Re: conflicts/duplicates need
On Mon 03 Apr 2006 23:08, Duane Cox wrote:
> List:
>
> I've been using free radius for about a month and learning as I go.
>
> But I've noticed that I get a period every few hours when freeradius
> doesn't authenticate. I'm not sure what the problem is, but here is the
> log as captured in /var/log/radiusd
>
> Any idea what could be causing this?

Hi Duane

Good to see you using FreeRADIUS :-)

Probably you have a cron script of some kind running a report or vacuum on your database and it is not responding to RADIUS. Are you using the database for something else as well?

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
use of reply-items in acct_users file??
hi,

what is the use of reply-items attributes in acct_users file??? where and how can they be used?

also what is the way to avoid logging some (not all) accounting users (in radacct directory)?? Basically i don't want to log the accounting packets of some specified users.

--DilipSimha
Install freeradius 1.1.1 get error
After

./configure --prefix=/usr/local/freeradius
make
make install

I get:

/home/test/freeradius-1.1.1/install-sh -c -c .libs/libradius-1.1.1.so /usr/local/freeradius/libradius-1.1.1.so
(cd /usr/local/freeradius && rm -f libradius.so && ln -s libradius-1.1.1.so libradius.so)
/home/test/freeradius-1.1.1/install-sh -c -c .libs/libradius.lai /usr/local/freeradius/libradius.la
/home/test/freeradius-1.1.1/install-sh -c -c .libs/libradius.a /usr/local/freeradius/libradius.a
ranlib /usr/local/freeradius/libradius.a
chmod 644 /usr/local/freeradius/libradius.a
libtool: install: warning: remember to run `libtool --finish /usr/local/freeradius/lib'
rm -f /usr/local/freeradius/lib/libradius-1.1.1.la; ln -s libradius.la /usr/local/freeradius/lib/libradius-1.1.1.la
ln: creating symbolic link `/usr/local/freeradius/lib/libradius-1.1.1.la' to `libradius.la': No such file or directory
gmake[4]: *** [install] Error 1
gmake[4]: Leaving directory `/home/test/freeradius-1.1.1/src/lib'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/test/freeradius-1.1.1/src'
gmake[2]: *** [install] Error 2
gmake[2]: Leaving directory `/home/test/freeradius-1.1.1/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/test/freeradius-1.1.1'
make: *** [install] Error 2

how can I fix that?
Re: Why must clients exist when radius starts?
Alan DeKok wrote:
> Douglas Phillipson <[EMAIL PROTECTED]> wrote:
>> Is there a configuration option that will allow me to put a client IP in
>> the clients file without the client actually existing yet? It seems
>> when radius starts, if a client doesn't exist the daemon dies.
>
> Huh? It does that only if you put a hostname in, and the hostname
> isn't resolvable to an IP address.
>
> The answer is to use IP addresses in the clients.conf file. Since
> IP addresses always exist, the server will always start.

Or if you really feel you must have a domain name in there, add it to your local /etc/hosts file until it is added to DNS.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: Two times authorization and/or both proxying and serving
"Mark Supersonik" <[EMAIL PROTECTED]> wrote:
> I need to find the cheapest way to reject a request in proxy radius in the
> case that a domain doesn't have quota. If domain has quota, the proxy must
> forward the request to the corresponding authserv and finish the cycle in
> its natural purpose.

Write a shell script to do this.

Without a more detailed description of *how* you check if a domain has enough quota, it's impossible to give a better answer.

Alan DeKok.
Re: Why must clients exist when radius starts?
Douglas Phillipson <[EMAIL PROTECTED]> wrote:
> Is there a configuration option that will allow me to put a client IP in
> the clients file without the client actually existing yet? It seems
> when radius starts, if a client doesn't exist the daemon dies.

Huh? It does that only if you put a hostname in, and the hostname isn't resolvable to an IP address.

The answer is to use IP addresses in the clients.conf file. Since IP addresses always exist, the server will always start.

> Also is it the case that when the log is rolled, the daemon re-reads the
> config files and would die if it can't contact a client at this time?

The server never contacts the clients. The clients always start off the RADIUS conversation by contacting the server.

You can list 10,000 IP's in the clients.conf file, none of which are real machines, and the server will *always* start.

Alan DeKok.
Why must clients exist when radius starts?
Is there a configuration option that will allow me to put a client IP in the clients file without the client actually existing yet? It seems when radius starts, if a client doesn't exist the daemon dies. I looked in the archives but I don't quite know what to query for.

Also is it the case that when the log is rolled, the daemon re-reads the config files and would die if it can't contact a client at this time?

Regards
Doug P
post-auth question, prevent exec if attribute == foo
Hello List:

I'm using the post-auth section in radiusd.conf along with the Post-Auth-Type REJECT (thanks alan) to log auth replies to my sql server.

My question is... Is there a way within the radiusd.conf file to say, "if nasipaddress = "x.x.x.x" then don't process the sql module in post-auth"

I would like to prevent certain auth replies from being logged, like our monitoring software for example.

Thanks
Duane Cox
Re: Segmentation fault due to bind_address = 0.0.0.0
Rainer Poisel <[EMAIL PROTECTED]> wrote:
> I got a segmentation fault when i tried to run freeradius (Versions
> 1.0.4, 1.0.5, 1.1.0 and 1.1.1) on Debian (Sarge) or Suse (10.0) with
> options enabled in the attached config-file.

Please see doc/bugs

> Meanwhile I found out that the segmentation fault happened because of
> the following setting:
>
> > bind_address = 0.0.0.0

I don't see why that would affect anything. It's always worked in my tests.

Alan DeKok.
change NAS-IP-Address before relaying
sorry all, the first mail had no subject

Hi all,

i want to use FreeRADIUS (1.0.5) as a RADIUS proxy, and must change the NAS-IP-Address and the User-Realm before sending it to another RADIUS server.

I tried it within the preproxy_users file with

DEFAULT User-Name := `%{Stripped-User-Name:[EMAIL PROTECTED], NAS-IP-Address := x.x.x.x

The change of the User-Realm works, but not the NAS-IP-Address. The server sends the authentication requests with its hostname (in detail with the output of the /etc/hostname command).

Any ideas or helpful information are welcome.

Regards
Oliver Stutzke
(no subject)
Hi all,

i want to use FreeRADIUS (1.0.5) as a RADIUS proxy, and must change the NAS-IP-Address and the User-Realm before sending it to another RADIUS server.

I tried it within the preproxy_users file with

DEFAULT User-Name := `%{Stripped-User-Name:[EMAIL PROTECTED], NAS-IP-Address := x.x.x.x

The change of the User-Realm works, but not the NAS-IP-Address. The server sends the authentication requests with its hostname (in detail with the output of the /etc/hostname command).

Any ideas or helpful information are welcome.

Regards
Oliver Stutzke
Segmentation fault due to bind_address = 0.0.0.0
Hi,

I got a segmentation fault when i tried to run freeradius (Versions 1.0.4, 1.0.5, 1.1.0 and 1.1.1) on Debian (Sarge) or Suse (10.0) with options enabled in the attached config-file.

Meanwhile I found out that the segmentation fault happened because of the following setting:

> bind_address = 0.0.0.0

Now I replaced it with the default value

> bind_address = *

and everything is fine :)

Thanks for reading,
best regards,
Rainer

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.161 2003/11/17 18:10:27 kkalev Exp $
##

# PATHS #
prefix = /usr/local/freeradius
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/freeradius
raddbdir = ${sysconfdir}/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib/freeradius
pidfile = ${run_dir}/freeradius.pid

# GLOBAL SETTINGS #
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 0.0.0.0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_pass = no
nospace_user = no
nospace_pass = no
Checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/clients.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

# MODULE SETTINGS #
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    mschap {
        authtype = MS-CHAP
    }
    realm realmslash {
        format = prefix
        delimiter = "/"
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
    }
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
}

authorize {
    preprocess
    realmslash
    suffix
    files
}

preacct {
    preprocess
    suffix
    files
}

accounting {
    acct_unique
    detail
    radutmp
}

session {
    radutmp
}

post-auth {
}

pre-proxy {
}

pumba:/etc/freeradius# gdb /usr/local/freeradius/sbin/radiusd
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU
Re: conflicts/duplicates need
"Duane Cox" <[EMAIL PROTECTED]> wrote:
> But I've noticed that I get a period every few hours when freeradius doesn't
> authenticate. I'm not sure what the problem is, but here is the log as
> captured in /var/log/radiusd
>
> Any idea what could be causing this?

Usually it's because your database is slow or not responding.

Alan DeKok.
conflicts/duplicates need
List:

I've been using free radius for about a month and learning as I go.

But I've noticed that I get a period every few hours when freeradius doesn't authenticate. I'm not sure what the problem is, but here is the log as captured in /var/log/radiusd

Any idea what could be causing this?

Thanks
Duane Cox

Mon Apr 3 15:02:36 2006 : Auth: Login OK: [intermapper] (from client intermapper port 0)
Mon Apr 3 15:03:06 2006 : Auth: Login OK: [intermapper] (from client intermapper port 0)
Mon Apr 3 15:03:09 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 81 due to unfinished request 1345
Mon Apr 3 15:03:12 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 81 due to unfinished request 1345
Mon Apr 3 15:03:34 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:38 2006 : Error: WARNING: Unresponsive child (id 32771) for request 1345
Mon Apr 3 15:03:39 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 83 due to unfinished request 1347
Mon Apr 3 15:03:40 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:42 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 83 due to unfinished request 1347
Mon Apr 3 15:03:44 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:03:45 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:49 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:03:50 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:53 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:03:54 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:03:59 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:03:59 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:04:03 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:04:03 2006 : Error: WARNING: Unresponsive child (id 49156) for request 1346
Mon Apr 3 15:04:06 2006 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Apr 3 15:04:09 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:04:09 2006 : Error: WARNING: Unresponsive child (id 16386) for request 1347
Mon Apr 3 15:04:09 2006 : Error: WARNING: Unresponsive child (id 65541) for request 1348
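The log in the message above can be reduced to "stall windows", the periods in which radiusd only sees retransmissions, stuck children and exhausted SQL handles. The following is an added example, not part of the original thread: the sample lines are copied from that log, while the function names and the 60-second grouping gap are assumptions.

```python
import re
from datetime import datetime, timedelta

# radiusd log line: "<timestamp> : <Level>: <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")
# A NAS retransmitting while its earlier request is still being processed.
RETRANSMIT_RE = re.compile(
    r"(?:Dropping conflicting packet|Discarding duplicate request) from client "
    r"(\S+?):\d+ - ID: \d+ due to unfinished request (\d+)")
# A worker that has been stuck in a module for too long.
UNRESPONSIVE_RE = re.compile(r"Unresponsive child \(id \d+\) for request (\d+)")
NO_DB_HANDLES = "There are no DB handles to use"

# Lines copied from the log posted in the message above.
SAMPLE_LOG = """\
Mon Apr 3 15:02:36 2006 : Auth: Login OK: [intermapper] (from client intermapper port 0)
Mon Apr 3 15:03:06 2006 : Auth: Login OK: [intermapper] (from client intermapper port 0)
Mon Apr 3 15:03:09 2006 : Error: Dropping conflicting packet from client intermapper:32769 - ID: 81 due to unfinished request 1345
Mon Apr 3 15:03:34 2006 : Error: Dropping conflicting packet from client omnilec2:1647 - ID: 62 due to unfinished request 1346
Mon Apr 3 15:03:38 2006 : Error: WARNING: Unresponsive child (id 32771) for request 1345
Mon Apr 3 15:03:44 2006 : Error: Discarding duplicate request from client omnilec2:1647 - ID: 177 due to unfinished request 1348
Mon Apr 3 15:03:54 2006 : Error: Discarding duplicate request from client omnilec1:1647 - ID: 120 due to unfinished request 1349
Mon Apr 3 15:04:06 2006 : Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Mon Apr 3 15:04:09 2006 : Error: WARNING: Unresponsive child (id 16386) for request 1347
"""


def parse_line(raw):
    """Return (timestamp, level, message) or None for lines in another format."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the padded day ("Apr  3")
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(2), m.group(3)


def find_stalls(lines, max_gap=timedelta(seconds=60)):
    """Group stall indicators that are at most max_gap apart into windows."""
    windows, current, last_ok = [], None, None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed
        if level == "Auth" and msg.startswith("Login OK"):
            last_ok = ts  # remembered so each window shows when auth last worked
            continue
        retrans = RETRANSMIT_RE.search(msg)
        stuck = UNRESPONSIVE_RE.search(msg)
        no_db = NO_DB_HANDLES in msg
        if not (retrans or stuck or no_db):
            continue
        if current is None or ts - current["end"] > max_gap:
            current = {"start": ts, "end": ts, "last_login_ok": last_ok,
                       "clients": set(), "pending_requests": set(),
                       "unresponsive_requests": set(),
                       "db_handles_exhausted": False}
            windows.append(current)
        current["end"] = ts
        if retrans:
            current["clients"].add(retrans.group(1))
            current["pending_requests"].add(int(retrans.group(2)))
        if stuck:
            current["unresponsive_requests"].add(int(stuck.group(1)))
        current["db_handles_exhausted"] |= no_db
    return windows


if __name__ == "__main__":
    for w in find_stalls(SAMPLE_LOG.splitlines()):
        print(w["start"], "->", w["end"], sorted(w["clients"]),
              "SQL handles exhausted:", w["db_handles_exhausted"])
```

A window with `db_handles_exhausted` set matches the diagnosis given in the replies, a database that is slow or not responding.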
RE: Problem with LDAP against Active Directory
Hello,

Can you say me, which log-file I must control? I use already the other basename and also I use PAP.

Greets
Dominique

PS: Sorry for my bad English!

Which log-File

On Monday, 03.04.2006, at 14:42 +0100, Caines, Max wrote:
> Hi Dominique
>
> There appears to be something wrong with the search base definition for your
> LDAP search. It looks like you are using the "traditional" LDAP
> basename which goes "ou=mydepartment, o=mycompany, c=ch". Active Directory
> uses basenames that look like "dc=ad, dc=ch". Your LDAP server is
> returning "operations error", so I should look in its log file for more
> details.
>
> By the way, bear in mind that unless you use Microsoft IAS, you can only do
> RADIUS authentication against AD using PAP (i.e. users send passwords
> in cleartext), which isn't too secure.
>
> Max Caines
>
> > -Original Message-
> > From:
> > [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > eeradius.o
> > rg]On Behalf Of [EMAIL PROTECTED]
> > Sent: 03 April 2006 10:27
> > To: freeradius-users@lists.freeradius.org
> > Subject: Problem with LDAP against Active Directory
> >
> >
> > Hi folks,
> > I want authenticate users from a WLAN with freeradius. The
> > Users are stored in the Active Directory of a Windows 2003
> > Server.
> >
> > With some Tutorials from the Internet I have configured
> > freeradius to make that.
> >
> > Unfortunately the Authentication function not successfully.
> >
> > That's the output from FreeRadius during the Authentication:
> >
> > rad_recv: Access-Request packet from host
> > 192.168.210.15:4596, id=13, length=100
> > NAS-Port-Type = Ethernet
> > Service-Type = Login-User
> > User-Name = "ldap"
> > User-Password = "ldap"
> > Called-Station-Id = "00:01:02:ad:64:f7"
> > Calling-Station-Id = "00:c0:49:54:b5:43"
> > NAS-Port = 1
> > Mon Apr 3 11:12:08 2006 : Debug: Processing the
> > authorize section of radiusd.conf
> > Mon Apr 3 11:12:08 2006 : Debug: modcall: entering group
> > authorize for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > calling preprocess (rlm_preprocess) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > returned from preprocess (rlm_preprocess) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]:
> > module "preprocess" returns ok for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > calling chap (rlm_chap) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > returned from chap (rlm_chap) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]:
> > module "chap" returns noop for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > calling mschap (rlm_mschap) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > returned from mschap (rlm_mschap) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]:
> > module "mschap" returns noop for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > calling suffix (rlm_realm) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No '@' in
> > User-Name = "ldap", looking up realm NULL
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No such
> > realm "NULL"
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > returned from suffix (rlm_realm) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]:
> > module "suffix" returns noop for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > calling eap (rlm_eap) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_eap: No
> > EAP-Message, not doing EAP
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > returned from eap (rlm_eap) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]:
> > module "eap" returns noop for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > calling files (rlm_files) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > returned from files (rlm_files) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]:
> > module "files" returns notfound for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]:
> > calling ldap (rlm_ldap) for request 2
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: - authorize
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: performing user
> > authorization for ldap
> > Mon Apr 3 11:12:08 2006 : Debug: radius_xlat:
> > '(uid=ldap)'
> > Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: 'ou=Sion,
> > o=ad.ch'
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn:
> > Checking Id: 0
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn:
> > Got Id: 0
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: attempting LDAP
> > reconnection
> > Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: closing
>
rlm_ldap wont authenticate
I've tried to authenticate to an LDAP server through RADIUS using the rlm_ldap module

I'm using freeradius 1.1.0 with OpenLdap 2.1.8 with a bdb backend.

The problem is that rlm_ldap module binds successfully to an authentication request in the authorization section, but fails to bind when it's trying to authenticate

log for RADIUS server is given below along with the LDAP configuration... plz help me out

/* In the client terminal ,now i've tried to authenticate with user : ldapuser

[EMAIL PROTECTED] ~]# radtest ldapuser ldapuser localhost 2 testing123
Sending Access-Request of id 119 to 127.0.0.1 port 1812
        User-Name = "ldapuser"
        User-Password = "ldapuser"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=119, length=20
*

// On the server side, response to ldapuser user authentication request...

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=119, length=60
        User-Name = "ldapuser"
        User-Password = "ldapuser"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403'
rlm_detail: /usr/local//var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat: '(uid=ldapuser)'
radius_xlat: 'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "ldapuser"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/ldapuser to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 127.0.0.1 port 32769
Waking up in 4 seconds...

// THE CONFIGURATION DETAILS REQUIRED FOR RLM_LDAP AUTHENTICATION ARE BELOW

/* example.com.ldif (base entries added to LDAP database)

Dn: dc=example,dc=com
Objectclass: dcObject
Objectclass : organization
o: Example company
dc: example

dn: cn=manager,dc=example,dc=com
objectclass: organizationalRole
cn: manager

dn: ou=people,dc=example,dc=com
ou: people
description: All people in the organization
objectClass: dcObject
objectClass: organizationalUnit
dc: example

/* ldapuser.ldif (details of user account for authentication added to the LDAP database */
Other attributes
Hi all

Does freeradius integer specific attributes from boxes as redback ? if yes, how can we use it ?

Thanks
Jacques
Re: Implimenting Capping with FreeRadius
On Mon 03 Apr 2006 16:22, Shawn Hamman wrote:
> Hi,
>
> OS: Fedora C4
> FR: 1.0.2-2
> DB: MySQL 4.1.11-2
>
> I was wondering if anybody has a more elegant solution to implementing
> capping with FreeRadius than writing a script that totals the bytes in/out
> in the radacct table every couple of minutes and updates the radcheck table
> to deny further logins?

Sure. The elegant solution is to simply check the sum of the user's minutes/bytes from the radacct table in the same query that queries the radcheck table. You can either do this as a (quite complex) join or preferably inside a stored procedure. (You may wish to put appropriate indexes on the radacct table to speed things up)

Cheers

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
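The shape of the single-query check described in the reply above, as an added example that is not code from the thread: it uses SQLite in place of the poster's MySQL and a correlated subquery rather than a join or stored procedure. The column names, the usercap table, the sample rows and the synthetic Auth-Type := Reject row are assumptions made for the illustration.

```python
import sqlite3

# Returns the user's check items, plus one synthetic "Auth-Type := Reject" row
# once the octets summed from radacct reach the user's cap. The username is a
# bound parameter: it arrives from the network and must never be concatenated
# into the SQL text.
CHECK_QUERY = """
SELECT attribute, op, value
  FROM radcheck
 WHERE username = :user
UNION ALL
SELECT 'Auth-Type', ':=', 'Reject'
  FROM usercap
 WHERE username = :user
   AND max_octets <= (SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0)
                        FROM radacct
                       WHERE radacct.username = usercap.username)
"""

SCHEMA = """
CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radacct  (username TEXT, acctsessionid TEXT,
                       acctinputoctets INTEGER, acctoutputoctets INTEGER);
-- Hypothetical table holding the per-user cap in octets.
CREATE TABLE usercap  (username TEXT PRIMARY KEY, max_octets INTEGER);
-- The index the reply recommends: the SUM() only touches one user's sessions.
CREATE INDEX radacct_username ON radacct (username);
"""


def build_demo_db():
    """In-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", [
        ("alice", "Cleartext-Password", ":=", "alice-pass"),
        ("bob", "Cleartext-Password", ":=", "bob-pass"),
        ("carol", "Cleartext-Password", ":=", "carol-pass"),
    ])
    conn.executemany("INSERT INTO usercap VALUES (?, ?)", [
        ("alice", 1000000),
        ("bob", 1000000),      # carol has no cap row at all
    ])
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", [
        ("alice", "s1", 400000, 300000),
        ("alice", "s2", 200000, 150000),    # alice total: 1,050,000
        ("bob", "s3", 100000, 200000),      # bob total:     300,000
        ("carol", "s4", 5000000, 5000000),  # uncapped user
    ])
    return conn


def check_items(conn, username):
    """Run the combined query and return (attribute, op, value) tuples."""
    return conn.execute(CHECK_QUERY, {"user": username}).fetchall()


def is_capped(conn, username):
    return ("Auth-Type", ":=", "Reject") in check_items(conn, username)


if __name__ == "__main__":
    db = build_demo_db()
    for user in ("alice", "bob", "carol"):
        print(user, "capped" if is_capped(db, user) else "ok", check_items(db, user))
```

Because usage is summed at authorization time, the cap takes effect at the user's next login with no periodic script updating radcheck.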
Re: Two times authorization and/or both proxying and serving
I know I'm a little bit tedious, but i need your help, please...

I need to find the cheapest way to reject a request in proxy radius in the case that a domain doesn't have quota. If domain has quota, the proxy must forward the request to the corresponding authserv and finish the cycle in its natural purpose.

Sorry for my bad English, i'm trying to write it as clearest as i can!

From: "Mark Supersonik" <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: freeradius-users@lists.freeradius.org
Subject: Re: Two times authorization and/or both proxying and serving
Date: Fri, 31 Mar 2006 12:00:54 +0200

First of all, thanks for your help !!! We appreciate so much!!

Let me explain that the misunderstanding of the sentence is probably much a problem of my poor academic English semantics. Well, I will explain the scenario I told again, trying to do it finest possible:

We have a proxy Radius that must proxy or reject the request depending on if the authserver's WISP has quota on our system. Inside proxy, we must forward the incoming request from a roaming user to a domain authserv ONLY AND ONLY IF we can verify WISP-domain has a prepaid quota in proxy's database. We want so to programme the pre-proxy block in order to determine if the request must be proxied to the final authserv or must be reject by the proxy.

How can we implement this functionality from a technical point of view? Can we use a module in pre-proxy state? Or we only have the solution of programme JRadius handling the incoming request to proxy? Or maybe the logical solution is to use exec module?

We need a little more help...sorry and thanks a lot from all the stuff here!!!

Nets Research Group (Pompeu Fabra University of Barcelona)

From: "Alan DeKok" <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: Two times authorization and/or both proxying and serving
Date: Thu, 30 Mar 2006 13:19:30 -0500

"Mark Supersonik" <[EMAIL PROTECTED]> wrote:
> My doubt is: can a freeradius server do first an authorization of a
> request through a DB (i.e MySQL) and proxy then if so or reject it
> (if all isn't in rule)?

Yes.

> We want only to accept access if each one of the two
> servers process the authentication successfully.

MySQL doesn't do authentication. Your statement is incorrect.

Alan DeKok.
JRadius module for post-auth
Hi,

This is related to my previous mail on setting up Freeradius for 2 factor authentication with challenge-response. I looked at what JRadius module can do and am going to attempt the following approach

1. insert a JRadius module into the "post-auth" section, such that the module will process an "Access-Accept" packet into an "Access-Challenge" packet

Question: is this allowed by FreeRadius? i.e. would FreeRadius allow a module in "post-auth" to change the packet type(Code)?

2. insert a JRadius module into either the "authorize" or "authenticate" section, such that it will recognize an access-request packet which answers the challenge, and process it using its own logic

Question: Would freeradius allow a module called in "authorize" part to directly accept or reject a request, without making it go through to the "authenticate" section?

Thank you and best regards
Kaden

--- Alan DeKok <[EMAIL PROTECTED]> wrote:
> Yizhi Lao <[EMAIL PROTECTED]> wrote:
> > What I am worried about is not the second authentication method, but
> > to chain two authentication together. is there any convenient way to
> > do it?
>
> As I said, you have to write you own module to do this.
>
> The "example" module that is included with the server shows how to
> chain two authentications together. Take a look at it.
>
> Alan DeKok.
Re: Implimenting Capping with FreeRadius
"Shawn Hamman" <[EMAIL PROTECTED]> wrote:
> I was wondering if anybody has a more elegant solution to implementing
> capping with FreeRadius than writing a script that totals the bytes in/out
> in the radacct table every couple of minutes and updates the radcheck table
> to deny further logins?

Have a script that runs when the server receives accounting packets, and do the work there.

Alan DeKok.
MACs
Hello
I'm trying to log the users MAC address using pppoe and FR + mysql
i added AVpair to the users file "calling-station-id" but checkval could not find item

rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
modcall[authorize]: module "checkval" returns notfound for request 21
RE: Problem with LDAP against Active Directory
Hi Dominique There appears to be something wrong with the search base definition for your LDAP search. It looks like you are using the "traditional" LDAP basename which goes "ou=mydepartment, o=mycompany, c=ch". Active Directory uses basenames that look like "dc=ad, dc=ch". Your LDAP server is returning "operations error", so I should look in its log file for more details. By the way, bear in mind that unless you use Microsoft IAS, you can only do RADIUS authentication against AD using PAP (i.e. users send passwords in cleartext), which isn't too secure. Max Caines > -Original Message- > From: > [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > eeradius.o > rg]On Behalf Of [EMAIL PROTECTED] > Sent: 03 April 2006 10:27 > To: freeradius-users@lists.freeradius.org > Subject: Problem with LDAP against Active Directory > > > Hi folks, > I want authenticate users from a WLAN with freeradius. The > Users are stored in the Active Directory of a Windows 2003 > Server. > > With some Tutorials from the Internet I have configured > freeradius to make that. > > Unfortunately the Authentication function not succesfully. 
Implementing Capping with FreeRadius
Hi,

OS: Fedora C4
FR: 1.0.2-2
DB: MySQL 4.1.11-2

I was wondering if anybody has a more elegant solution to implementing capping with FreeRadius than writing a script that totals the bytes in/out in the radacct table every couple of minutes and updates the radcheck table to deny further logins?

Shawn
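Alan DeKok's reply in this thread suggests doing the work when accounting packets arrive instead of polling radacct. The following is an added example of that approach, not code from the thread or from FreeRADIUS: a handler called once per accounting packet keeps a running total per user and flags the user when the cap is reached. The UsageTracker class, its in-memory stores and the sample packets are assumptions; the attribute names are standard RADIUS accounting attributes.

```python
# Added example (assumed names throughout, not FreeRADIUS code): capping
# decided per accounting packet instead of by a periodic radacct scan.
class UsageTracker:
    def __init__(self, cap_bytes):
        self.cap = cap_bytes
        self.closed = {}       # user -> bytes from finished sessions
        self.open = {}         # (user, session id) -> latest cumulative bytes
        self.finished = set()  # session keys already closed by a Stop
        self.capped = set()    # users who must be denied further logins

    @staticmethod
    def session_bytes(pkt):
        """Cumulative in+out bytes for a session, including 32-bit wraps."""
        total = 0
        for octets, gigawords in (("Acct-Input-Octets", "Acct-Input-Gigawords"),
                                  ("Acct-Output-Octets", "Acct-Output-Gigawords")):
            total += int(pkt.get(octets, 0)) + (int(pkt.get(gigawords, 0)) << 32)
        return total

    def usage(self, user):
        live = sum(b for (u, _), b in self.open.items() if u == user)
        return self.closed.get(user, 0) + live

    def on_accounting(self, pkt):
        """Process one accounting packet; return True if the user is capped."""
        status = pkt.get("Acct-Status-Type")
        if status not in ("Start", "Interim-Update", "Stop"):
            return False                    # e.g. Accounting-On/Off: no user counters
        user = pkt["User-Name"]
        key = (user, pkt["Acct-Session-Id"])
        if key in self.finished:
            return user in self.capped      # retransmitted packet: count nothing
        seen = max(self.open.get(key, 0), self.session_bytes(pkt))
        if status == "Stop":
            self.open.pop(key, None)
            self.finished.add(key)
            self.closed[user] = self.closed.get(user, 0) + seen
        else:
            # Counters are cumulative per session, so keep the maximum
            # seen so far rather than adding each update.
            self.open[key] = seen
        if self.usage(user) >= self.cap:
            self.capped.add(user)  # a deployment would write its deny entry here
        return user in self.capped

# Constructed sample packets (not from the thread).
SAMPLE = [
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Start"},
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 400, "Acct-Output-Octets": 300},
    {"User-Name": "alice", "Acct-Session-Id": "s1", "Acct-Status-Type": "Stop",
     "Acct-Input-Octets": 600, "Acct-Output-Octets": 500},
]
```

Because the decision is made on each packet, the cap takes effect at the next interim update or stop rather than at the next polling run.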
Re: Separate query for authentication and authorization
Thanks a lot Alan. I was very much confused between the two, Authentication and Authorization.
Re: rlm_ldap: could not start TLS
Hi.

I had the same problem with the same version of freeradius to authenticate to an OpenLDAP. Check this (it worked for me):

- verify your TLS configuration: you must have the same name as the certificate. For instance, don't use IP address when it is expecting the DNS name.
- verify that your ldap library has TLS support: I used OpenLDAP's library without tls and had the same problem.
- configure and compile freeradius with the open-ssl flags: point to the openssl that you want/need.

Marc Delisle wrote:
> George C. Kaplan wrote:
>> On Apr 1, 2006, at 5:28 AM, Marc Delisle wrote:
>>> Hi,
>>>
>>> I'm trying to make freeradius 1.1.0 contact a LDAP server. I configured freeradius --with-edir.
>>>
>>> The error I get is
>>> "rlm_ldap: could not start TLS Can't contact LDAP server"
>>>
>>> I followed this document http://www.novell.com/coolsolutions/tip/15922.html except that in my case, the LDAP server is on Netware 6.5 SP5. On this Netware server, LDAP responds correctly over SSL, as tested with Novell's ldapsearch on port 636.
>>
>> I had a problem similar to this: 'ldapsearch' worked, but Freeradius couldn't make an LDAP connection with TLS. It turns out that my system had two versions of the openssl library, and radiusd was linking to the wrong version. It was kind of confusing, since the rlm_ldap module was linked to the correct library (in /usr/local/lib), but radiusd was linked to the one in /usr/lib, and that's the one that got loaded at run time.
>>
>> I ended up setting --with-openssl-includes and --with-openssl-libraries in the Makefile for the port (I'm using FreeBSD 5.4), and that solved the problem.
>>
>> --George C. Kaplan [EMAIL PROTECTED]
>> Communication & Network Services 510-643-0496
>> University of California at Berkeley
>
> Thanks George for your answer. I checked: both radiusd and rlm_ldap-1.1.0.so are linked to /usr/lib/libssl.so.0.9.7. I am on Linux. Should this version (openssl 0.9.7e) work?
>
> Marc Delisle

--
Regards,
Paulo Cabrita, Msc
Director of the Centro de Informática, Universidade Autónoma de Lisboa
Tel: +351-213177635
Fax: +351-213533702
E-mail: [EMAIL PROTECTED]
Problem with LDAP against Active Directory
Hi folks,

I want to authenticate users from a WLAN with freeradius. The Users are stored in the Active Directory of a Windows 2003 Server.

With some Tutorials from the Internet I have configured freeradius to make that.

Unfortunately the Authentication does not function successfully.

That's the output from FreeRadius during the Authentication:

rad_recv: Access-Request packet from host 192.168.210.15:4596, id=13, length=100
        NAS-Port-Type = Ethernet
        Service-Type = Login-User
        User-Name = "ldap"
        User-Password = "ldap"
        Called-Station-Id = "00:01:02:ad:64:f7"
        Calling-Station-Id = "00:c0:49:54:b5:43"
        NAS-Port = 1
Mon Apr 3 11:12:08 2006 : Debug: Processing the authorize section of radiusd.conf
Mon Apr 3 11:12:08 2006 : Debug: modcall: entering group authorize for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module "mschap" returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No '@' in User-Name = "ldap", looking up realm NULL
Mon Apr 3 11:12:08 2006 : Debug: rlm_realm: No such realm "NULL"
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2
Mon Apr 3 11:12:08 2006 : Debug: modcall[authorize]: module "files" returns notfound for request 2
Mon Apr 3 11:12:08 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 2
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: - authorize
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: performing user authorization for ldap
Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: '(uid=ldap)'
Mon Apr 3 11:12:08 2006 : Debug: radius_xlat: 'ou=Sion, o=ad.ch'
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: closing existing LDAP connection
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: (re)connect to ad.ch:389, authentication 0
Mon Apr 3 11:12:08 2006 : Debug: rlm_ldap: bind as / to ad.ch:389
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: waiting for bind result ...
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: Bind was successful
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: performing search in ou=Sion, o=ad.ch, with filter (uid=ldap)
Mon Apr 3 11:12:18 2006 : Error: rlm_ldap: ldap_search() failed: Operations error
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: search failed
Mon Apr 3 11:12:18 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Apr 3 11:12:18 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 2
Mon Apr 3 11:12:18 2006 : Debug: modcall[authorize]: module "ldap" returns fail for request 2
Mon Apr 3 11:12:18 2006 : Debug: modcall: group authorize returns fail for request 2
Mon Apr 3 11:12:18 2006 : Debug: Finished request 2
Mon Apr 3 11:12:18 2006 : Debug: Going to the next request
Mon Apr 3 11:12:18 2006 : Debug: --- Walking the entire request list ---
Mon Apr 3 11:12:18 2006 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.210.15:4596, id=13, length=100
Mon Apr 3 11:12:18 2006 : Debug: Discarding duplicate request from client testnet:4596 - ID: 13
Mon Apr 3 11:12:18 2006 : Debug: --- Walking the entire request list ---
Mon Apr 3 11:12:18 2006 : Debug: Cleaning up re
RE: pppoe-server
Hi,

1. try sending the interval in the Acct-Interim-Interval attribute to your pppoe-server
2. try to send the questions to the mailing list

Regards,
Edvin

From: Wassim abbas [mailto:[EMAIL PROTECTED]
Sent: Monday, 03 April 2006 00:18
To: [EMAIL PROTECTED]
Subject: Re: (no subject)

Hello

1. modify your pppoe-server to send accounting updates every hour or less

How?
Re: VLAN and SSID
Can anyone help me please?

Thanks,
Antonio

on 30/03/2006 17.39 Antonio Matera said the following:

hi,

ok, now the authentication request works (the problem was that if I restart the AP I lost this configuration. How can I save it using the web configuration?)

Now the log is the following:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0x0491685cf8ece3184d685dedfedbb3d4
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 18
users: Matched entry TEST4 at line 11
modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/] (from client ap-test port 260 cli 000c.f135.f1ba)
Sending Access-Accept of id 19 to 192.168.9.104 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
        MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = "TEST4"
Finished request 18

and I have this users:

TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN

user2 Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

Now in the log there is Cisco-AVPair = "ssid=VLAN3" but user TEST4 is authenticated on the incorrect SSID (VLAN3). I suppose that the Cisco-AVPair check doesn't work in my configuration.

Are there other mistakes?

Thanks for your answers...

Bye
Antonio
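The users entries above put Cisco-AVPair on the check line with the := operator. The following added example (not from the thread and not FreeRADIUS code) models the check-item operator semantics documented in the users(5) man page, where == compares against the request and := always matches and sets a configuration item. parse_check_items() and entry_matches() are hypothetical helpers, the model covers only these two operators with single-valued attributes, and the request is constructed from the log above.

```python
import re

# Simplified model of users-file check items (assumption: only the "==" and
# ":=" operators, single-valued attributes). Not FreeRADIUS source code.
ITEM = re.compile(r'([\w-]+)\s*(==|:=)\s*(?:"([^"]*)"|([^,\s]+))')

def parse_check_items(line):
    """Split a check line into (attribute, operator, value) tuples."""
    items = []
    for m in ITEM.finditer(line):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        items.append((m.group(1), m.group(2), value))
    return items

def entry_matches(check_line, request):
    """Return (matched, config_items) for one users-file entry."""
    config = {}
    for attr, op, value in parse_check_items(check_line):
        if op == "==":
            # Comparison: the attribute must be in the request with this value.
            if request.get(attr) != value:
                return False, {}
        else:
            # ":=" never compares; it always matches and sets a config item.
            config[attr] = value
    return True, config

# Constructed from the Access-Request in the log above.
REQUEST = {"User-Name": "TEST4", "Cisco-AVPair": "ssid=VLAN3"}

AS_POSTED = 'Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"'
WITH_COMPARE = 'Auth-Type := EAP, Cisco-AVPair == "ssid=SSID1"'

if __name__ == "__main__":
    print("as posted:   ", entry_matches(AS_POSTED, REQUEST))
    print("with compare:", entry_matches(WITH_COMPARE, REQUEST))
```

In this model the entry as posted matches a request carrying ssid=VLAN3, while the == form only matches when the request carries ssid=SSID1.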