interoperability

2002-11-15 Thread Gene Parks
Alan,


Have you ever heard of Bridgewater or any other radius server dropping attributes being sent by freeradius?  


This is what I have, just curious if you have ever heard or seen this.  We are sending the normal 6 and 7 attributes and those are passing through to our carriers.  Ascend 242 is being dropped but not all the time and not all the 242 attributes either.  Now my tests from my network and against my freeradius proxies and radius servers show the attributes being passed back all the time without error.

Do you have any thoughts on this one?


Thanks

Gene Parks

VIP Direct






EAP/TLS

2002-11-15 Thread Ynjiun P. Wang
After checking the ethereal log and the eap_tls.c code, I really don't get how 
rlm_eap_tls can respond with both
"Received EAP-TLS ACK message" and "Invalid ACK received"!?

Problem:
"rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: Invalid ACK received
   modcall[authenticate]: module "eap" returns invalid"

code excerpt from eap_tls.c:
    if ((eap_ds->response->length == EAP_HEADER_LEN + 2/*EAPtype+flags*/) &&
        ((eaptls_packet != NULL) && (eaptls_packet->flags == 0x00))) {

        if (prev_eap_ds->request->id == eap_ds->response->id) {
            radlog(L_INFO, "rlm_eap_tls: Received EAP-TLS ACK message");
            return EAPTLS_ACK;
        } else {
            radlog(L_ERR, "rlm_eap_tls: Received Invalid EAP-TLS ACK message");
            return EAPTLS_INVALID;
        }
    }

ethereal capture of the EAP-TLS ACK message (you may see the context in previous 
email):
 t:EAP-Message(79) l:8
Extensible Authentication Protocol
Code: Response (2)
Id: 4
Length: 6
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x0):

The length is no problem, the flag is correct, the id is the same as the previous 
packet from the server, and eap_tls.c responds "Received EAP-TLS ACK message" 
correctly, but then why does "Invalid ACK received" follow? Any advice?

Thank you much for your help.

-Paul

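The ACK test from the eap_tls.c excerpt above, applied to the packet fields shown in the Ethereal capture, as an added example (not FreeRADIUS code and not part of the original post). It assumes a 4-byte EAP header, consistent with the captured Length of 6; the function, enum and array names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4-byte EAP header (code, id, 16-bit length), which matches the
 * capture, where a packet carrying only type + flags has Length: 6. */
#define EAP_HEADER_LEN    4
#define EAP_CODE_RESPONSE 2
#define EAP_TYPE_TLS      13

/* Hypothetical verdicts for this example (not the project's own enum). */
enum ack_verdict { NOT_ACK, ACK_OK, ACK_ID_MISMATCH, MALFORMED };

/* Constructed from the fields in the capture of the ACK:
 * Code 2 (Response), Id 4, Length 6, Type 13 (EAP-TLS), Flags 0x00. */
static const uint8_t captured_ack[] = { 0x02, 0x04, 0x00, 0x06, 0x0d, 0x00 };
/* Constructed from Frame 15: EAP-TLS Start request, Id 3, Flags 0x20. */
static const uint8_t tls_start[] = { 0x01, 0x03, 0x00, 0x06, 0x0d, 0x20 };
/* Constructed: header claims 6 bytes but only 5 are present. */
static const uint8_t truncated[] = { 0x02, 0x04, 0x00, 0x06, 0x0d };

/* Classify one raw EAP packet against the id of the last request sent. */
enum ack_verdict classify_eap_tls_ack(const uint8_t *pkt, size_t len,
                                      uint8_t prev_request_id)
{
    size_t eap_len;

    if (pkt == NULL || len < EAP_HEADER_LEN)
        return MALFORMED;
    eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < EAP_HEADER_LEN || eap_len > len)
        return MALFORMED;   /* length field must fit the bytes received */

    if (pkt[0] != EAP_CODE_RESPONSE)
        return NOT_ACK;
    /* An ACK is exactly header + type + flags, with no flag bits set. */
    if (eap_len != EAP_HEADER_LEN + 2)
        return NOT_ACK;
    if (pkt[4] != EAP_TYPE_TLS || pkt[5] != 0x00)
        return NOT_ACK;

    /* Same comparison as the excerpt: response id must echo the request id. */
    return (pkt[1] == prev_request_id) ? ACK_OK : ACK_ID_MISMATCH;
}

int main(void)
{
    static const char *names[] = { "NOT_ACK", "ACK_OK", "ACK_ID_MISMATCH", "MALFORMED" };

    printf("captured ACK, previous request id 4: %s\n",
           names[classify_eap_tls_ack(captured_ack, sizeof captured_ack, 4)]);
    printf("captured ACK, previous request id 3: %s\n",
           names[classify_eap_tls_ack(captured_ack, sizeof captured_ack, 3)]);
    printf("EAP-TLS Start request:               %s\n",
           names[classify_eap_tls_ack(tls_start, sizeof tls_start, 3)]);
    printf("truncated packet:                    %s\n",
           names[classify_eap_tls_ack(truncated, sizeof truncated, 4)]);
    return 0;
}
```

Assuming, as the post states, that the preceding request carried Id 4, this check classifies the captured packet as a valid ACK. The excerpt's error string is "Received Invalid EAP-TLS ACK message", which differs from the logged "Invalid ACK received", so that second log line is emitted by code outside the quoted lines.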

Re: Comments on the release of 0.8, ASAP

2002-11-15 Thread Matthew Wallis
On Fri, Nov 15, 2002 at 11:18:20AM -0500, Alan DeKok wrote:
>   The release of 0.8 has been "real soon now" for a week or so.  That
> gave us time to add in a few last-minute fixes.
> 

I downloaded the 0.8 snapshot and attempted to build it
on MacOS X.2.1 and it didn't build cleanly, I've now
got X.2.2, and there's some later snapshots, so I'll try
them before posting anything. Should the configure
script automatically build static libraries now?

Matt.

-- 
Matthew Wallis. Systems and Networks Engineer.
Cybersource. Level 9, 140 Queen St, Melbourne, 3000.
Ph: 03 9642 5997Mob: 0412 509 169


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



how to use hex attribute values in radclient

2002-11-15 Thread Dave Mason
Hi,
I mentioned in another thread that I need to send EAP-Message attributes 
from radclient, but Alan said it can't do that.  I studied the libradius 
code, and it appears to have the capability to let some attributes have 
type PW_TYPE_OCTETS.  EAP-Message seems to have the PW_TYPE_STRING type. 
Does anyone know how to make EAP-Message use the octet type?  In that 
case, I can build my own EAP packets in hex.  As it is, I can specify 
EAP-Message="0x0204..." but radclient builds the value with the ASCII 
representation of each character.

I have also tried using single quotes or no quotes with the same result. 
If I use back-quotes, the value is not taken at all.  Is this a hook 
for some other processing?

Thanks,
Dave
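The difference described in the post above between a string-typed and an octets-typed attribute value, shown on the EAP-Response/Identity from Frame 14 of the Ethereal capture on this page, as an added example (not radclient or libradius code). The function names are hypothetical, and the "0x" prefix for octets input follows the notation used in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_EAP_MESSAGE 79
#define MAX_ATTR_VALUE   253  /* one length octet covers type + length + value */

/* Constructed sample: Code 2, Id 2, Length 10, Type 1 (Identity), "kevin". */
static const char sample_value[] = "0x0202000a016b6576696e";

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* String semantics: every character of the text becomes one value byte.
 * Returns the total attribute length, or -1 if it does not fit. */
int encode_as_string(uint8_t type, const char *text, uint8_t *out, size_t outsz)
{
    size_t n = strlen(text);

    if (n > MAX_ATTR_VALUE || outsz < n + 2)
        return -1;
    out[0] = type;
    out[1] = (uint8_t)(n + 2);
    memcpy(out + 2, text, n);
    return (int)(n + 2);
}

/* Octets semantics: "0x" followed by hex digit pairs, each pair one byte.
 * Returns the total attribute length, or -1 on malformed input. */
int encode_as_octets(uint8_t type, const char *text, uint8_t *out, size_t outsz)
{
    const char *hex;
    size_t digits, n, i;

    if (text[0] != '0' || (text[1] != 'x' && text[1] != 'X'))
        return -1;
    hex = text + 2;
    digits = strlen(hex);
    if (digits == 0 || digits % 2 != 0)
        return -1;              /* need whole bytes */
    n = digits / 2;
    if (n > MAX_ATTR_VALUE || outsz < n + 2)
        return -1;
    for (i = 0; i < n; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;          /* reject non-hex characters */
        out[2 + i] = (uint8_t)((hi << 4) | lo);
    }
    out[0] = type;
    out[1] = (uint8_t)(n + 2);
    return (int)(n + 2);
}

int main(void)
{
    uint8_t buf[256];
    int len;

    len = encode_as_string(ATTR_EAP_MESSAGE, sample_value, buf, sizeof buf);
    printf("as string: attribute length %d, first value byte 0x%02x ('%c')\n",
           len, buf[2], buf[2]);
    len = encode_as_octets(ATTR_EAP_MESSAGE, sample_value, buf, sizeof buf);
    printf("as octets: attribute length %d, first value byte 0x%02x\n",
           len, buf[2]);
    return 0;
}
```

Only the octets form reproduces the `t:EAP-Message(79) l:12` attribute seen in Frame 14; the string form carries the 22 ASCII characters of the text instead of the 10-byte EAP packet.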





EAP/TLS

2002-11-15 Thread Ynjiun P. Wang
Now I have full captured logs (ethereal(0.9.3), freeradius(snapshot10282002) and 
AP350(v.12T)) regarding the problem of:
"rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: Invalid ACK received
   modcall[authenticate]: module "eap" returns invalid"

Could you please take a look to see if there is any obvious blunder? Thanks.

/Ethereal (0.9.3) capture: ***/

Frame 14 (191 on wire, 191 captured)
Arrival Time: Nov 15, 2002 13:44:03.415674000
Time delta from previous packet: 1.267728000 seconds
Time relative to first packet: 19.405991000 seconds
Frame Number: 14
Packet Length: 191 bytes
Capture Length: 191 bytes
Ethernet II
Destination: 00:c0:9f:05:12:a6 (curve.esignx.com)
Source: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Type: IP (0x0800)
Internet Protocol, Src Addr: ip204.aec-1.sfo.interquest.net (66.135.138.204), Dst 
Addr: curve.esignx.com
(66.135.138.207)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 177
Identification: 0x3981
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: UDP (0x11)
Header checksum: 0xa711 (correct)
Source: ip204.aec-1.sfo.interquest.net (66.135.138.204)
Destination: curve.esignx.com (66.135.138.207)
User Datagram Protocol, Src Port: 22563 (22563), Dst Port: radius (1812)
Source port: 22563 (22563)
Destination port: radius (1812)
Length: 157
Checksum: 0x50c2 (correct)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x4d (77)
Length: 149
Authenticator
Attribute value pairs
t:User Name(1) l:7, Value:"kevin"
t:Vendor Specific(26) l:20, Vendor:Cisco, Type:Cisco AV Pair, Len:12 
Value:"ssid=tsunami"
t:NAS IP Address(4) l:6, Value:192.168.0.8
t:Called Station Id(30) l:14, Value:"004096495de0"
t:Calling Station Id(31) l:14, Value:"0006250baad2"
t:NAS identifier(32) l:14, Value:"AP350-495de0"
t:NAS Port(5) l:6, Value:37
t:Framed MTU(12) l:6, Value:1400
t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11
t:Service Type(6) l:6, Value:Login
t:EAP-Message(79) l:12
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 10
Type: Identity [RFC2284] (1)
Identity (5 bytes): kevin
t:Message Authenticator(80) l:18, Value:"ÃN»k~\147¦íÂÁ,c\144Èí\025"

Frame 15 (126 on wire, 126 captured)
Arrival Time: Nov 15, 2002 13:44:03.417986000
Time delta from previous packet: 0.002312000 seconds
Time relative to first packet: 19.408303000 seconds
Frame Number: 15
Packet Length: 126 bytes
Capture Length: 126 bytes
Ethernet II
Destination: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Source: 00:c0:9f:05:12:a6 (curve.esignx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: curve.esignx.com (66.135.138.207), Dst Addr: 
ip204.aec-1.sfo.interquest.net
(66.135.138.204)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 112
Identification: 0x
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x9fd3 (correct)
Source: curve.esignx.com (66.135.138.207)
Destination: ip204.aec-1.sfo.interquest.net (66.135.138.204)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 22563 (22563)
Source port: radius (1812)
Destination port: 22563 (22563)
Length: 92
Checksum: 0x0f31 (correct)
Radius Protocol
Code: Access challenge (11)
Packet identifier: 0x4d (77)
Length: 84
Authenticator
Attribute value pairs
t:EAP-Message(79) l:8
Extensible Authentication Protocol
Code: Request (1)
Id: 3
Length: 6
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x20): Start
t:Message Authenticator(80) l:18, Value:"ÈÂt\001ç\143¡G¥¶\148\128âJ/?"
t:State(24) l:38, 
Value:"\005\023\017b\019\013jy\145\153îx1P'£jÕ=ºZ^#\013´ýMõÚkFF\007Ró"

Frame 17 (299 on wire, 299 captured)
Arrival Time: Nov 15, 2002 13:44:03.789273000
Time delta from previous packet: 0.106425000 seconds
Time relative to first packet: 19.77959 seconds
Frame Number: 17
Packet Length: 299 bytes
Capture Length: 299 byt

Re: customized attribute to be returned in radius response

2002-11-15 Thread Chris Parker
At 04:02 PM 11/15/2002 -0500, Gloria Chung wrote:

> Hi all,
> I need to add some additional, customized attributes to my radius response 
> from the server.  What do I need to do?
>
> Here's what I've tried:
> 1) add my attribute in the dictionary under the Non-Protocol Attributes 
> section of the 'dictionary' file. (also tried the section labelled "These 
> attributes CAN go in the reply item list." where Fall-Through and 
> Exec-Program are).

The Non-Protocol Attributes cannot be sent over the wire ( IE, in a packet
to another Radius server/client ).  They are used only internally by the
server in determining how to handle a request.

If you need it to be sent over the wire, you will want to add this as
a Vendor-Specific Attribute.  Adding it to the 'dictionary.freeradius'
is probably your best bet.  Note that wherever you are sending the
attribute to will need to have a similar entry in its dictionary
configuration.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: radiusd no run

2002-11-15 Thread Chris Parker
At 03:33 PM 11/15/2002 -0500, maximo wrote:

> I install binutils on /usr/local, because is more difficult download and 
> compile  ggc-3.2 that binutils
> you know if  that is correct.

That will let you compile it, which it appears has worked for you now.

The problem is that when 'radiusd' starts, it needs to link together
the various rlm_foobar.so files which contain the compiled code for
each module.

The server is smart enough to only link together the modules that you
specify in your 'radiusd.conf' file.  If a module is named in any of
the authorize{}, authenticate{}, accounting{}, etc. blocks at the end of
the 'radiusd.conf' file then the server will attempt to link them.  If
you remove or comment out those entries, then the server will not
attempt to link them.

Short answer, remove the 'rlm_pap' entry from the authenticate and
authorize sections of your 'radiusd.conf', if you do not want to use
the module.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: radutmp

2002-11-15 Thread Remus Anca
>  The accounting messages get logged in radutmp,

>  The debug output you posted showed that you were only getting logout
>accounting messages.  So there will ALWAYS be nothing in radutmp, as
>you never got login messages!

>  Alan DeKok.
  
thanks.
i said i'm very newbie... now it's work fine.






customized attribute to be returned in radius response

2002-11-15 Thread Gloria Chung
Hi all,
I need to add some additional, customized attributes to my radius 
response from the server.  What do I need to do?

Here's what I've tried:
1) add my attribute in the dictionary under the Non-Protocol Attributes 
section of the 'dictionary' file. (also tried the section labelled 
"These attributes CAN go in the reply item list." where Fall-Through and 
Exec-Program are).

2) add the attribute and a value with op '=' in the radgroupreply table. 
(also tried radreply)

Any help will be appreciated.

Thanks in advance,
Gloria




Re: radiusd no run

2002-11-15 Thread maximo
I install binutils on /usr/local, because is more difficult download and 
compile  ggc-3.2 that binutils
you know if  that is correct.



RE: EAP/TLS

2002-11-15 Thread Ynjiun P. Wang
Oops, please ignore the previous email. (I clicked the SEND key before I finished..., 
sorry)

>just look in the Ken Roser FAQ, you have the complete exchange logs
>there, in ethereal, in cisco diag and freeradius debug formats

Below is what I captured from the Cisco AP350. It looks like, after the server 
sending the certificate to the client, the server somehow rejected the response 
from the client, as you can see at the end...


2002/11/15 10:51:58 (Info): Station 0006250baad2 Authenticated

2002/11/15 10:51:58 (Info): Station 0006250baad2 Associated
RADIUS: Sending EAP-Request/Identity(id=195) packet to client 0006250baad2
EAP: Received EAPOL-Start from client 0006250baad2
RADIUS: Sending EAP-Request/Identity(id=196) packet to client 0006250baad2
EAP: Received EAP-Response/Identity(id=196) packet from client 0006250baad2
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0006250baad2
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Sending EAP-Request/EAP-TLS(id=197) packet to client 0006250baad2
EAP: Received EAP-Response/EAP-TLS(id=197) packet from client 0006250baad2
EAP: Forwarding packet to RADIUS server

Re: Comments on the release of 0.8, ASAP

2002-11-15 Thread Alan DeKok
Matt Garretson <[EMAIL PROTECTED]> wrote:
> Thanks for the update.  Speaking of trojaned source releases,
> i was wondering if it might a good idea to start providing
> signatures, or at least checksums, for freeradius packages.
> Would that make sense?  Ever since sendmail was trojaned,
> i've been more paranoid about such things...

  I'll see if I can sign the later releases, and put my PGP key
somewhere where people can find it.

  Alan DeKok.




EAP/TLS

2002-11-15 Thread Ynjiun P. Wang
>just look in the Ken Roser FAQ, you have the complete exchange logs
>there, in ethereal, in cisco diag and freeradius debug formats

Below is what I captured from Cisco AP350.


2002/11/15 10:51:58 (Info): Station 0006250baad2 Authenticated

2002/11/15 10:51:58 (Info): Station 0006250baad2 Associated
RADIUS: Sending EAP-Request/Identity(id=195) packet to client 0006250baad2
EAP: Received EAPOL-Start from client 0006250baad2
RADIUS: Sending EAP-Request/Identity(id=196) packet to client 0006250baad2
EAP: Received EAP-Response/Identity(id=196) packet from client 0006250baad2
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0006250baad2
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Sending EAP-Request/EAP-TLS(id=197) packet to client 0006250baad2
EAP: Received EAP-Response/EAP-TLS(id=197) packet from client 0006250baad2
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0006250baad2

Re: Comments on the release of 0.8, ASAP

2002-11-15 Thread Matt Garretson
issues with tcpdump.org.  The site was trojaned, 


Thanks for the update.  Speaking of trojaned source releases,
i was wondering if it might a good idea to start providing
signatures, or at least checksums, for freeradius packages.
Would that make sense?  Ever since sendmail was trojaned,
i've been more paranoid about such things...

-Matt




Re: radiusd no run

2002-11-15 Thread Alan DeKok
maximo <[EMAIL PROTECTED]> wrote:
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/freeradius/lib
> radiusd.conf[1046] Failed to link to module 'rlm_pap': file not found
> 
> I need authenticate and authorizate whit ldap only

  http://mail.gnu.org/pipermail/octal-dev/2000-May/000100.html

  Alan DeKok.




Re: Problems with configuration on lib rlm_expr

2002-11-15 Thread Chris Brotsos
At 01:32 PM 11/15/2002 -0500, you wrote:

> my rlm_*  libraries are in /usr/local/freeradius/lib directory
>
> the variable  LD_LIBRARY_PATH  no defined
> but I define it,  LD_LIBRARY_PATH=/usr/local/freeradius/lib,
>
> and problem continue.


On LINUX and Solaris, if I have the correct library path specified in my 
environment and specify the incorrect path in radiusd.conf, my libraries 
are still found. Maybe your permissions are incorrect. Are all of the 
correct libraries in your libdir (i.e. .la, .a, and .so)? Make sure that 
none of them are in /usr/local/lib or some other directory that is not 
mentioned in your LD_LIBRARY_PATH

Regards,

Chris





Re: radiusd no run

2002-11-15 Thread Chris Parker
At 02:34 PM 11/15/2002 -0500, maximo wrote:

> radiusd:  entering modules setup
> Module: Library search path is /usr/local/freeradius/lib
> radiusd.conf[1046] Failed to link to module 'rlm_pap': file not found
>
> I need authenticate and authorizate whit ldap only


See the previous answers which tell you how to solve your problem.  Posting
it again without following that advice won't solve anything.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





radiusd no run

2002-11-15 Thread maximo
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
radiusd.conf[1046] Failed to link to module 'rlm_pap': file not found

I need authenticate and authorizate whit ldap only






Re: please Help debug this error

2002-11-15 Thread Kevin Bonner
On Friday 15 November 2002 04:15, Gian-Carlo Baldarelli wrote:
> |  1 | rexsitt   | User-Password | hp3ehp3  | NULL |

Have you searched the mailing list archives for people using NULL in the op 
field?  Have you also looked at some of the responses those people received?  
The answer is there, but if you can't find it, ask yourself if you would put 
this in your users file:

rexsitt User-Password NULL "hp3ehp3"
[ ... Reply Items ... ]

Kevin




Re: Problems with configuration on lib rlm_expr

2002-11-15 Thread maximo
my rlm_*  libraries are in /usr/local/freeradius/lib directory

the variable  LD_LIBRARY_PATH  no defined
but I define it,  LD_LIBRARY_PATH=/usr/local/freeradius/lib,

and problem continue.



Re: Problems with configuration on lib rlm_expr

2002-11-15 Thread Chris Brotsos
At 12:58 PM 11/15/2002 -0500, you wrote:

> I  delete it but:
>
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/freeradius/lib
> radiusd.conf[485] Failed to link to module 'rlm_pap': file not found
>
> the problem now is with pap, I need authenticate and authorizate whit ldap 
> only
> I configure freeradius wihtout parameters (./configure ), is good?

Exactly, it moved to the next module. It seems that you *told* FR to look 
in /usr/local/freeradius/lib for your libraries. I'm guessing that they are 
not there. Instead, they are probably in /usr/local/lib or a more standard 
library directory (because you configure freeradius w/out parameters). Have 
you checked your LD_LIBRARY_PATH? Find out where the libraries are 
installed, find out where you are telling FR to look, and correct that mistake.


Regards,

Chris





Re: Problems with configuration on lib rlm_expr

2002-11-15 Thread maximo
I  delete it but:

radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
radiusd.conf[485] Failed to link to module 'rlm_pap': file not found

the problem now is with pap, I need to authenticate and authorize with
ldap only
I configure freeradius without parameters (./configure ), is good?




Brian Johnson wrote:

> Is the "rlm_expr" module located at the location
> "/usr/local/freeradius/lib/rlm_expr"?
>
> If not, and you do not need it, then remove it from your radiusd.conf
> file. Otherwise, find it and put it in the required lib directory.
>
> :)
>
> Brian J.
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:freeradius-users-admin@;lists.cistron.nl] On Behalf Of maximo
> > Sent: Friday, November 15, 2002 11:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: Problems with configuration on lib rlm_expr
> >
> > it's error
> >
> > radiusd:  entering modules setup
> > Module: Library search path is /usr/local/freeradius/lib
> > radiusd.conf[1046] Failed to link to module 'rlm_expr': file not found
> >
> > i don't understand why configuring this module



RE: Problems with configuration on lib rlm_expr

2002-11-15 Thread Brian Johnson
Is the "rlm_expr" module located at the location
"/usr/local/freeradius/lib/rlm_expr"?

If not, and you do not need it, then remove it from your radiusd.conf
file. Otherwise, find it and put it in the required lib directory.

:)

Brian J.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:freeradius-users-admin@;lists.cistron.nl] On Behalf Of maximo
> Sent: Friday, November 15, 2002 11:32 AM
> To: [EMAIL PROTECTED]
> Subject: Problems with configuration on lib rlm_expr
> 
> 
> it's error
> 
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/freeradius/lib
> radiusd.conf[1046] Failed to link to module 'rlm_expr': file not found
> 
> i don't understand why configuring this module



Problems with configuration on lib rlm_expr

2002-11-15 Thread maximo
it's error

radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
radiusd.conf[1046] Failed to link to module 'rlm_expr': file not found

i don't understand why configuring this module





Comments on the release of 0.8, ASAP

2002-11-15 Thread Alan DeKok
  The release of 0.8 has been "real soon now" for a week or so.  That
gave us time to add in a few last-minute fixes.

  Unfortunately, I was side-tracked this week for a few days, due to
issues with tcpdump.org.  The site was trojaned, the administrator was
out of the country, and I was the only one with keys.  So I spent some
time side-tracked from FreeRADIUS.


  I expect to have more time now.  So for the developers: Please hold
off adding any new features.  For the users, please be patient, and
0.8 will be released as soon as the panic around me calms down.

  Alan DeKok.





Re: implementing a new EAP type

2002-11-15 Thread Dave Mason
Oops - My last reply was full of html.  I meant to ask where you can get a Linux Radius client that can send EAP messages.  (If there isn't one, I can study the rlm_eap code and see what I can do with radclient.c.)  Also, I downloaded yesterday's 11/14 CVS snapshot, and will keep my eye out for new releases.

Thanks,
Dave

Alan DeKok <[EMAIL PROTECTED]> wrote:

> Dave Mason <[EMAIL PROTECTED]> wrote:
>
> > I have a couple of questions about adding a new EAP module to
> > freeRadius.  I have version 0.7.1.
>
>  *Please* don't add new code to 0.7.1.  Use the latest CVS head,
> instead.
>
>  Why?  No one is developing new things for 0.7.1.  The latest CVS
> head has many bug fixes and new features, which will probably simplify
> your work in adding a new feature.
>
> > 1. Easy one first: Does anybody know how to send the EAP-Message
> > attribute with radclient?
>
>  You can't.  radclient doesn't understand EAP, so it doesn't know how
> to pack things into an EAP-Message attribute.
>
>  You'll have to look at the source for rlm_eap, to discover how to do
> this.  That code *may* be packaged into lib/radius.c, but I'm not sure
> it's a good idea.
>
> > 2. More specifically, I'm implementing EAP-SIM, which negotiates some
> > challenges with the client.  All I've seen about how to do this is the
> > IMPLEMENTATION section in the doc/eap file, which is rather brief.  Any
> > details or pointers to info about how to do this will help a lot.  In
> > particular, how do you maintain the session state between challenges?
>
>  That's up to the EAP module, which does some magic internally...
>
>  Alan DeKok.


error when trying install Certificate on windowsXP for eap-tls

2002-11-15 Thread david tran
Hi Everyone,
I've followed Raymond McKay's EAP-TLS for FreeRadius step-by-step at
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

The documentation is excellent and highly recommended for anyone who
would like to set up EAP-TLS with a freeradius server.  However, I've
run into a minor problem.

When I tried to install the certificate that I created on the Linux
machine onto the Windows XP (SP1) machine, I am getting an error that
my password is not correct.  Here are the steps that I used to create
the certificate on the Linux server (by running CA.root, CA.svr mail,
CA.clt winXP), where mail is the name of the Linux server and winXP is
the name of the Windows XP SP1 machine:

[root@mail ssl]# pwd
/usr/local/openssl-certgen/ssl
[root@mail ssl]# ls
CA.clt   CA.svr  demoCA  man   openssl.cnf  
private
CA.root  certs   lib misc  openssl.cnf.orig 
xpextensions
[root@mail ssl]# CA.root
*
Creating self-signed private key and certificate
When prompted override the default value for the
Common Name field
*

Generating a 1024 bit RSA private key
...++
...++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that
will be incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some
blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [US]:
State or Province Name (full name) [Virginia]:
Locality Name (eg, city) [Herndon]:
Organization Name (eg, company) [micronetsolution]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [Micronetsolution Wireless
Network]:
Email Address [[EMAIL PROTECTED]]:
*
Creating a new CA hierarchy (used later by the ca
command) with the certificate
and private key created in the last step
*

*
Creating ROOT CA
*

MAC verified OK
[root@mail ssl]# CA.svr mail
*
Creating server private key and certificate
When prompted enter the server name in the Common Name
field.
*

Generating a 1024 bit RSA private key
++
.++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that
will be incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some
blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [US]:
State or Province Name (full name) [Virginia]:
Locality Name (eg, city) [Herndon]:
Organization Name (eg, company) [micronetsolution]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [Micronetsolution Wireless
Network]:mail
Email Address [[EMAIL PROTECTED]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from
/usr/local/openssl-certgen/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 15 04:36:56 2002 GMT
Not After : Nov 15 04:36:56 2003 GMT
Subject:
countryName   = US
stateOrProvinceName   = Virginia
localityName  = Herndon
organizationName  =
micronetsolution
commonName= mail
emailAddress  =
[EMAIL PROTECTED]
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Nov 15 04:36:56
2003 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit?
[y/n]y
Write out database with 1 new entries
Data Base Updated
MAC verified OK
[root@mail ssl]# CA.clt winXP
*
Creating client private key and certificate
When prompted enter the client name in the Common Name
field. This is the same
 used as the Username in FreeRADIUS
***

Re: CISCO LEAP

2002-11-15 Thread Jeremy Salch
On Thursday 14 November 2002 01:04 am, Lars Viklund wrote:
> On Wed, 2002-11-13 at 16:06, Jeremy Salch wrote:
> > On Wednesday 13 November 2002 06:52 pm, Mike Paneth wrote:
> > > We are about to setup a wireless network based on CISCO 1200 APs and
> > > need to control access.
> > >
> > > Does anyone know how to get Freeradius working with CISCO LEAP?
> >
> > It can't.
>
> Not yet anyway.
>
> > LEAP is a Cisco Proprietary EAP type to cisco..
>
> Yes.
>
> > you'll have to shell out the cash for this one.
>
> I don't think that's necessarily true. Someone just have to write a
> FreeRADIUS module for it. There are public descriptions of the protocol
> (http://www.missl.cs.umd.edu/wireless/ethereal/leap.txt) and it doesn't
> seem hard to implement.
>

At the moment it is, but I would love to see it in FreeRadius :-)




-- 
http://tblx.net





Re: Telnet auth against Cisco Router

2002-11-15 Thread Vincent_Giovannone
Looks like you're trying to bring over a users file from a different 
radius server.  Here's what a working entry looks like:

"someuser" Auth-Type := Local, Password == "userpassword", NAS-IP-Address==127.0.0.3
   Reply-Message = "[myserver] Howdy!",
   cisco-avpair = "shell:priv-lvl=1"

Obviously, that example also is good for ONLY nas 127.0.0.3, but it should 
give you a running start.

(You should leave that cisco-avpair in there; if you don't have it, you 
can crash Catalyst 5000 series switches running radius on login.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around."-- 
Simon Travaglia





Thomas Linden <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/15/2002 05:47 AM
Please respond to freeradius-users

 
To: [EMAIL PROTECTED]
cc: 
Subject:Telnet auth against Cisco Router


Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against
the radius server. So far, I've got them talking together, but
the radius rejects my auth request.

here is the entry of my users file:

DEFAULT  Auth-Type := Local
 Fall-Through = 1

scip
 Auth-Type = Local,
 User-Password = "sack",
 Service-Type = Login-User,
 Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like,
 the password has to be in the users file).


Now if I telnet to the cisco, the radius server (started
with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, 
length=106
User-Name = "scip"
User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
NAS-Port = 3
Cisco-AVPair = "interface=tty3"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.***.***"
Service-Type = Login-User
NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm NULL for User-Name = "scip"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 215
users: Matched scip at 218
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from 
client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 
192.168.***.***)


Here is, what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask "Username: "
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask "Password: "
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, 
Access-Request, len 106
20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 
3A 5E 8D
20:54:09: RADIUS:  User-Name   [1]   6   "scip"
20:54:09: RADIUS:  User-Password   [2]   18  *
20:54:09: RADIUS:  NAS-Port[5]   6   3 
20:54:09: RADIUS:  Vendor, Cisco   [26]  22 
20:54:09: RADIUS:   Cisco AVpair   [1]   16  "interface=tty3"
20:54:09: RADIUS:  NAS-Port-Type   [61]  6   Virtual [5]
bb03#
20:54:09: RADIUS:  Calling-Station-Id  [31]  16  "192.168.***.***"
20:54:09: RADIUS:  Service-Type[6]   6   Login [1]
20:54:09: RADIUS:  NAS-IP-Address  [4]   6   192.168.yyy.yyy  
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, 
len 20
20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 
08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE


 
my question: how can I get freeradius to let me telnet into the
cisco router? why does it claim that there is no password set,
although it's defined in the users file?


thanks in advance,

Tom

-- 
Thomas Linden <[EMAIL PROTECTED]>,  I Z B  Informatik-Zentrum
Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing
OE532 Tel:089/2171-27998, Fax:089/2171-27995,  http://www.izb.de




Re: can not compile freeradius-07 on solaris 7

2002-11-15 Thread maximo
thank you very much, this error was corrected.

Simon White wrote:

> 14-Nov-02 at 14:06, j p ([EMAIL PROTECTED]) wrote :
>
> > It's the error:
> >
> > /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 860: error: unknown opcode ".subsection"
> > /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 860: error: statement syntax
> > /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 869: error: unknown opcode ".previous"
> > /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 869: error: statement syntax
> > make[4]: *** [print.o] Error 1
>
> Solaris as can be funny; I have seen evidence of this elsewhere. Have
> you tried gcc/gas in place of cc/as?


Re: users file causes error

2002-11-15 Thread Marcin Groszek
Copy and paste users files around line 154.


Simon White wrote:

> 15-Nov-02 at 12:01, Alex Zhang ([EMAIL PROTECTED]) wrote :
> > Hi,
> > FR 0.7.1
> > SuSE linux 7.3
> > Oracle DB 9i R2
> >
> > When I use 'radiusd start', it reports:
> >
> > radiusd: Unexpected character `:' (0x3a)
> > radiusd: /etc/raddb/users[154]: Parse error (check) for entry DEFAULT
> >
> > Why?
>
> It can't parse the users file, line 154.
>
> --
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

--
Best Regards: Marcin Groszek
Http://www.hostplus.net
Where we offer:
Server Co-location, Web Site Hosting and Internet Access.







Re: users file causes error

2002-11-15 Thread Simon White
15-Nov-02 at 12:01, Alex Zhang ([EMAIL PROTECTED]) wrote :
> Hi,
> FR 0.7.1
> SuSE linux 7.3
> Oracle DB 9i R2
> 
> When I use 'radiusd start', it reports:
> 
> radiusd: Unexpected character `:' (0x3a)
> radiusd: /etc/raddb/users[154]: Parse error (check) for entry DEFAULT
> 
> Why?

It can't parse the users file, line 154.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: can not compile freeradius-07 on solaris 7

2002-11-15 Thread Simon White
14-Nov-02 at 14:06, j p ([EMAIL PROTECTED]) wrote :
> It's the error:
> 
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 860: error: unknown opcode ".subsection"
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 860: error: statement syntax
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 869: error: unknown opcode ".previous"
> /usr/ccs/bin/as: "/var/tmp/ccFWncKj.s", line 869: error: statement syntax
> make[4]: *** [print.o] Error 1

Solaris as can be funny; I have seen evidence of this elsewhere. Have
you tried gcc/gas in place of cc/as?

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




EAP/TLS config-Diffie-Hellman agreement

2002-11-15 Thread Nikhil Chauhan
Hi:
I'm trying to configure EAP/TLS between FreeRADIUS and a Linux client. I'm
referring to the HOWTO (by Adam Sulmicki : http://www.missl.cs.umd.edu/wireless/eaptls)
 
The section of configuring FreeRADIUS talks about editing radiusd.conf to reflect
the file used by Diffie-Hellman key agreement. If I understand it correctly, 
Diffie-Hellman agreement is a complete standard. What file is being referred to
here?
 
Thanks & Regards,
Nikhil.

Re: Telnet auth against Cisco Router

2002-11-15 Thread Gbenga
--- Thomas Linden <[EMAIL PROTECTED]> wrote:
> Hello folks,
> 
> I successfully installed the freeradius server
> (version 0.7.1).
> 
> I configured a cisco router for authenticating
> telnet access against
> the radius server. So far, I've got them talking
> together, but
> the radius rejects my auth request.
> 
> here is the entry of my users file:
> 
> DEFAULT   Auth-Type := Local
>   Fall-Through = 1
> 
> scip
>   Auth-Type = Local,
>   User-Password = "sack",
>   Service-Type = Login-User,
>   Login-Service = Telnet
> 
> (that means, I don't want to use /etc/passwd or the
> like,
>  the password has to be in the users file).
> 
> 
> Now if I telnet to the cisco, the radius server
> (started
> with -X) states:
> 
> rad_recv: Access-Request packet from host
> 192.168.yyy.yyy:1645, id=39, length=106
> User-Name = "scip"
> User-Password =
> "\313\336\337\231:\335$2\241_\242\252\326\333W"
> NAS-Port = 3
> Cisco-AVPair = "interface=tty3"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "192.168.***.***"
> Service-Type = Login-User
> NAS-IP-Address = 192.168.yyy.yyy
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password
> attribute in request
>   modcall[authorize]: module "chap" returns noop
> rlm_realm: Looking up realm NULL for User-Name =
> "scip"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 215
> users: Matched scip at 218
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: No password configured for the user
> Login incorrect (No password configured for the
Of course you do not have a password configured for the
user. "User-Password" is a radcheck item and should go
on the same line as the username.

> user): [scip/sack] (from client routers port 3 cli
> 192.168.***.***)
> auth: Failed to validate the user.
> Login incorrect: [scip/sack] (from client routers
> port 3 cli 192.168.***.***)
> 
> 
> Here is, what I see on the cisco side:
> 
> 20:54:06: RADIUS/ENCODE(0024): ask "Username: "
> 20:54:06: RADIUS/ENCODE(0024): send packet;
> GET_USER
> bb03#
> 20:54:08: RADIUS/ENCODE(0024): ask "Password: "
> 20:54:08: RADIUS/ENCODE(0024): send packet;
> GET_PASSWORD
> 20:54:09: RADIUS/ENCODE(0024): acct_session_id:
> 36
> 20:54:09: RADIUS(0024): sending
> 20:54:09: RADIUS: Send to unknown id 40
> 192.168.xxx.xxx:1812, Access-Request, len 106
> 20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF
> 3B 96 - 39 73 88 10 E1 3A 5E 8D
> 20:54:09: RADIUS:  User-Name   [1]   6  
> "scip"
> 20:54:09: RADIUS:  User-Password   [2]   18  *
> 20:54:09: RADIUS:  NAS-Port[5]   6   3  
>   
> 20:54:09: RADIUS:  Vendor, Cisco   [26]  22  
> 20:54:09: RADIUS:   Cisco AVpair   [1]   16 
> "interface=tty3"
> 20:54:09: RADIUS:  NAS-Port-Type   [61]  6  
> Virtual   [5]
> bb03#
> 20:54:09: RADIUS:  Calling-Station-Id  [31]  16 
> "192.168.***.***"
> 20:54:09: RADIUS:  Service-Type[6]   6  
> Login [1]
> 20:54:09: RADIUS:  NAS-IP-Address  [4]   6  
> 192.168.yyy.yyy 
> bb03#
> 20:54:11: RADIUS: Received from id 40
> 192.168.xxx.xxx:1812, Access-Reject, len 20
> 20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D
> 00 B0 - DF BD 52 66 0A 08 C7 02
> 20:54:11: RADIUS: Received from id 24
> 20:54:11: RADIUS/DECODE: parse response short
> packet; IGNORE
> 
> 
>  
> my question: how can I get freeradius to let me
> telnet into the
> cisco router? why does it claim that there is no
> password set,
> although it's defined in the users file?
> 
> 
> thanks in advance,
> 
> Tom
> 
> -- 
> Thomas Linden <[EMAIL PROTECTED]>,  I Z B 
> Informatik-Zentrum
> Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet
> Service Providing
> OE532 Tel:089/2171-27998, Fax:089/2171-27995, 
> http://www.izb.de
> 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
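The two rules raised in this reply (check items belong on the username line) and in Kevin Bonner's reply about the NULL op field (the operator position must hold a real operator), as an added example that is not part of the thread and not FreeRADIUS code: a small linter for users-file entries. The CHECK_ONLY set, the function names and the CORRECTED entry are assumptions of this example; the other sample entries are the ones posted in the thread.

```python
import re
from typing import List, NamedTuple

# Operators accepted in the op position of a users-file item.
VALID_OPS = {"=", ":=", "==", "+=", "!=", ">", ">=", "<", "<=", "=~", "!~", "=*", "!*"}
# Assumption of this example: attributes that only act as check items.
CHECK_ONLY = {"user-password", "password", "auth-type"}


class Finding(NamedTuple):
    line: int
    user: str
    attr: str
    problem: str


_ITEM = re.compile(r'^([A-Za-z][\w-]*)\s*(.*)$')
_OP = re.compile(r'^([:=!<>+~*]+)\s*(.*)$')


def split_items(text: str) -> List[str]:
    """Split a comma-separated item list, ignoring commas inside double quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf).strip())
    return [i for i in items if i]


def parse_item(item: str):
    """Return (attribute, operator, value); operator is whatever sits in the op position."""
    m = _ITEM.match(item)
    if not m:
        return item, "", ""
    attr, rest = m.group(1), m.group(2)
    m2 = _OP.match(rest)
    if m2:
        return attr, m2.group(1), m2.group(2)
    parts = rest.split(None, 1)          # e.g. 'NULL "hp3ehp3"'
    op = parts[0] if parts else ""
    val = parts[1] if len(parts) > 1 else ""
    return attr, op, val


def lint_users(text: str) -> List[Finding]:
    """Flag invalid operators and check-only attributes placed on reply lines."""
    findings, user = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        is_reply = raw[0] in ' \t'       # indented lines are reply items
        if is_reply:
            if user is None:
                continue
            items = split_items(raw)
        else:                            # username line: the rest are check items
            parts = raw.split(None, 1)
            user = parts[0].strip('"')
            items = split_items(parts[1]) if len(parts) > 1 else []
        for item in items:
            attr, op, _ = parse_item(item)
            if op not in VALID_OPS:
                findings.append(Finding(lineno, user, attr, f"invalid operator {op!r}"))
            elif is_reply and attr.lower() in CHECK_ONLY:
                findings.append(Finding(lineno, user, attr, "check item placed in reply list"))
    return findings


# Entry as posted in the thread: everything sits on indented (reply) lines.
AS_POSTED = """\
DEFAULT  Auth-Type := Local
 Fall-Through = 1

scip
 Auth-Type = Local,
 User-Password = "sack",
 Service-Type = Login-User,
 Login-Service = Telnet
"""

# Constructed correction: check items moved onto the username line.
CORRECTED = """\
scip  Auth-Type := Local, User-Password == "sack"
 Service-Type = Login-User,
 Login-Service = Telnet
"""

# The line from Kevin Bonner's reply: NULL in the operator position.
NULL_OP = 'rexsitt User-Password NULL "hp3ehp3"\n'

if __name__ == "__main__":
    for name, sample in (("as posted", AS_POSTED), ("corrected", CORRECTED), ("NULL op", NULL_OP)):
        print(name, lint_users(sample))
```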



Re: EAP/TLS

2002-11-15 Thread Artur Hecker

hi


Sorry, I am learning... Could you give me one message sample with ACK is valid? then I could dig it out what's
happening. If you could, please show me how to capture the "message". Thanks.


just look in the Ken Roser FAQ, you have the complete exchange logs 
there, in ethereal, in cisco diag and freeradius debug formats


try ethereal... or before: are you using a cisco 350/340? do you have
the newest firmware? try to update it. you should have anything newer
than 11.21 should be just fine. try using those :eap_diag1_on,
:eap_diag2_on flags


i'm using 11.23T... hope that the 12.00T is stable then.

just connect to your AP by telnet and try :eap_diag1_on ENTER and 
:eap_diag2_on ENTER... see Ken Rosner FAQ.


> my ethereal version is: 0.9.3. Do I need later version?

i have 0.9.4; i don't know if 0.9.3 has the complete EAP support.



ciao
artur



--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Telnet auth against Cisco Router

2002-11-15 Thread Thomas Linden
Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against
the radius server. So far, I've got them talking together, but
the radius rejects my auth request.

here is the entry of my users file:

DEFAULT Auth-Type := Local
Fall-Through = 1

scip
Auth-Type = Local,
User-Password = "sack",
Service-Type = Login-User,
Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like,
 the password has to be in the users file).


Now if I telnet to the cisco, the radius server (started
with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
User-Name = "scip"
User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
NAS-Port = 3
Cisco-AVPair = "interface=tty3"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.***.***"
Service-Type = Login-User
NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm NULL for User-Name = "scip"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 215
users: Matched scip at 218
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from client 
routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)


Here is, what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask "Username: "
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask "Password: "
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
20:54:09: RADIUS:  User-Name   [1]   6   "scip"
20:54:09: RADIUS:  User-Password   [2]   18  *
20:54:09: RADIUS:  NAS-Port[5]   6   3 
20:54:09: RADIUS:  Vendor, Cisco   [26]  22  
20:54:09: RADIUS:   Cisco AVpair   [1]   16  "interface=tty3"
20:54:09: RADIUS:  NAS-Port-Type   [61]  6   Virtual   [5]
bb03#
20:54:09: RADIUS:  Calling-Station-Id  [31]  16  "192.168.***.***"
20:54:09: RADIUS:  Service-Type[6]   6   Login [1]
20:54:09: RADIUS:  NAS-IP-Address  [4]   6   192.168.yyy.yyy 
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE


 
my question: how can I get freeradius to let me telnet into the
cisco router? why does it claim that there is no password set,
although it's defined in the users file?


thanks in advance,

Tom

-- 
Thomas Linden <[EMAIL PROTECTED]>,  I Z B  Informatik-Zentrum
Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing
OE532 Tel:089/2171-27998, Fax:089/2171-27995,  http://www.izb.de




Quintum Tenor Users, Please help

2002-11-15 Thread Alex Zhang



Hi,
I'm working on Quintum Tenor and FreeRadius with 
oracle 9i on SuSE linux 7.3 .
I can't even compile the FR0.7.1, the errors are 
related to 9i oci.h.
can anyone help?
 
Thanks.
Alex Zhang
 
i1, Inc. 
Shanghai86-21-50475656-122


please Help debug this error

2002-11-15 Thread Gian-Carlo Baldarelli
FreeRadius 071
Mysql

--

Users are authenticated but I got this error in the log for each
authentication.

Fri Nov 15 10:01:56 2002 : Error: rlm_sql_authorize: no rows returned from
query (no such user)
Fri Nov 15 10:01:56 2002 : Auth: Login OK: [rexsitt] (from nas easy@1 port
17522 cli 143448807)
--

my config
---
mysql> select * from radcheck;
+----+----------+---------------+---------+------+
| id | UserName | Attribute     | Value   | op   |
+----+----------+---------------+---------+------+
|  1 | rexsitt  | User-Password | hp3ehp3 | NULL |
+----+----------+---------------+---------+------+

mysql> select * from radgroupcheck;
+----+-----------+-----------+--------+------+
| id | GroupName | Attribute | Value  | op   |
+----+-----------+-----------+--------+------+
|  1 | stop      | Auth-Type | reject | :=   |
+----+-----------+-----------+--------+------+

mysql> select * from radgroupreply;
+----+-----------+-----------+-------+------+------+
| id | GroupName | Attribute | Value | op   | prio |
+----+-----------+-----------+-------+------+------+
|  1 | dialin    | Auth-Type | PAP   | NULL |    0 |
+----+-----------+-----------+-------+------+------+
1 row in set (0.00 sec)

mysql> select * from radreply;
Empty set (0.00 sec)


mysql> select * from usergroup;
+----+----------+-----------+
| id | UserName | GroupName |
+----+----------+-----------+
|  1 | ressitt  | dialin    |
+----+----------+-----------+
2 rows in set (0.00 sec)


==


authorize {
preprocess
#chap
#counter
#attr_filter
#eap
suffix
sql
files
}

###
==
# Authentication.
#

authenticate {
#   unix
#   mschap
#   authtype CHAP {
#   chap
#   }
#   authtype PAP {
#   pap
# }
#sql
#
}

#==
accounting {
  detail
sql
  radutmp
}





Re: Unresponsive child

2002-11-15 Thread Kostas Kalevras
On Thu, 14 Nov 2002, Nathan Miller wrote:

> I seem to be having the same issue.. seems to happen randomly about once a
> week on a production server running a simple perl backend for authentication.
>
> snippet of log...
> Thu Nov 14 15:26:38 2002 : Error: WARNING: Unresponsive child (id 65559)
> for request 13464
> Thu Nov 14 15:26:38 2002 : Error: WARNING: Unresponsive child (id 66584)
> for request 13465
> Thu Nov 14 15:26:39 2002 : Error: CHILD: exit on signal (11)
>
> Now this is a production server recently upgraded from v0.3 to
> v0.7.1.  v.0.3 did not crash like this.  As soon as you get those errors
> all instances of radius crash and burn.  Let's just say if a external auth
> process gets stuck, why is the entire radius server bombing and not just
> that thread aborting?  Seems goofy to me.

This is a known bug which has been fixed in the cvs head. Use the latest cvs
snapshots and you should be fine.

>
> At 10:13 AM 10/30/2002 -0500, you wrote:
> >Igor Chen <[EMAIL PROTECTED]> wrote:
> > > The main reason of core dumping was delay after sending request to
> > > database. Trigger on UPDATE became too slow (UPDATE request was handled
> > > ~40 - 60 sec.)
> >
> >   This problem should be addressed in the documentation in flaming
> >letters 10 feet high.  If the back-end database takes more than 5
> >seconds to respond to a request, then the RADIUS server will not be
> >able to authenticate people.
> >
> >   Once the database is broken, the RADIUS server (which depends on the
> >database) can't be any better.
> >
> >   Alan DeKok.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

