ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Hi all,

I am trying to configure FreeRadius 2.2.0. I am trying to test with the radtest utility. However, when I run radtest on my radiusd server, I get the following error: "ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user". I know this is some issue with the authentication part. However, I have not been able to pinpoint the problem. Also, I haven't been able to find any relevant solutions on the web.

I have just untarred the 2.2.0 tarball, and added just one line to the users file:

gokul Cleartext-Password:="abcde"

Below is the output on the server and the client side:

Server:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47080, id=238, length=75
        User-Name = "gokul"
        User-Password = "abcde"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0xf92ae1fda2ea8f435d95c4a7294e1e55
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "gokul", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> gokul
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 238 to 127.0.0.1 port 47080
Waking up in 4.9 seconds.
Cleaning up request 0 ID 238 with timestamp +19
Ready to process requests.

Client:

shravan@ubuntu:~/freeradius-server-2.2.0/raddb$ sudo radtest gokul abcde localhost 0 testing123
[sudo] password for shravan:
Sending Access-Request of id 238 to 127.0.0.1 port 1812
        User-Name = "gokul"
        User-Password = "abcde"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=238, length=20
shravan@ubuntu:~/freeradius-server-2.2.0/raddb$

This is my first attempt at using FreeRadius, so please let me know if I have made any rookie mistakes. :)

Thanks in advance.
Shravan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
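The trace above says exactly why the reject happened: no module in authorize set Auth-Type, because files matched no entry and pap therefore had no "known good" password to work with. The following is an added example (not from the post or the FreeRADIUS project) that parses the "++[module] returns rc" lines of a radiusd -X authorize section and turns them into that diagnosis; the trace text is constructed from the post, and the list of Auth-Type-setting modules is an assumption for FreeRADIUS 2.x defaults.

```python
"""Diagnose a FreeRADIUS 2.x "No authenticate method (Auth-Type) found"
reject from a radiusd -X trace (added example, not project code)."""
import re

# Constructed sample: the authorize section of the debug trace from the post.
SAMPLE_TRACE = """\
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "gokul", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
"""

# "++[module] returns rc" lines; the module name may contain dots (attr_filter.access_reject).
MODULE_RC = re.compile(r"^\+\+\[(?P<module>[\w.-]+)\] returns (?P<rc>\w+)$")

# Assumption: the default 2.x authorize modules that set Auth-Type when they
# find their attributes (CHAP-Password, EAP-Message, a known-good password ...).
# They return "updated"/"ok" in that case and "noop" otherwise.
AUTH_SETTERS = {"pap", "chap", "mschap", "eap", "digest"}


def parse_returns(trace):
    """Return an ordered list of (module, rc) pairs from the trace."""
    out = []
    for line in trace.splitlines():
        m = MODULE_RC.match(line.strip())
        if m:
            out.append((m.group("module"), m.group("rc")))
    return out


def diagnose(trace):
    """Explain why the request was rejected, based only on what the trace shows."""
    returns = parse_returns(trace)
    rcs = dict(returns)  # last return code per module
    auth_type_set = any(rcs.get(mod) in ("ok", "updated") for mod in AUTH_SETTERS)
    findings = []
    if "No authenticate method" in trace and not auth_type_set:
        findings.append("no authorize module set Auth-Type, so authenticate had nothing to run")
    if rcs.get("files") == "noop":
        # With a one-line users file this means the entry for User-Name was
        # not matched, or the users file edited is not the one the running
        # server loads (the trace shows its raddb directory).
        findings.append("files returned noop: no users-file entry matched User-Name")
    if 'No "known good" password' in trace:
        findings.append("pap found no Cleartext-Password in the control list, so it stayed noop")
    return {"returns": returns, "auth_type_set": auth_type_set, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE)["findings"]:
        print("-", finding)
```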
RE: help with DHCP server functionality
OK, that solved my dilemma of no Pool-Name defined, thanks!

What are other operators doing to determine the appropriate pool? Should there be some unlang in policy.conf to update the control to the appropriate name? Or perhaps an SQL function?

Thanks,
Duane

-----Original Message-----
From: freeradius-users-bounces+duanecox=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+duanecox=gmail@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: Thursday, November 01, 2012 4:58 PM
To: FreeRadius users mailing list
Subject: Re: help with DHCP server functionality

On Fri, Nov 2, 2012 at 3:19 AM, Duane Cox wrote:
> List:
>
> Hello. I have been working on this for a few days and have turned
> here for help.
>
> The server is listening on port 67 and when a DHCP packet comes in the
> server processes it, but in debug mode it gives an error "No Pool-Name
> defined".
>
> I have done some reading and I have added the following to the users
> file (for testing purposes).
>
> DEFAULT Pool-Name := main_pool
>         Fall-Through = Yes
>
> This doesn't seem to define the Pool-Name nor do I see where the
> server is processing any sql queries to determine the Pool-Name either.
>
> Am I mistaken? I thought that I could get a DHCP packet to be
> received/processed by the server and hand out a response.

My policy.conf has this:

#
#  Assign compatibility data to request for sqlippool
dhcp_sqlippool.post-auth {
        # Do some minor hacks to the request so that it looks
        # like a RADIUS request to the SQL IP Pool module.
        update control {
                Pool-Name = "DHCP-default"
        }
        update request {
        # ...

and my sites-available/dhcp has additional instructions:

#
#  * Create sqlippool table, if you haven't done so already.
#  * Import the schema (see sql/mysql/ipool.sql).
#  * Populate the records. At minimum each row must have
#    Framed-IP-Address and Pool-Name = 'DHCP-default' (or whatever
#    you set 'Pool-Name' to on policy.conf).
#  * If you want to use static IP allocation, create a row on
#    radippol table with 'callingstationid' set to client's MAC
#    address (e.g. '00:16:3E:02:15:6B') and expiry time far in the
#    future (e.g. '3000-01-01 00:00:00').
#

Try updating your policy.conf and follow that instruction. If that works for you, I'll probably send a git pull request to update instructions in the included config files.

--
Fajar
Re: accounting data
My fault, this message wasn't finished, I will continue here:

On Fri, Nov 9, 2012 at 1:09 PM, Periko Support wrote:
> Hi.
>
> Centos 5.x
> FreeRadius 2.1.1.
>
> I'm reading the book FreeRADIUS Beginner's Guide chapter 6: accounting.
>
> Page 139.
>
> Amount of Time.
>
> I have followed the book, would like to setup my freeradius and be
> able to manage users time per day.
>
> Following the book, it says that to test we better setup 3 files:
>
> start session
> stop session
>
> Make some changes to freeradius config files.
>
> Now, with these things ready, I follow the steps to see how it works:
>
> step 7) auth user.
> step 8) send an accounting start request. wait 30 seconds or more, send an accounting stop request.

step 9) auth the user again.

The session time out will be 1800-30=1770.

This works, but I would like to understand. I can try those steps a lot of times and every time it gives me the same result: 1770. Isn't it supposed that every time I run the same steps the counter must be lower?

If I run the start session and wait 2 minutes, the same behavior: it gives me 1770.

This software is new for me but I want to understand this, thanks!!!

file: 4088_06_acct_start.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-0098"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = "alice"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"

File: 4088_06_acct_stop.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-0098"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = "alice"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Acct-Session-Time = 30
Acct-Input-Packets = 25
Acct-Output-Packets = 7
Acct-Input-Octets = 3407
Acct-Output-Octets = 867
Acct-Terminate-Cause = User-Request

Thanks!!!
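The constant 1770 can be reproduced with the following added example (not from the book, the post, or FreeRADIUS): it models an accounting store keyed on Acct-Session-Id, so a replayed Stop for the same session id and the hard-coded Acct-Session-Time = 30 from the stop file is counted once however long the real wait was, and a counter that sets Session-Timeout to the allowance minus the seconds used. The 1800-second allowance and the extra session ids used for comparison are assumptions.

```python
"""Model of a per-user time counter fed by replayed Start/Stop accounting
files (added example, not FreeRADIUS code)."""

# Assumption: the daily allowance implied by 1800-30=1770 in the post.
MAX_SECONDS = 1800


class AcctStore:
    """Sessions keyed by (user, Acct-Session-Id): Start inserts, Stop updates
    the same row, the way the radacct queries and rlm_counter's duplicate
    check treat a session identifier they have already seen."""

    def __init__(self):
        self.sessions = {}

    def start(self, user, session_id):
        self.sessions.setdefault((user, session_id), 0)

    def stop(self, user, session_id, acct_session_time):
        # Acct-Session-Time is whatever the Stop packet carries (30 in the
        # replayed file); the wall-clock gap between Start and Stop is never
        # consulted, so waiting two minutes changes nothing.
        self.sessions[(user, session_id)] = acct_session_time

    def used_seconds(self, user):
        return sum(t for (u, _), t in self.sessions.items() if u == user)


def session_timeout(store, user, max_seconds=MAX_SECONDS):
    """Counter-style authorize check: remaining seconds, or None (reject)
    once the allowance is used up."""
    remaining = max_seconds - store.used_seconds(user)
    return remaining if remaining > 0 else None


def replay_same_session(store, user, session_id, acct_session_time, times):
    """Steps 7-9 of the post repeated with the unchanged files."""
    results = []
    for _ in range(times):
        store.start(user, session_id)
        store.stop(user, session_id, acct_session_time)
        results.append(session_timeout(store, user))
    return results


def replay_distinct_sessions(store, user, acct_session_time, times):
    """The same steps with a fresh Acct-Session-Id each round (constructed
    ids), which is what a real NAS sends and what makes the counter drop."""
    results = []
    for i in range(times):
        session_id = "4D2BB8AC-%04X" % (0x98 + i)
        store.start(user, session_id)
        store.stop(user, session_id, acct_session_time)
        results.append(session_timeout(store, user))
    return results


if __name__ == "__main__":
    print(replay_same_session(AcctStore(), "alice", "4D2BB8AC-0098", 30, 3))
    print(replay_distinct_sessions(AcctStore(), "alice", 30, 3))
```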
Re: Best way to capture RADIUS passwords
On 9 Nov 2012, at 20:09, Steven Staples wrote:

>> Subject: Best way to capture RADIUS passwords
>>
>> I am migrating from one RADIUS setup that checks against a flat file with
>> usernames and passwords inside it, over to a RADIUS server with an LDAP
>> backend. I have used JTR to crack most of the passwords but I still have
>> some left over that JTR can't crack.
>>
>> I was thinking of trying to run a packet capture to get the remaining
>> usernames and passwords. What would be the best way to do this? Run RADIUS
>> in debug mode Radius -X? Or try to use tcpdump and pick it up that way or
>> is it even possible to do? I have been trolling the internet for a few
>> days and have not come up with a good way to do it.
>>
>> I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w
>> rad-capture.lpc), but when I check it out with wireshark I am unable to
>> see the password (just the username). Am I going about this the wrong way?
>>
>
> You can use the radpostauth and mysql... that will give you
> username/passwords of connected, and failed connect attempts.

post-auth {
        update request {
                Tmp-String-1 := `echo "%{User-Password}" >> /tmp/passwords`
        }
}

Provided you're doing PAP (as your copy of the passwords are hashed I'm guessing you are).

The reason why you don't see them in TCP dump is because the passwords are also reversibly encrypted in the RADIUS packet.

Also, you know OpenLDAP can use a bunch of different types of password hashes right? As in, it will even use them for validating authenticated binds. You just add the right header onto the password string... You probably don't even need to be cracking them.

-Arran
LDAP group child domain
Hi,

I'm in an Active Directory domain with a child domain: tata as my primary, and toto as my child domain. I'm doing authorization based on LDAP group. My users connect to freeradius using 802.1x and PEAP. Using mschap and ntlm this is working great.

Now I want to give users access or radius attributes based on their Active Directory group. I was able to do this using the LDAP module and the users file.

The problem I am having now is: if I have a user group with the same name in my primary domain (tata) and in my child domain (toto.tata), freeradius does not seem to see the difference (for example the Domain Users group).

In the users file my LDAP policy looks like that:

DEFAULT Ldap-Group == "groupname"

What I would like to do is write it like that:

DEFAULT Ldap-Group == "cn=groupname, ou=OUofGroup, dc=toto, dc=tata"

I'm pretty sure I have to work with those config items in ldap:

groupname_attribute
groupmembership_filter
groupmembership_attribute

Right now they are like that:

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf

If anyone has some insight on how to solve this problem, I would greatly appreciate it.

Thank you,
Yann
Re: Aliased IPs
On Fri, Nov 9, 2012 at 12:47 PM, Phil Mayers wrote:
> James Devine wrote:
>
> >I have a freeradius server which has multiple IPs aliased on the same
> >interface. This works if I specify each IP explicitly in its own
> >listen {
> >} section but if I try to listen on * all responses are sent from the
> >same
> >IP regardless of which IP the request was received on.
>
> Yes. Don't do this. List each ip
>
> Or, look at udpfromto as an argument to ./configure
> --
> Sent from my phone. Please excuse brevity and typos.

the --with-udpfromto configure option worked, thanks
RE: Best way to capture RADIUS passwords
> Subject: Best way to capture RADIUS passwords
>
> I am migrating from one RADIUS setup that checks against a flat file with
> usernames and passwords inside it, over to a RADIUS server with an LDAP
> backend. I have used JTR to crack most of the passwords but I still have
> some left over that JTR can't crack.
>
> I was thinking of trying to run a packet capture to get the remaining
> usernames and passwords. What would be the best way to do this? Run RADIUS
> in debug mode Radius -X? Or try to use tcpdump and pick it up that way or
> is it even possible to do? I have been trolling the internet for a few days
> and have not come up with a good way to do it.
>
> I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w
> rad-capture.lpc), but when I check it out with wireshark I am unable to
> see the password (just the username). Am I going about this the wrong way?
>

You can use the radpostauth and mysql... that will give you username/passwords of connected, and failed connect attempts.
RE: Best way to capture RADIUS passwords
> Am I going about this the wrong way?

Yes, yes you are.

#1) You will REALLY want to check your local laws, you may have just committed from a class B misdemeanor to a class C felony. Here is a link for states in the US: http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws

#2) It is almost always simpler to get the user to reset their password

#3) A tcp dump will not give you all the info you need to crack a PW depending on the encryption method in use.

To summarize: Don't crack users' passwords without the backing of a bunch of high paid lawyers and a metric ton of signed notarized paperwork saying that the parties involved have given you specific permission to do so.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Chris Taylor
Sent: Friday, November 9, 2012 1:37 PM
To: freeradius-users@lists.freeradius.org
Subject: Best way to capture RADIUS passwords

I am migrating from one RADIUS setup that checks against a flat file with usernames and passwords inside it, over to a RADIUS server with an LDAP backend. I have used JTR to crack most of the passwords but I still have some left over that JTR can't crack.

I was thinking of trying to run a packet capture to get the remaining usernames and passwords. What would be the best way to do this? Run RADIUS in debug mode Radius -X? Or try to use tcpdump and pick it up that way or is it even possible to do? I have been trolling the internet for a few days and have not come up with a good way to do it.

I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w rad-capture.lpc), but when I check it out with wireshark I am unable to see the password (just the username). Am I going about this the wrong way?

Thanks,
Chris
Re: Aliased IPs
James Devine wrote:
>I have a freeradius server which has multiple IPs aliased on the same
>interface. This works if I specify each IP explicitly in its own
>listen {
>} section but if I try to listen on * all responses are sent from the
>same
>IP regardless of which IP the request was received on.

Yes. Don't do this. List each ip

Or, look at udpfromto as an argument to ./configure
--
Sent from my phone. Please excuse brevity and typos.
Re: Dynamic IP Allocation
Please disregard this thread. I have solved my problem. Setup (as you probably guessed) mistake.

Bill

On 11/9/2012 1:20 PM, Bill Schoolfield wrote:

Any help on this? I have deleted the db.ippool and db.ipindex files, restarted the server... But I get the same result. Different ip but from a private address range.

Bill

On 11/9/2012 12:31 PM, Bill Schoolfield wrote:

Hi

I'm trying to get dynamic ip allocation working. I ran a test via radtest:

[root@freerad raddb]# radtest billtest2 "this#x7g" localhost 0 mysecret
Sending Access-Request of id 53 to 192.168.111.55 port 1812
        User-Name = "billtest2"
        User-Password = "this#x7g"
        NAS-IP-Address = 192.168.111.55
        NAS-Port = 0
        Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 192.168.111.55 port 1812, id=53, length=32
        Framed-IP-Address = 192.168.1.215
        Framed-IP-Netmask = 255.255.255.0

and I'm getting an IP that's not from my pool. Here is the pertinent section in radiusd.conf:

ippool main_pool {
        range-start = 204.101.13.2
        range-stop = 204.101.13.252
        netmask = 255.255.255.0
}

which is within the modules section. Database wise the billtest2 user is a user that belongs to a group linked to this pool. The default site file has this pool in the post auth section.

Below is the radius log. What am I missing?

Bill

/usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Mar 25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Best way to capture RADIUS passwords
I am migrating from one RADIUS setup that checks against a flat file with usernames and passwords inside it, over to a RADIUS server with an LDAP backend. I have used JTR to crack most of the passwords but I still have some left over that JTR can't crack.

I was thinking of trying to run a packet capture to get the remaining usernames and passwords. What would be the best way to do this? Run RADIUS in debug mode Radius -X? Or try to use tcpdump and pick it up that way or is it even possible to do? I have been trolling the internet for a few days and have not come up with a good way to do it.

I setup tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w rad-capture.lpc), but when I check it out with wireshark I am unable to see the password (just the username). Am I going about this the wrong way?

Thanks,
Chris
Re: Dynamic IP Allocation
Any help on this? I have deleted the db.ippool and db.ipindex files, restarted the server... But I get the same result. Different ip but from a private address range.

Bill

On 11/9/2012 12:31 PM, Bill Schoolfield wrote:

Hi

I'm trying to get dynamic ip allocation working. I ran a test via radtest:

[root@freerad raddb]# radtest billtest2 "this#x7g" localhost 0 mysecret
Sending Access-Request of id 53 to 192.168.111.55 port 1812
        User-Name = "billtest2"
        User-Password = "this#x7g"
        NAS-IP-Address = 192.168.111.55
        NAS-Port = 0
        Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 192.168.111.55 port 1812, id=53, length=32
        Framed-IP-Address = 192.168.1.215
        Framed-IP-Netmask = 255.255.255.0

and I'm getting an IP that's not from my pool. Here is the pertinent section in radiusd.conf:

ippool main_pool {
        range-start = 204.101.13.2
        range-stop = 204.101.13.252
        netmask = 255.255.255.0
}

which is within the modules section. Database wise the billtest2 user is a user that belongs to a group linked to this pool. The default site file has this pool in the post auth section.

Below is the radius log. What am I missing?

Bill

/usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Mar 25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Dynamic IP Allocation
Hi

I'm trying to get dynamic ip allocation working. I ran a test via radtest:

[root@freerad raddb]# radtest billtest2 "this#x7g" localhost 0 mysecret
Sending Access-Request of id 53 to 192.168.111.55 port 1812
        User-Name = "billtest2"
        User-Password = "this#x7g"
        NAS-IP-Address = 192.168.111.55
        NAS-Port = 0
        Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 192.168.111.55 port 1812, id=53, length=32
        Framed-IP-Address = 192.168.1.215
        Framed-IP-Netmask = 255.255.255.0

and I'm getting an IP that's not from my pool. Here is the pertinent section in radiusd.conf:

ippool main_pool {
        range-start = 204.101.13.2
        range-stop = 204.101.13.252
        netmask = 255.255.255.0
}

which is within the modules section. Database wise the billtest2 user is a user that belongs to a group linked to this pool. The default site file has this pool in the post auth section.

Below is the radius log. What am I missing?

Bill

/usr/sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Mar 25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
RE: Concatenating/inserting strings with backslashes
> Brian Candler wrote
> > try:
> >
> > if (%{reply:Reply-Message} =~ /(.*)/) {
> >   update reply {
> >     Reply-Message = "stuff %{1}"
> >   }
> > }
>
> Nice idea, but it appears to suffer the same expansion problem.
>
> As you have written it gives this error:
>
> Bare %{...} is invalid in condition at: %{reply:Reply-Message} =~ /(.*)/)
>
> Adding the double quotes:

Oh right. I usually do this with e.g. User-Name without having to specify the attribute list explicitly; I forget whether the syntax works to do that with a raw variable. I know outer.VarName works raw, so maybe just reply:Reply-Message without the braces or quotes?
Aliased IPs
I have a freeradius server which has multiple IPs aliased on the same interface. This works if I specify each IP explicitly in its own

listen {
}

section but if I try to listen on * all responses are sent from the same IP regardless of which IP the request was received on.
Re: Concatenating/inserting strings with backslashes
> try:
>
> if (%{reply:Reply-Message} =~ /(.*)/) {
>   update reply {
>     Reply-Message = "stuff %{1}"
>   }
> }

Nice idea, but it appears to suffer the same expansion problem.

As you have written it gives this error:

Bare %{...} is invalid in condition at: %{reply:Reply-Message} =~ /(.*)/)

Adding the double quotes:

update reply {
  Reply-Message := "foo"
}
if ("%{reply:Reply-Message}" =~ /(.*)/) {
  update reply {
    Reply-Message := "%{1}nbar"
  }
}
if ("%{reply:Reply-Message}" =~ /(.*)/) {
  update reply {
    Reply-Message := "%{1}nbaz"
  }
}

This gives

foo
bar
baz

Regards,

Brian.
Re: ChilliSpot-UAM-Allowed on witch mysql table ?
OK, I got farther by solving the missing dictionary attribute. The problem is that this doesn't give what I was looking for. This attribute is only available for granted users, and I tried to solve the uamallowed issue under a DD-WRT box. I mean I want to replace the UAM allowed list embedded in DD-WRT chillispot with the one provided by the server before granting users.

On Wednesday 07 November 2012 at 00:33 +0100, yzy-oui-fi wrote:
> Oops, I meant "radcheck or radreply", but radgroupreply will be my
> choice... Thanks for your reply
>
> On Saturday 27 October 2012 at 19:05 +0100, Phil Mayers wrote:
>
> > On 10/27/2012 05:03 PM, yzy-oui-fi wrote:
> > > Hi,
> > >
> > > I just wonder if this parameter should be set on Raddact or radreply or
> > > what ever.
> >
> > Attributes you want to send go in radreply or radgroupreply, if you're
> > using groups.
> >
> > Attributes never go in radacct; radacct stores accounting info.
Re: Concatenating/inserting strings with backslashes
On 09/11/12 15:39, Brian Candler wrote:
> Here's something weird. I'm trying to concatenate some strings which contain (i.e. not a newline).

Uh oh... here be dragons!

> In a normal string literal, I have to enter four backslashes:
>
> update reply {
>   Reply-Message := "anb"
> }
>
> ("\\n" gives a newline, "\\\n" gives backslash followed by newline)

Yeah; I think there is a similar thing happening here to the regexp stuff I discussed on -devel recently.

I think what happens in the code is this:

1. lib/token.c:gettoken loads the config file and performs backslash processing on any quoted strings
2. conffile.c:cf_pairtovp loads the VP update list at config load time, and sets the "do_xlat" flag on any that are double-quoted
3. modcall.c:modcall calls radius_update_attrlist
4. evaluate.c:radius_update_attrlist checks the "do_xlat" flag on the VP, which was set at config load, and calls expand_string (which calls radius_xlat) followed by pairparsevalue.

The net effect is that:

update x {
  Foo = "an"
}

...is de-escaped many times:

* into "an" by the gettoken / config file loader
* into "an" by radius_xlat
* into "a" by pairparsevalue (on the result of radius_xlat)

This kind of thing is pretty common - exim has a similar problem. It's difficult to know what to do about it in a manner that's universally satisfactory.

One solution is to not process "\x" anywhere except loading from config files, but that's likely a very significant backwards compatibility break... you also might *want* to provide a way for people to interpret escapes again (though this can be done with an xlat e.g. "%{unescape:%{something-that-returns-backslash-n}}" == "")

Other options exist. Personally I find the existing behaviour quite surprising, but it's also something I very seldom run into, so don't worry too much about it.
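The stacked decoding Phil describes, as an added illustration that is not part of the thread and not FreeRADIUS source: one simplified backslash-decoding pass is applied per layer (two for a plain quoted value, three when the value is double-quoted and therefore flagged do_xlat), which reproduces the four- and eight-backslash counts from Brian's tests. The escape grammar (backslash-n, backslash-t, doubled backslash, backslash-quote) is an assumed stand-in for the server's real parsers; the pass count and the escape-once-per-layer rule are the point.

```python
"""Model of stacked unescaping in a quoted 'update' value.

Added illustration for this thread; not FreeRADIUS source.  The three
layers (gettoken at config load, radius_xlat for do_xlat values,
pairparsevalue) come from the explanation above; the escape grammar
below is an assumed simplification of the real parsers.
"""

_ESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"'}


def unescape_once(s: str) -> str:
    """One decoding pass.  Unknown escapes are kept as written so a
    stray backslash is not silently eaten."""
    out = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], "\\" + s[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def escape_once(s: str) -> str:
    """Exact inverse of unescape_once for the characters it decodes."""
    return (s.replace("\\", "\\\\")
             .replace("\n", "\\n")
             .replace("\t", "\\t")
             .replace('"', '\\"'))


def expand_value(literal: str, do_xlat: bool) -> str:
    """Value that reaches the attribute, given the text between the
    quotes in the config file.

    Layers, per the explanation above:
      1. gettoken decodes the quoted string at config load
      2. radius_xlat decodes again, only for values flagged do_xlat
         (i.e. double-quoted ones)
      3. pairparsevalue decodes the result into the VP
    """
    value = literal
    for _ in range(3 if do_xlat else 2):
        value = unescape_once(value)
    return value


def quote_for_layers(wanted: str, layers: int) -> str:
    """Escape once per decoding layer so 'wanted' survives intact.
    This is the general rule wherever config text, templating and a
    final parser each decode the same string."""
    for _ in range(layers):
        wanted = escape_once(wanted)
    return wanted


if __name__ == "__main__":
    four = "a" + "\\" * 4 + "nb"                    # four backslashes in the file
    print(repr(expand_value(four, do_xlat=False)))  # 'a\\nb'  (backslash, n)
    print(repr(expand_value(four, do_xlat=True)))   # 'a\nb'   (newline)
    print(repr(quote_for_layers("a\\nb", 3)))       # eight backslashes
```

Run stand-alone it prints the three cases from the thread: four backslashes survive two layers as a literal backslash-n, collapse to a newline once a third (xlat) layer is added, and need to be doubled to eight to survive all three.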
redundant with ldap and sql not working
Hi all,

I'm trying to do failover using a redundant section but it seems not to be working:

file: site-enable/eduroam (here the redundant section works fine)

authorize {
	preprocess
	if ("%{User-Name}" == "L3Test") {
		redundant {
			sql_l3Test
			files
		}
	}
	mschap
	suffix
	eap {
		ok = return
	}
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	radutmp
	sql_acct
	exec
	attr_filter.accounting_response
}
session {
	radutmp
}
post-auth {
	exec
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
pre-proxy {
}
post-proxy {
	eap
}

file: site-enable/eduroam-inner-tunnel (where the redundant section doesn't work)

server eduroam-inner-tunnel {
	listen {
		ipaddr = 127.0.0.1
		port = 18120
		type = auth
	}
	authorize {
		chap
		mschap
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		redundant {
			ldap
			sql_auth
		}
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
	session {
		radutmp
	}
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
	pre-proxy {
	}
	post-proxy {
		eap
	}
}

Maybe it is not possible?

Thanks.
RE: Concatenating/inserting strings with backslashes
> Brian Candler writes:
> Or is there another way I can concatenate strings, which doesn't involve
> expanding them into another string?

The workaround I've used for this is to feed the value through a regexp match to get it into %{1}, which does not seem to be subject to unescaping.

try:

if (%{reply:Reply-Message} =~ /(.*)/) {
  update reply {
    Reply-Message = "stuff %{1}"
  }
}
Re: Regarding pam_radius_auth to be integrated with busybox
On 9 Nov 2012, at 14:07, Deep Shah wrote:

> Hi Arran,
>
> On another board I am still getting the same error. Do I still need to
> change anything else?

Apparently MIPS and SPARC CPUs have configurable endianness, so the __sparc and __mips checks are probably wrong. I know autoconf has a macro for this; probably should add an autoconf script and use that instead of the compiler definitions.

Could you remove:

#elif defined(__sparc) || defined(__mips)
#define HIGHFIRST

in md5.c and check that this fixes the issue.

-Arran
Re: different EAP methods for different users
Thanks!

On Fri, Nov 9, 2012 at 3:12 PM, Alan DeKok wrote:
> Stefano Zanmarchi wrote:
> > we're currently supporting only PEAP, that is we base our security on
> > passwords.
> > We'd like to introduce higher security for a limited set of users this
> > way:
> > 1. support both PEAP and EAP/TTLS
> > 2. configure freeradius to authenticate these users (stored in a local
> > table)
> >    *only* if they use EAP/TTLS. They should *not* be authenticated if
> >    they used PEAP.
>
>   Put the users into a group.  Then, in the "authorize" section, after
> "eap", do:
>
> if ((EAP-Type == PEAP) && (My-Group == "notpeap")) {
>   reject
> }
>
>   See "man rlm_passwd" for examples of creating a group.
>
>   Alan DeKok.
Concatenating/inserting strings with backslashes
Here's something weird. I'm trying to concatenate some strings which contain (i.e. not a newline).

In a normal string literal, I have to enter four backslashes:

update reply {
  Reply-Message := "anb"
}

("\\n" gives a newline, "\\\n" gives backslash followed by newline)

But when I try to insert one string into another it goes completely haywire.

update reply {
  Reply-Message := "foonbar"
}
update reply {
  Reply-Message := "%{reply:Reply-Message}nbaz"
}

This gives me "foo" "bar" "baz". That is, even the second n is being collapsed into a newline!

Some more test cases:

update reply {
  Reply-Message := "foonbar"
}
update reply {
  Reply-Message := "quxnbaz"
}

correctly gives me "qux" "baz"

update reply {
  Reply-Message := "foonbar"
}
update reply {
  Reply-Message := "%{Wibble:-qux}nbaz"
}

gives me "baz". In fact, I need *eight* backslashes to get a literal backslash here:

Reply-Message := "%{Wibble:-qux}nbaz"

So somehow, the presence of a string expansion within a string affects the interpretation of subsequent backslashes within that string.

Now, this works:

update reply {
  Reply-Message := "foonbar"
}
update reply {
  Reply-Message := "%{reply:Reply-Message}nbaz"
}

But then if I do another layer of string insertion they get translated to newlines again.

update reply {
  Reply-Message := "foonbar"
}
update reply {
  Reply-Message := "%{reply:Reply-Message}nbaz"
}
update reply {
  Reply-Message := "%{reply:Reply-Message}"
}

This seems pretty broken to me, but if someone would care to explain how to deal with it, please do.

Or is there another way I can concatenate strings, which doesn't involve expanding them into another string?

Thanks,

Brian.
Re: Oddity with configurable failover
Brian Candler wrote:
> Module: Checking authorize {...} for more modules to load
> /etc/freeradius/sites-enabled/default[20]: Failed to find "mymodule" in the
> "modules" section.

  You can't over-ride the return codes of policies.  You can only do this for real modules.

> Is configurable failover not available for user-defined modules? (If so, I
> couldn't find this in doc/configurable_failover.rst )

  See "man unlang".  It might be there.

> What I'm actually trying to do is run a user-defined module up to 20 times,
> but stop after the first return of 'notfound' - without making a horrible
> 20-deep nested if statement. It's not important to do it this way, but I
> was surprised I couldn't.

  I'd just nest it 20 times.  Or, use a Perl script.

  Alan DeKok.
Re: different EAP methods for different users
Stefano Zanmarchi wrote:
> we're currently supporting only PEAP, that is we base our security on
> passwords.
> We'd like to introduce higher security for a limited set of users this way:
> 1. support both PEAP and EAP/TTLS
> 2. configure freeradius to authenticate these users (stored in a local
> table)
>    *only* if they use EAP/TTLS. They should *not* be authenticated if
>    they used PEAP.

  Put the users into a group.  Then, in the "authorize" section, after "eap", do:

if ((EAP-Type == PEAP) && (My-Group == "notpeap")) {
  reject
}

  See "man rlm_passwd" for examples of creating a group.

  Alan DeKok.
Re: Regarding pam_radius_auth to be integrated with busybox
Hi Arran,

On another board I am still getting the same error. Do I still need to change anything else?

Regards,
Deep

On Tue, Oct 30, 2012 at 8:31 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
>
> On 30 Oct 2012, at 14:13, Deep Shah wrote:
>
> > Sorry for the inconvenience.
> >
> > I have enabled the mips flag in the md5.c file of pam_radius_auth and my
> > issue is resolved now.
>
> Ahhh.
>
> https://github.com/FreeRADIUS/pam_radius/commit/c61a218efb2a0ec4f493bcc9fa735306f779ea64
>
> -Arran
different EAP methods for different users
Hi,

we're currently supporting only PEAP, that is we base our security on passwords.
We'd like to introduce higher security for a limited set of users this way:

1. support both PEAP and EAP/TTLS
2. configure freeradius to authenticate these users (stored in a local table) *only* if they use EAP/TTLS. They should *not* be authenticated if they used PEAP.

Is this (in particular point 2.) easily achievable?

Thank you very much in advance,
Stefano
Oddity with configurable failover
This is with freeradius 2.2.0.

Suppose in policy.conf I define a module:

policy {
  mymodule {
    update reply {
      Reply-Message += "boo"
    }
  }
  ...
}

Now in sites-available/default, I can happily do

authorize {
  mymodule
  ...
}

But if I write it as

authorize {
  mymodule {
    ok = return
  }
  ...
}

then the server fails to load at all, and freeradius -X reports:

...
Module: Checking authorize {...} for more modules to load
/etc/freeradius/sites-enabled/default[20]: Failed to find "mymodule" in the "modules" section.
/etc/freeradius/sites-enabled/default[19]: Errors parsing authorize section.

However,

authorize {
  chap {
    ok = return
  }
}

is fine.

Is configurable failover not available for user-defined modules? (If so, I couldn't find this in doc/configurable_failover.rst )

What I'm actually trying to do is run a user-defined module up to 20 times, but stop after the first return of 'notfound' - without making a horrible 20-deep nested if statement. It's not important to do it this way, but I was surprised I couldn't.

Thanks,

Brian.
Re: Recursive modules?
On 9 Nov 2012, at 11:51, Brian Candler wrote:

> I was wondering if an unlang module in 2.2.x could call itself recursively.

No

> Does this mean that module can only invoke other modules which have been
> previously declared?

Yes

-Arran
Recursive modules?
I was wondering if an unlang module in 2.2.x could call itself recursively.

For example, I have a reply list with a potentially large number of Framed-Route attributes and I want to replace each one with something else. Could I do the following?

rewriteFramedRoutes {
  if ("%{reply:Framed-Route}") {
    update reply {
      Cisco-AVPair += "ip:route=...etc..."
      Framed-Route -= "%{reply:Framed-Route}"
    }
    rewriteFramedRoutes
  }
}

Unfortunately a quick test suggests that the module can't find itself.

/etc/freeradius/policy.conf[310]: Failed to find "rewriteFramedRoutes" in the "modules" section.

Does this mean that a module can only invoke other modules which have been previously declared?

Regards,

Brian.
Re: help:freeradius + ldap + cisco ap can not work
On Fri, Nov 09, 2012 at 04:59:44PM +0800, Manifold Yu wrote:
> pap against LDAP works fine, but others do not work (e.g. mschap).

> [ldap] looking for check items in directory...
> [ldap] userPassword -> Cleartext-Password == "{MD5}85Q3W/VY9rt11BfdBNzdfQ=="

Your password, from LDAP, is not clear text. You need clear text passwords or NTLM (NT-Password) for mschap to work.

http://deployingradius.com/documents/protocols/compatibility.html

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253,
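The rule behind Matthew's reply, as an added example that is not part of the thread and not FreeRADIUS code: PAP hands the server the cleartext, so any stored form the server can recompute ({MD5}, NT hash, cleartext) is verifiable; CHAP's RFC 1994 digest covers the password itself, so only a cleartext entry works; MS-CHAP needs cleartext or the NT hash (MD4 over UTF-16LE). Scheme names follow common LDAP userPassword headers, an unprefixed value is assumed to be cleartext, and every credential in the checks is a constructed sample. MD4 is implemented inline because hashlib's md4 is often unavailable.

```python
"""Which RADIUS authentication methods a stored credential can serve.

Added example for this thread, not FreeRADIUS code.  Scheme headers
follow common LDAP userPassword conventions; an unprefixed value is
treated as cleartext (an assumption).  All sample credentials are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

SCHEME_FORM = {
    "CLEAR": "cleartext", "CLEARTEXT": "cleartext",
    "MD5": "one-way", "SMD5": "one-way", "SHA": "one-way",
    "SSHA": "one-way", "CRYPT": "one-way",
    "NT": "nt", "X-NTHASH": "nt",
}


def _split(cred: str):
    """'{MD5}abc' -> ('MD5', 'abc'); no header -> cleartext (assumption)."""
    if cred.startswith("{") and "}" in cred:
        i = cred.index("}")
        return cred[1:i].upper(), cred[i + 1:]
    return "CLEAR", cred


def supported_methods(cred: str) -> set:
    """The compatibility table, reduced to the three methods in the thread."""
    form = SCHEME_FORM.get(_split(cred)[0], "one-way")
    if form == "cleartext":
        return {"PAP", "CHAP", "MS-CHAP"}
    if form == "nt":
        return {"PAP", "MS-CHAP"}
    return {"PAP"}


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 needs OpenSSL's legacy provider)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, message-word order, shift amounts, additive constant)
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"                    # padding: 1 bit, then zeros
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # 64-bit little-endian bit length
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])  # words are little-endian
        a, b, c, d = state
        for func, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT-Password: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def md5_cred(password: str) -> str:
    """Build an LDAP-style {MD5} entry of the shape seen in the log above."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def pap_verify(cred: str, supplied: str) -> bool:
    """PAP: recompute whatever form is stored from the cleartext the client sent."""
    scheme, body = _split(cred)
    form = SCHEME_FORM.get(scheme, "one-way")
    if form == "cleartext":
        return hmac.compare_digest(body.encode(), supplied.encode())
    if form == "nt":
        return hmac.compare_digest(bytes.fromhex(body), nt_hash(supplied))
    if scheme == "MD5":
        return hmac.compare_digest(base64.b64decode(body), hashlib.md5(supplied.encode()).digest())
    raise ValueError("scheme not handled in this example: " + scheme)


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """Client side of CHAP (RFC 1994): MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def chap_verify(cred: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP.  The digest covers the password itself, so only a
    cleartext entry can be checked; a {MD5} userPassword cannot (the same
    reason mschap fails in the thread)."""
    scheme, body = _split(cred)
    if SCHEME_FORM.get(scheme, "one-way") != "cleartext":
        return False
    return hmac.compare_digest(chap_response(chap_id, body, challenge), response)
```

supported_methods() applied to the {MD5} value from the log returns only PAP, which is exactly the symptom reported: PAP works, mschap does not. The practical consequence for a directory that must serve MS-CHAP is to store either the cleartext or an NT hash ({nt}/{x-nthash}) alongside, and to protect that attribute accordingly, since an NT hash is password-equivalent for MS-CHAP.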
[Fwd: DAViCal Server Cannot Sent Invites]
Dear All,

I understand this should be addressed to the DAViCal list, and I did, but no one responded AT ALL; it is the third day today. I am sure someone would definitely be using the program. Kindly help if anyone has a solution or idea.

Original Message
Subject: [Davical-general] DAViCal Server Cannot Sent Invites
From: "Shiv. Nath"
Date: Thu, November 8, 2012 12:53 pm
To: davical-gene...@lists.sourceforge.net
--

Dear List Community

Greetings

Kindly help, I have been given a task to implement an enterprise level calendar, so I decided to go with DAViCal using Debian 6x. But I have got stuck at one stage and have almost no idea. Kindly help, if someone has come across this problem & remembers the solution:

1.) Davical installation successful
2.) I can login to the ADMIN page, create users, groups, resources etc.
3.) I can login to the CALENDAR web interface as admin or any other user created
4.) I can create an account in the sunbird calendar application successfully.
5.) I can create an account in the iCal calendar application successfully.
6.) Sharing is working in clients, can see each other's events successfully

Problems:

I cannot send invites from either the Mac iCal client or the sunbird calendar application. It is a fully functional mail server that DAViCal is running on, with proper MX & PTR. I can send emails out & receive using the squirrelmail application; that is tested.

This directive has been tried both ways:
$c->enable_auto_schedule = true;
$c->enable_auto_schedule = false;

Thanks / Shiv. Nath