built just fine, with the appropriate .a .la files as you'd expect. So not really sure what the issue was. Anyway, any help would be appreciated.

...
--
Libraries have been installed in:
   /usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
--
make[11]: Leaving directory `/usr/local/radiusd/src/modules/rlm_eap/types/rlm_eap_ttls'
make[10]: Leaving directory `/usr/local/radiusd/src/modules/rlm_eap/types'
make[9]: Leaving directory `/usr/local/radiusd/src/modules/rlm_eap/types'
make[8]: Leaving directory `/usr/local/radiusd/src/modules/rlm_eap'
/usr/local/radiusd/install-sh -c -m 755 radeapclient /usr/local/bin
cp: `radeapclient' and `/usr/local/bin/#inst.3092#' are the same file
make[7]: *** [install-types] Error 1
make[7]: Leaving directory `/usr/local/radiusd/src/modules/rlm_eap'
make[6]: *** [install] Error 2
make[6]: Leaving directory `/usr/local/radiusd/src/modules/rlm_eap'
make[5]: *** [common] Error 1
make[5]: Leaving directory `/usr/local/radiusd/src/modules'
make[4]: *** [install] Error 2
make[4]: Leaving directory `/usr/local/radiusd/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/usr/local/radiusd/src'
make[2]: *** [install] Error 2
make[2]: Leaving directory `/usr/local/radiusd/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/usr/local/radiusd'
make: *** [install] Error 2
single RADIUS server <---> two NASes
Hi! I'm already running RADIUS together with: mpd(pptp vpn server), users are checked against smbpasswd, required fields are taken from "users", accounting is stored in PostgreSQL database. what I want to do: I want to implement two VPN servers, different Framed-IP-Address for each VPN server. Also I want to put accounting to two separate databases. Can somebody give me working example of what I want ? Cheers, Ilia Chipitsine
Re: start freeradius on boot
which linux-distribution do you use?

Marc

On Monday, 29 March 2004 13:51, Sander Groenhaut wrote:
> Hello,
>
> I would like FreeRadius to boot automatically when the system starts,
> but I don't get it. Does anybody know
> how to make it?
>
> Sander

--
Marc Werner [EMAIL PROTECTED] ICQ#190044536 http://tuxxy.in.itzehoe.de
start freeradius on boot
Hello, I would like FreeRadius to boot automatically when the system starts, but I don't get it. Does anybody know how to make it? Sander
Answer Time: "Waking up in 16 seconds..."
We've freeradius as proxy server, and I see 2 problems:

1) When we receive an Access-Request from a client with incorrect password/invalid user, freeradius proxy sends it to the final radius and the final answer an Access-Reject very quick, but the freeradius proxy delays the answer to the client 16 seconds.

2) When we receive an Access-Request and we send it to the final radius, if the shared secret (shared by proxy and final) is incorrect, the final sends a reject to the proxy and the proxy delays the same (16 seconds) to answer the client a reject.

3) When we receive an Access-Request and we send it to the final radius, if the proxy radius is not an allowed client in the final radius, the final radius silently discard the packet, and with no answer the proxy delays 31 (#!?) seconds and send a reject to the client.

Questions:

+ Is there any way to short this request time? Where can I configure that? Is it something about this message: "Waking up in 16 seconds..."?

+ Should the final radius answer when the shared secret is incorrect or discard silently the packet? Should the final radius answer when the proxy is not an allowed client or discard silently the packet?

In the RFC2865 we can read (page5):

"Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded. If the client is valid, the RADIUS server consults a database of users to find"

Mmmm, ok, I think the final radius should also discard the packet with an INCORRECT shared secret. Is that correct?

Thanks.
Miguel Diez
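The difference between an unknown client and a known client holding the wrong secret can be worked through with the RFC 2865 (sections 3 and 5.2) and RFC 2869 (section 5.14) formulas. This is an added example, not part of the original post and not FreeRADIUS code; the secrets, user name, password and function names are constructed for illustration. It shows that a wrong secret only turns User-Password into garbage unless a Message-Authenticator is present, and that a reply signed with the wrong secret fails the Response Authenticator check at the receiver.

```python
"""RADIUS shared-secret checks: RFC 2865 sections 3 and 5.2, RFC 2869 section 5.14."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

# Constructed sample values, not taken from the thread.
PROXY_SECRET = b"secret-on-the-proxy"
OTHER_SECRET = b"secret-on-the-home-server"
REQUEST_AUTH = bytes(range(16))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """Section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret gives garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(ident, user, password, secret, with_mac=True):
    """Access-Request; the optional Message-Authenticator is the last attribute."""
    body = attr(USER_NAME, user)
    body += attr(USER_PASSWORD, hide_password(password, secret, REQUEST_AUTH))
    if with_mac:
        body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet += REQUEST_AUTH + body
    if with_mac:  # HMAC-MD5 over the packet with the field zeroed
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def attributes(packet):
    """Yield (type, value offset, value) for each attribute in the packet."""
    end = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= end:
        length = packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + length]
        pos += length


def check_message_authenticator(packet, secret):
    """True or False when the attribute is present, None when it is absent."""
    for attr_type, offset, value in attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return None


def server_view(packet, secret):
    """What a server configured with `secret` can conclude about a request."""
    values = {t: v for t, _, v in attributes(packet)}
    return {"mac_ok": check_message_authenticator(packet, secret),
            "password": reveal_password(values[USER_PASSWORD], secret, packet[4:20])}


def build_reject(ident, request_auth, secret):
    """Access-Reject whose authenticator is MD5(Code+ID+Length+RequestAuth+Secret)."""
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def reply_accepted(reply, request_auth, secret):
    """Receiver-side Response Authenticator check (RFC 2865 section 3)."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)
```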
how to specify MSCHAP users password is stored in LDAP
hi
please someone tell me how someone can specify that MSCHAP password are stored in a LDAP directory.
thanks
sayantan bhowmick
eap-sim config?
hi guys~ I have installed the snapshot-20040322. I don't know how to config the eap_sim in eap.conf. is there anyone kindly give me any suggestion or an example about that? thanks in advance alex
Re[2]: rlm_perl detaches when radius runs out of memory
Hello Boian,

thank you very much for information. I think attachment did not go through. Can you please repost it or mail to [EMAIL PROTECTED]

thank you.

Monday, March 29, 2004, 11:28:40 AM, you wrote:

BJ> On Sun, Mar 28, 2004 at 08:09:56PM +0300, Aivis Olsteins wrote:
>> Hello,
>>
>> I would like to ask if anybody could explain how detaching works with
>> perl module. We had following entry in log file, after which radius
>> was running but not responding to any requests.
>>
>> Sat Mar 27 16:04:00 2004 : Error: out of memory
>> Sat Mar 27 16:04:00 2004 : Error: out of memory
>> Sat Mar 27 16:04:01 2004 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
>>
>> How could we prevent perl module from detaching? If the radius runs
>> out of memory and restarts, why to detach perl module? It leaves
>> server without module which is needed for operation and since radiusd
>> process is still running, it does not give external monitoring
>> programs any idea that it actually has crashed.
>>
BJ> When radius restarts rlm_perl reloads too. If your radius after
BJ> restarting is not responding please apply an attached patch.
BJ> it will fix problems with detaching (sometimes if you do a kill -HUP on
BJ> running radius process) it stop respond. Note you will need a detach
BJ> function which have at least one line 'return RLM_MODULE_OK;'
BJ> Note patch is against 0.9.3

>> version 0.9.3 compiled with rlm_perl included.
>>
>> Any feedback will be highly appreciated.
>>
>> --
>> Best regards,
>> Aivis mailto:[EMAIL PROTECTED]
>>

--
Best regards,
Aivis mailto:[EMAIL PROTECTED]
Re: rlm_perl detaches when radius runs out of memory
On Sun, Mar 28, 2004 at 08:09:56PM +0300, Aivis Olsteins wrote:
> Hello,
>
> I would like to ask if anybody could explain how detaching works with
> perl module. We had following entry in log file, after which radius
> was running but not responding to any requests.
>
> Sat Mar 27 16:04:00 2004 : Error: out of memory
> Sat Mar 27 16:04:00 2004 : Error: out of memory
> Sat Mar 27 16:04:01 2004 : rlm_perl: rlm_perl::Detaching. Reloading. Done.
>
> How could we prevent perl module from detaching? If the radius runs
> out of memory and restarts, why to detach perl module? It leaves
> server without module which is needed for operation and since radiusd
> process is still running, it does not give external monitoring
> programs any idea that it actually has crashed.
>

When radius restarts rlm_perl reloads too. If your radius after restarting is not responding please apply an attached patch. it will fix problems with detaching (sometimes if you do a kill -HUP on running radius process) it stop respond. Note you will need a detach function which have at least one line 'return RLM_MODULE_OK;' Note patch is against 0.9.3

> version 0.9.3 compiled with rlm_perl included.
>
> Any feedback will be highly appreciated.
>
> --
> Best regards,
> Aivis mailto:[EMAIL PROTECTED]
>

--
Best Regards,
Boian Jordanov SNE Orbitel - the Internet Company tel. +359 2 937 07 23