Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> Alan DeKok wrote:
...
>>   Let me guess... you have policies for accounting which use "SQL-Group"?
>>   
> No It breaks the Authentication when I add the Accounting  configuration

  Fine.  You have *authentication* policies which use "SQL-Group".
That's the issue.

  When there is *one* SQL module, the SQL-Group attribute refers only to
it.  When there are *two* SQL modules... which one does it refer to?
That's the problem you're running into.

  The simple solution here is to use the "instantiate" section of
radiusd.conf.  List "sql-acct" first, and "sql-auth" second.  That way,
the SQL-Group comparison will use the "sql-auth" module, and not the
"sql-acct" module.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
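The ordering fix Alan describes, written out as an added example (not configuration posted in this thread). The instance names sql-auth and sql-acct are the ones Trey uses in his configuration later on this page; the DEFAULT entry for the users file is hypothetical. It assumes a 2.x server, where every rlm_sql instance registers the SQL-Group comparison when it is instantiated and the last registration wins.

```text
# radiusd.conf (added example)
#
# Modules not listed here are instantiated when the server first meets them
# while parsing the virtual-server sections. authorize is parsed before
# accounting, so sql-auth would register SQL-Group first and sql-acct would
# then overwrite it, which is what the debug output in this thread shows.
# Listing both here pins the order: sql-auth registers last and wins.
instantiate {
        sql-acct
        sql-auth
}

authorize {
        preprocess
        chap
        mschap
        suffix
        sql-auth
        files
}

accounting {
        detail
        radutmp
        sql-acct
}

# users file (hypothetical entry): this comparison now runs the
# group_membership_query of sql-auth, not of sql-acct.
DEFAULT SQL-Group == "active"
        Reply-Message = "member of group active"
```

A 2.x rlm_sql instance with a name other than "sql" also registers an instance-specific comparison attribute, <instance>-SQL-Group, and reports the name it created in the radiusd -X startup output (for the names above, sql-auth-SQL-Group). Writing the check item with that name removes the ambiguity without relying on instantiate ordering at all.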


Re: Adding additional row to radcheck table

2010-08-26 Thread Alan DeKok
Marius Pesé wrote:
> Radcheck usually stores CAP and PASSWORD. I have added an additional
> value to the dictionary and wanted to add that as a row in radcheck, like
>
> ID  Username        Attribute  Op  Value
> 66  b...@internet   cancelled  ==  no

  Which checks if the "cancelled" attribute exists, and if its value is
"no".

> However when I then try to authenticate debug returns “No known good
> password” even though the Crypt-Password Attribute is still there.

  Probably because the "cancelled" attribute doesn't exist.

> Deleting the line in the radcheck table and everything works again.
>
> Anybody see what I missed?

  Read the documentation for the SQL module to see how it works.

  Alan DeKok.
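What the posted row actually does, as an added example (not from the post). The username and password hash are hypothetical. rlm_sql loads radcheck rows as check items with the same operator semantics as the users file, which is why the rows are shown next to their users-file equivalent.

```text
# radcheck rows (added example; hypothetical user, same columns as the post)
#
#  id  username          attribute       op  value
#  --  ----------------  --------------  --  ------------------------------
#   1  user@example.org  Crypt-Password  :=  $1$saltsalt$hypothetical.hash
#   2  user@example.org  cancelled       ==  no
#
# As a users-file entry the two rows read:

user@example.org  Crypt-Password := "$1$saltsalt$hypothetical.hash", cancelled == "no"

# "==" is a comparison against the incoming Access-Request: the request must
# carry an attribute named "cancelled" with the value "no". No client sends a
# locally invented dictionary attribute, so the comparison fails, the whole
# entry is skipped, and the Crypt-Password in it is never loaded. The debug
# output then reports "No known good password".
#
# Control attributes such as Crypt-Password and Auth-Type are never compared
# against the request, and ":=" always matches. To disable an account, set
# Auth-Type instead of inventing a request attribute:
#
#  id  username          attribute  op  value
#   3  user@example.org  Auth-Type  :=  Reject

user@example.org  Auth-Type := Reject
```

Removing row 2 restores the working state, exactly as reported in the post; adding row 3 in its place rejects the user while keeping the password row intact for the day the account is reactivated.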

Adding additional row to radcheck table

2010-08-26 Thread Marius Pesé
Hi everyone,

Radcheck usually stores CAP and PASSWORD. I have added an additional value to 
the dictionary and wanted to add that as a row in radcheck, like

ID  Username        Attribute  Op  Value
66  b...@internet   cancelled  ==  no

However, when I then try to authenticate, debug returns "No known good password" 
even though the Crypt-Password Attribute is still there.

Deleting the line in the radcheck table and everything works again.

Anybody see what I missed?

Regards

Marius


Re: Authorization FreeRadius on Switches Extreme

2010-08-26 Thread Alan DeKok
Mark Ricardez Zarate wrote:
> Hi all
> 
> I have a network with Extreme switches working with FreeRADIUS
> (authentication). The Extreme documentation at
> http://www.extremenetworks.com/libraries/services/ExtremeXOSConceptsGuideSoftwareVersion12_3_rev2.zip
> explains that it is possible to implement authorization, but I could not
> implement it.

  We're not going to download a large file, and read hundreds of pages
of documentation just to figure out what you did wrong.  You need to
explain what you tried, and what happened.

> Does someone know how I could implement authorization with FreeRADIUS? Or is
> it necessary to use a scripting language like unlang (Perl, Python)?

  The server includes a *lot* of documentation which tells you how to
implement authorization rules.  Do you have a specific question about it?

  Alan DeKok.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Fri, Aug 27, 2010 at 11:49 AM, rrperez  wrote:
> Now I'm trying to test different kind of mobile phones. I'm just confused
> with iPhone because the certificate was sent when I tried to connect to the
> network, while with the other phones, the certificates are installed
> manually.

Not really.
Both TTLS and PEAP use a server certificate, which is sent to the
client/phones. Some clients ask whether you trust this certificate,
and you can simply click yes/accept/continue. Some others probably
simply reject it if it's not on the list of known certificates, thus
you have to install it before connecting.

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

Finally it worked out. I commented out mschapv2 and configured PEAP to use
GTC, and GTC to use Auth-Type LDAP. Thanks for the big help.

Now I'm trying to test different kind of mobile phones. I'm just confused
with iPhone because the certificate was sent when I tried to connect to the
network, while with the other phones, the certificates are installed
manually.
-- 
View this message in context: 
http://old.nabble.com/Wifi-Enabled-Phones-%2B-FreeRadius-tp29538516p29549400.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

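The PEAP with inner GTC handed to LDAP arrangement rrperez describes, reconstructed as an added example rather than his actual files. It assumes the stock raddb layout of a 2.x server (eap.conf and sites-available/inner-tunnel) and the certificate paths from the default eap.conf.

```text
# raddb/eap.conf (added example, not rrperez's configuration)
eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        max_sessions = 4096

        tls {
                # Server certificate presented to every PEAP/TTLS client.
                # The whole scheme rests on the client verifying it.
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
        }

        gtc {
                # The plaintext password returned inside the tunnel is put
                # into User-Password and handed to this Auth-Type.
                auth_type = LDAP
        }

        peap {
                # Inner method GTC instead of the stock mschapv2.
                default_eap_type = gtc
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }

        # mschapv2 { } left out, as described in the post
}

# raddb/sites-available/inner-tunnel: the stock file ships this block
# commented out; the gtc auth_type above needs it.
authenticate {
        Auth-Type LDAP {
                ldap
        }
        eap
}
```

With GTC the user's password crosses the inner tunnel in cleartext, so everything depends on the client checking the server certificate. A phone that lets the user tap "accept" on an unknown certificate, as Fajar describes above, will hand that password to any rogue access point fronting its own RADIUS server. Provision the CA certificate on the clients and, where the supplicant allows it, restrict the server names it will accept, rather than relying on the on-the-fly prompt.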


Authorization FreeRadius on Switches Extreme

2010-08-26 Thread Mark Ricardez Zarate
Hi all

I have a network with Extreme switches working with FreeRADIUS
(authentication). The Extreme documentation at
http://www.extremenetworks.com/libraries/services/ExtremeXOSConceptsGuideSoftwareVersion12_3_rev2.zip
explains that it is possible to implement authorization, but I could not
implement it.

Does someone know how I could implement authorization with FreeRADIUS? Or is
it necessary to use a scripting language like unlang (Perl, Python)?

Best Regards
Mark Ricardez

Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Fri, Aug 27, 2010 at 9:05 AM, rrperez  wrote:
>
> Thanks for the response Fajar,
>
>>Did you try leaving everything the way it was when it works and only
>>comment-out mschapv2 section?
>
> Yes i tried that yesterday, and it still works.
>
>>Did you try configuring iphone to use WPA2 enterprise security?
>
> I did that also, but I've never tried to do both at the same time, I'll try
> that now.

If that still doesn't work, try these links:
http://blogs.sun.com/cphcampus/entry/setting_up_your_iphone_for
http://www.apple.com/support/iphone/enterprise/

... and as usual, post the debug logs

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

>Did you try leaving everything the way it was when it works and only
>comment-out mschapv2 section?

Yes i tried that yesterday, and it still works.

>Did you try configuring iphone to use WPA2 enterprise security?

I did that also, but I've never tried to do both at the same time, I'll try
that now.

-- 
View this message in context: 
http://old.nabble.com/Wifi-Enabled-Phones-%2B-FreeRadius-tp29538516p29548832.html


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Fri, Aug 27, 2010 at 8:32 AM, rrperez  wrote:
> My previous config which is running smoothly was default_eap_type = gtc only
> and the others are left as is. Testing your posted configuration, the
> authentication for the computers doesn't ask for username and password
> anymore, and also the server uses the computer names as the username, which
> automatically fails the authentication.

Did you try leaving everything the way it was when it works and only
comment-out mschapv2 section?
Did you try configuring iphone to use WPA2 enterprise security?

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

I don't have a problem with my server using my previous configuration to
authenticate wifi computers. But when I reconfigured my server, that's
the time it fails.

My previous config which is running smoothly was default_eap_type = gtc only
and the others are left as is. Testing your posted configuration, the
authentication for the computers doesn't ask for username and password
anymore, and also the server uses the computer names as the username, which
automatically fails the authentication.
-- 
View this message in context: 
http://old.nabble.com/Wifi-Enabled-Phones-%2B-FreeRadius-tp29538516p29548698.html


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan,

I think also that the clients are the ones that need to be configured.
-- 
View this message in context: 
http://old.nabble.com/Wifi-Enabled-Phones-%2B-FreeRadius-tp29538516p29548673.html


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Trey Scarborough

Alan DeKok wrote:
> Trey Scarborough wrote:
>> All I am trying to do is run the radius auth queries on a database on one
>> machine and the accounting on another in another database. The problem I
>> am seeing is that when the additional sql configuration is put in for
>> the accounting database it begins to use that configuration for the
>> group_membership_query
>
>   Uh... no.  Nothing in the SQL accounting configuration uses the group
> membership query.  See the source code.

Exactly my problem and why I don't understand why it breaks the 
authorization radius reply attributes.

>> which is not in the accounting database and
>> fails. If I remove the sql-auth from the accounting configuration it
>> runs fine using the rad-auth sql configuration. Here are the excerpts from
>> my configuration. I am trying to set some radreply items with sql and
>> some by the users file by group. This works fine until I try to separate
>> the databases.
>
>   Let me guess... you have policies for accounting which use "SQL-Group"?

No. It breaks the authentication when I add the accounting configuration.

>   Alan DeKok.


Here is another more specific output from a debug

It runs like this without the accounting configuration

[sql-auth] sql_groupcmp
[sql-auth]  expand: %{User-Name} -> t...@testdomain.net
[sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
rlm_sql (sql-auth): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE 
UserName='t...@testdomain.net'

[sql-auth] sql_groupcmp finished: User is a member of group active
rlm_sql (sql-auth): Released sql socket id: 3

Runs like this when I add the rad-acct to accounting. It appears to be 
using the sql-acct for the sql_groupcmp for some reason.


[sql-auth] sql_groupcmp
[sql-auth]  expand: %{User-Name} -> t...@testdomain.net
[sql-auth] sql_set_user escaped user --> 't...@testdomain.net'
rlm_sql (sql-acct): Reserving sql socket id: 4
rlm_sql (sql-acct): Released sql socket id: 4
[sql-auth] sql_groupcmp finished: User is NOT a member of group active


Any ideas as to why it would do this?



Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> All I am trying to do is run the radius auth queries on a database on one
> machine and the accounting on another in another database. The problem I
> am seeing is that when the additional sql configuration is put in for
> the  accounting database it begins to use that configuration for the
> group_membership_query

  Uh... no.  Nothing in the SQL accounting configuration uses the group
membership query.  See the source code.

> which is not in the accounting database and
> fails. If I remove the sql-auth from the accounting configuration it
> runs fine using the rad-auth sql configuration. Here are the excerpts from
> my configuration. I am trying to set some radreply items with sql and
> some by the users file by group. This works fine until I try to separate
> the databases.

  Let me guess... you have policies for accounting which use "SQL-Group"?

  Alan DeKok.


Re: freeradius and syslog-ng

2010-08-26 Thread Alan DeKok
Alan Buxey wrote:
> unless, eg using the buffered-sql virtual server. in which case detail
> files can go to SQL

  Well, no.  Accounting can go to SQL.  But that doesn't mean writing
the detail files to SQL.  And it doesn't need the buffered-sql virtual
server.

  Alan DeKok.



Re: freeradius and syslog-ng

2010-08-26 Thread Alan Buxey
Hi,

> > Thanks for the replies.  I was afraid that the format of detail wouldn't
> > allow syslog.  I suppose detail can be sent to mysql though, right?
> 
>   No.

unless, eg using the buffered-sql virtual server. in which case detail
files can go to SQL

> > Is it possible within the radius log, where it logs successful or failed
> > logins, to also include the client's IP address along with the MAC?
> 
>   Read raddb/radiusd.conf, the "log" section.

yep - or call eg a PERL function which does funky things

alan


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Trey Scarborough

Alan DeKok wrote:
> Trey Scarborough wrote:
>> Yes I am aware of how it is documented. I followed the documentation but
>> it is still not functioning correctly.
>>
>> I have a configuration that is similar to as follows
>
>   Similar is not the same.
>
>   Perhaps you could explain in *detail* what you are trying to do with
> SQL groups.  Use examples from your configuration, not invented ones.
>
>   Alan DeKok.

All I am trying to do is run the radius auth queries on a database on one 
machine and the accounting on another in another database. The problem I 
am seeing is that when the additional sql configuration is put in for 
the accounting database it begins to use that configuration for the 
group_membership_query which is not in the accounting database and 
fails. If I remove the sql-auth from the accounting configuration it 
runs fine using the rad-auth sql configuration. Here are the excerpts from 
my configuration. I am trying to set some radreply items with sql and 
some by the users file by group. This works fine until I try to separate 
the databases.


authorize {
  preprocess
  chap
  mschap
  suffix
  sql-auth
  files
}
accounting {
  detail
  radutmp
  sql-acct  #works when this line is commented out
}

#sql.conf file
sql sql-auth {
  driver = "rlm_sql_mysql"
  server = "localhost"
  login = "radius"
  password = "radpass"
  radius_db = "radius"
  postauth_table = "radpostauth"
  authcheck_table = "radcheck"
  authreply_table = "radreply"
  groupcheck_table = "radgroupcheck"
  groupreply_table = "radgroupreply"
  usergroup_table = "usergroup"
  nas_table = "nas"
  deletestalesessions = no
  sqltrace = no
  sqltracefile = ${logdir}/sqltrace.sql
  num_sql_socks = 5
  connect_failure_retry_delay = 60
  sql_user_name = "%{User-Name}"

  authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authcheck_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
  authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
FROM ${authreply_table} \
WHERE Username = '%{SQL-User-Name}' \
ORDER BY id"
  group_membership_query = "SELECT GroupName FROM ${usergroup_table} 
WHERE UserName='%{SQL-User-Name}'"


  #
  # Set to 'yes' to read radius clients from the database ('nas' table)
  readclients = yes
}

sql sql-acct {
  driver = "rlm_sql_mysql"
  server = "192.168.5.84"
  login = "radius"
  password = "radpass"
  radius_db = "radius-acct"
  acct_table1 = "radacct"
  acct_table2 = "radacct"
  accounting_onoff_query = "UPDATE ${acct_table1} SET 
AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - 
unix_timestamp(AcctStartTime), 
AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = 
'%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND 
NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
 
  accounting_update_query = "UPDATE ${acct_table1} \
 SET FramedIPAddress = '%{Framed-IP-Address}', \
 AcctSessionTime = '%{Acct-Session-Time}', \
 AcctInputOctets = '%{Acct-Input-Octets}', \
 AcctOutputOctets = '%{Acct-Output-Octets}' \
 WHERE AcctSessionId = '%{Acct-Session-Id}' \
 AND UserName = '%{SQL-User-Name}' \
 AND NASIPAddress= '%{NAS-IP-Address}'"

  accounting_update_query_alt = "INSERT into ${acct_table1} 
(AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, 
NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, 
CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, 
AcctStartDelay) values('%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', 
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', 
DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) 
SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', 
'%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '0')"


  accounting_start_query = "INSERT into ${acct_table1} (AcctSessionId, 
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, 
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, 
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) 
values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', 
'%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', 
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', 
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"


  accounting_start_query_alt  = "UPDATE 

Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Jean-Yves Avenard
On 27 August 2010 05:19, Nolan King  wrote:
> check the capitalization of the username. I have seen instances where XP clients 
> send all lower case, and Win7 capitalises the first two characters.
>

What do you do in this case then?

Have a script run by freeradius putting all characters as lower case?


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Nolan King
check the capitalization of the username. I have seen instances where XP clients 
send all lower case, and Win7 capitalises the first two characters.

nolan
-- 

Nolan King
Moulton Niguel Water District
27500 La Paz Rd.
Laguna Niguel, CA 92677
(949) 425-3542
24hr: (949) 831-2500


>>> On 8/26/2010 at 11:44 AM, Jean-Yves Avenard wrote:
> Hi
> 
> On Thursday, August 26, 2010, Alan DeKok  wrote:
>> Jean-Yves Avenard wrote:
>>> I am running freeradius that comes installed and configured with MacOS
>>> 10.6 server.
>>>
>>> A Windows XP can connect just fine using Microsoft Protected EAP.
>>> iPhone, mac os client connect just fine using EAP-TTLS
>>>
>>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but
>>> not with the default build-in PEAP.
>>
>>   The log you posted shows a clear issue:
>>
>>> When connecting with Windows 7, I would read:
>>>
>>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
>>> user's uuid.
>>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
>>> dsGetRecordList() status = 0, recCount=0
>>>
>>>
>>> Any hint about what I should be looking at?
>>
>>   Run the server in debugging mode (radiusd -X).  Look for the above
>> errors, and *read* the lines of text around them.
>>
>>   Then use the information from the debug output to look the user up in
>> OpenDirectory.  Odds are that the user doesn't exist, which is why it
>> can't get the UUID.
> 
> I was the one doing the testing. Username/password are identical in all 
> tests.
> 
>>
>>> Mind you, I'm a complete noob when it comes to radius, I only started
>>> playing with it 2 days ago.
>>
>>   This isn't much of a RADIUS error.  The user lookup in OpenDirectory
>> fails, and the UUID wasn't found.  The only issue is *who* was being
>> looked up, and *why* the UUID wasn't found.
>>
> 
> Will run radius in debug mode and report back. I'm still puzzled why
> there would be a difference between 7 and XP in the way they are
> transmitting the user name
> 




Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Jean-Yves Avenard
Hi

On Thursday, August 26, 2010, Alan DeKok  wrote:
> Jean-Yves Avenard wrote:
>> I am running freeradius that comes installed and configured with MacOS
>> 10.6 server.
>>
>> A Windows XP can connect just fine using Microsoft Protected EAP.
>> iPhone, mac os client connect just fine using EAP-TTLS
>>
>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant ; but
>> not with the default build-in PEAP.
>
>   The log you posted shows a clear issue:
>
>> When connecting with Windows 7, I would read:
>>
>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
>> user's uuid.
>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
>> dsGetRecordList() status = 0, recCount=0
>>
>>
>> Any hint about what I should be looking at?
>
>   Run the server in debugging mode (radiusd -X).  Look for the above
> errors, and *read* the lines of text around them.
>
>   Then use the information from the debug output to look the user up in
> OpenDirectory.  Odds are that the user doesn't exist, which is why it
> can't get the UUID.

I was the one doing the testing. Username/password are identical in all tests.

>
>> Mind you, I'm a complete noob when it comes to radius, I only started
>> playing with it 2 days ago.
>
>   This isn't much of a RADIUS error.  The user lookup in OpenDirectory
> fails, and the UUID wasn't found.  The only issue is *who* was being
> looked up, and *why* the UUID wasn't found.
>

Will run radius in debug mode and report back. I'm still puzzled why
there would be a difference between 7 and XP in the way they are
transmitting the user name



Re: Problem with 2.1.10 hanging

2010-08-26 Thread David Mitchell
Alan DeKok wrote:
> David Mitchell wrote:
>> My 2.1.10 server I got compiled has a problem where it hangs after a few
>> hours. I'm not sure if it's related to the number of requests it's
>> processed or not. It's happened three times so far. Restarting the
>> server always gets it working again. Using tcpdump I can confirm that
>> it's receiving requests from the NAS but not processing them. Using
>> strace I can see that it's stuck on a futex:
>>
>> write(1, "Wed Aug 25 16:13:45 2010 : Info: "..., 70) = 70
>> futex(0x827fe88, FUTEX_WAIT_PRIVATE, 2, NULL
> 
>   It's blocked in a write?  Weird...
> 
>   See doc/bugs.  You should be able to run it under gdb.  Then when it's
> blocked, hit ^C, and do "bt".  That should show *which* mutex is
> locked.

I have it running in gdb now. I'll follow up on the devel list once I
get some useful info. Thanks,

-David

> 
>> Alan, let me know if you'd rather have this type of thread on the
>> Developer list instead of the User list. Thanks,
> 
>   That's probably the better place.
> 
>   Alan DeKok.


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: Problem with 2.1.10 hanging

2010-08-26 Thread Alan DeKok
David Mitchell wrote:
> My 2.1.10 server I got compiled has a problem where it hangs after a few
> hours. I'm not sure if it's related to the number of requests it's
> processed or not. It's happened three times so far. Restarting the
> server always gets it working again. Using tcpdump I can confirm that
> it's receiving requests from the NAS but not processing them. Using
> strace I can see that it's stuck on a futex:
> 
> write(1, "Wed Aug 25 16:13:45 2010 : Info: "..., 70) = 70
> futex(0x827fe88, FUTEX_WAIT_PRIVATE, 2, NULL

  It's blocked in a write?  Weird...

  See doc/bugs.  You should be able to run it under gdb.  Then when it's
blocked, hit ^C, and do "bt".  That should show *which* mutex is
locked.

> Alan, let me know if you'd rather have this type of thread on the
> Developer list instead of the User list. Thanks,

  That's probably the better place.

  Alan DeKok.


Problem with 2.1.10 hanging

2010-08-26 Thread David Mitchell
My 2.1.10 server I got compiled has a problem where it hangs after a few
hours. I'm not sure if it's related to the number of requests it's
processed or not. It's happened three times so far. Restarting the
server always gets it working again. Using tcpdump I can confirm that
it's receiving requests from the NAS but not processing them. Using
strace I can see that it's stuck on a futex:

write(1, "Wed Aug 25 16:13:45 2010 : Info: "..., 70) = 70
futex(0x827fe88, FUTEX_WAIT_PRIVATE, 2, NULL

The server is doing nothing more than EAP-TLS authentication for some
wireless APs. Debug from the config loading and the last few packets
are below.

Alan, let me know if you'd rather have this type of thread on the
Developer list instead of the User list. Thanks,

-David Mitchell

Wed Aug 25 14:29:47 2010 : Info: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Aug 25 2010 at 07:46:58
Wed Aug 25 14:29:47 2010 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Wed Aug 25 14:29:47 2010 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Aug 25 14:29:47 2010 : Info: PARTICULAR PURPOSE.
Wed Aug 25 14:29:47 2010 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Aug 25 14:29:47 2010 : Info: GNU General Public License v2.
Wed Aug 25 14:29:47 2010 : Info: Starting - reading configuration files ...
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/radiusd.conf
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/proxy.conf
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/clients.conf
Wed Aug 25 14:29:47 2010 : Debug: including files in directory /usr/local/etc/raddb/modules/
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/cui
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/detail
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/exec
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/mac2ip
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/pam
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/unix
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/logintime
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/etc_group
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/inner-eap
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/ippool
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/expr
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/wimax
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/echo
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/linelog
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/always
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/preprocess
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/expiration
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/pap
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/attr_filter
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/checkval
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/chap
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/smsotp
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/detail.example.com
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/otp
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/passwd
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/attr_rewrite
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/ntlm_auth
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/perl
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/smbpasswd
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/acct_unique
Wed Aug 25 14:29:47 2010 : Debug: including configuration file /usr/local/etc/raddb/modules/ldap
Wed 

Re: CA_file vs. CA_path

2010-08-26 Thread David Mitchell
Alan DeKok wrote:
> David Mitchell wrote:
>> I now have 2.1.10 compiled and running. It seems to work fine. I did
>> have to make one change to my configuration. I had been using CA_path to
>> refer to the certificates which can authenticate clients for EAP-TLS
>> authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I
>> specify a single file via CA_file that works fine. I can manage either
>> way I think since the file referenced in CA_file can contain multiple
>> certificates. I did verify that I had run 'c_rehash' in my CA_path
>> directory. I'm not sure why CA_path doesn't work since the OpenSSL docs
>> indicate that they are largely interchangeable. Is it an intentional
>> change?
> 
>   Nope.  It's not an intentional change.  I don't know why it would be
> different.

I did change OpenSSL versions as well so I can't say for sure that it
has anything to do with FreeRadius. I'll try and poke around some and
see if I can figure out what's going on. Thanks for confirming it wasn't
meant to change.

-David

> 
>   Alan DeKok.




Re: Compiling with newest OpenSSL

2010-08-26 Thread David Mitchell
Alan DeKok wrote:
> David Mitchell wrote:
>> I misread that page thinking that v2.1.x would just give me 2.1.9 and
>> that master would be 2.1.10. Either way, I was able to get v2.1.x (aka
>> 2.1.10) to configure openssl using the LIBS="-ldl" addition. I'm not
>> sure what's changed in the "master" that configure seems to figure that
>> out on it's own, but it might be nice to add to 2.1.10 if it's not too
>> much work.
> 
>   You're probably using "--with-system-libtool".  Change that to (or
> add) --without-system-libtool

I'll play around with those two options more the next time I compile.

> 
>> Now I'm hitting the undefined reference to
>> `lt__PROGRAM__LTX_preloaded_symbols' problem. I think I've moved past
>> that by just adding
>> #define lt__PROGRAM__LTX_preloaded_symbols lt_libltdl_LTX_preloaded_symbols
>> to modules.c.
> 
>   That's also a libtool / libltdl issue.
> 
>> It occurs to me. Is that libtool expecting a macro to be
>> defined for _PROGRAM_ and thats why it's defining a symbol which doesn't
>> actually exist? I'm just sort of thinking out loud based on your notes here:
>> https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/421005
> 
>   It's a libtool / libltdl versioning issue.  Did I mention that they
> cause nearly as many problems as they solve?

Yeah, I think so.

-David

> 
>   Alan DeKok.


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: clients not change after doing SIGHUP

2010-08-26 Thread Alan DeKok
Jeffrey Collyer wrote:
> I really hope someone at some point implements this.  It would be a big
> win for us.
> 
> Just adding my +1 to the want list.

  Put the clients in SQL.  Then, configure dynamic clients.  This works
*today*.

  Alan DeKok.


Re: Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Alan DeKok
Jean-Yves Avenard wrote:
> I am running freeradius that comes installed and configured with MacOS
> 10.6 server.
> 
> A Windows XP client can connect just fine using Microsoft Protected EAP.
> iPhone and Mac OS clients connect just fine using EAP-TTLS.
> 
> Windows 7 will connect fine using the SecureW2 EAP-TTLS supplicant, but
> not with the default built-in PEAP.

  The log you posted shows a clear issue:

> When connecting with Windows 7, I would read:
> 
> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
> user's uuid.
> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
> dsGetRecordList() status = 0, recCount=0
> 
> 
> Any hint about what I should be looking at?

  Run the server in debugging mode (radiusd -X).  Look for the above
errors, and *read* the lines of text around them.

  Then use the information from the debug output to look the user up in
OpenDirectory.  Odds are that the user doesn't exist, which is why it
can't get the UUID.

> Mind you, I'm a complete noob when it comes to RADIUS, I only started
> playing with it 2 days ago.

  This isn't much of a RADIUS error.  The user lookup in OpenDirectory
fails, and the UUID wasn't found.  The only issue is *who* was being
looked up, and *why* the UUID wasn't found.

  Alan DeKok.


Re: clients not change after doing SIGHUP

2010-08-26 Thread Jeffrey Collyer
I really hope someone at some point implements this.  It would be a big 
win for us.


Just adding my +1 to the want list.

Jeff


On 8/26/10 9:17 AM, Alan DeKok wrote:

John wrote:

Hi,
We are using freeradius-2.1.8. After I modify (add/delete a client) our
clients.conf, I send SIGHUP to the radiusd process. But it does not
take effect.  I need to restart the radiusd process.   Please give me
some advice, thanks.


   Clients are not reloaded on HUP.

   As always, patches are welcome.

   Alan DeKok.


Re: LDAP VPN Auth yet not in group?

2010-08-26 Thread Alan DeKok
freerad...@corwyn.net wrote:
> I tracked down where this is different.
> In huntgroups I have:
> VPN_Huntgroup  NAS-IP-Address == x.x.x.x
> In users I have:
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
> Reply-Message := "Authorized Users Only"
> 
> For a normal user, I see:
> Tue Aug 24 17:02:32 2010 : Info: ++- if (Huntgroup-Name ==
> "VPN_Huntgroup") returns ok

  The "if" statement there is NOT the "users" file.  It is an entry you
added in the file raddb/sites-available/default.

  Run the server in FULL debugging mode to see what it's doing, and why.

  Alan DeKok.


Re: clients not change after doing SIGHUP

2010-08-26 Thread Alan DeKok
John wrote:
> Hi, 
> We are using freeradius-2.1.8. After I modify (add/delete a client) our
> clients.conf, I send SIGHUP to the radiusd process. But it does not
> take effect.  I need to restart the radiusd process.   Please give me
> some advice, thanks.

  Clients are not reloaded on HUP.

  As always, patches are welcome.

  Alan DeKok.


Re: Compiling with newest OpenSSL

2010-08-26 Thread Alan DeKok
David Mitchell wrote:
> I misread that page thinking that v2.1.x would just give me 2.1.9 and
> that master would be 2.1.10. Either way, I was able to get v2.1.x (aka
> 2.1.10) to configure openssl using the LIBS="-ldl" addition. I'm not
> sure what's changed in the "master" that configure seems to figure that
> out on it's own, but it might be nice to add to 2.1.10 if it's not too
> much work.

  You're probably using "--with-system-libtool".  Change that to (or
add) --without-system-libtool

> Now I'm hitting the undefined reference to
> `lt__PROGRAM__LTX_preloaded_symbols' problem. I think I've moved past
> that by just adding
> #define lt__PROGRAM__LTX_preloaded_symbols lt_libltdl_LTX_preloaded_symbols
> to modules.c.

  That's also a libtool / libltdl issue.

> It occurs to me. Is that libtool expecting a macro to be
> defined for _PROGRAM_ and thats why it's defining a symbol which doesn't
> actually exist? I'm just sort of thinking out loud based on your notes here:
> https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/421005

  It's a libtool / libltdl versioning issue.  Did I mention that they
cause nearly as many problems as they solve?

  Alan DeKok.


Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

2010-08-26 Thread Jean-Yves Avenard
Following on an earlier thread:
http://lists.freeradius.org/pipermail/freeradius-users/2010-June/msg00116.html

to which, unfortunately, I couldn't get any answer.

I am experiencing a similar problem.

I am running freeradius that comes installed and configured with MacOS
10.6 server.

A Windows XP client can connect just fine using Microsoft Protected EAP.
iPhone and Mac OS clients connect just fine using EAP-TTLS.

Windows 7 will connect fine using the SecureW2 EAP-TTLS supplicant, but
not with the default built-in PEAP.

I have modified modules/mschap as follows, as per various instructions:


# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
	#
	#  If you are using /etc/smbpasswd, see the 'passwd'
	#  module for an example of how to use /etc/smbpasswd
	authtype = MS-CHAP

	# if use_mppe is not set to no mschap will
	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
	#
	use_mppe = yes

	# if mppe is enabled require_encryption makes
	# encryption moderate
	#
	require_encryption = yes

	# require_strong always requires 128 bit key
	# encryption
	#
	require_strong = yes

	# Windows sends us a username in the form of
	# DOMAIN\user, but sends the challenge response
	# based on only the user portion.  This hack
	# corrects for that incorrect behavior.
	#
	with_ntdomain_hack = yes

	# The module can perform authentication itself, OR
	# use a Windows Domain Controller.  This configuration
	# directs the module to call ntlm_auth with
	# the "best" user name for the request.
	#
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

In the log, when connecting using Windows XP I would see:

Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: Opening sqlite
database /private/etc/raddb/sqlite_radius_client_database for #4
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Aug 26 02:04:20 2010 : Info: Ready to process requests.
Thu Aug 26 02:07:43 2010 : Auth: rlm_opendirectory: User
 is authorized.

When connecting with Windows 7, I would read:

Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
user's uuid.
Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
dsGetRecordList() status = 0, recCount=0


Any hint about what I should be looking at?
Mind you, I'm a complete noob when it comes to RADIUS, I only started
playing with it 2 days ago.

Thank you for your help troubleshooting this matter.

Regards
Jean-Yves


Re: Cleartext username

2010-08-26 Thread Alan DeKok
Kristoffer Milligan wrote:
> The same thing happens during authentication when the CPE initially
> enters the network .. but then the username/password is decrypted and
> successfully compared in the database.
> 
> What's the difference between the accounting and the authentication ..
> apart from the info that's exchanged?

  Read the debug log to see?

  Alan DeKok.


Re: Cleartext username

2010-08-26 Thread Kristoffer Milligan
The same thing happens during authentication when the CPE initially 
enters the network .. but then the username/password is decrypted and 
successfully compared in the database.


What's the difference between the accounting and the authentication .. 
apart from the info that's exchanged?


- Kristoffer Milligan

On 08/26/2010 01:11 PM, Alan DeKok wrote:

Kristoffer Milligan wrote:
   

as a small test. However, %{SQL-User-Name} is an encrypted version of
the username, which of course will not match anything in my database.
 

   Ask the client PC why it's sending an encrypted user name.

   

How can I get the username in a cleartext format?
 

   Figure out how the client PC is encrypting it, and decrypt it.

   Alan DeKok.


Re: usergroup problems with separate auth and accounting databases

2010-08-26 Thread Alan DeKok
Trey Scarborough wrote:
> Yes I am aware of how it is Documented I followed the documentation but
> still is not functioning correctly.
> 
> I have a configuration that is similar to as follows

Similar is not the same.

  Perhaps you could explain in *detail* what you are trying to do with
SQL groups.  Use examples from your configuration, not invented ones.

  Alan DeKok.


Re: freeradius and syslog-ng

2010-08-26 Thread Alan DeKok
gtcoldfire wrote:
> Thanks for the replies.  I was afraid that the format of detail wouldn't
> allow syslog.  I suppose detail can be sent to mysql though, right?

  No.

> Is it possible within the radius log, where it logs successful or failed
> logins, to also include the client's IP address along with the MAC?

  Read raddb/radiusd.conf, the "log" section.

  Alan DeKok.


Re: freeradius and syslog-ng

2010-08-26 Thread gtcoldfire
Thanks for the replies.  I was afraid that the format of detail wouldn't
allow syslog.  I suppose detail can be sent to mysql though, right?

Is it possible within the radius log, where it logs successful or failed
logins, to also include the client's IP address along with the MAC?


On Thu, Aug 26, 2010 at 2:27 AM, Phil Mayers wrote:

> On 08/25/2010 09:51 PM, mack ragan wrote:
>
>> Hi,
>>
>> I have freeradius v2.0.5.  I modified the log{} section of radiusd.conf
>> to send logs to syslog-ng.  In syslog-ng, I filter them out to a log
>> collector.  This seems to be working well.  Now, I would like to get
>> detail and auth to the log collector.  Anyone know if this is possible?
>>
>
> detail files cannot be sent to syslog. It wouldn't work - they're
> multi-line records.
>
> What do you mean by "auth"?

Re: windows7 machine authentication solved

2010-08-26 Thread alois blasbichler

Hello

Thank you all for the tips - one put me in the right direction:
"keeping in mind that SSIDs ARE case sensitive."

And this was my problem - I had created a wireless LAN on the laptop
with the wrong case, so Windows ignored this one and always used the
default settings.


Also it was not a Radius problem !

Thanks and bye

luis




clients not change after doing SIGHUP

2010-08-26 Thread John
Hi,  
We are using freeradius-2.1.8. After I modify (add/delete a client) our 
clients.conf, I send SIGHUP to the radiusd process. But it does not take 
effect.  I need to restart the radiusd process.   Please give me some advice, 
thanks.
 
John



Re: Cleartext username

2010-08-26 Thread Alan DeKok
Kristoffer Milligan wrote:
> as a small test. However, %{SQL-User-Name} is an encrypted version of
> the username, which of course will not match anything in my database.

  Ask the client PC why it's sending an encrypted user name.

> How can I get the username in a cleartext format?

  Figure out how the client PC is encrypting it, and decrypt it.

  Alan DeKok.


Re: CA_file vs. CA_path

2010-08-26 Thread Alan DeKok
David Mitchell wrote:
> I now have 2.1.10 compiled and running. It seems to work fine. I did
> have to make one change to my configuration. I had been using CA_path to
> refer to the certificates which can authenticate clients for EAP-TLS
> authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I
> specify a single file via CA_file that works fine. I can manage either
> way I think since the file referenced in CA_file can contain multiple
> certificates. I did verify that I had run 'c_rehash' in my CA_path
> directory. I'm not sure why CA_path doesn't work since the OpenSSL docs
> indicate that they are largely interchangable. Is it an intentional
> change?

  Nope.  It's not an intentional change.  I don't know why it would be
different.

  Alan DeKok.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 3:49 PM, Fajar A. Nugraha  wrote:
> Using this setup I simply have to select the wifi network name on
> iphone, enter username & password, and accept the certificate warning.

Scratch that. Perhaps it's because I had connected to the network
previously that it was asking username & password.

When configuring new network you need to manually specify that you
want "WPA2 Enterprise". On wireless network list, choose other, type
your SSID name, choose "WPA2 Enterprise" security, and then you can
input username and password.

-- 
Fajar


Re: RADIUS reading LDAP attributes

2010-08-26 Thread Alan DeKok
Sigurd Foshaug wrote:
> I have added the My-Local-LDAP-Comment into the raddb/dictionary file
> like this:
> 
> ATTRIBUTE   My-Local-LDAP-Comment   3000string
...
> Now, what I am failing to understand is how I can get the proxy server
> to receive the My-Local-LDAP-Comment attribute from RADIUS,

  Read the comments in the dictionary file that you edited.  They
explain why that attribute is not being placed in a RADIUS packet.

> Any suggestions on what to do, or which documentation to read would be
> appreciated.

$ man dictionary

  This is documented.

  Alan DeKok.


Re: Getting "Access-Reject" when using radtest

2010-08-26 Thread Alan DeKok
kartik dadwal wrote:
> OS: Ubuntu 9.10
> Freeradius 2.1.0 (Installed using synaptic packet manager)

> On the server terminal:
> r...@kartik-laptop:/etc/freeradius# *radiusd -X*

  I would suggest reading the debug output.  The answer to your question
is in there.

  Also, try pasting the debug output into this form:

http://networkradius.com/freeradius.html

  And look for the highlighted text.

  Alan DeKok.
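The radtest run in this thread, as an added worked example that is not code from the thread or from FreeRADIUS itself: it encodes the Access-Request that "radtest testing password 127.0.0.1 0 testing123" sends (id 248, User-Name "testing", User-Password "password", NAS-IP-Address 127.0.1.1, NAS-Port 0) and checks a 20-byte Access-Reject the way RFC 2865 specifies. The packet bytes and the fixed 16-byte Request Authenticator are constructed here for reproducibility; radtest draws the authenticator at random.

```python
"""
Constructed example (not code from the thread or from FreeRADIUS):
the packets behind `radtest testing password 127.0.0.1 0 testing123`,
encoded and checked as RFC 2865 specifies.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

SECRET = b"testing123"            # the shared secret passed to radtest
REQUEST_AUTH = bytes(range(16))   # constructed, fixed for reproducibility


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator instead of a previous block."""
    n = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + chunk, chunk
    return out


def recover_password(hidden, secret, authenticator):
    """Server side of the same transform.  With the wrong secret this
    yields garbage, so the server cannot match the password and rejects."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header, refusing malformed lengths."""
    attrs, pos, end = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(ident, user, password, nas_ip, nas_port, secret, auth):
    attrs = attribute(USER_NAME, user.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password.encode(), secret, auth))
    attrs += attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attribute(NAS_PORT, struct.pack("!I", nas_port))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server reply.  ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    A bare Access-Reject is exactly 20 bytes, as in the radtest output above."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response, request_auth, secret):
    """Client-side check before trusting a reply: recompute the Response
    Authenticator and compare in constant time.  A reply that fails this
    check was not produced with our shared secret and must be discarded."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange():
    """The thread's run: id 248, user 'testing', NAS-IP 127.0.1.1, port 0,
    answered by a 20-byte Access-Reject carrying no attributes."""
    req = build_access_request(248, "testing", "password", "127.0.1.1", 0, SECRET, REQUEST_AUTH)
    reject = build_reply(ACCESS_REJECT, 248, REQUEST_AUTH, SECRET)
    return req, reject


if __name__ == "__main__":
    req, reject = exchange()
    print("request %d bytes, attributes %r" % (len(req), parse_attributes(req)))
    print("reject %d bytes, authentic: %s" % (len(reject), response_is_authentic(reject, REQUEST_AUTH, SECRET)))
```

The point for reading the debug output: a 20-byte Access-Reject whose Response Authenticator verifies against the request proves the server holds the same shared secret and rejected on policy (unknown user, wrong password, no matching authorize entry), so the reason is in radiusd -X, not in the transport. If the secret differs, the server still answers but the reply fails the check in response_is_authentic; if the client is missing from clients.conf the server does not answer at all.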


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan DeKok
rrperez wrote:
> I tested also an iPhone 2G to my server, but it still uses MS-CHAPv2 even
> though I configured my server to do TTLS-PAP.

  The client chooses the authentication method.

  Go fix the client.

  Alan DeKok.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 4:59 PM, rrperez  wrote:
>
> Thanks for the response Fajar,
>
> Regarding your configuration: when I configured mine, my computers are now
> unable to connect; my computer clients are not asked for their username and
> password, and the server uses the computer name instead.

Which part did you change? If you completely disable TTLS (like I
did), and your clients are still configured to do TTLS/PAP, then they
wouldn't be able to connect.

You should start by disabling MSCHAPv2 on eap.conf first, and see if
iphone can connect (just in case it can support TTLS/PAP).

To be honest, after reading the comment in eap.conf, I'm not sure how
you can use EAP-GTC and TTLS/PAP simultaneously. Perhaps Alan can
answer this.

#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan, 

>you can kludge this by using EAP-GTC but then you get request for password
>all the time - as the device is expecting it to be a one time token...

when I configured my server like what Fajar posted, it doesn't ask for
username and password anymore. I'm quite confused now with the EAP-GTC
configuration.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan, 

>you can kludge this by using EAP-GTC but then you get request for password
>all the time - as the device is expecting it to be a one time token...

when I configured my server like what Fajar posted, it doesn't ask for
username and password anymore. I'm quite confused now.


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

Regarding your configuration: when I configured mine, my computers are now
unable to connect; my computer clients are not asked for their username and
password, and the server uses the computer name instead.




Cleartext username

2010-08-26 Thread Kristoffer Milligan

Hello list,

I am currently using FreeRADIUS as my AAA server for a WiMAX network. 
Authentication is working perfectly, and the server is performing well. 
As part of my infrastructure-design I need to be able to forcibly kick 
users off the radiolink. As far as I have understood, this needs to be 
done using CoA/Disconnect-Request packets forged to match the NAS 
requirement.


So far, so good.

I have set up this query in my accounting section:
if ("%{sql:SELECT value FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 'Acct-Logout-Now'}") {
	update disconnect {
		Reply-Message = "You have been closed."
	}
}
as a small test. However, %{SQL-User-Name} is an encrypted version of 
the username, which of course will not match anything in my database.


Thu Aug 26 11:16:42 2010 : Info: (2) expand: SELECT value FROM 
radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 
'Acct-Logout-Now' -> SELECT value FROM radcheck WHERE UserName = 
'=8Ham=3D1=7A62345d3c567f85678749f233ebe4577fbad' and attribute = 
'Acct-Logout-Now'

Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Thu Aug 26 11:16:42 2010 : Info: (2) SQL query did not return any results
Thu Aug 26 11:16:42 2010 : Debug: rlm_sql (sql): Released sql socket id: 0
Thu Aug 26 11:16:42 2010 : Info: (2) expand: %{sql:SELECT value FROM 
radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 
'Acct-Logout-Now'} ->
Thu Aug 26 11:16:42 2010 : Info: (2) ? Evaluating ("%{sql:SELECT value 
FROM radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 
'Acct-Logout-Now'}") -> FALSE
Thu Aug 26 11:16:42 2010 : Info: (2) ++? if ("%{sql:SELECT value FROM 
radcheck WHERE UserName = '%{SQL-User-Name}' and attribute = 
'Acct-Logout-Now'}") -> FALSE


How can I get the username in a cleartext format?

Thanks in advance,

- Kristoffer Milligan


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan Buxey
Hi,

> > I tested also an iPhone 2G to my server, but it still uses MS-CHAPv2 even
> > though I configured my server to do TTLS-PAP.

if the device can do TTLS/MSCHAPv2 then it'll do that. if the device
can't do EAP-TTLS/PAP (and many don't) then there's nothing you can do on
the server to change that.

i.e. the client needs to be capable and configured correctly


alan


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan Buxey
Hi,

> yes i do use EAP-TTLS/PAP, so does that mean that configuration should be done
> on the mobile devices and not on the server?

some devices, e.g. Symbian Nokias, won't do EAP-TTLS/PAP (iirc it's all of them) -
you can kludge this by using EAP-GTC but then you get a request for a password
all the time - as the device is expecting it to be a one-time token...

there is nothing more you can do on the server

alan


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 3:24 PM, rrperez  wrote:
>>For example, iphone (from Apple's docs) supports EAP-TLS, EAP-TTLS,
>>EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.  I've tried it with
>>PEAP-GTC, and it works, so you might want to try EAP-TTLS/PAP and see
>>how it goes. If it doesn't, they try other methods.
>
> I tested also an iPhone 2G to my server, but it still uses MS-CHAPv2 even
> though I configured my server to do TTLS-PAP.

That's odd. Did you already disable EAP/MS-CHAP on eap.conf (since you
can't use it anyway with your setup)?
In my eap.conf, I have (most important parts only)

eap {
	default_eap_type = peap
	gtc {
		# back then it was needed to specify this, not sure about now
		auth_type = LDAP
	}
	peap {
		default_eap_type = gtc
	}
}

other lines not shown there (like the TLS part) should be left as they are,
but I specifically comment out all mschapv2 and TTLS entries. In your
case you might want to start by simply commenting out the mschapv2 entry in
eap.conf.

Using this setup I simply have to select the wifi network name on
iphone, enter username & password, and accept the certificate warning.

You could also contact Apple support and ask if they support TTLS-PAP.

-- 
Fajar



Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Fajar,

>Are you still authenticating against Lotus Domino LDAP?

Yes, I still do.

>Basically to get an authentication method to work, the device needs to
>be configured to use it, and the server needs to support it. So you
>need to have a method that's supported by both device and server. It's
>easy enough to configure the server to support multiple methods, but
>if you're still authenticating against Lotus Domino LDAP, you might
>want to enable only TTLS-PAP and PEAP-GTC.

I'm quite aware now about this, thanks to your hints from my previous posts.
I configure my server to do the two eap methods (TTLS-PAP/PEAP-GTC) and
supported my computer clients with supplicant (secureW2). So now I'm trying
to do authentication for wifi mobile phones.

>For example, iphone (from Apple's docs) supports EAP-TLS, EAP-TTLS,
>EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.  I've tried it with
>PEAP-GTC, and it works, so you might want to try EAP-TTLS/PAP and see
>how it goes. If it doesn't, they try other methods.

I tested also an iPhone 2G to my server, but it still uses MS-CHAPv2 even
though I configured my server to do TTLS-PAP.



Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Fajar A. Nugraha
On Thu, Aug 26, 2010 at 2:53 PM, rrperez  wrote:
>
> Thanks for the response Alan,
>
>>if using eg EAP-TTLS/PAP then you would have issues - some phones wont do
> that method natively
>
> yes i do use EAP-TTLS/PAP, so does that mean that configuration should be done
> on the mobile devices and not on the server?

Are you still authenticating against Lotus Domino LDAP?

Basically to get an authentication method to work, the device needs to
be configured to use it, and the server needs to support it. So you
need to have a method that's supported by both device and server. It's
easy enough to configure the server to support multiple methods, but
if you're still authenticating against Lotus Domino LDAP, you might
want to enable only TTLS-PAP and PEAP-GTC.

For example, iphone (from Apple's docs) supports EAP-TLS, EAP-TTLS,
EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.  I've tried it with
PEAP-GTC, and it works, so you might want to try EAP-TTLS/PAP and see
how it goes. If it doesn't, they try other methods.

-- 
Fajar


Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread rrperez

Thanks for the response Alan,

>if using eg EAP-TTLS/PAP then you would have issues - some phones wont do
that method natively

yes i do use EAP-TTLS/PAP, so does that mean that configuration should be done
on the mobile devices and not on the server?





RADIUS reading LDAP attributes

2010-08-26 Thread Sigurd Foshaug
Hi all,

I have a freeradius 2.1.3 running and I can successfully authenticate users.

I would like to use a user's LDAP attribute so I can provide them with
different permissions on the proxy server.
I have currently mapped a RADIUS attribute to the LDAP attribute and it
successfully reads the attribute when a user is authenticating.

From radiusd -X:

rlm_ldap: description -> My-Local-LDAP-Comment = "STAFF"

So the user in question has STAFF as a comment in his ldap description
attribute.

I have added the My-Local-LDAP-Comment into the raddb/dictionary file like
this:

ATTRIBUTE   My-Local-LDAP-Comment   3000string

and in the raddb/ldap.attrmap I have added:

replyItem   My-Local-LDAP-Comment   description


Now, what I am failing to understand is how I can get the proxy server to
receive the My-Local-LDAP-Comment attribute from RADIUS,
so I can make rules depending on its contents?

Any suggestions on what to do, or which documentation to read would be
appreciated.

Thanks,
Sigurd

Getting "Access-Reject" when using radtest

2010-08-26 Thread kartik dadwal
Hi,

OS: Ubuntu 9.10
Freeradius 2.1.0 (Installed using synaptic packet manager)

I have installed FreeRadius server and now I am testing it with the
r...@kartik-laptop:/usr/local/etc/raddb# *radtest testing password 127.0.0.1
0 testing123*
OUTPUT:
Sending Access-Request of id 248 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=248,
length=20


===

On the server terminal:
r...@kartik-laptop:/etc/freeradius# *radiusd -X*
FreeRADIUS Version 2.1.0, for host i686-pc-linux-gnu, built on Aug 17 2010
at 22:33:30
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client 

Re: Wifi-Enabled Phones + FreeRadius

2010-08-26 Thread Alan Buxey
Hi,

> Now I want to test if it is possible for me to do authentication on
> wifi-enabled phones? And also, do I need to make additional configurations
> on the server?

which method? if eg PEAP/MSCHAPv2 then there's not really anything different -
certainly no changes to the server...just configure the phone - eg iPhone,
Android or Nokia.

if using eg EAP-TTLS/PAP then you would have issues - some phones won't do that
method natively

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius and syslog-ng

2010-08-26 Thread Alan DeKok
mack ragan wrote:
> Hi,
> 
> I have freeradius v2.0.5.  I modified the log{} section of radiusd.conf
> to send logs to syslog-ng.  In syslog-ng, I filter them out to a log
> collector.  This seems to be working well.  Now, I would like to get
> detail and auth to the log collector.  Anyone know if this is possible?

  No.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_perl multiple attributes in rad_reply was: Adding Multiple Cisco-AVPairs using rlm_perl

2010-08-26 Thread Bjørn Mork
Boian Jordanov  writes:
> On Aug 22, 2010, at 3:06 PM, Alexander Kubatkin wrote:
>
>>> In the message of Sunday, 22 August 2010 10:48:56, Alan DeKok wrote:
>>>> Alexander Kubatkin wrote:
>>>>> This isn't working, I'm trying to put 2 dns-servers in dhcp configuration
>>>>> like this:
>>>>> $RAD_REPLY{'DHCP-Domain-Name-Server'} = ["$ns1","$ns2"] ;
>
> To return multiple items you have to use array ref.
>
> Try this way. 
>
> $data[0] = "nameserver_1";
> $data[1] = "nameserver_2";
>
> $data[2] = "nameserver_3";
>
> $data[3] = "nameserver_x";
>
>
> $RAD_REPLY{'DHCP-Domain-Name-Server'} = \@data;

Which should be equivalent to doing

$RAD_REPLY{'DHCP-Domain-Name-Server'} = ["nameserver_1", 
 "nameserver_2",
 "nameserver_3",
 "nameserver_x"];

so I don't think that's the problem. 

But we are all guessing, since we haven't yet seen the actual debug
output from FreeRADIUS, only selected bits and pieces of the non-working
end result.  

Since we *know* that FreeRADIUS and rlm_perl work when configured
correctly, we can deduce that there is "something" wrong with the
configuration.  I believe that's the best we can do, given the input
available to us.



Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
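Bjørn's point above, that `\@data` and `[ ... ]` both hand rlm_perl an array reference and are therefore equivalent, can be checked with plain perl before the script ever goes near the server. The following is an added example, not code from this thread or from the FreeRADIUS project. It assumes the FreeRADIUS 2.x rlm_perl conventions (`%RAD_REQUEST` and `%RAD_REPLY` as package globals, the numeric return codes from the module's shipped example.pl) and invents a `lookup_nameservers` helper and the choice of the `authorize` hook; which hook a given virtual-server section calls depends on your configuration.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: how a multi-valued reply
# attribute is represented for rlm_perl. Assumptions: FreeRADIUS 2.x rlm_perl
# globals, return codes from the module's example.pl, and the
# DHCP-Domain-Name-Server attribute from the server's DHCP dictionary.
use strict;
use warnings;

# Return codes rlm_perl expects (values from the shipped example.pl).
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_UPDATED => 8;

# rlm_perl fills these as package globals; they must be 'our', not 'my'.
our (%RAD_REQUEST, %RAD_REPLY);

# Hook called from the virtual server. 'authorize' is assumed here; use
# whichever hook your server section actually invokes.
sub authorize {
    my @nameservers = lookup_nameservers($RAD_REQUEST{'User-Name'});
    set_reply_list('DHCP-Domain-Name-Server', @nameservers);
    return RLM_MODULE_UPDATED;
}

# Hypothetical lookup; a real deployment would consult a database.
sub lookup_nameservers {
    my ($user) = @_;
    return ('192.0.2.53', '192.0.2.54');
}

# One value goes in as a plain scalar, several as an array reference.
# Both '[ @list ]' and '\@list' yield an array ref, which is why the two
# spellings discussed in the thread are equivalent; the anonymous-array form
# copies the values, so later changes to @values do not leak into the reply.
sub set_reply_list {
    my ($attr, @values) = @_;
    if (@values == 1) {
        $RAD_REPLY{$attr} = $values[0];
    } else {
        $RAD_REPLY{$attr} = [ @values ];
    }
    return scalar @values;
}

# Render %RAD_REPLY one attribute/value pair per line, the way the server's
# debug output lists them; handy for checking a script outside the server.
sub reply_lines {
    my @lines;
    for my $attr (sort keys %RAD_REPLY) {
        my $v = $RAD_REPLY{$attr};
        my @vals = ref $v eq 'ARRAY' ? @$v : ($v);
        push @lines, "$attr = $_" for @vals;
    }
    return @lines;
}

# Stand-alone run: simulate what rlm_perl would do with a request.
unless (caller) {
    %RAD_REQUEST = ('User-Name' => 'alexander');
    authorize();
    print "$_\n" for reply_lines();
}
```

Running this directly prints two `DHCP-Domain-Name-Server = ...` lines; if a script built this way still yields a single value in the server, the problem is in the module configuration or the hook being called, not in how the list is built, which is the conclusion Bjørn draws above.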