Re: SQL authentication

2002-11-13 Thread Joost Hietbrink
The mysql module at the moment (at first it did, but that was removed for the
better) does not do the actual authenticate process. This means you can
NOT include 'sql' in the 'authenticate' section of the radiusd.conf file.
Instead, mysql adds attributes so the 'chap' or 'pap' module can do the
'authenticate' part.

see http://www.swx.nl/freeradius/freeradiussql.html (configuration, step 3).

So it is completely possible to store passwords (or their hashes) in a
database not in a file...


 Hi,

 why is the sql module not allowed for authentication? When I place sql in the
 authenticate section of radiusd.conf, radius says:
 Error: radiusd.conf: SQL modules aren't allowed in 'authenticate'
 sections -- they have no such method.

 So, if that is ok, what is the reason for the radcheck table in the radius
 database for MySQL?
 I really need to store passwords (or their hashes) in a database, not in a
 file. How can I do that?

 connor

 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html






FW: Expiration date check

2002-11-13 Thread Valakos Yorgos


-Original Message-
From: Valakos Yorgos [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 06, 2002 9:48 AM
To: '[EMAIL PROTECTED]'
Subject: Expiration date check

Hello all and thanks for your help !

I have freeradius 0.7 running under SuSE Linux 8.0 on an Intel platform (I
have to remind you all that I am a newcomer to both the Linux and
freeradius worlds), so here is my question: what do I have to do to make
freeradius check authorization requests against an expiration date?
(If expiration date = current date then allow access else deny.) Is this
possible? I have freeradius using a MySQL database for both
authentication and accounting. And one more minor thing ... I want to keep
start records in the MySQL radius database's radacct table and stop
records in another table of the same database (which I named 'radstop').
I have altered sql.conf to match that and created the radstop table in the
radius database (I actually copied and pasted radacct and renamed it),
but freeradius is still writing both records to the radacct table ... what
more do I have to do?


Thanks again for your help and for that splendid software you've made
for us ...



Yorgos 





Radius server not accounting, and dumping core...

2002-11-13 Thread Simon White
Hello,

I have FreeRADIUS working, with MySQL db and even have tested with a USR
Netserver NAS and it works fine on default port 1812 (which I can set
the NAS to authenticate to)... so I have got somewhere. However there
are two issues I'd like feedback on, if anyone can help. 

1) Core dumping on port 1645 with debugging on

-- First of all the version etc
FreeRADIUS Version 0.7.1, for host i686-pc-linux-gnu
gcc-2.96-81
glibc-2.2.4-24
kernel-2.4.18 hand rolled
/usr/sbin/mysqld  Ver 3.23.49a

-- Now the lines in my config file that I think make a difference
radiusd.conf
port = 1645  # also tried port = 0 and changed /etc/services

Now if I start radiusd, it will state Ready to serve requests and then
soon after (1-30 seconds) dump core with a segfault. I haven't tried
this with all flags, etc, but with debugging (-xx) on, it dumps core
unless I leave it on port 1812. This isn't handy for testing. I'm
testing it now without debugging and I will get back to you.

2) Accounting not working

I'm still not sure on this, since I haven't quite got around to full
testing - my NAS doesn't have an option to set the port for accounting
so I assumed (perhaps incorrectly) that it uses authport+1 as FreeRADIUS
does. However with many tests on port 1812 I didn't seem to get any
accounting, I haven't figured out yet if the packets that came from the
NAS were on the right port (I am still working on this) but to help me
speed things up right now I'd appreciate if anyone has a script handy
that can generate accounting packets for me.

Regards,

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: Expiration date check

2002-11-13 Thread Peter Nixon
On Wed, 13 Nov 2002 11:30:43 +0200
Squire Valakos Yorgos uttered the following:

 -Original Message-
 From: Valakos Yorgos [mailto:valakosg;ipnet.gr] 
 Sent: Wednesday, November 06, 2002 9:48 AM
 To: '[EMAIL PROTECTED]'
 Subject: Expiration date check
 
 Hello all and thanks for your help !
 
 I have freeradius 0.7 running under SuSE Linux 8.0 on an Intel platform (I
 have to remind you all that I am a newcomer to both the Linux and
 freeradius worlds), so here is my question: what do I have to do to make
 freeradius check authorization requests against an expiration date?
 (If expiration date = current date then allow access else deny.) Is this
 possible? I have freeradius using a MySQL database for both
 authentication and accounting. And one more minor thing ... I want to keep
 start records in the MySQL radius database's radacct table and stop
 records in another table of the same database (which I named 'radstop').
 I have altered sql.conf to match that and created the radstop table in the
 radius database (I actually copied and pasted radacct and renamed it),
 but freeradius is still writing both records to the radacct table ... what
 more do I have to do?
 
 
 Thanks again for your help and for that splendid software you've made
 for us ...

Hi Yorgos 

It's nice to see other SuSE users using freeradius :-)

Regarding the expiration date, I believe this is very easy to do, although I
have not done it myself. I think a quick search through the archives will
give you the answer.

With the sql.conf problem, in fact there is a mistake in the file (I am just
about to update the CVS to fix it now). While the file has at the top:
# If you want both stop and start records logged to the
# same SQL table, leave this as is.  If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = radacct
acct_table2 = radacct

it never actually uses the variable acct_table2 anywhere :-(

What you need to do is find the line near the bottom (of sql.conf) starting
with:

accounting_stop_query = UPDATE ${acct_table1} SET AcctStop 

and change to:

accounting_stop_query = UPDATE ${acct_table2} SET AcctStop 

Also you need to change:

accounting_stop_query_alt = INSERT into radacct (RadAcct 

to:

accounting_stop_query_alt = INSERT into ${acct_table2} (RadAcct

That should fix that problem :-)

Note: I will have some new SuSE 8.0 rpms for freeradius available as soon
as freeradius 0.8 is released (Any minute/day now) at 
http://www.susesecurity.com/files/

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



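The fix Peter describes hinges on two queries both naming ${acct_table2}: the stop UPDATE and the _alt INSERT it falls back to. As an added example, not code from the list or from the FreeRADIUS sources, here is a sqlite3 model of that accounting path. The column subset, the sample Start/Stop records and the rule "run the _alt query when the UPDATE matched no row" are assumptions made for the illustration; they are how the sql.conf comments read, not something the posts verify.

```python
# Added example, not from the list posts or rlm_sql: a sqlite3 model of the
# accounting_start / accounting_stop / accounting_stop_alt queries with the
# start and stop tables taken from the two sql.conf variables.
import sqlite3

# Assumed column subset; the real radacct has many more columns.
COLUMNS = ("AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT, "
           "AcctStartTime TEXT, AcctStopTime TEXT, AcctSessionTime INTEGER")


def open_db(tables):
    """Create each table named in the sql.conf-style mapping. The stop table has
    the start table's schema under a new name, as the poster did by copying radacct."""
    conn = sqlite3.connect(":memory:")
    for table in set(tables.values()):
        # Table names come from the server's own config, never from the request,
        # so interpolating them is safe; attribute values below are bound parameters.
        conn.execute(f"CREATE TABLE {table} (RadAcctId INTEGER PRIMARY KEY, {COLUMNS})")
    return conn


def accounting_start(conn, tables, rec):
    """accounting_start_query: INSERT into ${acct_table1}."""
    conn.execute(
        f"INSERT INTO {tables['acct_table1']}"
        " (AcctSessionId, UserName, NASIPAddress, AcctStartTime) VALUES (?, ?, ?, ?)",
        (rec["Acct-Session-Id"], rec["User-Name"], rec["NAS-IP-Address"], rec["Timestamp"]))


def accounting_stop(conn, tables, rec):
    """accounting_stop_query: UPDATE the open row in ${acct_table2}. When that
    matches nothing, the _alt query INSERTs a stop-only row into ${acct_table2}
    (assumed fallback rule). Returns the name of the query that took effect."""
    cur = conn.execute(
        f"UPDATE {tables['acct_table2']} SET AcctStopTime = ?, AcctSessionTime = ?"
        " WHERE AcctSessionId = ? AND UserName = ? AND NASIPAddress = ?"
        " AND AcctStopTime IS NULL",
        (rec["Timestamp"], rec["Acct-Session-Time"],
         rec["Acct-Session-Id"], rec["User-Name"], rec["NAS-IP-Address"]))
    if cur.rowcount:
        return "accounting_stop_query"
    conn.execute(
        f"INSERT INTO {tables['acct_table2']} (AcctSessionId, UserName, NASIPAddress,"
        " AcctStopTime, AcctSessionTime) VALUES (?, ?, ?, ?, ?)",
        (rec["Acct-Session-Id"], rec["User-Name"], rec["NAS-IP-Address"],
         rec["Timestamp"], rec["Acct-Session-Time"]))
    return "accounting_stop_query_alt"


def row_counts(conn, tables):
    """Rows per table after the session, to see where Start and Stop landed."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in sorted(set(tables.values()))}


def run_session(acct_table1, acct_table2):
    """One constructed Start/Stop pair; returns (query used for the Stop, rows per table)."""
    tables = {"acct_table1": acct_table1, "acct_table2": acct_table2}
    conn = open_db(tables)
    start = {"Acct-Session-Id": "0000ABCD", "User-Name": "yorgos",
             "NAS-IP-Address": "192.0.2.10", "Timestamp": "2002-11-13 09:48:00"}
    stop = dict(start)
    stop.update({"Timestamp": "2002-11-13 10:12:00", "Acct-Session-Time": 1440})
    accounting_start(conn, tables, start)
    used = accounting_stop(conn, tables, stop)
    return used, row_counts(conn, tables)


if __name__ == "__main__":
    print(run_session("radacct", "radacct"))   # the shipped default: one row, updated
    print(run_session("radacct", "radstop"))   # the poster's split: Start in radacct, Stop in radstop
```

With both variables set to radacct the UPDATE finds the Start row and closes it; with acct_table2 = radstop the UPDATE finds nothing and the _alt INSERT writes the Stop into radstop. That is also why changing only the UPDATE line is not enough: an _alt query still hard-wired to radacct would put the fallback row back in the start table.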


Re: Radius server not accounting, and dumping core...

2002-11-13 Thread Frank Cusack
On Wed, Nov 13, 2002 at 10:11:45AM +, Simon White wrote:
 speed things up right now I'd appreciate if anyone has a script handy
 that can generate accounting packets for me.

radclient is part of freeradius and can generate accounting packets.
/fc




FreeRadius-0.7.1 EAP/MD5 packet problem about RADIUS-ID/EAP-ID

2002-11-13 Thread Alan Chen
Hello:
We are currently developing a Wireless Access-Point.
When we test our Access-Point with 802.1x enabled, we find this problem.

environment:

Windows XP -- Access-Point -- FreeRadius

The 802.1x on 802.11 conversation (XP = Windows XP supplicant, AP = Access-Point):

 1) XP -> AP:      EAPOL-Start
 2) AP -> XP:      EAP-Request/Identity
 3) XP -> AP:      EAP-Response/Identity
 4) AP -> RADIUS:  Radius-Access-Request
 5) RADIUS -> AP:  Radius-Access-Challenge / EAP-Request/MD5-Challenge
 6) AP -> XP:      EAP-Request
 7) XP -> AP:      EAP-Response/MD5-Challenge
 8) AP -> RADIUS:  Radius-Access-Request
 9) RADIUS -> AP:  Radius-Access-Accept
10) AP -> XP:      EAP-Success


It seems that freeradius will take the Radius-ID in packet 4) as the value
of packet 5)'s EAP-ID.

When we test 802.1x, packets 2) and 3)'s EAP-ID and packet 4)'s Radius-ID happen
to have the same value: 1.

As a result, packets 5) and 6)'s EAP-ID all have the value 1, the same as packets 2) and 3).

So, when Windows XP receives packet 6), it replies with packet 3) instead of packet
7), and then ... an endless loop.

Here is the packet dump with ethereal, http://www.ethereal.com

Windows XP -- Access-Point  http://ultra.swing.idv.tw/~ala/ap-xp
Access-Point -- FreeRadius  http://ultra.swing.idv.tw/~ala/ap-freeradius


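The identifier mix-up above, and the earlier request in this digest for a way to generate accounting packets (Frank's answer is radclient), both come down to the RADIUS wire format. The following is an added example, not code from the list or from FreeRADIUS and not radclient: a from-scratch Python codec that builds and parses packets, computes and verifies the Accounting-Request authenticator of RFC 2866, and pulls the EAP Identifier out of the EAP-Message attribute so it can be seen beside the RADIUS Identifier from the packet header. The shared secret, attribute values and the identifier values are constructed for the illustration.

```python
# Added example, not from the list posts or the FreeRADIUS sources: a minimal
# RADIUS codec showing that the RADIUS Identifier (packet header, RFC 2865) and
# the EAP Identifier (inside the EAP-Message attribute, RFC 3579) are
# independent fields, plus the Accounting-Request authenticator of RFC 2866.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_EAP_MESSAGE = 1, 40, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs (RFC 2865 section 5)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_packet(code, ident, attrs, secret, authenticator=None):
    """Build a packet. For Accounting-Request the Request Authenticator is
    MD5(Code+Identifier+Length+16 zero octets+Attributes+Secret) (RFC 2866);
    for Access-Request it is a random 16-octet value."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    if code == ACCOUNTING_REQUEST:
        authenticator = hashlib.md5(head + bytes(16) + body + secret).digest()
    elif authenticator is None:
        authenticator = os.urandom(16)
    return head + authenticator + body


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def verify_acct_authenticator(packet, secret):
    """The check a server makes before trusting an Accounting-Request."""
    code, _, authenticator, _ = parse_packet(packet)
    if code != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return authenticator == expected


def parse_eap(attrs):
    """Reassemble EAP-Message fragments; return (eap_code, eap_id, eap_type) or None."""
    eap = b"".join(value for atype, value in attrs if atype == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        return None
    eap_code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length does not match reassembled data")
    return eap_code, eap_id, (eap[4] if eap_len > 4 else None)


def identifiers(packet):
    """The two identifiers the post is about, each read from its own field."""
    _, radius_id, _, attrs = parse_packet(packet)
    eap = parse_eap(attrs)
    if eap is None:
        return {"radius_id": radius_id, "eap_code": None, "eap_id": None, "eap_type": None}
    return {"radius_id": radius_id, "eap_code": eap[0], "eap_id": eap[1], "eap_type": eap[2]}


SECRET = b"testing123"   # constructed shared secret
# Constructed EAP-Response/Identity with EAP Identifier 1, carried in an
# Access-Request whose RADIUS Identifier is also 1: the coincidence from the post.
_identity = struct.pack("!BBH", EAP_RESPONSE, 1, 4 + 5) + bytes([EAP_TYPE_IDENTITY]) + b"user"
SAMPLE_ACCESS = build_packet(ACCESS_REQUEST, 1,
                             [(ATTR_USER_NAME, b"user"), (ATTR_EAP_MESSAGE, _identity)], SECRET)
SAMPLE_ACCT = build_packet(ACCOUNTING_REQUEST, 7,
                           [(ATTR_USER_NAME, b"user"),
                            (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))], SECRET)  # 1 = Start

if __name__ == "__main__":
    print(identifiers(SAMPLE_ACCESS))
    print(verify_acct_authenticator(SAMPLE_ACCT, SECRET))
```

A server that copies the RADIUS Identifier into the EAP header it builds would produce exactly the symptom described: the supplicant sees an EAP-Request with the same Identifier it already answered and treats it as a retransmission.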



Re: about EAP/TLS?

2002-11-13 Thread Artur Hecker

what does ldd /usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so do?



Jeffery Huang wrote:
 Thanks Artur,
 I have followed the document to compile freeradius! But I got a new
 problem now! :(
 
 ./radiusd: relocation error:
 /usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so: undefined symbol:
 EVP_des_cbc
 
 this error means I cannot start up radiusd :(
 
 how can I resolve it?
 
 Regards,
 Jeffery
 
 On Tue, 2002-11-12 19:49, Artur Hecker wrote:
 
hi

Jeffery Huang wrote:

Hi! guys,

  I use freeradius via certificate and got the following error message:

./radiusd: relocation error:
/usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so: undefined symbol:
SSL_set_msg_callback

Why does it occur? How do I resolve the problem?

try ldd /usr/local/radiusd/lib/rlm_eap_tls-0.8-pre.so and see if there
are errors. if not, consider correcting your makefile in
./src/modules/rlm_eap/types/rlm-eap_tls manually as explained in
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info



-- 
Artur Hecker                    Groupe Accès et Mobilité
hecker[at]enst[dot]fr           Département Informatique et Réseaux
+33 1 45 81 7507                46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr       ENST Paris





Simultaneous-Use problem

2002-11-13 Thread Svetlana Vyslanko
Hello,
I am trying to use Simultaneous-Use for group users through mysql with 
freeradius-snapshot-20021101.

radiusd.conf:
==
# Session database, used for checking Simultaneous-Use. The radutmp module
# handles this
session {
#   radutmp
sql
}

sql.conf:
==
# Uncomment simul_count_query to enable simultaneous use checking

simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime = 0

simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1}
WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

radgroupcheck:
==
GroupName   Attribute          op    Value
ppp-simul   Simultaneous-Use   :=    1

I've also used op=:=


And now users from other groups (not ppp-simul) don't have access either:

Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := \r\nYou are already logged in - access denied\r\n\n

I think GroupName wasn't checked. Why?


rad_recv: Access-Request packet from host XXX.XX.XX.XX:1026, id=250, length=82
User-Name = ppgip
User-Password = XXX
NAS-IP-Address = XXX.XX.XX.XX
NAS-Port = 11
NAS-Port-Type = Async
Connect-Info = 14400
Framed-Protocol = PPP
Service-Type = Framed-User
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
radius_xlat:  'ppgip'
sql_set_user:  escaped user -- 'ppgip'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'ppgip' ORDER BY id'
rlm_sql: Reserving sql socket id: 2
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'ppgip' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'ppgip' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql: Released sql socket id: 2
  modcall[authorize]: module sql returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module noresetcounter returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module dailycounter returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns noop
users: Matched DEFAULT at 12
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
modcall: entering group session
radius_xlat:  'ppgip'
sql_set_user:  escaped user -- 'ppgip'
radius_xlat:  'SELECT COUNT(*) FROM radacct WHERE UserName='ppgip' AND
AcctStopTime = 0'
rlm_sql: Reserving sql socket id: 1
radius_xlat:  'SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress,
NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE
UserName='ppgip' AND AcctStopTime = 0'
rlm_sql: Released sql socket id: 1
  modcall[session]: module sql returns ok
modcall: group session returns ok
Multiple logins (max 1) : [ppgip] (from client riak port 11)
Sending Access-Reject of id 250 to XXX.XX.XX.XX:1026
Reply-Message := \r\nYou are already logged in - access denied\r\n\n
Finished request 5

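The debug output above shows the three lookups that decide this: the radcheck query, the radgroupcheck query joined through usergroup, and the simul_count_query against radacct. The following is an added example, not code from the list or from rlm_sql, that runs those same queries against a small sqlite3 database and then evaluates two check items: Simultaneous-Use (this thread) and Expiration (the expiration-date question earlier in this digest). The schema, the sample rows, the "Mon DD YYYY" date format and the simplified "last item wins" merge are assumptions made for the illustration; the real server's operator rules are richer.

```python
# Added example, not from the list posts or the FreeRADIUS sources: the
# authorize-time SQL lookups and session check modelled in sqlite3.
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, AcctStopTime INTEGER);
"""

# Constructed sample rows: bob is in ppp-simul (group limit 3) and has two open
# sessions, alice is in no group and has one open session, carol carries a
# per-user Expiration check item. AcctStopTime = 0 marks an open session, as in
# the simul_count_query above.
SAMPLE = [
    ("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
     ("carol", "Expiration", ":=", "Nov 01 2002")),
    ("INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
     ("ppp-simul", "Simultaneous-Use", ":=", "3")),
    ("INSERT INTO usergroup VALUES (?, ?)", ("bob", "ppp-simul")),
    ("INSERT INTO radacct (UserName, AcctStopTime) VALUES (?, ?)", ("bob", 0)),
    ("INSERT INTO radacct (UserName, AcctStopTime) VALUES (?, ?)", ("bob", 0)),
    ("INSERT INTO radacct (UserName, AcctStopTime) VALUES (?, ?)", ("bob", 1037180000)),
    ("INSERT INTO radacct (UserName, AcctStopTime) VALUES (?, ?)", ("alice", 0)),
]
NOW = datetime(2002, 11, 13)   # constructed "current date" for the Expiration check


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE:
        conn.execute(sql, params)
    return conn


def check_items(conn, user):
    """The two authorize queries from the debug output: per-user radcheck rows,
    then radgroupcheck rows joined through usergroup. The user name is a bound
    parameter here, where rlm_sql escapes it into %{SQL-User-Name}."""
    rows = conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
        (user,)).fetchall()
    rows += conn.execute(
        "SELECT radgroupcheck.Attribute, radgroupcheck.op, radgroupcheck.Value"
        " FROM radgroupcheck, usergroup WHERE usergroup.UserName = ?"
        " AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id",
        (user,)).fetchall()
    return rows


def simul_count(conn, user):
    """simul_count_query from sql.conf: sessions that have no stop time yet."""
    return conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (user,)).fetchone()[0]


def authorize(conn, user, now, default_simultaneous_use=None):
    """Evaluate the check items and return (decision, reason). The default stands
    in for a Simultaneous-Use that another module (for instance a DEFAULT entry
    in the users file) supplies when the SQL lookups return none."""
    items = {attr: value for attr, op, value in check_items(conn, user)}
    if "Expiration" in items:
        if now >= datetime.strptime(items["Expiration"], "%b %d %Y"):  # assumed format
            return "reject", "account expired"
    limit = default_simultaneous_use
    if "Simultaneous-Use" in items:
        limit = int(items["Simultaneous-Use"])
    if limit is not None and simul_count(conn, user) >= limit:
        return "reject", f"Multiple logins (max {limit})"
    return "accept", "ok"


def decide(user, default_simultaneous_use=None):
    """Run the whole authorize + session check against the sample database."""
    return authorize(open_db(), user, NOW, default_simultaneous_use)


if __name__ == "__main__":
    for name in ("bob", "alice", "carol"):
        print(name, decide(name), decide(name, default_simultaneous_use=1))
```

Run with a default of 1, alice (no group row) is rejected with "Multiple logins (max 1)" while bob's group row raises his limit to 3: the effective limit is whichever module last supplied the check item, so when the reject message names a maximum that the group table does not contain, the value came from somewhere else in authorize.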



RE: duplicate-users and mySQL

2002-11-13 Thread Brian Johnson
Would it be possible to use both the username and password in the
authentication query? I could then customize the database to work with
my user database.

Brian J.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:freeradius-users-admin;lists.cistron.nl] On Behalf Of 
 Alan DeKok
 Sent: Tuesday, November 12, 2002 11:03 AM
 To: [EMAIL PROTECTED]
 Subject: Re: duplicate-users and mySQL 
 
 
 Brian Johnson [EMAIL PROTECTED] wrote:
  Does anyone have a solution for implementing duplicate 
 users with mySQL.
 
   You've got to get BOTH user's passwords out of the SQL database, and
 then convince the authentication methods to try both, too.
 
   Right now, that's not possible without source code patches.
 
   Alan DeKok.
 
 





Re: group reject with realm problem

2002-11-13 Thread Chris Parker
At 08:21 PM 11/12/2002 -0600, Marcin Groszek wrote:

Version 0.7.1
I am using the default radius.config file and I experience a problem with
denying access to a group of users.
Normally I use realms; hunt-groups work fine and the port limit also works, but

When I send a request to the server with a realm, the server responds OK for a user
in the reject group,
but when I send the same request to the same server without a realm, the request
gets rejected as it should be.
The realms file is set up to LOCAL for my realm.
I include the debug from auth.

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=2, length=57
User-Name = marcin
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm NULL for User-Name = marcin
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
  HASH:  user marcin found in hashtable bucket 68338
  HASH:  matched user marcin in group users
users: Matched DEFAULT at 71
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Reject


rad_recv: Access-Request packet from host 127.0.0.1:1025, id=6, length=70
User-Name = [EMAIL PROTECTED]
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm hostplus.net for User-Name = 
[EMAIL PROTECTED]
rlm_realm: Found realm hostplus.net
rlm_realm: Adding Stripped-User-Name = marcin
  rlm_realm: Proxying request from user marcin to realm hostplus.net
rlm_realm: Adding Realm = hostplus.net
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System

This seems like a bug in the operation of the server.  Assuming you
have an entry along the lines of:

DEFAULT   Group == reject, Auth-Type := Reject
Fall-Through = No

You could try adding the realm to the check items in a second entry
such that you now have:

DEFAULT   Group == reject, Auth-Type := Reject
Fall-Through = No

DEFAULT   Group == reject, Realm == hostplus.net, Auth-Type := Reject
Fall-Through = No

That may or may not work.  I suspect the problem lies with the Group
lookup attempting to use 'User-Name' which I think will still contain
'[EMAIL PROTECTED]'.  Can you include your realm entry for the realm?

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





radwho

2002-11-13 Thread Remus Anca


  I've read all about this subject in the archives.
  My radutmp file is created (and written) when someone is logged on,
  but the file always has size 0, and radwho just prints the head of the
  report (if I remove the radutmp, radwho doesn't display a thing,
  and, logically, strace says that radutmp is not found, but after
  a client logon, the file is created, but with size 0 ...)


  please advise

  thx

-- 
Remus






Re: group reject with realm problem

2002-11-13 Thread Marcin Groszek
I have tried this and I did not get any positive results.
user gets rejected but user@realm does not.
I think I will wait for version 0.8.

Chris Parker wrote:

 At 08:21 PM 11/12/2002 -0600, Marcin Groszek wrote:
 Version 0.7.1
 I am using the default radius.config file and I experience a problem with
 denying access to a group of users.
 Normally I use realms; hunt-groups work fine and the port limit also works, but
 
 When I send a request to the server with a realm, the server responds OK for a user
 in the reject group,
 but when I send the same request to the same server without a realm, the request
 gets rejected as it should be.
 The realms file is set up to LOCAL for my realm.
 I include the debug from auth.
 
 rad_recv: Access-Request packet from host 127.0.0.1:1025, id=2, length=57
  User-Name = marcin
 modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
  rlm_realm: Looking up realm NULL for User-Name = marcin
  rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop
HASH:  user marcin found in hashtable bucket 68338
HASH:  matched user marcin in group users
  users: Matched DEFAULT at 71
modcall[authorize]: module files returns ok
 modcall: group authorize returns ok
rad_check_password:  Found Auth-Type Reject
 
 
 rad_recv: Access-Request packet from host 127.0.0.1:1025, id=6, length=70
  User-Name = [EMAIL PROTECTED]
 modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
  rlm_realm: Looking up realm hostplus.net for User-Name =
  [EMAIL PROTECTED]
  rlm_realm: Found realm hostplus.net
  rlm_realm: Adding Stripped-User-Name = marcin
rlm_realm: Proxying request from user marcin to realm hostplus.net
  rlm_realm: Adding Realm = hostplus.net
 rlm_realm:  Authentication realm is LOCAL.
 rlm_realm:  auth_port is not set.  proxy cancelled
modcall[authorize]: module suffix returns noop
  users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok
 modcall: group authorize returns ok
rad_check_password:  Found Auth-Type System

 This seems like a bug in the operation of the server.  Assuming you
 have an entry along the lines of:

 DEFAULT   Group == reject, Auth-Type := Reject
  Fall-Through = No

 You could try adding the realm to the check items in a second entry
 such that you now have:

 DEFAULT   Group == reject, Auth-Type := Reject
  Fall-Through = No

 DEFAULT   Group == reject, Realm == hostplus.net, Auth-Type := Reject
  Fall-Through = No

 That may or may not work.  I suspect the problem lies with the Group
 lookup attempting to use 'User-Name' which I think will still contain
 '[EMAIL PROTECTED]'.  Can you include your realm entry for the realm?

 -Chris
 --
 \\\|||///  \  StarNet Inc.  \ Chris Parker
 \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
 | @   @ |\  http://www.starnetwx.net \  (847) 963-0116
 oOo---(_)---oOo--\--
\ Wholesale Internet Services - http://www.megapop.net


--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.







Re: group reject with realm problem

2002-11-13 Thread Marcin Groszek

realm hostplus.net {
type   = radius
authhost= LOCAL
accthost= LOCAL
}

and file realms
hostplus.netLOCAL

Chris Parker wrote:

 At 10:11 AM 11/13/2002 -0600, Marcin Groszek wrote:
 I have tried this and I did not get any positive results.
 user gets rejected but user@realm does not.
 I think I will wait for version 0.8.

 What is the realm entry you have in proxy.conf for this realm?

 -Chris
 --
 \\\|||///  \  StarNet Inc.  \ Chris Parker
 \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
 | |\  http://www.starnetwx.net \  (847) 963-0116
 oOo---(_)---oOo--\--
\ Wholesale Internet Services - http://www.megapop.net


--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.







EAP-TLS re-keying

2002-11-13 Thread BUTTI Laurent FTRD/DTL/ISS
Hi,

I have an Orinoco AP-2000 (2.0.2) and a Windows XP client SP1.

MPPE-{Send/Recv}-Key seems to be successfully interpreted by the
AP-2000, as 3 EAPOL-Key frames are sent to the client. So this scheme is
different from Cisco's scheme, which seems to send only one EAPOL-Key
according to Lars Viklund.

Moreover, re-keying seems to work by configuring a short key lifetime on
the AP-2000: every time t, 3 new EAPOL-Key frames are sent from the AP-2000
to the WinXP client.

What I'm trying to do is validate that the new WEP key sent by the
AP-2000 using EAPOL-Key is really used.

I have several questions / remarks:

* Sending a new WEP key doesn't prove that it is really used on both
client and access point sides. It should be dependent on both hardware
(as WEP ciphering should be done in the WLAN card firmware, so WLAN card
drivers must support 802.1X) and software in Windows XP.

* I didn't test re-keying on Cisco, but if Cisco uses MPPE-Send-Key to
have data-link ciphering with WEP (truncating the MPPE-Send-Key), it is
necessary to have a full re-authentication if we want a real
re-keying, am I wrong?

* Do you know any tip to validate that?
 - By using NDIS hooking?
 - By any debug mode on AP-2000?
 - Any other idea?

Thank you very much for any help.

Best regards,

Laurent.





Re: group reject with realm problem

2002-11-13 Thread Marcin Groszek
I tried to use realms or proxy.conf with different options: nostrip, norealm.
But none of the combinations do the job.

Chris Parker wrote:

 At 10:43 AM 11/13/2002 -0600, Marcin Groszek wrote:

 realm hostplus.net {
  type= radius
  authhost= LOCAL
  accthost= LOCAL
 }
 
 and file realms
 hostplus.netLOCAL

 You'll want to use one or the other.  I recommend not using 'realms'
 as that is an older syntax and has fewer features than 'proxy.conf'.

 Something else you could try is to set the user's 'shell' entry in the
 system password file to '/bin/false' or some other shell that is not
 listed in /etc/shells.  This should also allow the users to be rejected,
 even if the password matches.

 -Chris
 --
 \\\|||///  \  StarNet Inc.  \ Chris Parker
 \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
 | |\  http://www.starnetwx.net \  (847) 963-0116
 oOo---(_)---oOo--\--
\ Wholesale Internet Services - http://www.megapop.net


--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.







Re: authentication of users ADSL

2002-11-13 Thread Alan DeKok
Samyr Alves [EMAIL PROTECTED] wrote:
 how to configure radius for authentication of users ADSL?

  Read the docs?

  Alan DeKok.




groups not working in user file

2002-11-13 Thread Dan
I just copied the configuration over from cistron to freeradius (making
necessary modifications)
and we can't get group checking to work in the users file.
This is freeradius 0.71; I've even tried the default samples in the users
file, such as:

DEFAULT   Group == "disabled", Auth-Type := Reject
          Reply-Message = "Account Disabled"

Nothing matches this, although it should... I have tried a user with
primary group disabled and
secondary group disabled... nothing works. Everything comes through like
this:

modcall: group authorize returns ok

Why isn't the user matching the group check?

Dan.





Re: group reject with realm problem

2002-11-13 Thread vince nigro
At 12:28 PM 11/13/2002 -0600, you wrote:

OK so other group setups with realms will not work, i.e.:
 DEFAULT  group == isdn, Simultaneous-Use := 2
So how can I set up a 2 port connection for a user?


You might want to use Cistron Radius (which Freeradius was based on) until
this problem is fixed in Freeradius: http://www.radius.cistron.nl/
Unless you want to use Mysql or Ldap, etc. as your
Authentication/Authorization mechanism.

I think most of the people that are using Freeradius are using alternate
Authentication/Authorization
mechanisms like Mysql and LDAP, which mostly work, so
the Group check problem and Realms with Unix passwd/group files has not
been that big an issue.
(But it has been reported a few times over the last several months to this
list.)


vince



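Chris's suspicion in this thread is that the Group check is keyed on User-Name, which still contains user@realm, rather than on Stripped-User-Name; Dan's question earlier in the digest is about the same check matching neither a primary nor a secondary group. The following is an added example, not code from the list or from FreeRADIUS's own group check, that models a "Group == name" check against passwd/group-style data so both lookup keys can be compared. The passwd and group lines are constructed, and the realm-stripping rule (cut at the first '@') stands in for what the suffix module does.

```python
# Added example, not from the list posts or the FreeRADIUS sources: a model of
# the users-file "Group == name" check against Unix passwd/group data.

# Constructed /etc/passwd and /etc/group style records (hypothetical accounts).
PASSWD = """marcin:x:1001:100:Marcin:/home/marcin:/bin/sh
dan:x:1002:201:Dan:/home/dan:/bin/sh
"""
GROUP = """users:x:100:
reject:x:200:marcin
disabled:x:201:
"""


def parse_passwd(text):
    """name -> primary gid, from passwd-style lines (name:pw:uid:gid:...)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """name -> (gid, explicit members), from group-style lines (name:pw:gid:members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            members = {m for m in fields[3].split(",") if m}
            groups[fields[0]] = (int(fields[2]), members)
    return groups


def in_group(users, groups, name, group):
    """True if `name` has `group` as primary group (passwd gid) or is listed as a
    member (group file). A check that consults only one of the two misses the other."""
    if group not in groups or name not in users:
        return False
    gid, members = groups[group]
    return users[name] == gid or name in members


def strip_realm(user_name):
    """Stripped-User-Name as the suffix realm module would produce it (assumed rule)."""
    return user_name.split("@", 1)[0]


def group_check(user_name, group, use_stripped):
    """The Group == check as seen from the request: keyed on User-Name as sent,
    or on the stripped name."""
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    key = strip_realm(user_name) if use_stripped else user_name
    return in_group(users, groups, key, group)


if __name__ == "__main__":
    print(group_check("marcin", "reject", use_stripped=False))               # True
    print(group_check("marcin@hostplus.net", "reject", use_stripped=False))  # False: the symptom
    print(group_check("marcin@hostplus.net", "reject", use_stripped=True))   # True
```

Keyed on the raw User-Name, "marcin@hostplus.net" is not a passwd entry at all, so the check quietly fails and the Auth-Type := Reject item never applies; keyed on the stripped name the same request is rejected. The primary/secondary distinction is the second thing to verify when a group entry does not match: dan is in "disabled" only through his passwd gid, so a check that reads only the group file's member list would miss him.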


Re: limiting DSL users bandwidth

2002-11-13 Thread Alan DeKok
Dan [EMAIL PROTECTED] wrote:
 Is there any way to limit the amount of bandwidth available to a user 
 through radius?

  Only if your NAS supports it in a RADIUS attribute.

 running radiusd in full debug I don't even see it sending this back
 to the user, and the user is not limited at all.

  Then there's something else in your configuration preventing this.

 I thought I'd try a very simple config like this:
 
 testuser  Auth-Type := System
           Framed-Ip-Address = 
           Cisco-AVPair = lcp:interface-config=rate-limit output 128000 32000 64000 conform-action transmit exceed-action drop

  Try 'Cisco-AVPair += '

  Alan DeKok.




ppp authentication windows NT domain

2002-11-13 Thread Miriam Benham
Hi there,

I'm new using/configuring freeradius, and it's working great so far.

I now would like to use it to authenticate our remote PPP users. I want
to use our NT domain server so as not to have to create a new password
file for all the users on the freeradius server.  I currently have NT
domain authentication working using PAM/SMB and PAP.

PAP works great with my existing NT domain authentication configuration,
but if I use CHAP it fails. I've read that I have to create users
credentials on the freeradius server if I want to use CHAP.

Question: Is there any way around the username/password duplication on
the freeradius server?  Is there any way to have the password encrypted
over the phone line (using CHAP) and get authenticated by the NT
domain server without using PAP, which sends the password in the clear?

Thanks,

Miriam Benham




Re: ppp authentication windows NT domain

2002-11-13 Thread Alan DeKok
Miriam Benham [EMAIL PROTECTED] wrote:
 PAP works great with my existing NT domain authentication configuration,
 but if I use CHAP it fails. I've read that I have to create users
 credentials on the freeradius server if I want to use CHAP.

  That's not true.  PAP is fine.

  As for why CHAP fails, see the FAQ.  The problem with SMB
authentication is exactly the same as for Unix authentication against
/etc/passwd

 Question: Is there any way around the username/password duplication on
 the freeradius server?  Is there any way to have the password encrypted
 over the phone line (using CHAP) and get authenticated by the NT
 domain server without using PAP, which sends the password in the clear?

  No.  See the FAQ.

  Alan DeKok.




Re: ppp authentication windows NT domain

2002-11-13 Thread Steve Langasek
On Wed, Nov 13, 2002 at 03:58:48PM -0500, Alan DeKok wrote:
 Miriam Benham [EMAIL PROTECTED] wrote:
  PAP works great with my existing NT domain authentication configuration,
  but if I use CHAP it fails. I've read that I have to create users
  credentials on the freeradius server if I want to use CHAP.

   That's not true.  PAP is fine.

   As for why CHAP fails, see the FAQ.  The problem with SMB
 authentication is exactly the same as for Unix authentication against
 /etc/passwd

Unless you're doing MS-CHAP.  Then you only have implementation obstacles
to overcome, rather than matters of mathematical certainty. :)

-- 
Steve Langasek
postmodern programmer



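Steve's distinction between "mathematical certainty" and "implementation obstacles" can be made concrete by running the three exchanges. The following is an added example, not code from the list or from FreeRADIUS: the RFC 1994 CHAP computation from both sides, PAP verification, and a hash-keyed challenge/response in which the response is derived from H(password) rather than the password. That keyed exchange is a simplified stand-in (HMAC-SHA256 over a SHA-256 hash) for the idea behind the MS-CHAP family, not MS-CHAP itself; the password and the two credential stores are constructed.

```python
# Added example, not from the list posts or the FreeRADIUS sources: why a
# server that stores only a one-way hash can verify PAP and a hash-keyed
# exchange, but never plain CHAP.
import hashlib
import hmac
import os


def password_hash(password):
    """Stand-in for a one-way stored hash (the NT hash in the SMB case)."""
    return hashlib.sha256(password).digest()


def chap_response(ident, password, challenge):
    """Client side of RFC 1994 CHAP: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident, challenge, response, stored):
    """Server side. The MD5 input needs the secret itself, so with only H(secret)
    on file there is nothing to recompute: None means 'cannot decide' (in
    practice a reject), not 'wrong password'."""
    if "cleartext" not in stored:
        return None
    return hmac.compare_digest(chap_response(ident, stored["cleartext"], challenge), response)


def pap_verify(password, stored):
    """PAP hands the server the password, so either kind of store can check it."""
    if "cleartext" in stored:
        return hmac.compare_digest(password, stored["cleartext"])
    return hmac.compare_digest(password_hash(password), stored["hash"])


def keyed_response(password, challenge):
    """Client side of a hash-keyed challenge/response: derived from H(password),
    never from the password. Simplified stand-in for the MS-CHAP construction."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def keyed_verify(challenge, response, stored):
    """Server side: a store of H(password) is enough to verify."""
    key = stored["hash"] if "hash" in stored else password_hash(stored["cleartext"])
    return hmac.compare_digest(hmac.new(key, challenge, hashlib.sha256).digest(), response)


# Constructed credential stores for the same hypothetical user.
PASSWORD = b"correct horse battery"
CLEARTEXT_STORE = {"cleartext": PASSWORD}
HASHED_STORE = {"hash": password_hash(PASSWORD)}


def run_exchange(protocol, stored, password=None, ident=1):
    """Both ends of one exchange with a fresh challenge; returns True/False/None."""
    password = PASSWORD if password is None else password
    challenge = os.urandom(16)
    if protocol == "PAP":
        return pap_verify(password, stored)
    if protocol == "CHAP":
        return chap_verify(ident, challenge, chap_response(ident, password, challenge), stored)
    if protocol == "KEYED":
        return keyed_verify(challenge, keyed_response(password, challenge), stored)
    raise ValueError(protocol)


if __name__ == "__main__":
    for proto in ("PAP", "CHAP", "KEYED"):
        print(proto, "cleartext store:", run_exchange(proto, CLEARTEXT_STORE),
              "hashed store:", run_exchange(proto, HASHED_STORE))
```

The caveat that comes with the keyed exchange is visible in keyed_verify: the stored hash is all the server needs, so for that protocol it is password-equivalent, and a database of such hashes has to be protected as carefully as a cleartext one.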


EAP/TLS

2002-11-13 Thread Ynjiun P. Wang
Hi,

I was able to get Radius running with EAP/TLS. But when I do my Windows XP 
logon through 802.11 (with root.der and
cert-clt.p12 installed), after a couple of rounds of exchanges of info with the Radius server, 
I got:
rlm_eap_tls: Invalid ACK received
  modcall[authenticate]: module eap returns invalid
ending up with Access-Reject.
I cut out part of the log info below. Does anyone encounter this problem? What is 
causing it? What's the fix? Please
help. Thanks.

-Paul


Called-Station-Id = 004096495de0
Calling-Station-Id = 0006250baad2
NAS-Identifier = AP350-495de0
NAS-Port = 37
Framed-MTU = 1400
State = 0xdbe3f75a75d354c306c7870c1762e63dc8d4d23d9ec744a89fcd5df6fd96d72d69fecdab
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = \002\272\000\006\r
Message-Authenticator = 0x7c7f78aa5e807d1d3ed5aaddbca89613
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
rlm_realm: No '' in User-Name = kevin, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
users: Matched kevin at 95
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: Invalid ACK received
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 66.135.138.204:19375, id=56, length=183
Sending Access-Reject of id 56 to 66.135.138.204:19375
EAP-Message = \004\272\000\004
Message-Authenticator = 0x


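The two EAP-Message lines in the log above are the server's escaped rendering of raw EAP packets. The decoder below is an added example (not FreeRADIUS code) that unescapes that rendering and parses the EAP header and the EAP-TLS Flags octet as the EAP and EAP-TLS RFCs define them; it assumes that the ACK line, which shows five octets while its Length field says six, lost a trailing "\000" Flags octet, which is what the server's "Received EAP-TLS ACK message" verdict requires.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TLS = 13  # EAP method Type for EAP-TLS; the log prints octet 13 as "\r"
ESCAPE = re.compile(r"\\([0-7]{3})|\\([rnt\\])")

def unescape(text):
    """Turn the server's escaped rendering (\\ooo octal, \\r, \\n, \\t) into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        m = ESCAPE.match(text, i)
        if m is None:
            out.append(ord(text[i])); i += 1
        elif m.group(1):
            out.append(int(m.group(1), 8)); i = m.end()
        else:
            out.append({"r": 13, "n": 10, "t": 9, "\\": 92}[m.group(2)]); i = m.end()
    return bytes(out)

def decode_eap(raw):
    """Parse one EAP packet; for EAP-TLS also split the Flags octet and payload."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field says {length} octets, got {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):   # Success/Failure carry no Type octet
        return pkt
    if length < 5 or (raw[4] == EAP_TLS and length < 6):
        raise ValueError("missing Type octet or EAP-TLS Flags octet")
    pkt["type"] = raw[4]
    if raw[4] != EAP_TLS:
        return pkt
    flags, data = raw[5], raw[6:]
    pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    if flags & 0x80:         # L: a 4-octet total TLS Message Length precedes the data
        if len(data) < 4:
            raise ValueError("L flag set but no TLS Message Length field")
        pkt["tls_length"], data = struct.unpack("!I", data[:4])[0], data[4:]
    pkt["tls_data"] = data
    # An EAP-TLS ACK is a Response with Flags == 0 and no data (RFC 2716)
    pkt["ack"] = code == 2 and flags == 0 and not data
    return pkt

# Constructed from the log: the ACK line plus the trailing "\000" Flags octet its
# Length field (6) implies, and the EAP Failure carried in the Access-Reject.
ACK_FROM_LOG = unescape("\\002\\272\\000\\006\\r\\000")
REJECT_FROM_LOG = unescape("\\004\\272\\000\\004")
```

Feeding the ACK line exactly as printed (five octets) raises a length mismatch, which is the check a parser needs before trusting the Flags octet.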



RE: EAP/TLS

2002-11-13 Thread Ynjiun P. Wang
More information:
I checked rlm_eap_tls-0.8-pre.so using ldd and found that libssl.so.0.9.8 => not
found. Is this normal? If not, how to
fix it? Thanks.

[root@curve EAP]# ldd /usr/local/lib/rlm_eap_tls-0.8-pre.so
libssl.so.0.9.8 => not found
libcrypto.so.0.9.8 => not found
libnsl.so.1 => /lib/libnsl.so.1 (0x40025000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4003a000)
libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4004b000)
libc.so.6 => /lib/i686/libc.so.6 (0x4200)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

-Original Message-
From: Ynjiun P. Wang [mailto:ypw;worldnet.att.net]
Sent: Wednesday, November 13, 2002 3:15 PM
To: [EMAIL PROTECTED]
Subject: EAP/TLS





CISCO LEAP

2002-11-13 Thread Mike Paneth



We are about to setup a wireless network based on 
CISCO 1200 APs and need to control access.

Does anyone know how to get Freeradius working with 
CISCO LEAP?

Mike Paneth
Melbourne Australia


RE: EAP/TLS

2002-11-13 Thread Jeffery Huang
You need to find these two libraries.
If you followed the howto setup,
they will be at /usr/local/openssl/lib,
so before you run radiusd
you must:
$ export LD_LIBRARY_PATH=/usr/local/openssl/lib

Regard,
Jeffery

On Thu, 2002-11-14 08:26, Ynjiun P. Wang wrote:
 More information:
 I checked rlm_eap_tls-0.8-pre.so using ldd and found that libssl.so.0.9.8 => not
found. Is this normal? If not, how to
 fix it? Thanks.
 
 [root@curve EAP]# ldd /usr/local/lib/rlm_eap_tls-0.8-pre.so
 libssl.so.0.9.8 => not found
 libcrypto.so.0.9.8 => not found
 libnsl.so.1 => /lib/libnsl.so.1 (0x40025000)
 libresolv.so.2 => /lib/libresolv.so.2 (0x4003a000)
 libpthread.so.0 => /lib/i686/libpthread.so.0 (0x4004b000)
 libc.so.6 => /lib/i686/libc.so.6 (0x4200)
 /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)
 
-- 

Regard,
Jeffery Huang
iMining Technology Inc.,
8F-4, No.432, Sec.1 Keelung Rd.,
Taipei,Taiwan
Tel:886-2-27235122 ext 20
Fax:886-2-27232287
http://www.imining.com.tw
email:[EMAIL PROTECTED]





Re: CISCO LEAP

2002-11-13 Thread Jeremy Salch
On Wednesday 13 November 2002 06:52 pm, Mike Paneth wrote:
 We are about to setup a wireless network based on CISCO 1200 APs and need
 to control access.

 Does anyone know how to get Freeradius working with CISCO LEAP?

It can't. LEAP is a Cisco proprietary EAP type; you'll have to shell
out the cash for this one.



 Mike Paneth
 Melbourne Australia

-- 
http://tblx.net





RE: using FreeRADIUS SecurID/RSA?

2002-11-13 Thread Gene Parks
What about using the radius server built into the SecurID product and
let Freeradius proxy to it for that function?

Just a thought.

Gene Parks
VIP Direct




Re: CISCO LEAP

2002-11-13 Thread Lars Viklund
On Wed, 2002-11-13 at 16:06, Jeremy Salch wrote:
 On Wednesday 13 November 2002 06:52 pm, Mike Paneth wrote:
  We are about to setup a wireless network based on CISCO 1200 APs and need
  to control access.
 
  Does anyone know how to get Freeradius working with CISCO LEAP?
 
   It can't.

Not yet anyway.

 LEAP is a Cisco proprietary EAP type.

Yes.

 you'll have to shell out the cash for this one.  

I don't think that's necessarily true. Someone just has to write a
FreeRADIUS module for it. There are public descriptions of the protocol
(http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt) and it doesn't
seem hard to implement.


