802.1x with Enterasys E1 Switches HOWTO (in German!)
Hello everybody,

A few weeks ago I sought advice on this mailing list. You were a great help to me and my colleagues. Now we have finished our small work to get an 802.1x UPN working with Enterasys E1 switches. You can find the PDF file here: http://www.allotria.ch/uploads/media/ISEC_8021x.pdf

Unfortunately it's in German, but we didn't have the time to translate it.

Greetings
Manuel

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS
Vidar Stokke wrote:
> Alan DeKok wrote:
> > Vidar Stokke [EMAIL PROTECTED] wrote:
> > > I'm having some trouble with freeradius-1.0.0-pre3 and TTLS.
> > > ...
> > > rlm_eap_peap: Session established. Decoding tunneled attributes.
> > > rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal access_denied
> > > TLS Alert read:fatal:access denied
> >
> > That's a problem. Does the server have permissions to read the certificates?
>
> Yeah it has. Maybe it's the way my certificates are generated? I did not get the certs.sh to work, but I'll try some more.

Hi.

FYI: I regenerated my certificates and things work fine now.

Regards
Vidar Stokke
snoop2radius: a tool for testing RADIUS servers and a RADIUS sniffer
Hi!

For all of you, this is a little tool I made some time ago to test RADIUS servers. It's in Python and it's easy to modify to your specific needs. It can read a snoop (Solaris) or a tcpdump (Linux) output directly through a pipe or from a dumped file and show the packets and/or resend them to another RADIUS server.

It's useful, for example, if you have a core problem in the production servers. You can dump the auth/acct packets to a snoop file and then try to repeat the core problem in your controlled test area. It's also useful when you want to see inside the packets, more than any normal sniffer does, because it understands whatever vendor-specific attribute dictionary.

I hope you like it. Please send me any bugs, adds, comments or whatever. Sorry, the help (snoop2radius -h) is in Spanish. Tell me if you are interested and I'll translate or make any mods to the script.

Thanks,
Miguel

snoop2radius.tar.gz
Description: application/compressed-tar
Basic RADIUS network protocol question
I'm reading RFC 2865 for RADIUS. Each RADIUS packet seems to have a code, an identifier, a length field, an authenticator field and some attributes. The length field is 16-bit, but is it big-endian or little-endian? If I receive the two bytes for the length as A B, should I use the value 256*A+B or should I use the value A+B*256?

Regards,
Martin Olsson
How create a Special AccessRequest using LDAP
Hello,

I'm searching for a solution to build a pretty way to give access-accept, using an LDAP server. In fact, I've found some way to do this, but I would like to use the better one (maybe working on other types of RADIUS server). What I exactly need is to check some information on the LDAP server and match it with some RADIUS attributes (sent in the access-request), and so on, accepting or not the request.

Thanks for your help.

bye,
Jeff
EAP-TLS module
Hello,

1. Problem with usage of EAP-TLS: the certificate is showing the error TLS 'bad certificate'. I followed all the steps necessary in the last few days and tried all scripts available to create the certificate, but it gives the same bad certificate problem after getting the request.

2. When I use certificates from some HOWTO sites (which are expired, but I change the system date), the RADIUS server moves ahead and shows SSL Handshake successful and then it exits, causing a Failure to be sent from the AP to the supplicant. The second problem I guess I am trying to solve as it is a step forward, so I'm sending along the LOG from when the RADIUS server exits.

Anyone, if possible let me know what I am missing, and any comment on the first problem.

Regards,
Rajan Batra.
Eagerly waiting.

LOG
Description: Binary data
Re: How create a Special AccessRequest using LDAP
On Wed, 7 Jul 2004, jeff x wrote:

> Hello,
>
> I'm searching for a solution to build a pretty way to give access-accept, using an LDAP server. In fact, I've found some way to do this, but I would like to use the better one (maybe working on other types of RADIUS server). What I exactly need is to check some information on the LDAP server and match it with some RADIUS attributes (sent in the access-request), and so on, accepting or not the request.

You can do that with the ldap module combined with the checkval module

> Thanks for your help.
>
> bye,
> Jeff

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Timeout Problem
Hello,

I am working with an AP CN300 from Colubris Networks, FreeRADIUS (2004/03) and XSupplicant-1.0. I have the following problem: xsupplicant tries to authenticate, but it is a little slow. The AP sends the EAP-Request, 10 secs after it sends it again, and another 10 secs after it sends an EAP-Failure. When XSupplicant finally sends the EAP-Response, it seems to be ignored by the AP.

Here is an extract of the AP logs:

Jul 7 13:18:33 debug eapolserver Sending RADIUS Packet (Length:'121',Code:'Access-Request',ID:'245') to RADIUS Server (Ip:'192.168.49.222',Port:'1812')
Jul 7 13:18:33 debug eapolserver Receiving RADIUS Packet (Length:'94',Code:'Access-Challenge',ID:'245') from RADIUS Server (Ip:'192.168.49.222',Port:'1812').
Jul 7 13:18:33 debug eapolserver Sending EAPOL (length='24') EAP Request (length='6',id='134') to station (mac-address='00-40-05-54-16-EB').
Jul 7 13:18:43 debug eapolserver Sending EAPOL (length='24') EAP Request (length='6',id='134') to station (mac-address='00-40-05-54-16-EB').
Jul 7 13:18:53 debug eapolserver Sending EAPOL (length='22') EAP Failure (length='4',id='134') to station (mac-address='00-40-05-54-16-EB').
Jul 7 13:18:55 debug eapolserver Sending EAPOL (length='22') EAP Failure (length='4',id='135') to station (mac-address='00-40-05-54-16-EB').

I have tried to make the timeout bigger, using the following attributes:

Sending Access-Challenge of id 20 to 192.168.51.161:2048
	Session-Timeout = 4294967295
	Idle-Timeout = 4294967295
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x016600060d20
	Message-Authenticator = 0x
	State = 0xf53847f06665db0d05b8740e7c9856e0

But they seem not to have any effect. Does anybody know how to do it?

Thank you,
Alejandro
Cisco confirming Dynamic WEP
OK. I'm having a little problem confirming Dynamic WEP usage on my systems. I'm running FreeRADIUS 1.0.0-pre2 on Fedora Core 2 with a Cisco AP352; the client card is the Cisco AIR352 on WinXP.

Everything works and authenticates as expected. However, on the client side the ACU (Aironet Client Utility) reports Encryption as NONE. Likewise the AP reports Encryption as NONE. My output from debugging shows (I think) that dynamic keys are being passed to the client computer.

If I go into the ACU Profile Manager and in Network Security set Network Auth to Host Based EAP and enable Dynamic WEP, then everyone reports WEP as being used. Is there a setting in FreeRADIUS that forces the client to use WEP, or is that an interplay between client and AP?

If anyone can help and needs more info, hit me off-list.

Thanks.
Mark C
Re: Basic RADIUS network protocol question
Martin Olsson wrote:
> The length field is 16-bit, but is it big-endian or little-endian? If I receive the two bytes for the length as A B, should I use the value 256*A+B or should I use the value A+B*256?

You can just convert your short int from host byte order to network byte order using the function htons and then store it in the length field. See the man pages for details.

Aldo
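Added example (not part of the thread and not Miguel's snoop2radius): a small RADIUS decoder in Python that settles the byte-order question from Martin's post and shows the kind of per-packet sanity checks a sniffer or test tool of the snoop2radius type needs. RFC 2865 defines the header as Code (1 octet), Identifier (1), Length (2, network byte order, so the value is 256*A+B), Authenticator (16), followed by Type/Length/Value attributes; the length bounds (20..4096), the "discard if shorter than Length" rule and the "attribute Length must be at least 2" rule are taken from the RFC. The sample packet and the attribute-name table are constructed for this demo.

```python
"""Decode a RADIUS header and its attribute list as RFC 2865 lays them out.

Added example, not part of the original mail thread or of snoop2radius.
"""
import struct

HEADER = struct.Struct("!BBH16s")   # "!" = network (big-endian) byte order
MIN_LEN, MAX_LEN = 20, 4096         # packet length bounds, RFC 2865 section 3

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge"}
# Small subset of the standard dictionary, enough for the constructed sample.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              80: "Message-Authenticator"}


def length_from_bytes(a: int, b: int) -> int:
    """Value of the 2-byte Length field whose octets arrive as A then B.
    RADIUS uses network byte order, so this is 256*A+B, not A+B*256."""
    return (a << 8) | b


def parse_radius(datagram: bytes) -> dict:
    """Parse one UDP payload; raise ValueError on anything RFC 2865 says to discard."""
    if len(datagram) < MIN_LEN:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(datagram)
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"Length field {length} outside 20..4096")
    if length > len(datagram):
        # Octets beyond Length are padding and ignored; a packet that is
        # *shorter* than its Length field must be silently discarded.
        raise ValueError("Length field larger than datagram; discard")
    attrs = []
    pos = MIN_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            # Attribute Length < 2, or an attribute running past the packet,
            # is malformed (RFC 2865 section 5); never trust it as a slice.
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"),
                      datagram[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, f"Code-{code}"), "id": ident,
            "length": length, "authenticator": authenticator,
            "attributes": attrs}


# Constructed sample: Access-Request, id 0x10, User-Name "bob", NAS-IP-Address 192.0.2.1
SAMPLE = bytes.fromhex(
    "01 10 00 1f"                                       # code, id, Length = 0x001f = 31
    "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"   # 16-byte Request Authenticator (made up)
    "01 05 62 6f 62"                                    # User-Name = "bob"
    "04 06 c0 00 02 01"                                 # NAS-IP-Address = 192.0.2.1
)

if __name__ == "__main__":
    pkt = parse_radius(SAMPLE)
    print(pkt["code"], pkt["id"], pkt["length"])
    for name, value in pkt["attributes"]:
        print(f"  {name}: {value!r}")
```

The parser deliberately refuses packets whose Length field exceeds the bytes actually received and attributes whose own Length is below 2 or runs past the packet; both are the cases where a naive decoder reads outside the buffer.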
rlm_sqlcounter question
Hello,

I would like to set up the following configuration: I am trying to set up a prepaid solution for dialup customers. Some accounts in RADIUS should be allowed to log in (total time online) for 60 minutes. Some accounts should be configured to log in (total time online) for 30 minutes. This time online should never be cleared or renewed (no daily, no monthly etc...). But when a customer wants to buy more time online I can change it in the database (recharge his account).

Is such a configuration possible with rlm_sqlcounter? I would be happy to get some suggestions and help.

Regards,
Bartosz Jozwiak
Re: Freeradius 0.9.3 and syslog?
Enabling syslog use with the very last 1.0 version is easy, but there is a small mistake in the man page. Instead of:

	-l logging directory
		This defaults to /var/log. Radiusd writes a logfile here called radius.log. It contains informational and error messages, and optionally a record of every login attempt (for aiding an ISP's helpdesk). The special arguments stdout and stderr cause the information to get written to the standard output, or standard error instead. The special argument syslog sends the information with syslog(3). This command line option is deprecated. See the log_dir configuration item in the radiusd.conf file.

the correct entry in radius.conf must be: logdir.

What I did was renaming the variable logdir to log_dir for detail log use, and I defined logdir = syslog. To be sure I also started radiusd with:

	-l syslog -g authpriv -Syz

Activating all the log options in radius.conf will then work properly.

Thanks for the job ... I have but it is problematic.

CK

- Original Message -
From: Robert Haskins [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 31, 2004 10:24 PM
Subject: Freeradius 0.9.3 and syslog?

> I am trying to enable Freeradius 0.9.3 to work with syslog. I see a number of posts on the list regarding syslog, but no one seems to have gotten it working. Has anyone been able to get it to work?
>
> Thanks for the help!
Error: rlm_eap_tls: conf N ctx stored
Hi all,

I have compiled freeradius-0.9.2.tar.gz with EAP-TLS support. After configuration of the radius.conf file, when I start the server it shows an Error message in the log file:

Error: rlm_eap_tls: conf N ctx stored

I have looked on the internet and found that this message came up in other log files posted on the internet too, but not with the word Error before it. So now I am confused whether my installation is correct or there is a problem..

radius.log
**
Wed Jul 7 16:09:40 2004 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Jul 7 16:09:40 2004 : Info: Using deprecated clients file. Support for this will go away soon.
Wed Jul 7 16:09:40 2004 : Info: Using deprecated realms file. Support for this will go away soon.
Wed Jul 7 16:09:40 2004 : Error: rlm_eap_tls: conf N ctx stored
Wed Jul 7 16:09:40 2004 : Info: Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Wed Jul 7 16:09:40 2004 : Info: Ready to process requests.

Regards,
Riz.
Re: rlm_sqlcounter question
It's possible, you'll have to increase the Max-All-Session time to recharge. Otherwise just set up non-rechargeable accounts; when exhausted they get another account.

--- Bartosz Jozwiak [EMAIL PROTECTED] wrote:
> Hello,
>
> I would like to set up the following configuration: I am trying to set up a prepaid solution for dialup customers. Some accounts in RADIUS should be allowed to log in (total time online) for 60 minutes. Some accounts should be configured to log in (total time online) for 30 minutes. This time online should never be cleared or renewed (no daily, no monthly etc...). But when a customer wants to buy more time online I can change it in the database (recharge his account).
>
> Is such a configuration possible with rlm_sqlcounter? I would be happy to get some suggestions and help.
>
> Regards,
> Bartosz Jozwiak

=
Julius Igugu
SouthWork Co. Ltd.
Re: Error: rlm_eap_tls: conf N ctx stored
It's not an error message, just a debugging message that I believe has been removed from the 1.0.0-pre series releases.

--Mike

On Wed, 2004-07-07 at 09:28, Cool Man wrote:
> Hi all,
>
> I have compiled freeradius-0.9.2.tar.gz with EAP-TLS support. After configuration of the radius.conf file, when I start the server it shows an Error message in the log file:
>
> Error: rlm_eap_tls: conf N ctx stored
>
> I have looked on the internet and found that this message came up in other log files posted on the internet too, but not with the word Error before it. So now I am confused whether my installation is correct or there is a problem..
>
> radius.log
> **
> Wed Jul 7 16:09:40 2004 : Info: Using deprecated naslist file. Support for this will go away soon.
> Wed Jul 7 16:09:40 2004 : Info: Using deprecated clients file. Support for this will go away soon.
> Wed Jul 7 16:09:40 2004 : Info: Using deprecated realms file. Support for this will go away soon.
> Wed Jul 7 16:09:40 2004 : Error: rlm_eap_tls: conf N ctx stored
> Wed Jul 7 16:09:40 2004 : Info: Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Wed Jul 7 16:09:40 2004 : Info: Ready to process requests.
>
> Regards,
> Riz.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Dialup Admin - Can't see any mysql record
Just downloaded and tried the latest CVS snippet from dialup_admin. I'm not using the http_credentials (#sql_use_http_credentials: yes) to connect to the radius database. Instead I use the same MySQL user as before. But dialup admin does not show one single record (e.g. our radacct table has about 25 records). But I see it connects to the DB.

I saw there's a new file called username.mappings and I added my name, since we use htpasswd. But it still doesn't work.

Any ideas are welcome?

---
Karel Stadler
Network Technician
Paul Scherrer Institute
CH-5332 Villigen
Switzerland
---
PGP KeyId:0x1B740D81
Re: Dialup Admin - Can't see any mysql record
On Wed, 7 Jul 2004, Stadler Karel wrote:

> Just downloaded and tried the latest CVS snippet from dialup_admin. I'm not using the http_credentials (#sql_use_http_credentials: yes) to connect to the radius database. Instead I use the same MySQL user as before. But dialup admin does not show one single record (e.g. our radacct table has about 25 records). But I see it connects to the DB.

Enable sql_debug to see what's happening.

> I saw there's a new file called username.mappings and I added my name, since we use htpasswd. But it still doesn't work.
>
> Any ideas are welcome?
>
> ---
> Karel Stadler
> Network Technician
> Paul Scherrer Institute
> CH-5332 Villigen
> Switzerland
> ---
> PGP KeyId:0x1B740D81

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Re: Timeout Problem
Alejandro Martínez Marcos [EMAIL PROTECTED] wrote:
> I have the following problem: xsupplicant tries to authenticate, but it is a little slow. The AP sends the EAP-Request, 10 secs after it sends it again, and another 10 secs after it sends an EAP-Failure. When XSupplicant finally sends the EAP-Response, it seems to be ignored by the AP.

Because the AP thinks that the supplicant is dead.

I suggest looking at the debug logs of xsupplicant to see why it's so slow. It may be trying to do DNS lookups, which won't work if it doesn't have a network connection.

Alan DeKok.
Simultaneous Use
Hello,

This is my first post to the list. I have looked in the help files, but either I don't understand my own question properly or it is not listed.

I have installed freeradius-0.8.1 on a Mandrake Linux box. It runs well. My question is regarding preventing simultaneous use. How do you prevent simultaneous logins using freeradius?

Any help would be greatly appreciated. Thank you!!

Kindest regards,
Sevak
Re: rlm_sqlcounter question
Ok, I have managed to configure rlm_sqlcounter but I get the following error while logging in:

  rlm_sqlcounter: Entering module authorize code
  rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module noresetcounter returns noop for request 0

How can I fix it? I have seen it in the archives of the mailing list but I could not solve the problem.

Bartosz

> > I would like to set up the following configuration: I am trying to set up a prepaid solution for dialup customers. Some accounts in RADIUS should be allowed to log in (total time online) for 60 minutes. Some accounts should be configured to log in (total time online) for 30 minutes. This time online should never be cleared or renewed (no daily, no monthly etc...). But when a customer wants to buy more time online I can change it in the database (recharge his account).
> >
> > Is such a configuration possible with rlm_sqlcounter?
>
> Yes it is possible. My advice is for you to read more of rlm_sqlcounter and other FreeRADIUS attributes. More help exists on the mailing list, just dig more into it.
>
> //milver
Re: rlm_sqlcounter question
Did you set 'Session-Timeout := ???' for the account? And did you follow the instructions in doc/rlm_sqlcounter?

--- Bartosz Jozwiak [EMAIL PROTECTED] wrote:
> Ok, I have managed to configure rlm_sqlcounter but I get the following error while logging in:
>
>   rlm_sqlcounter: Entering module authorize code
>   rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module noresetcounter returns noop for request 0
>
> How can I fix it? I have seen it in the archives of the mailing list but I could not solve the problem.
>
> Bartosz

=
Julius Igugu
SouthWork Co. Ltd.
Re: rlm_sqlcounter question
> Did you set 'Session-Timeout := ???' for the account?

I have tried it just now with Session-Timeout and I have tried without. Still the same problem.

> And did you follow the instructions in doc/rlm_sqlcounter?

Yes, I have followed the instructions from doc/rlm_sqlcounter. I have searched the archives and a lot of people have a problem with the same error, but there is no solution.

Can somebody help? Please...

Bartosz
Re: rlm_sqlcounter question
I have this setup using the flat files and SQL and they both work. I used 1.0.0pre3 on RedHat 9.0. What version of freeradius do you have?

--- Bartosz Jozwiak [EMAIL PROTECTED] wrote:
> > Did you set 'Session-Timeout := ???' for the account?
>
> I have tried it just now with Session-Timeout and I have tried without. Still the same problem.
>
> > And did you follow the instructions in doc/rlm_sqlcounter?
>
> Yes, I have followed the instructions from doc/rlm_sqlcounter. I have searched the archives and a lot of people have a problem with the same error, but there is no solution.
>
> Can somebody help? Please...
>
> Bartosz

=
Julius Igugu
SouthWork Co. Ltd.
Re: rlm_sqlcounter question
Sorry, you don't set the Session-Timeout, you set the Max-All-Session; the server calculates the Session-Timeout. Do this:

  INSERT into radcheck VALUES ('','test0001','Max-All-Session','54000',':=');

Where 'test0001' is the username and '54000' is the number of seconds of total online time.

--- Bartosz Jozwiak [EMAIL PROTECTED] wrote:
> > Did you set 'Session-Timeout := ???' for the account?
>
> I have tried it just now with Session-Timeout and I have tried without. Still the same problem.
>
> > And did you follow the instructions in doc/rlm_sqlcounter?
>
> Yes, I have followed the instructions from doc/rlm_sqlcounter. I have searched the archives and a lot of people have a problem with the same error, but there is no solution.
>
> Can somebody help? Please...
>
> Bartosz

=
Julius Igugu
SouthWork Co. Ltd.
RE: Dialup Admin - Can't see any mysql record
@Kostas Kalevras: sql_debug is enabled. I see dialup admin can connect to the MySQL radius DB. Sometimes (Show Groups button) it says "Returning 6 rows", but I don't see any row returned.

While using the new CVS snippet, the only thing I did not upgrade is to use the changed MySQL schemes. I saw some fields changed, for example in userinfo.sql Name changed to Admin. But I don't think this is the problem.

Can you help?

best rgds
Karel

-----Original Message-----
From: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]'
Sent: 07.07.04 17:12
Subject: Re: Dialup Admin - Can't see any mysql record

> On Wed, 7 Jul 2004, Stadler Karel wrote:
>
> > Just downloaded and tried the latest CVS snippet from dialup_admin. I'm not using the http_credentials (#sql_use_http_credentials: yes) to connect to the radius database. Instead I use the same MySQL user as before. But dialup admin does not show one single record (e.g. our radacct table has about 25 records). But I see it connects to the DB.
>
> Enable sql_debug to see what's happening.
>
> > I saw there's a new file called username.mappings and I added my name, since we use htpasswd. But it still doesn't work.
> >
> > Any ideas are welcome?
Re: rlm_sqlcounter question
Yes, I have set Max-All-Session to 60 seconds in the MySQL radcheck table. I use 1.0.0pre3 on Debian (Woody).

Please could you provide me your configuration files so I can compare them? It will be very helpful, because I cannot find anything else... :(

Bartosz

> Sorry, you don't set the Session-Timeout, you set the Max-All-Session; the server calculates the Session-Timeout. Do this:
>
>   INSERT into radcheck VALUES ('','test0001','Max-All-Session','54000',':=');
>
> Where 'test0001' is the username and '54000' is the number of seconds of total online time.
Re: rlm_sqlcounter question
raddb/sqlcounter.conf:

  sqlcounter noresetcounter {
          counter-name = Max-All-Session-Time
          check-name = Max-All-Session
          sqlmod-inst = sql
          key = User-Name
          reset = never
          query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
  }

radiusd.conf (SNIP):

  modules {
          # some other stuff here
          $INCLUDE ${confdir}/sql.conf
          $INCLUDE ${confdir}/sqlcounter.conf
          # some other stuff here
  }

  authorize {
          #
          # some other stuff here
          #
          # Enforce daily limits on time spent logged in.
          #
          daily
          noresetcounter
          #
          # some other stuff here
          #
  }

--- SNIP

I think that's all I changed to get it working.

--- Bartosz Jozwiak [EMAIL PROTECTED] wrote:
> Yes, I have set Max-All-Session to 60 seconds in the MySQL radcheck table. I use 1.0.0pre3 on Debian (Woody). Could you please provide me your configuration files so I can compare them? It would be very helpful, because I cannot find anything else... :(
>
> Bartosz

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

=====
Julius Igugu
SouthWork Co. Ltd.
Re: peap + Windows XP
Hello Rinaldo,

I tried what you told me, and it did not help. I'm looking at the log here, and see that it is building the TLS connection, but it is not going to the next step, whatever that may be. The XP machine just sits at "Attempting to authenticate". If I do a packet dump, then I am able to see the traffic go back and forth, with no NAKs. I even tried setting a static IP for the machine. Is there something that I am missing?

-Mark

  /root/start-rad -sAX
  + LD_LIBRARY_PATH=/usr/lib
  + LD_PRELOAD=/usr/lib/libcrypto.so
  + export LD_LIBRARY_PATH LD_PRELOAD
  + radiusd -sAX
  Starting - reading configuration files ...
  reread_config: reading radiusd.conf
  Config: including file: /usr/local/etc/raddb/proxy.conf
  Config: including file: /usr/local/etc/raddb/clients.conf
  Config: including file: /usr/local/etc/raddb/snmp.conf
  Config: including file: /usr/local/etc/raddb/eap.conf
  Config: including file: /usr/local/etc/raddb/sql.conf
   main: prefix = /usr/local
   main: localstatedir = /usr/local/var
   main: logdir = /usr/local/var/log/radius
   main: libdir = /usr/local/lib
   main: radacctdir = /usr/local/var/log/radius/radacct
   main: hostname_lookups = no
   main: max_request_time = 30
   main: cleanup_delay = 5
   main: max_requests = 1024
   main: delete_blocked_requests = 0
   main: port = 0
   main: allow_core_dumps = no
   main: log_stripped_names = no
   main: log_file = /usr/local/var/log/radius/radius.log
   main: log_destination = files
   main: log_auth = no
   main: log_auth_badpass = no
   main: log_auth_goodpass = no
   main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
   main: user = (null)
   main: group = (null)
   main: usercollide = no
   main: lower_user = no
   main: lower_pass = no
   main: nospace_user = no
   main: nospace_pass = no
   main: checkrad = /usr/local/sbin/checkrad
   main: debug_level = 0
   main: proxy_requests = yes
   proxy: retry_delay = 5
   proxy: retry_count = 3
   proxy: synchronous = no
   proxy: default_fallback = yes
   proxy: dead_time = 120
   proxy: post_proxy_authorize = yes
   proxy: wake_all_if_all_dead = no
   security: max_attributes = 200
   security: reject_delay = 1
   security: status_server = no
  read_config_files: reading dictionary
  read_config_files: reading naslist
  Using deprecated naslist file. Support for this will go away soon.
  read_config_files: reading clients
  read_config_files: reading realms
  radiusd: entering modules setup
  Module: Library search path is /usr/local/lib
  Module: Loaded exec
   exec: wait = yes
   exec: program = (null)
   exec: input_pairs = request
   exec: output_pairs = (null)
   exec: packet_type = (null)
  rlm_exec: Wait=yes but no output defined. Did you mean output=none?
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
   pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Module: Loaded MS-CHAP
   mschap: use_mppe = no
   mschap: require_encryption = no
   mschap: require_strong = no
   mschap: with_ntdomain_hack = no
   mschap: passwd = (null)
   mschap: authtype = MS-CHAP
   mschap: ntlm_auth = (null)
  Module: Instantiated mschap (mschap)
  Module: Loaded eap
   eap: default_eap_type = peap
   eap: timer_expire = 60
   eap: ignore_unknown_eap_types = yes
   eap: cisco_accounting_username_bug = no
  rlm_eap: Loaded and initialized type md5
  rlm_eap: Loaded and initialized type leap
   gtc: challenge = Password:
   gtc: auth_type = Local
  rlm_eap: Loaded and initialized type gtc
   tls: rsa_key_exchange = no
   tls: dh_key_exchange = yes
   tls: rsa_key_length = 512
   tls: dh_key_length = 512
   tls: verify_depth = 0
   tls: CA_path = (null)
   tls: pem_file_type = yes
   tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
   tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
   tls: CA_file = /usr/local/etc/raddb/certs/root.pem
   tls: private_key_password = kickass
   tls: dh_file = /usr/local/etc/raddb/certs/dh
   tls: random_file = /usr/local/etc/raddb/certs/random
   tls: fragment_size = 1024
   tls: include_length = yes
   tls: check_crl = no
   tls: check_cert_cn = (null)
  rlm_eap: Loaded and initialized type tls
   peap: default_eap_type = mschapv2
   peap: copy_request_to_tunnel = no
   peap: use_tunneled_reply = no
   peap: proxy_tunneled_request_as_eap = yes
  rlm_eap: Loaded and initialized type peap
   mschapv2: with_ntdomain_hack = no
  rlm_eap: Loaded and initialized type mschapv2
  Module: Instantiated eap (eap)
  Module: Loaded preprocess
   preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
   preprocess: hints = /usr/local/etc/raddb/hints
   preprocess: with_ascend_hack = no
   preprocess: ascend_channels_per_line = 23
   preprocess: with_ntdomain_hack = no
   preprocess: with_specialix_jetstream_hack = no
   preprocess: with_cisco_vsa_hack = no
  Module: Instantiated preprocess (preprocess)
  Module: Loaded files
   files: usersfile = /usr/local/etc/raddb/users
   files: acctusersfile = /usr/local/etc/raddb/acct_users
   files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
   files: compat = no
  Module: Instantiated
Re: rlm_sqlcounter question
Ok, I have found the problem. Under authorize I had

  authorize {
          noresetcounter
          sql
          ...
  }

and it should be in a different order: first sql and then noresetcounter. Thank you very much for your help and time.

Regards,
Bartosz

- Original Message -
From: Julius Igugu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 1:40 PM
Subject: Re: rlm_sqlcounter question

> authorize {
>         #
>         # some other stuff here
>         #
>         # Enforce daily limits on time spent logged in.
>         #
>         daily
>         noresetcounter
>         #
>         # some other stuff here
>         #
> }
>
> I think that's all I changed to get it working.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
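The flow this thread settles on (rlm_sql loads the user's radcheck items, then rlm_sqlcounter sums AcctSessionTime from radacct, compares it with Max-All-Session and hands the remainder back as Session-Timeout) as an added example in Python. It is not code from the thread or from FreeRADIUS: it is a stand-in for the two modules that runs against an in-memory sqlite3 database with constructed radcheck/radacct rows, and the function names, the sample users and the module-order argument are assumptions. Running the counter before sql reproduces the "Could not find Check item value pair" noop from the thread, i.e. no limit enforced at all.

```python
import sqlite3

# Constructed sample data (not from the thread): prepaid limits in radcheck
# and accounting history in radacct, both in seconds.
RADCHECK_ROWS = [
    # (UserName, Attribute, Value, op) - same shape as the INSERT in the thread
    ("test0001", "Max-All-Session", "54000", ":="),
    ("test0002", "Max-All-Session", "1800", ":="),
]
RADACCT_ROWS = [
    # (UserName, AcctSessionTime)
    ("test0001", 20000),
    ("test0001", 30000),
    ("test0002", 900),
    ("test0002", 900),
]


def build_db():
    """In-memory stand-in for the MySQL radius database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, Value TEXT, op TEXT)")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctSessionTime INTEGER)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", RADCHECK_ROWS)
    db.executemany("INSERT INTO radacct VALUES (?, ?)", RADACCT_ROWS)
    return db


def sql_authorize(db, username):
    """What rlm_sql's authorize step contributes: the user's radcheck rows
    become check items on the request."""
    rows = db.execute(
        "SELECT Attribute, Value FROM radcheck WHERE UserName = ?", (username,)
    ).fetchall()
    return {attr: value for attr, value in rows}


def sqlcounter_authorize(db, username, check_items, check_name="Max-All-Session"):
    """What rlm_sqlcounter does with reset = never: sum AcctSessionTime for the
    key (User-Name), compare it with the check item, and either reject or
    return the remaining seconds for Session-Timeout."""
    if check_name not in check_items:
        # The thread's error: no check item on the request, so the module is
        # a noop and the prepaid limit is silently not enforced.
        return ("noop", None)
    limit = int(check_items[check_name])
    (used,) = db.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM radacct WHERE UserName = ?",
        (username,),
    ).fetchone()
    remaining = limit - used
    if remaining <= 0:
        return ("reject", 0)
    return ("ok", remaining)  # reply: Session-Timeout := remaining


def authorize(db, username, order=("sql", "noresetcounter")):
    """Run the two modules in the given authorize-section order."""
    check_items, result = {}, ("noop", None)
    for module in order:
        if module == "sql":
            check_items = sql_authorize(db, username)
        elif module == "noresetcounter":
            result = sqlcounter_authorize(db, username, check_items)
    return result


if __name__ == "__main__":
    db = build_db()
    print(authorize(db, "test0001"))                             # ('ok', 4000)
    print(authorize(db, "test0002"))                             # ('reject', 0)
    print(authorize(db, "test0001", ("noresetcounter", "sql")))  # ('noop', None)
```

The third call is the misordered configuration from the thread: the counter runs, finds nothing to check against and returns noop, and the user is not limited. A silent noop is the failure mode to watch for with any counter module; the check item has to exist on the request before the counter sees it.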
RE: Dialup Admin - Can't see any mysql record
On Wed, 7 Jul 2004, Stadler Karel wrote:

> @Kostas Kalevras: sql_debug is enabled. I see dialup admin can connect to the mysql radius db. Sometimes (Show Groups button) it says "Returning 6 rows", but I don't see any row returned. While using the new CVS snippet, the only thing I did not upgrade is to use the changed mysql schemas. I saw some fields changed, for example in userinfo.sql Name changed to Admin. But I don't think this is the problem. Can you help?

Does this happen with all the pages or only with specific ones? Are the sql queries run correctly?

> best rgds
> Karel
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: '[EMAIL PROTECTED]'
> Sent: 07.07.04 17:12
> Subject: Re: Dialup Admin - Can't see any mysql record
>
> On Wed, 7 Jul 2004, Stadler Karel wrote:
>
> > Just downloaded and tried the latest CVS snippet from dialup_admin. I'm not using the http_credentials (#sql_use_http_credentials: yes) to connect to the radius database. Instead I use the same MySQL user as before. But dialup admin does not show one single record (e.g. our radacct table has about 25 records). But I see it connects to the DB.
>
> Enable sql_debug to see what's happening.
>
> > I saw there's a new file called username.mappings and I added my name, since we use htpasswd. But it still doesn't work. Any ideas are welcome.
> >
> > ---
> > Karel Stadler
> > Network Technician
> > Paul Scherrer Institute
> > CH-5332 Villigen
> > Switzerland
> > ---
> > PGP KeyId: 0x1B740D81

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about Freeradius and LDAP
Hi everybody,

My FreeRADIUS operates very well with an OpenLDAP directory. All LDAP users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated. I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give access to all of my tree dc=utt,dc=fr. How can I set up the LDAP module to do this?

Here is my radiusd.conf about ldap:

  ldap {
          server = server.utt.fr
          basedn = ou=people,ou=personnels,dc=utt,dc=fr
          filter = (uid=%{Stripped-User-Name:-%{User-Name}})
          start_tls = no
          dictionary_mapping = ${raddbdir}/ldap.attrmap
          ldap_connections_number = 5
          password_header = {crypt}
          password_attribute = userPassword
          timeout = 4
          timelimit = 3
          net_timeout = 1
  }

Thx
Arthur EBEL

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: peap + Windows XP
Be sure you have added the CA certificate into the trusted root store on your Windows machine. If you haven't, your PEAP conversation will stop at this point (right after receiving the EAP-Identity response).

--Mike

On Wed, 2004-07-07 at 12:01, Mark Hoffer wrote:

> Hello Rinaldo,
>
> I tried what you told me, and it did not help. I'm looking at the log here, and see that it is building the TLS connection, but it is not going to the next step, whatever that may be. The XP machine just sits at "Attempting to authenticate". If I do a packet dump, then I am able to see the traffic go back and forth, with no NAKs. I even tried setting a static IP for the machine. Is there something that I am missing?
>
> -Mark
>
> /root/start-rad -sAX
> + LD_LIBRARY_PATH=/usr/lib
> + LD_PRELOAD=/usr/lib/libcrypto.so
> + export LD_LIBRARY_PATH LD_PRELOAD
> + radiusd -sAX
> Starting - reading configuration files ...
Re: Reauthentication interval for WPA w/ EAP-TTLS
Hi Gary,

Does disabling the Linksys wireless manager solve the problem? If so, it sounds like the problem is on the supplicant side? Any experience with other supplicants? I am not using the Linksys card; what I have is a Cisco 350 wireless card in an IBM T30 notebook.

- Yi

Gary McKinney [EMAIL PROTECTED] wrote:

> Hi Yi,
>
> I have basically the same setup here at home and ran into the same issues! If you are running the Linksys PCMCIA wireless network card you need to disable the wireless manager software - the Odyssey Supplicant software and the Linksys wireless manager software do not play nice together!
>
> gm...
>
> - Original Message -
> From: Yi Zheng
> To: [EMAIL PROTECTED]
> Sent: Tuesday, July 06, 2004 8:56 PM
> Subject: Reauthentication interval for WPA w/ EAP-TTLS
>
> > Hi,
> >
> > I downloaded the "third" pre-release of version 1.0.0 and was able to make a Windows 2k client running Funk client software work with a Linksys WRT54G AP using WPA with EAP/TTLS authentication against the FreeRADIUS server. The Windows 2k client gets its DHCP address and the connection seems to work fine. However, the Funk software repeats the reauthentication against the RADIUS server continuously every 3 to 4 seconds. It greatly impacts the performance of the AP and makes the connection very unstable. I read about the Session-Timeout mentioned in some email threads in the archive but did not figure out where to make changes to that. It seems to be the Funk client (supplicant) who initiates the reauthentication. Can someone help me on this?
> >
> > Thanks,
> > - Yi
Re: Question about Freeradius and LDAP
On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote:

> Hi everybody,
>
> My FreeRADIUS operates very well with an OpenLDAP directory. All LDAP users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated. I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give access to all of my tree dc=utt,dc=fr. How can I set up the LDAP module to do this?

AFAIK, rlm_ldap cannot work with multiple basedn's. However, you can use OpenLDAP's own ACLs. E.g. in slapd.conf (assuming you have identity=cn=radius,ou=robots,dc=utt,dc=fr):

  access to dn="ou=people,ou=personnels,dc=utt,dc=fr"
          ...
          by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
  access to dn="ou=students,ou=personnels,dc=utt,dc=fr"
          ...
          by dn="cn=radius,ou=robots,dc=utt,dc=fr" read
  access to *
          by dn="cn=radius,ou=robots,dc=utt,dc=fr" none

(I'm not sure this is totally correct, so you should test it yourself.)

Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius.

--
Fduch M. Pravking

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Freeradius and LDAP
How about setting up 2 ldap modules?

  ldap people {
          ...
  }

  ldap students {
          ...
  }

Not sure if this would do it, just a suggestion.

On Wed, 7 Jul 2004, Alexander M. Pravking wrote:

> AFAIK, rlm_ldap cannot work with multiple basedn's. However, you can use OpenLDAP's own ACLs. [...] Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius.
>
> --
> Fduch M. Pravking

-Mike
==
Network Engineer
Pathway Internet Services
616.774.3131

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reauthentication interval for WPA w/ EAP-TTLS
Hi Yi,

When I installed the PCMCIA wireless network card software on my laptop, the wireless network card manager was installed along with the wireless network card drivers. I had to disable the wireless network card manager so the Funk Software Odyssey Supplicant would work properly (the wireless network card manager and the Funk software were fighting each other for control of the network card)...

Your description of the problem is exactly what I had experienced with my configuration prior to disabling the wireless network card manager that came with the PCMCIA wireless network card I used in my laptop.

Gary N. McKinney

-- Original Message --
From: Yi Zheng [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 7 Jul 2004 12:28:58 -0700 (PDT)

> Hi Gary,
>
> Does disabling the Linksys wireless manager solve the problem? If so, it sounds like the problem is on the supplicant side? Any experience with other supplicants? I am not using the Linksys card; what I have is a Cisco 350 wireless card in an IBM T30 notebook.
>
> - Yi

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
problem with proxying using fail_over setup
Hi,

With the pre3 release, I am seeing the following problem when I am testing with proxying set up to a REALM which has two radius servers for fail_over. In the REALM NULL, I set up two radius servers, but I only have the second one listed running. When a request comes in, it tries the first one but gets no replies from there for 3 retries, as expected. What I expect to happen next is that it sends the request to the second one, which is running. However, the behavior that I see is that it first marks the host from a totally unrelated realm as dead, and then the one that did not answer as dead. And it did not send to the second radius server set up. I have copied the relevant sections from the radiusd.conf and proxy.conf files and also the debug run output of what I just described.

Radiusd.conf
------------

  realm suffix {
          format = suffix
          delimiter = @
          ignore_default = yes
          ignore_null = no
  }

And I have suffix listed in the authorize and preacct sections.

Proxy.conf
----------

  realm engineering.verniernetworks.com {
          type = radius
          authhost = 192.168.10.43:1812
          accthost = 192.168.10.43:1813
          secret = vernier
          ldflag = fail_over
          nostrip
  }

  realm NULL {
          type = radius
          authhost = 192.168.10.43:1812
          accthost = 192.168.10.43:1813
          secret = vernier
          ldflag = fail_over
          nostrip
  }

  realm NULL {
          type = radius
          authhost = 192.168.10.43:2004
          accthost = 192.168.10.43:2005
          secret = vernier
          ldflag = fail_over
          nostrip
  }

Debug run log
-------------

  rad_recv: Access-Request packet from host 192.168.10.113:1026, id=104, length=201
  --- Walking the entire request list ---
  Waking up in 31 seconds...
  Threads: total/active/spare threads = 5/0/5
  Thread 1 got semaphore
  Thread 1 handling request 0, (1 handled so far)
          Framed-MTU = 1466
          NAS-IP-Address = 192.168.10.113
          NAS-Identifier = D-link Corp. Access Point
          User-Name = user_1
          Service-Type = Framed-User
          NAS-Port = 65
          NAS-Port-Type = Wireless-802.11
          NAS-Port-Id = ether2_65
          Called-Station-Id = 00-05-5d-99-5f-3a
          Calling-Station-Id = 00-30-65-24-4c-5b
          Connect-Info = CONNECT Ethernet 0Mbps Full duplex
          EAP-Message = 0x0202000b01757365725f31
          Message-Authenticator = 0x004068846052c8bf92b6db7610fdf43d
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    rlm_realm: No '@' in User-Name = user_1, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Proxying request from user user_1 to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Preparing to proxy authentication request to realm NULL
    modcall[authorize]: module suffix returns updated for request 0
  radius_xlat: '/var/log/radius//auth-detail-20040707'
  rlm_detail: /var/log/radius/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius//auth-detail-20040707
    modcall[authorize]: module auth_log returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_eap: Request is supposed to be proxied to Realm NULL. Not doing EAP.
    modcall[authorize]: module eap returns noop for request 0
  xmlrpcAuthorize called.
  FRXmlRpcModule::authorize called.
  FRXmlRpcModule::authorize vpUsername found.
  Proxying is turned on.
    modcall[authorize]: module xmlrpc returns noop for request 0
  modcall: group authorize returns updated for request 0
  Processing the pre-proxy section of radiusd.conf
  modcall: entering group pre-proxy for request 0
  radius_xlat: '/var/log/radius//pre-proxy-detail-20040707'
  rlm_detail: /var/log/radius/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius//pre-proxy-detail-20040707
    modcall[pre-proxy]: module pre_proxy_log returns ok for request 0
  modcall: group pre-proxy returns ok for request 0
  Sending Access-Request of id 0 to 192.168.10.43:1812
          Framed-MTU = 1466
          NAS-IP-Address = 192.168.10.113
          NAS-Identifier = D-link Corp. Access Point
          User-Name = user_1
          Service-Type = Framed-User
          NAS-Port = 65
          NAS-Port-Type = Wireless-802.11
          NAS-Port-Id = ether2_65
          Called-Station-Id = 00-05-5d-99-5f-3a
          Calling-Station-Id = 00-30-65-24-4c-5b
          Connect-Info = CONNECT Ethernet 0Mbps Full duplex
          EAP-Message = 0x0202000b01757365725f31
          Message-Authenticator = 0x
          Proxy-State = 0x313034
  Thread 1 waiting to be assigned a request
  rad_recv: Access-Request packet from host 192.168.10.113:1026, id=104, length=201
  Ignoring duplicate packet from client DLink-7000AP:1026 - ID: 104, due to outstanding proxied request 0.
  --- Walking the entire request list ---
Re: problem with proxying using fail_over setup
Htin Hlaing [EMAIL PROTECTED] wrote:

> However, the behavior that I see is that it first marks the host from a totally unrelated realm as dead, and then the one that did not answer as dead.

It's not a totally unrelated realm. It's a realm at the same IP address and port.

The issue is that you have the same IP address and port listed in two realms: engineering.verniernetworks.com and NULL. This is not a supported configuration.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Attribute User-Password is required for authentication
No matter what I seem to try and configure, I always get the error message:

  Attribute "User-Password" is required for authentication

I have tried rlm_unix, rlm_pam, rlm_ldap and rlm_eap_leap, always with the same result. The only thing that does work is if I put a user in the users file specifying User-Password == test123. I want to be able to use an existing user/password source like PAM or LDAP.

Now I figure it must have something to do with the device that is pointing at the FreeRADIUS server being different, because I used a Nortel router and pointed it at this FreeRADIUS box and it works perfectly all the way out to the LDAP server and back. The device that is configured to point at the FreeRADIUS server is configured for LEAP. The LEAP negotiation works fine but it fails on the user auth.

Ideas?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Attribute User-Password is required for authentication
Tony Sciortino [EMAIL PROTECTED] wrote:
> No matter what I seem to try and configure I always get the error message: Attribute User-Password is required for authentication. I have tried rlm_unix, rlm_pam, rlm_ldap, rlm_eap_leap, always with the same result.

rlm_unix, rlm_pam, and rlm_ldap do authentication only when there is a User-Password attribute in the packet. rlm_eap_leap does LEAP authentication, but requires you to supply it a clear-text password, or NT-Password, so that it can authenticate the LEAP session.

> The only thing that does work is if I put a user in the users file specifying User-Password == test123

This won't make any difference for rlm_unix, rlm_pam, and rlm_ldap.

> I want to be able to use an existing user/password source like PAM or LDAP.

PAM is not a password source. LDAP is. See raddb/ldap.attrmap.

> The device that is configured to point at the FreeRADIUS server is configured for LEAP. The LEAP negotiation works fine but it fails on the user auth. Ideas?

Grab a clear-text password, or NT-Password, from LDAP, and give it to the server. LEAP will then work.

Alan DeKok.
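Alan's reply says rlm_eap_leap needs either the clear-text password or the NT-Password for the user. The Python below is an added example, not FreeRADIUS or rlm_eap_leap code: it derives NT-Password (MD4 over the UTF-16LE encoding of the clear-text password, the same value Samba keeps in sambaNTPassword) with a self-contained MD4 so that it also runs where OpenSSL has MD4 disabled, and a hypothetical helper, leap_credential, shows which of the two attributes a user record must carry before LEAP can be authenticated. The record dict and its keys are constructed for the example.

```python
"""NT-Password derivation for LEAP (added example, not FreeRADIUS code).

NT-Password = MD4(UTF-16LE(clear-text password)).  The MD4 below follows
RFC 1320 and is included so the example needs nothing beyond the standard
library; hashlib's md4 is unavailable on many current OpenSSL builds.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_block(state, block):
    """Compress one 64-byte block into the running state (RFC 1320)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(x, y, z) = (x & y) | (~x & z), message words in order.
    for i in range(16):
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: G(x, y, z) = majority(x, y, z), constant sqrt(2).
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _MASK,
                  (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H(x, y, z) = x ^ y ^ z, constant sqrt(3).
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data):
    """MD4 digest (16 bytes) of data."""
    data = bytes(data)
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit LE.
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack("<Q", len(data) * 8))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_password(clear_text):
    """NT-Password (16 bytes) for a clear-text password."""
    return md4(clear_text.encode("utf-16-le"))


def leap_credential(record):
    """Return the NT-Password LEAP can use for this user record.

    Hypothetical helper: the record is a dict keyed by RADIUS attribute
    name, as a module might assemble it from LDAP via ldap.attrmap.
    Prefers a stored NT-Password (hex), derives one from User-Password
    when only clear text is stored, and returns None when neither is
    present, which is the situation in the question above.
    """
    if "NT-Password" in record:
        return bytes.fromhex(record["NT-Password"])
    if "User-Password" in record:
        return nt_password(record["User-Password"])
    return None


if __name__ == "__main__":
    # Constructed records, not real credentials.
    for rec in ({"User-Password": "password"},
                {"NT-Password": "8846F7EAEE8FB117AD06BDD830B7586C"},
                {}):
        cred = leap_credential(rec)
        print(rec, "->", cred.hex() if cred else "no usable credential")
```

Storing NT-Password in the directory instead of the clear-text password is enough for LEAP and MS-CHAP style methods, and it avoids keeping clear text in LDAP; rlm_unix, rlm_pam and rlm_ldap still need User-Password in the packet, as the reply states, so they remain unusable for LEAP regardless.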
RE: problem with proxying using fail_over setup
Thanks for that info, Alan. That makes sense.

Also, what I was looking for is that the second server set up will be tried automatically as the first one is marked dead. But it returns Access-Reject, and the client has to initiate authentication again while the first one is marked dead for the dead time. Any way for me to achieve what I am looking for?

Thanks,
Htin
I need to implement EAP/TLS, what version of FreeRadius is good for that?
Hello, I'm Maria Bezaida and I'm going to implement EAP/TLS with Xsupplicant and Windows XP. What version of FreeRADIUS and OpenSSL do you recommend for a correct implementation? Can you tell me if there is a good manual or something that would help me with the implementation? And how can I generate my own certificates?

Thank you very much.
Maria Bezaida
RE: problem with proxying using fail_over setup
Hi,

Now this time with a round robin setup. What I am seeing is that each access-request is being sent out in round robin, even within the same authentication session. So, server1 gets the first Access-Request and sends an Access-Challenge out, and the Access-Request in response to the challenge gets sent to server2. Now server1 waits for the Access-Request, while server2 does not know about the Access-Request it gets and drops it. So authentication never finishes.

The attached files are the debug output from home server1, server2 and the proxy.

rad_recv: Access-Request packet from host 192.168.10.118:1814, id=5, length=206
--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 5 got semaphore
Thread 5 handling request 39, (8 handled so far)
        Framed-MTU = 1466
        NAS-IP-Address = 192.168.10.113
        NAS-Identifier = D-link Corp. Access Point
        User-Name = user_1
        Service-Type = Framed-User
        NAS-Port = 65
        NAS-Port-Type = Wireless-802.11
        NAS-Port-Id = ether2_65
        Called-Station-Id = 00-05-5d-99-5f-3a
        Calling-Station-Id = 00-30-65-24-4c-5b
        Connect-Info = CONNECT Ethernet 0Mbps Full duplex
        EAP-Message = 0x0202000b01757365725f31
        Message-Authenticator = 0xf99be789d247177bdd244c5bc5f62a20
        Proxy-State = 0x313635
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
modcall[authorize]: module preprocess returns ok for request 39
radius_xlat: '/home/hhlaing/Install/radius-June-21-configs/log/radius/radacct/192.168.10.118/auth-detail-20040707'
rlm_detail: /home/hhlaing/Install/radius-June-21-configs/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/hhlaing/Install/radius-June-21-configs/log/radius/radacct/192.168.10.118/auth-detail-20040707
modcall[authorize]: module auth_log returns ok for request 39
modcall[authorize]: module chap returns noop for request 39
modcall[authorize]: module mschap returns noop for request 39
rlm_realm: No '@' in User-Name = user_1, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 39
rlm_eap: EAP packet type response id 2 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 39
users: Matched user_1 at 104
modcall[authorize]: module files returns ok for request 39
modcall: group authorize returns updated for request 39
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 39
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module eap returns handled for request 39
modcall: group authenticate returns handled for request 39
Sending Access-Challenge of id 5 to 192.168.10.118:1814
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0xbffaa2e18c3fe0a78e5183ee7aee01ac
        Proxy-State = 0x313635
Finished request 39
Going to the next request
Thread 5 waiting to be assigned a request
--- Walking the entire request list ---
Cleaning up request 39 ID 5 with timestamp 40ec8b45
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.10.118:1814, id=4, length=315
--- Walking the entire request list ---
Waking up in 31 seconds...
Thread 3 got semaphore
Thread 3 handling request 7, (2 handled so far)
        Framed-MTU = 1466
        NAS-IP-Address = 192.168.10.113
        NAS-Identifier = D-link Corp. Access Point
        User-Name = user_1
        Service-Type = Framed-User
        NAS-Port = 65
        NAS-Port-Type = Wireless-802.11
        NAS-Port-Id = ether2_65
        Called-Station-Id = 00-05-5d-99-5f-3a
        Calling-Station-Id = 00-30-65-24-4c-5b
        Connect-Info = CONNECT Ethernet 0Mbps Full duplex
        State = 0xbffaa2e18c3fe0a78e5183ee7aee01ac
        EAP-Message = 0x020300661980005c16030100570153030140ec8baa55d9dce47661e05d6f5d2789eb9c12a381fe48eacd30a88ffca482dd2c00050004000aff830009ff82000300080006ff810016001500140013001200110018001b001a001700190100
        Message-Authenticator
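The debug output above shows what the message describes: the proxy hands each packet of one EAP conversation to the next home server in turn, so the second Access-Request, carrying the State issued by the first server, lands on a server that has no session for that State. The Python below is an added model, not FreeRADIUS code, that reproduces this and contrasts it with a proxy which keeps every follow-up packet on the home server that issued its State. HomeServer, RoundRobinProxy, StickyProxy, run_conversation and EAP_ROUNDS are constructed for the example; the State tokens are simple counters rather than the random values a real server mints.

```python
"""Round robin proxying versus State affinity for a multi-round EAP
conversation (added example, not FreeRADIUS code)."""
import itertools

EAP_ROUNDS = 3   # Access-Challenges the home server sends before accepting (constructed)


class HomeServer:
    """Minimal home server: tracks EAP conversations by the State it issued."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}      # State token -> rounds completed
        self.counter = 0

    def handle(self, request):
        state = request.get("State")
        if state is None:
            # First packet of a conversation: mint a State and challenge.
            self.counter += 1
            state = f"{self.name}-{self.counter}"
            self.sessions[state] = 1
            return {"code": "Access-Challenge", "State": state}
        if state not in self.sessions:
            # State minted by another server: no session here, drop silently.
            return None
        self.sessions[state] += 1
        if self.sessions[state] > EAP_ROUNDS:
            del self.sessions[state]
            return {"code": "Access-Accept"}
        return {"code": "Access-Challenge", "State": state}


class RoundRobinProxy:
    """Per-packet round robin, the behaviour reported in the thread."""

    def __init__(self, servers):
        self.cycle = itertools.cycle(servers)
        self.last = None        # name of the server that got the last packet

    def forward(self, request):
        server = next(self.cycle)
        self.last = server.name
        return server.handle(request)


class StickyProxy:
    """Round robin for new conversations only; a packet carrying a State
    goes back to the home server that issued that State."""

    def __init__(self, servers):
        self.cycle = itertools.cycle(servers)
        self.owner = {}         # State token -> HomeServer
        self.last = None

    def forward(self, request):
        state = request.get("State")
        server = self.owner.get(state) or next(self.cycle)
        self.last = server.name
        reply = server.handle(request)
        if reply and reply["code"] == "Access-Challenge":
            # Learn the affinity from the challenge we relay to the NAS.
            self.owner[reply["State"]] = server
        elif state in self.owner:
            del self.owner[state]       # conversation finished or dropped
        return reply


def run_conversation(proxy):
    """Drive one supplicant through the proxy until accept or drop.

    Returns (outcome, list of home server names that received each packet).
    """
    request = {"User-Name": "user_1"}
    path = []
    for _ in range(EAP_ROUNDS + 2):
        reply = proxy.forward(request)
        path.append(proxy.last)
        if reply is None:
            return "dropped", path
        if reply["code"] == "Access-Accept":
            return "Access-Accept", path
        # The NAS echoes State unchanged in the next Access-Request.
        request = {"User-Name": "user_1", "State": reply["State"]}
    return "timeout", path


if __name__ == "__main__":
    servers = [HomeServer("server1"), HomeServer("server2")]
    print("round robin:", run_conversation(RoundRobinProxy(servers)))
    servers = [HomeServer("server1"), HomeServer("server2")]
    print("sticky     :", run_conversation(StickyProxy(servers)))
```

Keying the affinity on State works because RFC 2865 requires the NAS to return the State attribute unmodified in the next Access-Request, so the proxy can learn the mapping from the Access-Challenge it relays back without understanding EAP itself. Only a conversation's first packet is load-balanced; whether a given FreeRADIUS release offers this behaviour is not something this thread establishes.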
Re: Cisco confirming Dynamic WEP
Mark Coccimiglio wrote:
> OK. I'm having a little problem confirming Dynamic WEP usage on my systems. I'm running FreeRADIUS 1.0.0-pre2 on Fedora Core 2 with a Cisco AP352; the client card is the Cisco AIR352 on WinXP. Everything works and authenticates as expected. However, on the client side the ACU (Aironet Client Utility) reports Encryption as NONE. Likewise, the AP reports Encryption as NONE. My output from debugging shows (I think) that dynamic keys are being passed to the client computer. If I go into the ACU Profile Manager and, in Network Security, set Network Auth to Host Based EAP and enable Dynamic WEP, then everyone reports WEP as being used.

If LEAP is used with the ACU: my config, a Cisco AP1100 and Cisco AIR 352 on 2k using LEAP, is good. Please check the AP config.

> Is there a setting in FreeRADIUS that forces the client to use WEP, or is that an interplay between client and AP? If anyone can help and needs more info, hit me off-list.
> Thanks.
> Mark C

--
http://my.chinaunix.net/wanghao/
http://www.chinaunix.net/