FreeRadius with radiusclient-ng and Cisco h323 VoIP attributes

2009-01-06 Thread Dean Elwood

Hi there,

I'm having real trouble getting FreeRadius and radiusclient-ng to talk  
to each other with Cisco h323 attributes.


I believe I have set up FreeRadius correctly. I can connect using  
radiusclient-ng and do standard AUTH commands and all works fine.


As soon as I try to add an attribute like:-

h323-conf-id = '78FF6EBC 2F74D29E 4F400B22 8B4AA1C1'

I get this parse error from radiusclient-ng:-

: can't parse AV pair

I assumed that this meant that radiusclient-ng didn't recognise the  
h323-conf-id attribute, so I included in the radiusclient-ng *client*  
dictionary the following:-


VENDOR      Cisco                   9

ATTRIBUTE   Cisco-AVPair            1   string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
ATTRIBUTE   h323-remote-address     23  string  Cisco
ATTRIBUTE   h323-conf-id            24  string  Cisco
ATTRIBUTE   h323-setup-time         25  string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
ATTRIBUTE   h323-call-type          27  string  Cisco
ATTRIBUTE   h323-connect-time       28  string  Cisco
ATTRIBUTE   h323-disconnect-time    29  string  Cisco
ATTRIBUTE   h323-disconnect-cause   30  string  Cisco
ATTRIBUTE   h323-voice-quality      31  string  Cisco
ATTRIBUTE   h323-gw-id              33  string  Cisco
ATTRIBUTE   h323-incoming-conf-id   35  string  Cisco


The client appears to be happy with this dictionary file (at least the  
client runs and still does standard AUTH's ok), but I still get the  
parse error on the h323 vars.


The fact that the parse error states an error parsing AV pair makes  
me think that these attributes need to be formatted in a particular  
way. Could that be it?


Any assistance or pointers in the right direction would be much  
appreciated


Thanks,

Dean

 
-

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius with radiusclient-ng and Cisco h323 VoIP attributes

2009-01-06 Thread Luciano Afranllie
Dean,

You see that error on the client side, right?

One very stupid thing I can tell you is: remove the empty line between
the VENDOR line and the first attribute. I have the same config (without the
empty line) and it is working fine.

How and where did you add the Cisco attributes? Just a tip: you can
create a new dictionary file (dictionary.cisco, for example) and use an
include directive at the end of the default dictionary file of
radiusclient-ng:

$INCLUDE dictionary.cisco

How are you testing this attribute?

Regards
Luciano

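
The dictionary format that radiusclient-ng and FreeRADIUS share for vendor attributes is simple enough to check mechanically: `VENDOR name id`, then `ATTRIBUTE name number type vendor`, plus `$INCLUDE file`. As an added example (not code from radiusclient-ng, FreeRADIUS, or anyone in the thread), here is a Python parser that loads such a dictionary, flags the mistakes that lead to confusing client errors (a name run together with its number so the number field is not numeric, an attribute declared twice, a vendor used before its VENDOR line, an include that cannot be found), and resolves an `attribute = 'value'` pair such as the one in the question to its vendor id and attribute number. The two sample dictionaries are constructed; the quote stripping in `resolve_avpair` is this example's own behaviour and says nothing about how radiusclient-ng tokenises values.

```python
"""Added example: parse and sanity-check a radiusclient-ng style dictionary
(VENDOR / ATTRIBUTE / $INCLUDE lines) and resolve an 'attr = value' pair.
This is not code from radiusclient-ng or FreeRADIUS; both sample
dictionaries below are constructed for the example."""
import re
from dataclasses import dataclass, field

# Constructed, correctly formatted subset of the Cisco VSA dictionary from the thread.
CISCO_OK = """\
VENDOR      Cisco                   9
ATTRIBUTE   Cisco-AVPair            1   string  Cisco
ATTRIBUTE   h323-remote-address     23  string  Cisco
ATTRIBUTE   h323-conf-id            24  string  Cisco
ATTRIBUTE   h323-setup-time         25  string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
"""

# Constructed broken variant: a name run together with its number (as in the
# pasted dictionary), an attribute declared twice, and an undeclared vendor.
CISCO_BROKEN = """\
VENDOR      Cisco                   9
ATTRIBUTE   h323-conf-id24          string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
ATTRIBUTE   h323-gw-id              33  string  Acme
"""

ATTR_TYPES = {"string", "integer", "ipaddr", "date"}
AVPAIR = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")


@dataclass
class Dictionary:
    vendors: dict = field(default_factory=dict)     # vendor name -> vendor id
    attributes: dict = field(default_factory=dict)  # attr name -> (number, type, vendor|None)
    problems: list = field(default_factory=list)    # human-readable findings


def parse_dictionary(text, includes=None, d=None, where="dictionary"):
    """Parse dictionary text into d.  `includes` maps the file names used on
    $INCLUDE lines to their text, standing in for files on disk."""
    if d is None:
        d = Dictionary()
    includes = includes or {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        f = line.split()
        kw, loc = f[0].upper(), f"{where}:{lineno}"
        if kw == "$INCLUDE" and len(f) == 2:
            if f[1] in includes:
                parse_dictionary(includes[f[1]], includes, d, f[1])
            else:
                d.problems.append(f"{loc}: included file {f[1]} not found")
        elif kw == "VENDOR" and len(f) == 3 and f[2].isdigit():
            d.vendors[f[1]] = int(f[2])
        elif kw == "ATTRIBUTE" and len(f) in (4, 5):
            name, number, atype = f[1], f[2], f[3].lower()
            vendor = f[4] if len(f) == 5 else None
            if not number.isdigit():
                hint = " (name and number ran together?)" if name[-1].isdigit() else ""
                d.problems.append(f"{loc}: bad attribute number {number!r}{hint}")
                continue
            if atype not in ATTR_TYPES:
                d.problems.append(f"{loc}: unknown attribute type {atype!r}")
            if vendor is not None and vendor not in d.vendors:
                d.problems.append(f"{loc}: vendor {vendor!r} not declared before use")
            if name in d.attributes or any(
                n == int(number) and v == vendor for n, _, v in d.attributes.values()
            ):
                d.problems.append(f"{loc}: duplicate attribute {name} ({number})")
            d.attributes[name] = (int(number), atype, vendor)
        else:
            d.problems.append(f"{loc}: cannot parse {line!r}")
    return d


def resolve_avpair(d, text):
    """Split 'Attribute = value' and look the attribute up in d.  Returns
    (name, value, vendor_id, number); vendor_id is None for standard
    attributes.  Matching single or double quotes around the value are
    stripped so a value with spaces survives; that is this example's choice,
    not a statement about how radiusclient-ng tokenises values."""
    m = AVPAIR.match(text)
    if not m:
        raise ValueError(f"cannot parse AV pair: {text!r}")
    name, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    if name not in d.attributes:
        raise KeyError(f"unknown attribute {name!r}; is it in the client dictionary?")
    number, _, vendor = d.attributes[name]
    return name, value, d.vendors.get(vendor), number


if __name__ == "__main__":
    good = parse_dictionary("$INCLUDE dictionary.cisco", {"dictionary.cisco": CISCO_OK})
    print(resolve_avpair(good, "h323-conf-id = '78FF6EBC 2F74D29E 4F400B22 8B4AA1C1'"))
    for problem in parse_dictionary(CISCO_BROKEN).problems:
        print("problem:", problem)
```

Run against the pasted dictionary, the checker reports the `h323-conf-id24` line as a non-numeric attribute number and the second `h323-call-origin 26` as a duplicate; a clean dictionary loaded through `$INCLUDE dictionary.cisco` resolves the conference id to vendor 9, attribute 24.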


Radreply Table

2009-01-06 Thread Marcelo Henique Cabral Ariza
Hi!

I have 2 FreeRADIUS servers running, one at version 2.0.4 and the other
at 2.0.5. On 2.0.4 I can use radreply without problem, but in 2.0.5 I
can't; the FreeRADIUS server doesn't read the table. The two servers have
the same configuration.

I need help.

Tks
Marcelo


Re: Radreply Table

2009-01-06 Thread Marinko Tarlac
We can't see your debug! Maybe Mr Ivan Kalik and his crystal ball know
something :)


By the way, Happy new year :)



Re: Radreply Table

2009-01-06 Thread tnt
> I have 2 FreeRADIUS servers running, one at version 2.0.4 and the other
> at 2.0.5. On 2.0.4 I can use radreply without problem, but in 2.0.5 I
> can't; the FreeRADIUS server doesn't read the table. The two servers have
> the same configuration.


It obviously isn't the same. Post the debug of server startup and
request processing.

Ivan Kalik
Kalik Informatika ISP



radiusd logs good passwords even when told not to?

2009-01-06 Thread Tim Eberhard
 = /etc/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.1.1:1812
Listening on accounting 192.168.1.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10:2702, id=165,
length=53
User-Name = username
User-Password = removed
NAS-IP-Address = 10.10.10.10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/etc/radacct/10.10.10.10/auth-detail-20090106'
rlm_detail: /etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/etc/radacct/10.10.10.10/auth-detail-20090106
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
rlm_realm: No '@' in User-Name = username, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
users: Matched DEFAULT at 153
users: Matched username at 316
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module unix returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [username] (from client hostname.com port 0)
Sending Access-Accept of id 165 to 10.10.10.10:2702
NS-Admin-Privilege = All-VSYS-Root-Admin
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

You can see it touched and updated the file with the new record..

# ll
total 4
-rw---  1 root root 342 Jan  6 10:17 auth-detail-20090106


So why is it doing this? How can I stop it? Ideally I would like radius to
NOT store passwords in plain-text..

Any help is appreciated, thanks all!

-Tim Eberhard

Re: radiusd logs good passwords even when told not to?

2009-01-06 Thread tnt
> FreeRADIUS installed via an RPM:
> # rpm -qa  | grep radius
> freeradius-1.0.1-3.RHEL4.5
>
> # radiusd -v
> radiusd: FreeRADIUS Version 1.0.1, for host , built on Apr 25 2007 at
> 08:19:46

That was years out of date even when installed. See about upgrading:

http://wiki.freeradius.org/Red_Hat_FAQ

> Our /etc/raddb/radiusd.conf clearly states to not log passwords:
> #  allowed values: {no, yes}
> #
> log_auth_badpass = no
> log_auth_goodpass = no

In the radius.log file. And it doesn't:

> Login OK: [username] (from client hostname.com port 0)

> # cat auth-detail-20081023
>
> Packet-Type = Access-Request
> removed
> User-Name = username
> User-Password = password
> NAS-IP-Address = 127.0.0.1
> Client-IP-Address = 127.0.0.1

That's the detail module at work:

> Module: Loaded detail
>  detail: detailfile = /etc/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (auth_log)

In current versions there is a suppress setting in the detail module where you
can set attributes that you don't want to log in the detail file. I have no
idea if such a setting exists in the version you are using.

Ivan Kalik
Kalik Informatika ISP



Re: radiusd logs good passwords even when told not to?

2009-01-06 Thread A . L . M . Buxey
Hi,

> Background info:

yes, ancient version

> Our /etc/raddb/radiusd.conf clearly states to not log passwords:
> #  allowed values: {no, yes}
> #
> log_auth_badpass = no
> log_auth_goodpass = no

correct - in the main log

> However it's logging good password auth's still..

no, this is the detail file - and you've enabled the
detail logging module - which has an option for stopping
the password from being logged...however, I think that
was only from version 1.1.x - see the current version
docs and/or the current config files from the recent
release (download the tar.gz file, extract and then view
the config).

do you need or use the detail files in any of your
processes? if not, then disable the detail module
(comment out calls to it)

alan


Re: Freeradius process dies with some (bad?!) EAP requests

2009-01-06 Thread A . L . M . Buxey
Hi,

> and we're facing a strange and very critical problem.
> Occasionally radius server just dies with no apparent reason. When I look at

I've had similar issues and would recommend upgrading to
the latest issue - many many EAP issues were addressed
during the move to 2.1.x

alan


Re: radiusd logs good passwords even when told not to?

2009-01-06 Thread Tim Eberhard
I have no need for a detail log; the data stored in /var/log/radius.log is
more than sufficient for me.

So commenting out detail { } in the radiusd.conf file should stop this?

I know I'm running an ancient version of FreeRADIUS.. sadly it's what RHEL
came with and it's what we have as 'stable'. I'll look at upgrading but I'm
afraid this is one of those wonderful 100% uptime required services.

Thanks again all,

-Tim Eberhard


Re: Radreply Table

2009-01-06 Thread A . L . M . Buxey
Hi,
> Hi!
>
> I have 2 FreeRADIUS servers running, one at version 2.0.4 and the other
> at 2.0.5. On 2.0.4 I can use radreply without problem, but in 2.0.5 I
> can't; the FreeRADIUS server doesn't read the table. The two servers have
> the same configuration.

are they talking to the same database? are the databases different?

alan


Re: radiusd logs good passwords even when told not to?

2009-01-06 Thread A . L . M . Buxey
Hi,

> I have no need for a detail log; the data stored in /var/log/radius.log is
> more than sufficient for me.
>
> So commenting out detail { } in the radiusd.conf file should stop this?

you will also need to remove the calls to that detail config in
various other places in the config.

> I know I'm running an ancient version of FreeRADIUS.. sadly it's what RHEL
> came with and it's what we have as 'stable'. I'll look at upgrading but I'm
> afraid this is one of those wonderful 100% uptime required services.

aye - set it up on another server and then swap over during a
pre-disclosed maintenance window. we have 3 servers + 2 dev
systems to allow for upgrades (and pre-testing of upgrades!)
since 2.x came out we can lose 2 service boxes and the 3rd can
handle the load (pre 2.x we needed 2 up)

alan
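
The point the replies make, that `log_auth_goodpass = no` only governs radius.log while the detail module (here the `auth_log` instance writing `auth-detail-%Y%m%d`) copies every attribute of the Access-Request to disk, `User-Password` included, is worth checking on any host that ever ran this configuration. Below is an added example, not code from FreeRADIUS or from anyone in the thread: a small Python scanner for detail files in the format the thread shows (a timestamp header line, indented `Attribute = value` lines, a blank line between records) that reports which records hold credential attributes and writes a redacted copy. The sample records and the `SENSITIVE` attribute list are constructed for the example. On FreeRADIUS 2.x the same attribute names belong in the detail module's `suppress { ... }` block so the server never writes them; on 1.0.1 the options the replies give are to stop calling the `auth_log` instance or to scrub the files afterwards.

```python
"""Added example: find credential attributes in FreeRADIUS detail files and
write a redacted copy.  Not code from FreeRADIUS; the sample records below are
constructed in the detail format shown in the thread (timestamp header,
indented 'Attribute = value' lines, blank line between records)."""
import re

# Attributes whose values are passwords or key material.  On FreeRADIUS 2.x
# these names belong in the detail module's `suppress { ... }` block instead.
# The list itself is this example's choice.
SENSITIVE = {
    "User-Password", "CHAP-Password", "MS-CHAP-Response", "MS-CHAP2-Response",
    "MS-CHAP-Challenge", "Tunnel-Password", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key",
}

# Constructed sample: two Access-Request records as an auth_log detail instance
# would write them.  All values are invented.
SAMPLE_DETAIL = (
    "Tue Jan  6 10:17:03 2009\n"
    "\tPacket-Type = Access-Request\n"
    "\tUser-Name = \"username\"\n"
    "\tUser-Password = \"hunter2\"\n"
    "\tNAS-IP-Address = 10.10.10.10\n"
    "\tClient-IP-Address = 10.10.10.10\n"
    "\tTimestamp = 1231258623\n"
    "\n"
    "Tue Jan  6 10:18:11 2009\n"
    "\tPacket-Type = Access-Request\n"
    "\tUser-Name = \"alice\"\n"
    "\tCHAP-Password = 0x01a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8\n"
    "\tNAS-IP-Address = 10.10.10.11\n"
    "\n"
)

# indent, attribute name, operator, value (longer operators listed first)
ATTR_LINE = re.compile(r"^(\s+)([A-Za-z0-9_:.-]+)\s*(:=|\+=|==|=)\s*(.*)$")


def parse_detail(text):
    """Return one (header, [(attr, op, value), ...]) tuple per record."""
    records, header, attrs = [], None, []
    for line in text.splitlines():
        if not line.strip():                      # blank line closes a record
            if header is not None:
                records.append((header, attrs))
            header, attrs = None, []
            continue
        if header is None:                        # first line of a record is the timestamp
            header = line.strip()
            continue
        m = ATTR_LINE.match(line)
        if m:
            attrs.append((m.group(2), m.group(3), m.group(4)))
    if header is not None:                        # file without a trailing blank line
        records.append((header, attrs))
    return records


def find_leaks(text):
    """Return (record_index, attribute) for every sensitive attribute present."""
    return [(i, attr) for i, (_, attrs) in enumerate(parse_detail(text))
            for attr, _, _ in attrs if attr in SENSITIVE]


def redact(text, marker='"<redacted>"'):
    """Rewrite the detail text with sensitive values replaced, layout intact,
    so the file still parses and the attribute names remain for auditing."""
    out = []
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m and m.group(2) in SENSITIVE:
            line = f"{m.group(1)}{m.group(2)} {m.group(3)} {marker}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for idx, attr in find_leaks(SAMPLE_DETAIL):
        print(f"record {idx}: {attr} stored in the clear")
    print(redact(SAMPLE_DETAIL), end="")
```

`detailperm = 384` in the debug output is octal 0600, so the file is readable by root only; that limits who can read the stored passwords but does not make keeping them acceptable, and anything that rotates or backs up `/etc/radacct` will carry them along. Redaction preserves the attribute names, so `find_leaks` on the cleaned copy still tells you which records once held a password while the values are gone.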


Re: Freeradius process dies with some (bad?!) EAP requests

2009-01-06 Thread Alexander Clouter
Nelson Vale nelsonduv...@gmail.com wrote:
> 
> We have several machines running freeradius 2.0.2 as authentication server,
> and we're facing a strange and very critical problem.
> Occasionally radius server just dies with no apparent reason. When I look at
> the logs, the last lines I see before it happens are like:
> 
> ...
> Error: rlm_eap: No EAPsession matching the State variable.
> Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> ...
> 
> **
> I've googled for problems like this and I found some similar occurrences,
> but no solutions provided...
> 
> Is this a known problem that is fixed in a recent version?
> 
> This is a big issue for us because this causes several thousands of users to
> complain about it, so we would appreciate your help...
> 
For us it was not FreeRADIUS at fault, it was glibc.  As we *ran* Debian 
'stable' the version of libc6 was really really old (2.3.6) and it just 
kept randomly segfaulting (turned out it was in libc6).  The EAP 
session timeouts looked like a possible clue but in the end I discarded 
it as a red herring.

In the end bumping to Debian lenny (currently 'testing' but soon to be 
stable) fixed all our problems and I have not had *any* reliability 
issues either...all down to the libc6 version (now 2.7).  Another added 
bonus (this was just before etchandahalf) I was able to start using gdb 
on FreeRADIUS as a kernel bug[1] (earlier than 2.6.23) prevents it from 
functioning.

When reliability hits you, it's good to learn briefly how to use gdb.  
Very simply[2]:
 * log in as root
 * open a screen session[3]
 * make sure FreeRADIUS is not running
 * make sure you have all the debug symbols about, or a debuggable 
version installed
 * configure screen to log to a file; 'Ctrl-A H'
 * type 'gdb /usr/sbin/freeradius'
 * in gdb type 'run -X'
 * detach from screen 'Ctrl-A D'
 * when you notice FreeRADIUS has died, reconnect to your screen session
 * and at the gdb prompt type 'where' or for *lots* of info try
'thread apply all bt full'[4]
 * tell screen to stop logging, 'Ctrl-A H'
 * log out of screen

Means you can run FreeRADIUS and get the debugging you need to either 
blame the OS or Alan :)

From what I can remember, I think the segfault for us was in the GNU 
regexp library itself.

Cheers

Alex

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449181
[2] a different approach to the one on http://bugs.freeradius.org/
[3] http://blogamundo.net/code/screen/
[4] http://wiki.debian.org/HowToGetABacktrace

-- 
Alexander Clouter
.sigmonster says:   The jig's up, Elman.
Which jig?
-- Jeff Elman



Re: Digest authentication and perl authorization

2009-01-06 Thread Luciano Afranllie
Hi,

On Mon, Jan 5, 2009 at 2:23 PM,  t...@kalik.net wrote:
>> I am thinking of something like this:
>>
>> - Radius client (b2bua) sends an access-request with Service_type =
>> Authorize-Only
>> - Adding perl module to authorization section.
>> - In authorize function of perl module check if the balance is enough
>> to make the call. If yes, add an attribute to the reply with granted
>> credit time and return RLM_MODULE_OK. If no, return
>> RLM_MODULE_REJECT.
>
> That can work. As long as radius client understands that Service-Type.
>
>> My questions are: what is the best way of making authorization without
>> authentication?
>
> The way you described it.
>
>> - Should perl module set Auth-Type := Accept if the user is authorized?
>
> Yes.
>
>> - What should I need to add in the users file for this to work,
>> something like this?
>>
>> DEFAULT Auth-Type := Accept, Service-Type == Authorize-Only
>
> No need. perl can do it all. It can add Service-Type to reply as well.

I have done that and everything seems to be ok.

Now, I have a stupid question. When I do digest authentication with
this config, the digest module sets Auth-Type = Digest but I am overriding
it with Auth-Type = Accept in the perl module. How do I set Auth-Type in
perl only if it is not already set? What is the value for a not-set
attribute in perl?

Regards
Luciano


Framed-IP-Address override NAS pool?

2009-01-06 Thread up


Hi:

In my years running a dialup ISP, I used Cistron Radius and Cisco and 
Lucent NASs.  I am now using FreeRadius and a Cisco router to authenticate 
PPTP VPN users.  The default IP address pool is defined in the Cisco like 
this (parsed):

interface Virtual-Template1
 peer default ip address pool vpnpool
 no keepalive
 ppp encrypt mppe auto
!
ip local pool vpnpool 192.168.0.1 192.168.0.254

That works fine authenticating Unix system users using this raddb/users 
config (one of the supplied samples):

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

I now want to assign a few users different, static IPs using this:

testuser        Service-Type == Framed-User
        Framed-Protocol == PPP,
        Framed-IP-Address = 192.168.1.2,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Compression = Van-Jacobson-TCP-IP

This sort of thing used to work fine with Cisco dialup NASs and Cistron, 
even though the NAS had no pool using that IP range in its config...radius 
just forced it to override the default pool, but in this case, it just 
keeps assigning an IP from the NAS pool (and yes, I have the above 
statement ABOVE the DEFAULT statement).

Is there something else that needs to be done to allow this?

Thanks in advance!

James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=
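
The users file semantics the question relies on, as an added example that is not FreeRADIUS code and not anything the poster wrote: a small Python evaluator for `users` entries that walks them in file order, stops at the first entry whose name (or DEFAULT) and `==` / `!=` check items match the request, and collects its reply items, continuing only when the entry sets `Fall-Through = Yes`. In the users file format, check items go on the entry's first line and reply items on the indented lines that follow, so the constructed sample below places `Framed-Protocol == PPP` on the first line of the testuser entry. The request dictionaries are constructed. What the example shows is that a per-user entry placed above DEFAULT only yields its static Framed-IP-Address when every check item, Service-Type included, is actually present in the NAS's Access-Request; if the router omits one, DEFAULT wins and the pool address comes back, which is what `radiusd -X` output will confirm either way.

```python
"""Added example: a minimal evaluator for FreeRADIUS `users` file entries,
showing first-match ordering, DEFAULT, and Fall-Through.  Not FreeRADIUS
code; it models only the `==` / `!=` check operators and plain reply items,
which is all the entries in the thread use.  Sample file and requests are
constructed."""
import re

USERS_FILE = """\
# Constructed sample modelled on the entries in the thread.  Check items sit
# on the entry line; reply items follow on indented lines.
testuser\tService-Type == Framed-User, Framed-Protocol == PPP
\tFramed-IP-Address = 192.168.1.2,
\tFramed-IP-Netmask = 255.255.255.0,
\tFramed-Compression = Van-Jacobson-TCP-IP

DEFAULT\tFramed-Protocol == PPP
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP
"""

# Constructed Access-Requests, reduced to the attributes the entries look at.
REQ_STATIC = {"User-Name": "testuser", "Service-Type": "Framed-User", "Framed-Protocol": "PPP"}
REQ_OTHER = {"User-Name": "bob", "Service-Type": "Framed-User", "Framed-Protocol": "PPP"}

ITEM = re.compile(r'^([A-Za-z0-9_-]+)\s*(:=|==|\+=|!=|=)\s*"?([^"]*)"?$')


def _split_items(text):
    """Turn 'A == x, B = y' into [(attr, op, value), ...]."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        m = ITEM.match(part)
        if not m:
            raise ValueError(f"cannot parse item {part!r}")
        items.append(m.groups())
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items), ...] in file order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t":                      # indented: reply items of current entry
            if current is None:
                raise ValueError(f"reply items before any entry: {line!r}")
            current[2].extend(_split_items(line))
        else:                                     # entry line: name, then check items
            parts = line.split(None, 1)
            checks = _split_items(parts[1]) if len(parts) > 1 else []
            current = (parts[0], checks, [])
            entries.append(current)
    return entries


def entry_matches(name, checks, request):
    """DEFAULT or a matching User-Name, and every == / != check item satisfied.
    Other operators (:= control items such as Auth-Type) do not constrain matching."""
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    for attr, op, value in checks:
        if op == "==" and request.get(attr) != value:
            return False
        if op == "!=" and request.get(attr) == value:
            return False
    return True


def authorize(entries, request):
    """Walk entries in file order; stop at the first match unless it sets
    Fall-Through = Yes.  Returns (names of matched entries, reply attributes)."""
    matched, reply = [], {}
    for name, checks, replies in entries:
        if not entry_matches(name, checks, request):
            continue
        matched.append(name)
        fall_through = False
        for attr, _, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("yes", "1", "true")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return matched, reply


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    no_service_type = {k: v for k, v in REQ_STATIC.items() if k != "Service-Type"}
    for req in (REQ_STATIC, REQ_OTHER, no_service_type):
        print(req["User-Name"], "->", authorize(entries, req))
```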


Some help with etc_smbpasswd auth and eap ttls

2009-01-06 Thread Josh Hiner
Trying to configure EAP-TTLS with MSCHAPv2 using FreeRADIUS version 1.1.3 
on Red Hat Enterprise Linux 5.

I have configured everything and gotten FreeRADIUS to authenticate off 
/etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have 
run into is when I switch the SecureW2 Windows XP EAP-TTLS client to use 
the current logged-on user credentials. Then SecureW2 sends the 
username in the format DOMAIN/user (which in this case is HTN/josh). 
Authentication then fails because of this extra domain part in the user. 
OK, fine. I first enabled the nt_domain_hack in the mschap module, then I 
configured realm ntdomain and simply set a default realm in proxy.conf 
to strip off the domain part. Nope, that fails (output will be included 
below). I also tried nostrip but that also fails, obviously. Also tried 
silently stripping the domain in preprocess in radiusd.conf. Auth is 
successful but finally rejected because the user doesn't match the 
original HTN/josh user sent.

Finally I simply added the username and password I was testing to the 
users file. It works there. My default realm strips the domain, proxies 
it back to localhost, authenticates off the users file and is successful. 
Arrgh, what am I doing wrong? I really need to use the etc_smbpasswd 
module as I can't get ntlm_auth to work. It says no logon servers found. 
I think it's because I am running it on the actual Samba server I want to 
auth off of.

Anyway, does anyone know how to get the etc_smbpasswd module to work? I don't 
want to use the users file (blech) even though it does work when I put 
the user in there, and again, if I just supply the username and password 
(and leave the domain part blank in the SecureW2 TTLS client) authentication 
does work off /etc/samba/smbpasswd.

Here is the /usr/sbin/radiusd -X output. Sorry it's long. Below that I 
will put the relevant lines of config. Thanks a ton for any help. -Josh


[r...@file raddb]# /usr/sbin/radiusd -s -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = ttls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = 

Authentication failed from Radius server

2009-01-06 Thread Aravind Arjunan
hi

Radius (FreeRADIUS) server has been configured and integrated with an OpenLDAP
server for user authentication in RHEL 5.
Using radtest, NTRadPing and Radiustest (utility) it is working fine. I got
Access-Accept by using these utilities.

When I try from an end user through a wireless access point I am not able to
authenticate. The wireless access point is configured with WPA for security.

From the radius debug level log and slapd log I can see that it is
able to fetch the username and that was successful, but in the case of
userPassword, authentication is failing.

How to send the User-Password in clear text format?
Is there any way to decrypt the userPassword in the RADIUS server which was
coming from the access point?

Here is the radius debug level log:

rad_recv: Access-Request packet from host 192.168.1.100:1645, id=45,
length=130
User-Name = sivaji
Framed-MTU = 1400
Called-Station-Id = 0023.045c.3f20
Calling-Station-Id = 001f.3c78.503a
Service-Type = Login-User
Message-Authenticator = 0xd56b1bff210c624ccf5b1d5c56285f10
EAP-Message = 0x0202000b01736976616a69
NAS-Port-Type = Wireless-802.11
NAS-Port = 542
NAS-Port-Id = 542
NAS-IP-Address = 192.168.1.100
NAS-Identifier = ap
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = sivaji, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 157
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sivaji
radius_xlat:  '(uid=sivaji)'
radius_xlat:  'dc=rgipt,dc=in'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=rgipt,dc=in, with filter (uid=sivaji)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sivaji authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [sivaji] (from client AP port 542 cli 001f.3c78.503a)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 45 to 192.168.1.100 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 45 with timestamp 4960b0d2
Nothing to do.  Sleeping until we see a request.

Re: Authentication failed from Radius server

2009-01-06 Thread Alan DeKok
Aravind Arjunan wrote:
...

  You already asked this question, and it was already answered.

  If you are not going to read the replies to your questions, then you
shouldn't be asking questions.

  Alan DeKok.


Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-06 Thread Alan DeKok
Josh Hiner wrote:
> Trying to configure EAP-TTLS with MSCHAPv2 using FreeRADIUS version
> 1.1.3 on Red Hat Enterprise Linux 5.

  I suggest upgrading.  It's not hard to build an RPM of the latest
version of the server.

  Upgrading will get you a lot.

> I have configured everything and gotten FreeRADIUS to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the SecureW2 Windows XP EAP-TTLS client to use
> the current logged-on user credentials. Then SecureW2 sends the
> username in the format DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> OK, fine. I first enabled the nt_domain_hack in the mschap module, then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails, obviously. Also tried
> silently stripping the domain in preprocess in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

  This is fixed in 2.x.  You can have different policies for inside the
TLS tunnel and outside of it.  This makes these configurations easier.

> Anyway, does anyone know how to get the etc_smbpasswd module to work? I don't
> want to use the users file (blech) even though it does work when I put
> the user in there, and again, if I just supply the username and password
> (and leave the domain part blank in the SecureW2 TTLS client) authentication
> does work off /etc/samba/smbpasswd.

  Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
solution is hard in 1.1.3.  I don't even recall what feature set it has
(or is missing).

  Alan DeKok.


Radius (freeradius) server integrated with openldap for user authentication

2009-01-06 Thread Aravind Arjunan
hi

Radius (FreeRADIUS) server has been configured and integrated with an OpenLDAP
server for user authentication.
Using radtest, NTRadPing and Radiustest (utility) it is working fine. I got
Access-Accept by using these utilities.
When I try from an end user through a wireless access point I am not able to
authenticate. The wireless access point is configured with WPA for security.
From the radius debug level log and slapd log I can see that it is
able to fetch the username and that was successful, but in the case of
userPassword, authentication is failing.
Am attaching the radius debug level log for your reference.

rad_recv: Access-Request packet from host 192.168.1.100:1645, id=45,
length=130
User-Name = sivaji
Framed-MTU = 1400
Called-Station-Id = 0023.045c.3f20
Calling-Station-Id = 001f.3c78.503a
Service-Type = Login-User
Message-Authenticator = 0xd56b1bff210c624ccf5b1d5c56285f10
EAP-Message = 0x0202000b01736976616a69
NAS-Port-Type = Wireless-802.11
NAS-Port = 542
NAS-Port-Id = 542
NAS-IP-Address = 192.168.1.100
NAS-Identifier = ap
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = sivaji, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry DEFAULT at line 157
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sivaji
radius_xlat:  '(uid=sivaji)'
radius_xlat:  'dc=rgipt,dc=in'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=rgipt,dc=in, with filter (uid=sivaji)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sivaji authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [sivaji] (from client AP port 542 cli 001f.3c78.503a)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 45 to 192.168.1.100 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 45 with timestamp 4960b0d2
Nothing to do.  Sleeping until we see a request.