Re: POP3
Slava wrote:
> Could anyone tell me if there exists a solution to integrate FR with a
> POP3 server in order to provide Radius controlled access to mailboxes via POP3?
> I am currently using cucipop

Look for patches to let cucipop do RADIUS authentication. If there are none, maybe cucipop does PAM authentication. You could then use the PAM RADIUS module.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote:
> Thanks for the reply, I've updated to freeradius 2.0.5, but it still
> didn't show a result, the debug is still the same,
> here is the debug:
>
> ...
> rad_recv: Access-Request packet from host 192.168.12.130 port 1024,
> id=27, length=213
> Sending duplicate reply to client local port 1024 - ID: 27
> Sending Access-Challenge of id 27 to 192.168.12.130 port 1024

The client isn't receiving the response from the server. Use tcpdump or wireshark to debug your network.

> I'm using default configuration, just only change client.conf and users.
> there is a clue, when I saw debug from 1.1.7 the second access request has
> a different id
> but in this debug, it had the same id ( that is 27 ) maybe because the client
> didn't receive the challenge, it tried to retransmit

Yes. The IDs are chosen by the client. If it's re-using the same ID, it's because it didn't receive the reply.

> I'm not an expert at EAP but I think after the challenge the client should reply
> with a different id... ( that is what I see at 1.1.7 )
> Is there any configuration to be added ?

No. Fix your network.

Alan DeKok.
Re: proxy-to-realm versus using a suffix
Chris Fruehwirth wrote:
> Below is the debug output from FreeRADIUS. The first attempt is using
> the suffix [EMAIL PROTECTED], which works. The second attempt is using the
> users file and no realm, which fails.
...
> ++[eap] returns updated
> ++[unix] returns notfound
> users: Matched entry DEFAULT at line 207
> ++[files] returns ok

The "files" module is listed after the "eap" module. So the server will start EAP *before* you tell it to proxy the request.

The solution is to mark the request as being proxied *before* the EAP module runs. If you don't want to do EAP authentication locally, then just delete the reference to the EAP module.

Alan DeKok.
POP3
Hi,

Could anyone tell me if there exists a solution to integrate FR with a POP3 server in order to provide Radius controlled access to mailboxes via POP3? I am currently using cucipop.

Thank you
Slava Shkarupin
Kiev, UA
Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote:
> Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the
> source tree.
>
> Alan DeKok.

Hi Alan,

Thanks for the reply, I've updated to freeradius 2.0.5, but it still didn't show a result, the debug is still the same, here is the debug:

rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.12.130
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "testing"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "1"
        Called-Station-Id = "00-1c-2e-73-85-00"
        Calling-Station-Id = "00-0a-e4-13-b8-87"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x0261000c0174657374696e67
        Message-Authenticator = 0xf267668d55a632d7f6ff3b2b94735eca
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 97 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testing at line 61
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "101"
        EAP-Message = 0x016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a
        Message-Authenticator = 0x
        State = 0xba2a19f0ba481d03bf0d1926ffd8f60a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
Sending duplicate reply to client local port 1024 - ID: 27
Sending Access-Challenge of id 27 to 192.168.12.130 port 1024
Cleaning up request 0 ID 27 with timestamp +164
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.12.130 port 1024, id=27, length=213
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.12.130
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "testing"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "1"
        Called-Station-Id = "00-1c-2e-73-85-00"
        Calling-Station-Id = "00-0a-e4-13-b8-87"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x0261000c0174657374696e67
        Message-Authenticator =
---

I'm not sure it will help but I include the configure warnings for 2.0.5:

config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
chmod: check-radiusd-config: No such file or directory
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.
-

I'm using default configuration, just only change client.conf and users.
There is a clue, when I saw debug from 1.1.7 the second access request has a different id but in this debug, it had sa
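The two EAP-Message values in the debug above are a client Identity response (id 97) and the server's MD5-Challenge (id 98). As an added example that is not part of the thread, the decoder below parses both, so the "EAP packet type response id 97 length 12" line can be checked against the raw attribute, and it shows why a client that re-sends the identical Identity packet has not seen the server's next Request. The sample bytes are the ones printed in the debug output; the function names are this example's own.

```python
import struct

# EAP codes and the two types seen in the debug output above (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def parse_eap(raw: bytes) -> dict:
    """Decode one EAP packet (the value of a RADIUS EAP-Message attribute).

    Layout: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...].
    Raises ValueError when the Length field disagrees with the bytes given,
    which is the first thing to rule out when a client keeps retransmitting.
    """
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes present")
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
           "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        eap_type = raw[4]
        data = raw[5:]
        pkt["type"] = eap_type
        pkt["type_name"] = EAP_TYPES.get(eap_type, "unknown")
        if eap_type == 1:
            # Identity: the rest is the unauthenticated identity string.
            pkt["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type == 4:
            # MD5-Challenge: Value-Size(1) Value(Value-Size) Name(rest).
            if not data or len(data) < 1 + data[0]:
                raise ValueError("truncated MD5-Challenge value")
            size = data[0]
            pkt["value_size"] = size
            pkt["value"] = data[1:1 + size].hex()
            pkt["name"] = data[1 + size:].decode("utf-8", errors="replace")
    return pkt


def is_reply_to(response: dict, request: dict) -> bool:
    """An EAP Response answers the Request whose Identifier it echoes.

    The server's next Request in a conversation carries a new Identifier
    (97 -> 98 in the debug above), so a client that re-sends a packet with
    the old Identifier never received that next Request."""
    return (response["code"] == 2 and request["code"] == 1
            and response["id"] == request["id"])


# Constructed from the two EAP-Message values printed in the debug output.
IDENTITY_RESPONSE = bytes.fromhex("0261000c0174657374696e67")
MD5_CHALLENGE = bytes.fromhex("016200160410706dc9d0aeae1c2c1fe2d41a5f8cc84a")

if __name__ == "__main__":
    for raw in (IDENTITY_RESPONSE, MD5_CHALLENGE):
        print(parse_eap(raw))
```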
Re: proxy-to-realm versus using a suffix
Alan DeKok wrote:
> Chris Fruehwirth wrote:
>> Here is my update from testing with different versions. I tried to test
>> the same scenario with 2.0.5 and got the same failed results. Then I
>> went back to 1.1.7 and it worked.
>
> Read the debug output to see where the differences are.

I will review and post them tomorrow.

>> I would like to add the realm name to specific RADIUS traffic either by
>> IP address, EAP type or NAS-Port-Type.
>
> Why "add realm name"? Why not just "proxy traffic"? The two statements
> are *very* different.

I just want to proxy traffic. I got a little confused reviewing Ivan's reply.

> On top of that, you *can't* proxy by EAP type. The server recommends an
> EAP type... which means that by the time an EAP type is selected, the EAP
> session has already started. You can't switch an EAP session from one
> server to another.

Good to know.

>> I was thinking of doing something like this below in the users file.
>>
>> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := "SW"
>
> That won't work. Ever.
>
>> DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := "SW"
>
> If your NAS sends that NAS-Port-Type, it should work.
>
>> DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := "SW"
>
> That should work, too.
>
>> If there is a better way to do this in 2.0.4-5, please let me know.
>
> It SHOULD work. If it doesn't, read the FAQ for "it doesn't work".
>
> i.e. You've posted configurations that you think *might* work. You've
> also said that you tried *other* configurations (not posted) that didn't
> work. How do you expect anyone to help you when you don't say what
> you're doing, and you don't say what happened?

I thought I sent my debug to the list earlier, again apparently not. I do appreciate the help. I'll try to make it a little easier next time.

Thanks,
Chris

> Alan DeKok.
Re: about EAP using 1.1.7 and 2.0.3
jbenben wrote:
> I am a new user of freeRadius. I found you are an expert for it. I have
> the same question about it. Can you give me a guideline: how to install and
> enable eap with the 2.0.5 version? Thanks a lot. Waiting for your reply.

Read the documentation. It's all there.

Do you have a specific question about the documentation?

Alan DeKok.
Re: proxy-to-realm versus using a suffix
Chris Fruehwirth wrote:
> Here is my update from testing with different versions. I tried to test
> the same scenario with 2.0.5 and got the same failed results. Then I
> went back to 1.1.7 and it worked.

Read the debug output to see where the differences are.

> I would like to add the realm name to specific RADIUS traffic either by
> IP address, EAP type or NAS-Port-Type.

Why "add realm name"? Why not just "proxy traffic"? The two statements are *very* different.

On top of that, you *can't* proxy by EAP type. The server recommends an EAP type... which means that by the time an EAP type is selected, the EAP session has already started. You can't switch an EAP session from one server to another.

> I was thinking of doing something like this below in the users file.
>
> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := "SW"

That won't work. Ever.

> DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := "SW"

If your NAS sends that NAS-Port-Type, it should work.

> DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := "SW"

That should work, too.

> If there is a better way to do this in 2.0.4-5, please let me know.

It SHOULD work. If it doesn't, read the FAQ for "it doesn't work".

i.e. You've posted configurations that you think *might* work. You've also said that you tried *other* configurations (not posted) that didn't work. How do you expect anyone to help you when you don't say what you're doing, and you don't say what happened?

Alan DeKok.
Re: Dynamic VLANs based on AD group membership
Daniel Baumann wrote:
> Follow-up question (sorry I'm new to this): I'm currently authenticating
> users with FreeRadius against an AD database (PEAP-MS-CHAPv2). Would I
> still have to use the ldap module to get a user's AD group membership?

Yes. There is no other way to get the AD group membership.

See the AD documentation. If it says there's another way to get AD group membership, you can use that. Otherwise, use the method which IS documented: ldap queries.

Alan DeKok.
Re: about EAP using 1.1.7 and 2.0.3
Alan DeKok-4 wrote:
>
> Ryan Setiawan H wrote:
>> Hi All,
>> I've an issue about EAP in 802.1X. Right now, I'm trying EAP-MD5 for
>> 802.1X using freeradius 2.0.3
>
> Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the
> source tree.
>
> Alan DeKok.
>

Dear Alan,

I am a new user of freeRadius. I found you are an expert for it. I have the same question about it. Can you give me a guideline: how to install and enable eap with the 2.0.5 version? Thanks a lot. Waiting for your reply.
RE: Dynamic VLANs based on AD group membership
Follow-up question (sorry I'm new to this): I'm currently authenticating users with FreeRadius against an AD database (PEAP-MS-CHAPv2). Would I still have to use the ldap module to get a user's AD group membership?

Thanks,
Daniel

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ivan Kalik
Sent: Tuesday, July 08, 2008 03:34 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLANs based on AD group membership

> How do I configure FreeRADIUS to "read" the AD group membership
> attribute,

See the group membership section in the ldap module configuration.

> and how do I then pass the matching VLAN-ID back to the
> switch?

Your switch documentation should tell you that. You normally use Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes.

Ivan Kalik
Kalik Informatika ISP
Re: proxy-to-realm versus using a suffix
> I would like to add the realm name to specific RADIUS traffic either by
> IP address, EAP type or NAS-Port-Type.
>
> If there is a better way to do this in 2.0.4-5, please let me know.

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika ISP
Re: proxy-to-realm versus using a suffix
Here is my update from testing with different versions. I tried to test the same scenario with 2.0.5 and got the same failed results. Then I went back to 1.1.7 and it worked.

Here is more information on what I am trying to do. I would like to add the realm name to specific RADIUS traffic either by IP address, EAP type or NAS-Port-Type. I was thinking of doing something like this below in the users file.

DEFAULT EAP-Type == PEAP, Proxy-To-Realm := "SW"

or

DEFAULT NAS-Port-Type == Wireless-802.11, Proxy-To-Realm := "SW"

or by defining a huntgroup

DEFAULT Huntgroup-Name == Wirelesscontrollers, Proxy-To-Realm := "SW"

If there is a better way to do this in 2.0.4-5, please let me know.

Thanks again,
Chris
Re: Dynamic VLANs based on AD group membership
> How do I configure FreeRADIUS to "read" the AD group membership
> attribute,

See the group membership section in the ldap module configuration.

> and how do I then pass the matching VLAN-ID back to the
> switch?

Your switch documentation should tell you that. You normally use Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes.

Ivan Kalik
Kalik Informatika ISP
Re: proxy-to-realm versus using a suffix
> Below is the debug output from FreeRADIUS. The first attempt is using
> the suffix [EMAIL PROTECTED], which works. The second attempt is using the
> users file and no realm, which fails.
> I'm just trying to figure out the differences between the two
> configurations and how to make the users file entry work like the suffix
> behavior.
>
>
> In the users file:
>
> DEFAULT Proxy-To-Ream := "SW"
>

If you want to add the realm to the username if one doesn't exist, the best place to do this is before processing (preprocess) in hints, not the users file. Your problem is that the eap module is trying to process the request before it is proxied. And it shouldn't.

Ivan Kalik
Kalik Informatika ISP
Dynamic VLANs based on AD group membership
Does anyone have a FreeRADIUS server handing out dynamic VLANs based on group membership in AD to a HP 2800 series switch that's configured for 802.1X? How do I configure FreeRADIUS to "read" the AD group membership attribute, and how do I then pass the matching VLAN-ID back to the switch?

Daniel
Re: EAP-TTLS / LDAP
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).

That relates to ldap "bind as user" authentication, not to using ldap to store user information.

Ivan Kalik
Kalik Informatika ISP

On 8/7/2008, "joris" <[EMAIL PROTECTED]> wrote:

> Hello,
>
> After reading the configuration file radiusd.conf, it explicitly says
> that one can't use LDAP as the authentication backend when you use EAP
> (in my case, I'm interested in EAP-TTLS).
>
> Nonetheless, I can read elsewhere on the web that some people seem to
> use both EAP and LDAP, so I wonder who is right?
>
> I would use LDAP for storing all my users/passwords and EAP to protect
> my users' credentials over insecure Wifi.
>
> Any advice?
>
>
> Cheers,
>
> Joris
Re: CHAP-Password does NOT match local User-Password
Maciej Drobniuch wrote:
>> You are forcing Auth-Type. Don't do that.
>
> So, what must I force to not mess things up?

Don't force anything. Use the default configuration.

>> And the passwords don't match.
>
> The passwords match. Do they have to be in plain text (in db) or some kind
> of a hash?

No. See the FAQ for an example of how to configure a "known good" password for a user.

> How can I see what password (in plain, when auth in pap) comes in to
> freeradius from pppd.

Then post the debug output from *that*, and not from a CHAP request.

Alan DeKok.
Re: EAP-TTLS / LDAP
joris wrote:
> After reading the configuration file radiusd.conf, it explicitly says
> that one can't use LDAP as the authentication backend when you use EAP

I don't think it says that. What part of the configuration file leads you to think it's impossible?

> Nonetheless, I can read elsewhere on the web that some people seem to
> use both EAP and LDAP, so I wonder who is right?

It's possible. Lots of people are doing it.

> I would use LDAP for storing all my users/passwords and EAP to protect
> my users' credentials over insecure Wifi.
>
> Any advice?

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
Re: EAP-TTLS / LDAP
2008/7/8 joris <[EMAIL PROTECTED]>:
> Hello,
>
> After reading the configuration file radiusd.conf, it explicitly says
> that one can't use LDAP as the authentication backend when you use EAP
> (in my case, I'm interested in EAP-TTLS).
>
> Nonetheless, I can read elsewhere on the web that some people seem to
> use both EAP and LDAP, so I wonder who is right?
>
> I would use LDAP for storing all my users/passwords and EAP to protect
> my users' credentials over insecure Wifi.
>
> Any advice?
>
>
> Cheers,
>
> Joris
>

What the documentation says is that you can't use encrypted passwords in LDAP with EAP/PEAP. But you can use EAP/TTLS + PAP with LDAP. The main problem with this approach is that the f**k Windows has no native support for TTLS, so you should install some software, e.g. SecureW2...

--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
Re: CHAP-Password does NOT match local User-Password
On Tue, 08 Jul 2008 18:49:48 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> Upgrade to 2.0.5.
>

I had that version and the same error appeared.

>
> You are forcing Auth-Type. Don't do that.
>

So, what must I force to not mess things up?

>
> And the passwords don't match.

The passwords match. Do they have to be in plain text (in db) or some kind of a hash?

How can I see what password (in plain, when auth in pap) comes in to freeradius from pppd.

THANKS FOR YOUR SUPPORT!

sorry for my lame eng.

--
Maciej Drobniuch
EAP-TTLS / LDAP
Hello,

After reading the configuration file radiusd.conf, it explicitly says that one can't use LDAP as the authentication backend when you use EAP (in my case, I'm interested in EAP-TTLS).

Nonetheless, I can read elsewhere on the web that some people seem to use both EAP and LDAP, so I wonder who is right?

I would use LDAP for storing all my users/passwords and EAP to protect my users' credentials over insecure Wifi.

Any advice?

Cheers,

Joris
Re: CHAP-Password does NOT match local User-Password
Maciej Drobniuch wrote:
> I've tried several freeradius versions, but I always get the same error:
> auth: user supplied CHAP-Password does NOT match local User-Password
> Currently I'm using freeradius 1.0.5

Upgrade to 2.0.5.

> and I want to bind it with the
...
> rlm_chap: Setting 'Auth-Type := CHAP'
...
> rad_check_password: Found Auth-Type Local

You are forcing Auth-Type. Don't do that.

> auth: type Local
> auth: user supplied CHAP-Password does NOT match local User-Password

And the passwords don't match.

Alan DeKok.
CHAP-Password does NOT match local User-Password
Hi everyone !

I'm a newbie in freeradius. I've tried several freeradius versions, but I always get the same error:

auth: user supplied CHAP-Password does NOT match local User-Password

Currently I'm using freeradius 1.0.5 and I want to bind it with the pppoe-server (accounts are mysql based). This is the ppp auth part of the radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=50, length=90
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "qweqwe"
        CHAP-Password = 0x1a490e809284566aa959336e511314fe82
        Calling-Station-Id = "00:04:61:5C:14:11"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20080705
  modcall[authorize]: module "auth_log" returns ok for request 0
radius_xlat: ':'
rlm_attr_rewrite: No match found for attribute User-Name with value 'qweqwe'
  modcall[authorize]: module "dwukropki" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "qweqwe", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
radius_xlat: 'qweqwe'
rlm_sql (sql): sql_set_user escaped user --> 'qweqwe'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'qweqwe' ORDER BY id
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id'
rlm_sql_mysql: query: SELECT r.id,r.UserName,r.Attribute,inet_ntoa(n.ipaddr) as value,r.op FROM radreply as r, nodes as n WHERE r.Username = 'qweqwe' AND n.name=r.UserName ORDER BY r.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'qweqwe' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [qweqwe] (from client localhost port 0 cli 00:04:61:5C:14:11)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 50 to 127.0.0.1:32772
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 50 with timestamp 486f753f
Nothing to do. Sleeping until we see a request.

Thanks for the support and sorry for my lame eng.

--
Maciej Drobniuch
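The CHAP-Password in the debug above is one octet of CHAP identifier (0x1a = 26) followed by a 16-octet MD5 response, and the question of whether the stored password may be a hash is answered by how the server checks it. As an added example that is not part of this thread or of FreeRADIUS, the code below does the NAS-side computation and the server-side check; the same MD5(id || password || challenge) construction is what EAP-MD5 uses, so the cleartext-password requirement is the same there. Function names are this example's own, and the challenge and password in the demo are constructed.

```python
import hashlib
import hmac
import os
from typing import Tuple


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def build_chap_password(chap_id: int, password: str, challenge: bytes) -> bytes:
    """What the NAS (pppd) puts into the RADIUS CHAP-Password attribute:
    one octet CHAP Identifier followed by the 16-octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def split_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """Split a CHAP-Password attribute value into (identifier, response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 octets (id + 16-byte MD5)")
    return attr[0], attr[1:]


def verify_chap(chap_password_attr: bytes, challenge: bytes,
                cleartext_password: str) -> bool:
    """Server-side check of a CHAP-Password.

    The challenge is the CHAP-Challenge attribute if the NAS sent one,
    otherwise the 16-octet Request Authenticator of the Access-Request
    (RFC 2865 section 5.3). Only a cleartext password can be checked: the
    server has to recompute the MD5 over the password itself, so a stored
    hash (crypt, MD5, NT hash) gives it nothing to feed in, and the result
    is exactly the "does NOT match local User-Password" rejection.
    """
    chap_id, response = split_chap_password(chap_password_attr)
    expected = chap_response(chap_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


if __name__ == "__main__":
    # Constructed demo: the NAS answers a random challenge, the server checks it.
    challenge = os.urandom(16)          # would be CHAP-Challenge / Request Authenticator
    attr = build_chap_password(26, "example-secret", challenge)
    print("CHAP-Password =", "0x" + attr.hex())
    print("correct password:", verify_chap(attr, challenge, "example-secret"))
    print("wrong password:  ", verify_chap(attr, challenge, "not-the-secret"))
```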
Re: proxy-to-realm versus using a suffix
> I'm wondering what's the difference between using a suffix like @realmname
> versus using the proxy-to-realm in the users file.
>

Not much. With a suffix the request will be proxied to that realm by default (if that realm is defined) while the proxy-to-realm attribute forces it in the cases when it normally wouldn't be proxied there.

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP
proxy-to-realm versus using a suffix
Hello,

FreeRADIUS version 2.0.4

I'm wondering what's the difference between using a suffix like @realmname versus using the proxy-to-realm in the users file.

My current setup is testing using the XP supplicant using PEAP. I've already been able to terminate the PEAP connection and then proxy the MSCHAPV2 to the IAS server, but the behavior I get by doing this doesn't allow the XP client to pop up the re-enter your credentials window after you change your password.

So now I'm just trying to proxy the whole request through, which works using just the @realmname. But it doesn't work using the stanza entry with the proxy-to-realm in the users file.

Any help would be appreciated.

Thanks,
Chris
RE: xp sp3 and freeradius 2.0.5
I'm seeing the same problems with Vista devices:

Sending Access-Accept of id 12 to 131.202.9.32 port 2048
        User-Name = "u3t98"
        Tunnel-Private-Group-Id:0 = "Academic"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0xce1ea72659c68cceba45498192e03bbb73292f9cdc314bbdea6e5ede0302b86a
        MS-MPPE-Send-Key = 0xe2cafe2564df85dd04dddb4816c00c8afeea831cbbdb444b45789625771f6c9c
        EAP-Message = 0x03180004
        Message-Authenticator = 0x

Even though I have MPPE disabled in FR:

mschap {
        #
        # As of 0.9, the mschap module does NOT support
        # reading from /etc/smbpasswd.
        #
        # If you are using /etc/smbpasswd, see the 'passwd'
        # module for an example of how to use /etc/smbpasswd

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        #use_mppe = no
        use_mppe = no

Thoughts?

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of SecureW2 (List)
Sent: Monday, July 07, 2008 10:58 AM
To: 'FreeRadius users mailing list'
Subject: RE: xp sp3 and freeradius 2.0.5

Dear Oxiel,

Are you using wired or wireless 802.1x? I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when the MPPE keys are being sent by the RADIUS server (which are not used in (most) wired 802.1X setups):

> Sending Access-Accept of id 8 to 192.168.100.245 port 5001
> User-Name = "host/caja02.cosmart.bo"
> MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
> MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
> EAP-Message = 0x03090004
> Message-Authenticator = 0x

If you are using wired, try disabling the MPPE keys in Freeradius.

Regards,

Tom

> -----Original message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> On behalf of Ivan Kalik
> Sent: Monday 7 July 2008 15:32
> To: freeradius-users@lists.freeradius.org
> Subject: Re: xp sp3 and freeradius 2.0.5
>
> > Has anybody achieved to authenticate xp sp3 with the default 802.1x client to
> > freeradius ?
>
> You!
>
> > Sending Access-Accept of id 8 to 192.168.100.245 port 5001
> > User-Name = "host/caja02.cosmart.bo"
> > MS-MPPE-Recv-Key =
> > 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
> > MS-MPPE-Send-Key =
> > 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
> > EAP-Message = 0x03090004
> > Message-Authenticator = 0x
>
> Ivan Kalik
> Kalik Informatika ISP
mod_auth_radius-2.0.c patch to support Apache 2.2.x
Hi,

I've tried sending this directly to the author, but there seems to be a problem somewhere, so I'm sending it to the list instead. Maybe I should file it as a bug report...

This has been in the Debian package for a while now (http://packages.debian.org/libapache2-mod-auth-radius).

----- Forwarded message from Josip Rodin <[EMAIL PROTECTED]> -----

Date: Sat, 31 May 2008 22:37:00 +0200
From: Josip Rodin <[EMAIL PROTECTED]> To: Alan DeKok <[EMAIL PROTECTED]> Subject: mod_auth_radius-2.0.c patch to support Apache 2.2.x Hi, I'm resending the below e-mail just in case you didn't notice, it's been almost three months now. http://www.freeradius.org/mod_auth_radius/ is still only shipping the old versions... On Sun, Mar 09, 2008 at 09:12:19PM +0100, Josip Rodin wrote: > On Thu, Mar 06, 2008 at 03:36:27AM +0100, Josip Rodin wrote: > > On Sat, Jul 21, 2007 at 06:08:23PM +0200, joy wrote: > > > Is the mod_auth_radius-2.0.c supposed to work properly with Apache 2.2.x? > > > > > > I can compile it just fine, but can't get it to work on runtime. > > > > > > Maybe, like LDAP, this module should become a an AuthBasicProvider? > > > > I took a hint from mod_auth_xradius' changes for Apache 2.1+, and made the > > patch which is attached... but it still doesn't work. Apache is so annoying > > to debug, I need to compile the server with debugging symbols and run it > > through gdb... :( > > Okay, I debugged it a bit further (no help from gdb), and managed to produce > a working patch. The problem that threw me off was the early DECLINED > handling in the authenticate_basic_user() function, which got activated > both when the module was inactive and when the RADIUS server definition > was missing. However, these two conditions are functionally quite different, > so I split the handling in two, with the latter case leaving a warning > in the log file. > > The working patch is attached. It allows people to define: > AuthBasicProvider radius > and everything appears to be working well after that. > > -- > 2. That which causes joy or happiness. > --- libapache-mod-auth-radius-1.5.7.orig/mod_auth_radius-2.0.c > +++ libapache-mod-auth-radius-1.5.7/mod_auth_radius-2.0.c 
> @@ -300,6 +300,9 @@ > #include "apr_general.h" > #include "apr_tables.h" > #include "apr_strings.h" > +/* Apache 2.1+ */ > +#include "ap_provider.h" > +#include "mod_auth.h" > > module AP_MODULE_DECLARE_DATA radius_auth_module; > > @@ -1122,8 +1125,11 @@ > * basic authentication... > */ > > -static int > -authenticate_basic_user(request_rec *r) > +/* common stuff for both Apache 2.0 and 2.1+ */ > +int > +authenticate_basic_user_common(request_rec *r, > + const char* user, > + const char* sent_pw) > { >radius_dir_config_rec *rec = > (radius_dir_config_rec *)ap_get_module_config (r->per_dir_config, > &radius_auth_module); > @@ -1131,21 +1137,25 @@ >radius_server_config_rec *scr = (radius_server_config_rec *) > ap_get_module_config (s->module_config, &radius_auth_module); >conn_rec *c = r->connection; > - const char *sent_pw; >char errstr[MAX_STRING_LEN]; > - int res, min; > + int min; >char *cookie; >char *state = NULL; >char message[256]; >time_t expires; >struct stat buf; > > - if (!rec->active || !scr->radius_ip) /* not active here, or no > radius */ > -return DECLINED;/* server declared, decline */ > + /* not active here, just decline */ > + if (!rec->active) > +return DECLINED; > + > + /* no server declared, decline but note for debugging purposes -joy */ > + if (!scr->radius_ip) { > +ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_WARNING, 0, r->server, > + "AuthRadiusActive set, but no RADIUS server IP - missing > AddRadiusAuth in this context?"); > +return DECLINED; > + } > > - if ((res = ap_get_basic_auth_pw(r, &sent_pw))) > -return res; > - >if (r->user[0] == 0) /* NUL users can never be let in */ > return HTTP_UNAUTHORIZED; 
> > @@ -1227,9 +1237,57 @@ >return OK; > } > > +/* Apache 2.1+ */ > +static authn_status > +authenticate_basic_user_newargs(request_rec *r, > +const char *user, > +const char *password) > +{ > + int normalreturnvalue = authenticate_basic_user_common(r, user, password); > + > + if (normalreturnvalue == OK) > +return AUTH_GRANTED; > + else if (normalreturnvalue == HTTP_UNAUTHORIZED) > +return AUTH_DENIED; > + else > +return AUTH_GENERAL_ERROR; > + /* AUTH_USER_NOT_FOUND would be nice, but the typical RADIUS server > + never gives any such information, it just sends an Access-Reject > + packet, no reasons given > + */ > +} > + > +/* Apache 2.0 */ > +static int > +authenticate_basic_user(request_rec *r) > +{ > + int res; > + const char *sent_pw; > + > + /* this used to say just if
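Review bot: the two new includes in the @@ -300 hunk (`#include "ap_provider.h"` and `#include "mod_auth.h"`) are unconditional, although the comment marks them "Apache 2.1+" and the rest of the patch deliberately keeps a separate Apache 2.0 path (`authenticate_basic_user`). mod_auth.h, and the authn_status/authn_provider declarations the later hunks rely on, is not in the 2.0 tree, so a 2.0 build of this file now stops at the preprocessor. Either guard the includes and the provider code with a version test (AP_MODULE_MAGIC_AT_LEAST against the 2.1 module magic number) or drop the 2.0 path and say so in the file's header comment.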
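Review bot: in the @@ -1122 hunk `authenticate_basic_user_common` loses the `static` that `authenticate_basic_user` had, so the module now exports an unprefixed global symbol that nothing in the patch calls from another file; keep it `static`. The new `user` parameter is also unused in the visible lines (the function still tests `r->user[0]`), which works for the 2.1+ provider path only because mod_auth_basic has already set r->user before calling the provider; either drop the parameter or use it consistently instead of `r->user`.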
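Review bot: the "AuthRadiusActive set, but no RADIUS server IP" warning in the @@ -1131 hunk is logged with ap_log_error at APLOG_WARNING on every request that reaches this point, so one misconfigured context repeats the same line per hit; a configuration error of this kind is better reported once (from the directive handler or a post-config hook) or at APLOG_DEBUG here. With a request_rec in hand, `ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, ...)` would also record the client and URI, and `APLOG_NOERRNO` is a no-op in 2.x and can go. Dropping the `ap_get_basic_auth_pw` call from the common function is right for the provider path, where mod_auth_basic supplies the password, but the 2.0 wrapper must then be the one that calls it, otherwise `sent_pw` is whatever the wrapper happens to pass in.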
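Review bot: `authenticate_basic_user_newargs` in the @@ -1227 hunk maps every return other than OK and HTTP_UNAUTHORIZED to AUTH_GENERAL_ERROR, which includes the DECLINED that `authenticate_basic_user_common` returns when `rec->active` is unset or no server is configured. mod_auth_basic turns AUTH_GENERAL_ERROR into an internal server error, while AUTH_USER_NOT_FOUND is the value that makes it try the next `AuthBasicProvider`; so a location that lists `radius` alongside another provider but has AuthRadiusActive off will now fail with a 500 instead of being skipped. The comment about RADIUS never reporting unknown users is true of Access-Reject (AUTH_DENIED is correct there), but does not apply to the declined case: map DECLINED to AUTH_USER_NOT_FOUND and reserve AUTH_GENERAL_ERROR for genuine failures such as no reply from the server.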
Re: xp sp3 and freeradius 2.0.5
>As you noted the client gets Access-Accept once, but then for some
>reason I don't know, it loses connection and never gets access to the
>network, on windows the network icon, shows trying to connect then
>later get the exclamation sign on the icon, first thought it was
>something with the vlan assignation, so removed it, and let it stay on
>vlan 1, but the same behavior .

Certificates are fine, radius server is fine. Your NAS is dropping the connection. Debug the NAS and see what it is complaining about.

It's quite normal for Windows domain access to authenticate the machine first and the user later, once the machine is on the network.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: xp sp3 and freeradius 2.0.5
Hello Alan.

> further to previous post - your log shows several WARNING
> entries - fix those.

Yes, fixed with eap.conf indications.

> finally, read eap.conf - especially the part about Windows
> systems not responding to EAP challenges...which is what your
> log looks like

I've read it again, this time consciously, but I think it is already there, maybe I'm missing something, please correct me; as I know, SP3 already brings the patch needed with SP2.

As you noted the client gets Access-Accept once, but then for some reason I don't know, it loses connection and never gets access to the network; on Windows the network icon shows trying to connect, then later gets the exclamation sign on the icon. First I thought it was something with the VLAN assignment, so I removed it and let it stay on VLAN 1, but the same behavior.

Other things that made me doubt were the username received by FR, most of the time it is the machine name: host/caja02.cosmart.bo, instead of the domain username: COSMART\\jat. So, as Tom pointed out in a previous email, I'm using the wired configuration service in Windows services; I'm not doing wireless at all, so I disabled MPPE keys and put use_mppe = no in the mschap module, but messages like these continue to appear with radiusd -X:

	MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
	MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480

Last, I will regenerate the certs the new way. Sorry, I stayed with 1.X long ago and recently upgraded to 2.0.5; what I did was to copy the certs directory from my previous working setup, I guess there's something different. I'll let you know as soon as possible.

Best regards.
Oxiel

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ASSERT FAILED
Alan DeKok wrote:
Norbert Wegener wrote:
As snmp is not available right now, I am looking in how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius...

Whoops. The intent was to allow Status-Server to any port, but to permit the statistics only to a "status" port.

First I noticed:
radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long
I commented out a few of the long-named values.

Hmm... If src/include/libradius.h has a DICT_ATTR with attrname[40], then you have an old copy of the source. This was fixed in a commit on June 19.

rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50
	Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
	FreeRADIUS-Statistics-Type = Authentication
ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
Abgebrochen

Grab an update from the new CVS tree:
cvs -d :pserver:[EMAIL PROTECTED]:/freeradius-server.git checkout -d radiusd master

You should be able to just copy src/main/listen.c from there to your existing tree, so you don't have to do a full configure/make again.

Thanks, works now.

Norbert Wegener

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ASSERT FAILED
[EMAIL PROTECTED] wrote: Hi, ... I got: rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50 Message-Authenticator = 0x32f28212809676b99d5943988a714aa8 FreeRADIUS-Statistics-Type = Authentication ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE Abgebrochen have you enabled the statistics virtual server? copy or link the entry in sites-available/ In radiusd.conf: status_server = yes If you mean the "status" file from sites-available: It is linked to sites-enabled. Norbert Wegener alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ASSERT FAILED
Norbert Wegener wrote:
> As snmp is not available right now, I am looking in how to deal with
> statistics, status_server and played a bit.
> This way I was able to kill freeradius...

Whoops. The intent was to allow Status-Server to any port, but to permit the statistics only to a "status" port.

> First I noticed:
> radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]:
> dict_addattr: attribute name too long
> I commented out a few of the long-named values.

Hmm... If src/include/libradius.h has a DICT_ATTR with attrname[40], then you have an old copy of the source. This was fixed in a commit on June 19.

> rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117,
> length=50
>	Message-Authenticator = 0x32f28212809676b99d5943988a714aa8
>	FreeRADIUS-Statistics-Type = Authentication
> ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE
> Abgebrochen

Grab an update from the new CVS tree:
cvs -d :pserver:[EMAIL PROTECTED]:/freeradius-server.git checkout -d radiusd master

You should be able to just copy src/main/listen.c from there to your existing tree, so you don't have to do a full configure/make again.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ASSERT FAILED
Hi, > As snmp is not available right now, I am looking in how to deal with > statistics, status_server and played a bit. > This way I was able to kill freeradius... > > First I noticed: > radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: > dict_addattr: attribute name too long > I commented out a few of the long-named values. > > Now with > cat x | radclient -d /usr/share/freeradius/ 127.0.0.1 status adminsecret, > where x contains: > Message-Authenticator = 0x00 > FreeRADIUS-Statistics-Type=1 > > > I got: > > rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, > length=50 >Message-Authenticator = 0x32f28212809676b99d5943988a714aa8 >FreeRADIUS-Statistics-Type = Authentication > ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE > Abgebrochen have you enabled the statistics virtual server? copy or link the entry in sites-available/ alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ASSERT FAILED
As snmp is not available right now, I am looking in how to deal with statistics, status_server and played a bit. This way I was able to kill freeradius... First I noticed: radclient: dict_init: /usr/share/freeradius//dictionary.freeradius[47]: dict_addattr: attribute name too long I commented out a few of the long-named values. Now with cat x | radclient -d /usr/share/freeradius/ 127.0.0.1 status adminsecret, where x contains: Message-Authenticator = 0x00 FreeRADIUS-Statistics-Type=1 I got: rad_recv: Status-Server packet from host 127.0.0.1 port 33453, id=117, length=50 Message-Authenticator = 0x32f28212809676b99d5943988a714aa8 FreeRADIUS-Statistics-Type = Authentication ASSERT FAILED stats.c[318]: request->listener->type == RAD_LISTEN_NONE Abgebrochen Norbert Wegener - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
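The radclient probe above (Message-Authenticator = 0x00 plus FreeRADIUS-Statistics-Type=1, sent as a Status-Server packet to the status port) is a good place to show what actually goes on the wire, because a Status-Server request is only trusted when its Message-Authenticator verifies under the shared secret, and the client has to check the reply the same way. The Python below is an added example written for this page, not radclient's or FreeRADIUS's code: it builds the Status-Server request (client side), builds the Access-Accept a server would return (server side), and verifies that reply as a client should (ID, Response Authenticator, and Message-Authenticator keyed on the request's own authenticator, RFC 2865/3579/5997). The FreeRADIUS enterprise number (11344) and the attribute number of FreeRADIUS-Statistics-Type (127) are assumptions taken from dictionary.freeradius and marked as such in the code; the HMAC logic does not depend on them. With those numbers the request comes out at 50 bytes, which is the length=50 in the debug output above.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes used in this exchange (RFC 2865, RFC 5997).
STATUS_SERVER = 12
ACCESS_ACCEPT = 2

ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 3579, 16-octet HMAC-MD5

# Assumption: FreeRADIUS's enterprise number and the attribute number that
# dictionary.freeradius assigns to FreeRADIUS-Statistics-Type.
FREERADIUS_PEN = 11344
FREERADIUS_STATISTICS_TYPE = 127
STATS_AUTHENTICATION = 1          # decoded as "Authentication" in the debug above


def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (length covers the header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(pen, vendor_type, value):
    """Vendor-Specific attribute in the common Vendor-Type/Vendor-Length layout."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", pen) + inner)


def _sign(code, ident, authenticator, attrs, secret):
    """Append a Message-Authenticator: HMAC-MD5 over the whole packet with the
    attribute's own value zeroed. 'authenticator' is the Request Authenticator
    for requests and replies alike (RFC 3579 section 3.2)."""
    body = attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body)
    header = struct.pack("!BBH", code, ident, length) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, mac), length


def build_status_server(ident, secret, request_authenticator=None):
    """Client side: the probe radclient sends from file 'x' above."""
    ra = request_authenticator or os.urandom(16)
    if len(ra) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = vsa(FREERADIUS_PEN, FREERADIUS_STATISTICS_TYPE,
                struct.pack("!I", STATS_AUTHENTICATION))
    signed, length = _sign(STATUS_SERVER, ident, ra, attrs, secret)
    return struct.pack("!BBH", STATUS_SERVER, ident, length) + ra + signed


def build_reply(request, secret, attrs=b""):
    """Server side: Access-Accept to a Status-Server. Message-Authenticator is
    computed first, then Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident = request[1]
    request_auth = request[4:20]
    signed, length = _sign(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, length)
    resp_auth = hashlib.md5(header + request_auth + signed + secret).digest()
    return header + resp_auth + signed


def parse_attrs(packet):
    """Yield (type, value) pairs, refusing to read past a malformed length."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("bad attribute length")
        yield t, packet[pos + 2:pos + ln]
        pos += ln


def verify_reply(request, reply, secret):
    """Client side: accept the reply only if the ID matches our request, the
    Response Authenticator is right, and the Message-Authenticator verifies
    against the *request's* authenticator. Constant-time comparisons."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT or length != len(reply):
        return False
    request_auth = request[4:20]
    attrs = reply[20:]
    want_resp = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(want_resp, reply[4:20]):
        return False
    zeroed, received_mac = b"", None
    try:
        for t, v in parse_attrs(reply):
            if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
                received_mac, v = v, b"\x00" * 16
            zeroed += avp(t, v)
    except ValueError:
        return False
    if received_mac is None:          # unsigned reply to a signed probe: reject
        return False
    want_mac = hmac.new(secret, reply[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(want_mac, received_mac)
```

build_status_server() picks a random Request Authenticator unless one is passed in, and verify_reply() binds the reply to that value, so a reply cannot be forged or replayed from an earlier probe without the secret. Rejecting a reply that carries no Message-Authenticator at all is the deliberate strict choice here; a server that answers Status-Server without one has not proven it holds the secret.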
Re: about EAP using 1.1.7 and 2.0.3
>users: Matched entry testing at line 102

What is this entry? Does it contain Cleartext-Password as the debug clearly suggests? Fix that.

>Sending duplicate reply to client test port 1024 - ID: 4 <--- any
>clue what is it ?

Your supplicant is sending the initial request again. Server is responding with the duplicate reply assuming the supplicant didn't receive the initial reply.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR on CentOS 5 via yum?
On Mon, 2008-07-07 at 20:51 +0200, Jos Vos wrote: > On Mon, Jul 07, 2008 at 02:27:18PM -0400, John Dennis wrote: > > > NOTE: The Fedora src rpms's were never meant to build on RHEL (centos), > > you may encounter build problems as a consequence. YMMV, you're on your > > own :-) > > I have recently built the Fedora 2.0.5-1 src.rpm on RHEL4, so it will > probably also build ok on RHEL5. > > For RHEL4 I had to comment out the following lines in the spec file: > > BuildRequires: libtool-ltdl-devel > > BuildRequires: perl-devel > > Furthermore, comment out the first line of %post ("chown ..."), as this > is a bug and will be removed in the next Fedora RPM. > Likewise we have CentOS 5.2 servers, but have rebuilt FR 5.0.1 from the source RPM from a Fedora 10 mirror. For that just comment out the 'perl-devel' from the spec file, run 'rpmbuild -ba freeradius.spec', then install the 'freeradius', 'freeradius-libs' and 'freeradius-utils' RPMs. It works fine. John. -- --- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 587001 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: about EAP using 1.1.7 and 2.0.3
Ryan Setiawan H wrote: > Hi All, >I've an issue about EAP in 802.1X. right now, I'm trying EAP-MD5 for > 802.1X using freeradius 2.0.3 Use 2.0.5. Or, install raddb/sites-available/inner-tunnel from the source tree. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server and clients from sql
Norbert Wegener wrote: > I took today's cvs/git, modified the nas table: ... > Modified nas_query: >{"nas_query", PW_TYPE_STRING_PTR, Err raddb/sql/mysql/dialup.conf, "nas_query". :) It's not in the default config yet, but it should be updated before 2.0.6 is released. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
about EAP using 1.1.7 and 2.0.3
Hi All,

I've an issue about EAP in 802.1X. Right now I'm trying EAP-MD5 for 802.1X using freeradius 2.0.3 and a ProCurve switch; sadly it doesn't work, but when I'm using freeradius 1.1.7 it works smoothly. I've tried not only the native Windows XP SP2 supplicant but also wpa_supplicant; both don't work using freeradius2. I've also tried reinstalling freeradius 2.0.3 (I forgot, I'm using mercurial); I thought I misconfigured something, but even using a "fresh from the oven" configuration it still just doesn't work. Here is the debug:

Sending duplicate reply to client test port 1024 - ID: 4
Cleaning up request 2 ID 4 with timestamp +46
Ready to process requests.
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.12.130
	NAS-Identifier = "ProCurve Switch 2650"
	User-Name = "testing"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-1c-2e-73-85-00"
	Calling-Station-Id = "00-0a-e4-13-58-c7"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	EAP-Message = 0x023a000c0174657374696e67
	Message-Authenticator = 0x55d6fa8c198752bd6c62c351b234a57b
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 58 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testing at line 102
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
!!!                                                                        !!!
!!! Replacing User-Password in config items with Cleartext-Password.       !!!
!!!                                                                        !!!
!!! Please update your configuration so that the "known good"              !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!                                                                        !!!
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 2
	NAS-Port-Type = Ethernet
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "101"
	EAP-Message = 0x013b001604101fee1ce904aea0659f790123de5bc761
	Message-Authenticator = 0x
	State = 0x9e1dcf679e26cbc870b5fae6a11d133d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Sending duplicate reply to client test port 1024 - ID: 4 <--- any clue what is it ?
Cleaning up request 3 ID 4 with timestamp +56
Ready to process requests.

From wpa_supplicant's debug it broke right before the EAP method message, so it (the supplicant) doesn't receive any MD5 Challenge from radius.

Anyone have the same problem? I'd really appreciate any help.

Thank you
Ryan Setiawan H

-- DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius user disconnection and same account multiplication problem inradacct
>A new doubt. Is there any way to safely disconnect a user from the radius server,
>in a way that it auto disconnects him from the nas (a pppoe server)?

Users are not connected to the radius server, so there is no need to "disconnect" them.

>The server is an ISP in production and we have to restart the connection suite
>(pppoe, radius, firewall) every time some account starts to multiply itself, so
>the users that are multiplying can log in again, and not receive the message
>'Still logged in'.

Radius server is working fine. Your NAS is broken.

> radacctid | acctsessionid       | acctuniqueid | username | nasipaddress    | nasportid | nasporttype | acctstarttime       | acctstoptime | acctsessiontime | acctinputoctets | acctoutputoctets | callingstationid | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay
> 14419     | 37142-user212151719 |              | user2    | XXX.XXX.XXX.252 | 688       | Ethernet    | 2008-07-04 08:46:31 | NULL         | 0               | 0               | 0                | X                | Framed-User | PPP            | XXX.XXX.XXX.182 | 0              | 0
> 14421     | 37142-user212151719 |              | user2    | XXX.XXX.XXX.252 | 688       | Ethernet    | 2008-07-04 08:46:34 | NULL         | 40              | 31795           | 102873           | X                | Framed-User | PPP            | XXX.XXX.XXX.182 | 0              | NULL
> 14424     | 37142-user212151719 |              | user2    | XXX.XXX.XXX.252 | 688       | Ethernet    | 2008-07-04 08:46:37 | NULL         | 80              | 59226           | 215383           | X                | Framed-User | PPP            | XXX.XXX.XXX.182 | 0              | NULL
> (columns empty in all three rows omitted: groupname, realm, acctauthentic, connectinfo_start, connectinfo_stop, calledstationid, acctterminatecause, xascendsessionsvrkey)

It's sending different start times for this session. Fix your NAS to do accounting properly. Or get one that works.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
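The three rows quoted above belong to one acctsessionid on one NAS but carry three different acctstarttime values, and the poster's unique index is on (acctstarttime, nasipaddress), so every re-sent packet from the NAS passes the index and opens another row. The Python/sqlite3 below is an added example written for this page, not FreeRADIUS's schema or the poster's setup: it loads those three rows (constructed from the table above, populated columns only) into a cut-down radacct, runs the query an operator would use to find sessions with more than one open row, and then repeats the inserts against a table whose unique index is on the session identity, where the duplicates are rejected. Column names follow the radacct table quoted above; the (acctsessionid, nasipaddress) key is this example's choice, and FreeRADIUS's acctuniqueid column, empty in the posted rows, exists for the same purpose.

```python
import sqlite3

# Constructed from the three radacct rows quoted above, populated columns only:
# radacctid, acctsessionid, username, nasipaddress, nasportid,
# acctstarttime, acctsessiontime, acctinputoctets, acctoutputoctets
ROWS = [
    (14419, "37142-user212151719", "user2", "XXX.XXX.XXX.252", "688",
     "2008-07-04 08:46:31", 0, 0, 0),
    (14421, "37142-user212151719", "user2", "XXX.XXX.XXX.252", "688",
     "2008-07-04 08:46:34", 40, 31795, 102873),
    (14424, "37142-user212151719", "user2", "XXX.XXX.XXX.252", "688",
     "2008-07-04 08:46:37", 80, 59226, 215383),
]

# Cut-down radacct with the columns the rows above use.
SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    acctsessionid    TEXT NOT NULL,
    username         TEXT NOT NULL,
    nasipaddress     TEXT NOT NULL,
    nasportid        TEXT,
    acctstarttime    TEXT,
    acctstoptime     TEXT,
    acctsessiontime  INTEGER,
    acctinputoctets  INTEGER,
    acctoutputoctets INTEGER
);
"""

# The poster's index: rows for the same session look distinct as soon as the
# NAS stamps them with different start times.
INDEX_ON_START_TIME = (
    "CREATE UNIQUE INDEX radacct_start ON radacct (acctstarttime, nasipaddress);"
)

# This example's alternative: one open row per session per NAS.
INDEX_ON_SESSION = (
    "CREATE UNIQUE INDEX radacct_session ON radacct (acctsessionid, nasipaddress);"
)

INSERT_START = """
INSERT INTO radacct (radacctid, acctsessionid, username, nasipaddress, nasportid,
                     acctstarttime, acctsessiontime, acctinputoctets, acctoutputoctets)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
"""

# Operator's check: sessions with more than one row still open.
DUPLICATE_OPEN_SESSIONS = """
SELECT acctsessionid, nasipaddress, COUNT(*) AS copies,
       MIN(acctstarttime) AS first_start, MAX(acctstarttime) AS last_start
FROM radacct
WHERE acctstoptime IS NULL
GROUP BY acctsessionid, nasipaddress
HAVING COUNT(*) > 1
"""


def make_db(unique_index_sql):
    """In-memory radacct carrying the given unique index."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + unique_index_sql)
    return con


def insert_starts(con, rows):
    """Treat each NAS packet as an Accounting-Start, as the poster's start
    query does. Returns how many rows the unique index let through."""
    inserted = 0
    for row in rows:
        try:
            con.execute(INSERT_START, row)
            inserted += 1
        except sqlite3.IntegrityError:
            pass  # same session already has an open row: rejected
    return inserted


def find_duplicate_open_sessions(con):
    """List of (acctsessionid, nasipaddress, copies, first_start, last_start)."""
    return con.execute(DUPLICATE_OPEN_SESSIONS).fetchall()


if __name__ == "__main__":
    for label, index_sql in (("index on start time", INDEX_ON_START_TIME),
                             ("index on session", INDEX_ON_SESSION)):
        con = make_db(index_sql)
        print(label, "-> rows inserted:", insert_starts(con, ROWS),
              "duplicates:", find_duplicate_open_sessions(con))
```

The detection query is the useful part on a production box: run against the real radacct it lists exactly the sessions that will trip the 'Still logged in' check, with the span of start times the NAS has been sending. The index change only stops new duplicates; it does not make a NAS that re-sends starts behave, which is Ivan's point.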
radius user disconnection and same account multiplication problem in radacct
A new doubt. Is there any way to safely disconnect a user from the radius server, in a way that it auto disconnects him from the nas (a pppoe server)? And about that Packet of Disconnect, is it still working?

I forgot to cite the version I'm using, and considering the message was sent on the weekend, with less chance of being read, I'm replying to it. If I'm doing wrong, I apologize, but I still trust your experience to provide me with some ideas.

I'm using all the latest stuff (Freeradius 2.0.3) from the ports repository on FreeBSD 6.3.

The server is an ISP in production and we have to restart the connection suite (pppoe, radius, firewall) every time some account starts to multiply itself, so the users that are multiplying can log in again and not receive the message 'Still logged in'.

I'll be really grateful for any reply. Thanks again.

>Hi again, I solved the last trouble with ippool.db using sqlippool instead.
>But I got a new shining problem. :)
>Now, almost everything seems to be working fine. Almost, because I have some
>account multiplication in the radacct table. Only a few users are doing that.
>And the multiplication doesn't stop while the users remain logged on. Only a
>few appear in the table; I'm using a unique index with acctstarttime and
>nasipaddress. And the numbers of radacctid jump a lot (from 1400 to 4000, for
>example).
>I'm also using set rad_alive 40 in ppp.conf and, in radiusd.conf,
>cleanup_delay 8 and max_request_time 50. All that with chap authentication.
>Select on one of the users who get the problem:

radacctid | acctsessionid       | acctuniqueid | username | nasipaddress    | nasportid | nasporttype | acctstarttime       | acctstoptime | acctsessiontime | acctinputoctets | acctoutputoctets | callingstationid | servicetype | framedprotocol | framedipaddress | acctstartdelay | acctstopdelay
14419     | 37142-user212151719 |              | user2    | XXX.XXX.XXX.252 | 688       | Ethernet    | 2008-07-04 08:46:31 | NULL         | 0               | 0               | 0                | X                | Framed-User | PPP            | XXX.XXX.XXX.182 | 0              | 0
14421     | 37142-user212151719 |              | user2    | XXX.XXX.XXX.252 | 688       | Ethernet    | 2008-07-04 08:46:34 | NULL         | 40              | 31795           | 102873           | X                | Framed-User | PPP            | XXX.XXX.XXX.182 | 0              | NULL
14424     | 37142-user212151719 |              | user2    | XXX.XXX.XXX.252 | 688       | Ethernet    | 2008-07-04 08:46:37 | NULL         | 80              | 59226           | 215383           | X                | Framed-User | PPP            | XXX.XXX.XXX.182 | 0              | NULL
(columns empty in all three rows omitted: groupname, realm, acctauthentic, connectinfo_start, connectinfo_stop, calledstationid, acctterminatecause, xascendsessionsvrkey)

>Radius log exactly when the problem starts:

74242 Fri Jul 4 03:40:25 2008 : Info: Ready to process requests.
74243 Fri Jul 4 03:41:02 2008 : Info: Allocated IP: XXX.XXX.XXX.121 from valid (did cli 0 port 678 user x)
74244 Fri Jul 4 03:41:10 2008 : Info: Allocated IP: XXX.XXX.XXX.179 from valid (did cli 0 port 679 user x)
74245 Fri Jul 4 04:40:00 2008 : Info: Allocated IP: XXX.XXX.XXX.186 from valid (did cli 0 port 680 user x)
74246 Fri Jul 4 06:37:33 2008 : Info: Allocated IP: XXX.XXX.XXX.67 from valid (did cli 0 port 681 user x)
74247 Fri Jul 4 06:57:05 2008 : Info: Released IP XXX.XXX.XXX.67 (did cli 0 user x)
74248 Fri Jul 4 07:01:50 2008 : Info: Allocated IP: XXX.XXX.XXX.153 from valid (did cli 0 port 682 user x)
74249 Fri Jul 4 07:07:34 2008 : Info: Allocated IP: XXX.XXX.XXX.105 from valid (did cli 0 port 683 user x)
74250 Fri Jul 4 07:29:44 2008 : Info: Released IP XXX.XXX.XXX.186 (did cli 0 user x)
74251 Fri Jul 4 07:33:22 2008 : Info: Allocated IP: XXX.XXX.XXX.141 from valid (did cli
Re: EAP-SIM and EAP-AKA fast-reauth support
Geoffroy Arnoud wrote:
> I have a question about EAP-SIM and EAP-AKA authentication.
> Is fast-reauthentication supported (in eap or eap2 module)?

Fast re-authentication is supported only in the eap2 module, so far as I know.

We should add the EAP-AKA patches to rlm_eap at some point. I've been avoiding it because the patches do a *lot* of "cut & paste" of existing code, rather than re-using it.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server and clients from sql
[EMAIL PROTECTED] wrote: Hi, Modified nas_query: {"nas_query", PW_TYPE_STRING_PTR, offsetof(SQL_CONFIG,nas_query), NULL, "SELECT id,nasname,shortname,type,secret,server FROM nas"}, rebuild the server. huh? thats the default query in the code - if you edit sql.conf and modify nas_query in the config it will do the required task. Correct, thanks. I have been confused by the nas_query in rlm_sql.c Norbert Wegener alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server and clients from sql
Hi, > Modified nas_query: >{"nas_query", PW_TYPE_STRING_PTR, > offsetof(SQL_CONFIG,nas_query), NULL, "SELECT > id,nasname,shortname,type,secret,server FROM nas"}, > rebuild the server. huh? thats the default query in the code - if you edit sql.conf and modify nas_query in the config it will do the required task. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server and clients from sql
Alan DeKok wrote:
Norbert Wegener wrote:
where those changes alone did not seem to help...

See raddb/sql/mysql/nas.sql The field name is "server", not "virtual_server". And it's commented out by default.

So in 2.0.5 something seems to be missing.

The SQL tables have to be updated to contain the right information, too. Once that's done, and the queries updated, it should work.

I took today's cvs/git, modified the nas table:

mysql> select * from nas;
+----+-----------------+-----------+-------+-------+------------+--------+-----------+----------------+
| id | nasname         | shortname | type  | ports | secret     | server | community | description    |
+----+-----------------+-----------+-------+-------+------------+--------+-----------+----------------+
|  1 | 149.246.185.169 | testbox   | linux |   123 | testing123 | cisco  | none      | no description |
+----+-----------------+-----------+-------+-------+------------+--------+-----------+----------------+
1 row in set (0.00 sec)

Modified nas_query:
{"nas_query", PW_TYPE_STRING_PTR, offsetof(SQL_CONFIG,nas_query), NULL, "SELECT id,nasname,shortname,type,secret,server FROM nas"},
rebuild the server.
...
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=149.246.185.169,shortname=testbox,secret=testing123
rlm_sql (sql): Adding client 149.246.185.169 (testbox, server=) to clients list

so the server does not seem to arrive. So I changed in rlm_sql.c:

/* NAS query isn't xlat'ed */
/*strlcpy(querystr, inst->config->nas_query, sizeof(querystr));*/
strlcpy(querystr, "SELECT id,nasname,shortname,type,secret,server FROM nas", sizeof(querystr));

Which is probably not how it is expected to be done, but it works:

rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret,server FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry nasname=149.246.185.169,shortname=testbox,secret=testing123
rlm_sql (sql): Adding client 149.246.185.169 (testbox, server=cisco) to clients list
rlm_sql (sql): Released sql socket id: 4

Norbert Wegener

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-SIM and EAP-AKA fast-reauth support
Hi all, I have a question about EAP-SIM and EAP-AKA authentication. Is fast-reauthentication supported (in eap or eap2 module)? Thanks in advance for your answers. Geoff. _ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server and clients from sql
Norbert Wegener wrote: > where those changes alone did not seem to help... See raddb/sql/mysql/nas.sql The field name is "server", not "virtual_server". And it's commented out by default. > So in 2.0.5 something seems to be missing. The SQL tables have to be updated to contain the right information, too. Once that's done, and the queries updated, it should work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: virtual server and clients from sql
Alan DeKok wrote: Norbert Wegener wrote: will this be in 2.0.6 by default? Yes. It's also in 2.0.5, if you're willing to try it out in a testing environment. I will try it, but what about the comment from [EMAIL PROTECTED]: the logic is in rlm_sql.c alrady, all you need to do is update your nas_query so that it looks like eg SELECT id,nasname,shortname,type,secret,virtual_server FROM nas then it'll pull in the details from the DB alan where those changes alone did not seem to help... So in 2.0.5 something seems to be missing. Norbert Wegener Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html