Re: Fed up with messenger spam? l nvej6z1jl9q
hi,

> *Warning - your PC is vulnerable to Messenger Spam*
>
> Ever have a window pop up on your screen, offering to sell you some garbage you
> don't need? This is a cruel invasion of your privacy and should
> not be allowed to continue. Here are some facts about unsolicited Messenger
> advertising:
>
> - ISPs and governments are powerless to stop it. There are no laws governing these
> types of messages yet.
> - Messenger Spam is the fastest growing type of unsolicited advertising on the
> Internet today, and has been recorded growing as much as 1500% a
> month.
> - You are not protected! If you haven't received a pop up message through Messenger,
> you are guaranteed to any day now. It is next to impossible
> to trace the senders of such messages
>
> Stop unwanted messenger
> popups forever!

yes, by installing WASTE and using encrypted and verified friends only.
unfortunately the site is down, so no URL right now

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authentication failures after hours of operation
Oliver Graf <[EMAIL PROTECTED]> wrote:
> Is this a good place for the mutex? Or is it better to have some init
> function for the mutex which is called from threads.c?

The best thing to do, as I said before, is to delete the calls to crypt() (and ALL authentication checks) from src/main/auth.c, and fix the code so that the PAP module works.

That will allow the mutex to be in a logical place: the PAP module's data structure.

Alan DeKok.
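The failure mode behind this thread, as an added example (not FreeRADIUS code and not part of any post): crypt() returns a pointer to a static buffer, so a second call can overwrite a result before the first caller has compared it. demo_hash is a constructed stand-in with the same static-buffer behaviour (it is not a real password hash), and results_alias, interleaved_unlocked_check and locked_hash_check are hypothetical names.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by crypt(3) and the stand-in below. */
typedef char *(*hash_fn)(const char *key, const char *salt);

/*
 * Constructed stand-in for crypt(3). NOT a real password hash: it only
 * reproduces the property this thread is about, that every call returns
 * a pointer to the same static buffer and overwrites the previous result.
 * As with crypt(3), the first two characters of `salt` select the salt,
 * so a stored hash can be passed back in as the salt argument.
 */
char *demo_hash(const char *key, const char *salt)
{
    static char buf[32];
    unsigned long h = 5381;
    const char *p;
    int i;

    for (i = 0; i < 2 && salt[i] != '\0'; i++)
        h = h * 33 + (unsigned char)salt[i];
    for (p = key; *p != '\0'; p++)
        h = h * 33 + (unsigned char)*p;
    snprintf(buf, sizeof(buf), "%.2s%08lx", salt, h & 0xffffffffUL);
    return buf;
}

/* Hazard 1: two results held without copying point at the same buffer. */
int results_alias(hash_fn fn)
{
    char *first = fn("alpha", "ab");
    char *second = fn("bravo", "ab");

    /* `first` now reads as the hash of "bravo". */
    return first == second;
}

/*
 * Hazard 2: the interleaving two unlocked threads can produce, replayed
 * in one thread so it is deterministic. Request A hashes, request B
 * hashes, then A compares. Returns 0 on match, 1 on mismatch.
 */
int interleaved_unlocked_check(hash_fn fn,
                               const char *key_a, const char *stored_a,
                               const char *key_b, const char *stored_b)
{
    char *a = fn(key_a, stored_a);      /* request A */

    (void)fn(key_b, stored_b);          /* request B overwrites the buffer */
    return strcmp(stored_a, a) == 0 ? 0 : 1;
}

/* One process-wide lock, statically initialised: no init call to race on. */
static pthread_mutex_t hash_lock = PTHREAD_MUTEX_INITIALIZER;

/*
 * Hash and compare, copying the result out while the lock is held.
 * Returns 0 on match, 1 on mismatch, -1 if hashing failed (the same
 * convention as lrad_crypt_check in the patch posted to this thread).
 * This only helps if every caller of `fn` in the process goes through
 * this function; one direct call elsewhere brings the race back.
 */
int locked_hash_check(hash_fn fn, const char *key, const char *stored)
{
    char copy[128];
    char *out;
    int n = -1;

    pthread_mutex_lock(&hash_lock);
    out = fn(key, stored);
    if (out != NULL)
        n = snprintf(copy, sizeof(copy), "%s", out);
    pthread_mutex_unlock(&hash_lock);

    if (n < 0 || (size_t)n >= sizeof(copy))
        return -1;
    return strcmp(stored, copy) == 0 ? 0 : 1;
}

int main(void)
{
    char alice[32], bob[32];    /* constructed sample stored hashes */

    snprintf(alice, sizeof(alice), "%s", demo_hash("alice-pw", "ab"));
    snprintf(bob, sizeof(bob), "%s", demo_hash("bob-pw", "cd"));

    printf("results alias:          %d\n", results_alias(demo_hash));
    printf("unlocked, interleaved:  %d\n",
           interleaved_unlocked_check(demo_hash, "alice-pw", alice,
                                      "bob-pw", bob));
    printf("locked, right password: %d\n",
           locked_hash_check(demo_hash, "alice-pw", alice));
    printf("locked, wrong password: %d\n",
           locked_hash_check(demo_hash, "not-it", alice));
    return 0;
}
```

The interleaved case rejects a correct password, which is the symptom in the subject line; in real code pass crypt itself as the hash_fn argument.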
Re: FreeRadius - DLINK DWL-900+ - 802.1.X
Pascal PELONI <[EMAIL PROTECTED]> wrote:
> The problem is that when I try to authenticate with my AP & W2K, it doesn't
> work :
>
> # less /var/log/radius.log
> Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/ attribute>] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)

Read the FAQ and the README's.

Read the FAQ and the README's.

Read the FAQ and the README's.

Read the FAQ and the README's.

Did I mention I *really* meant that you should read the FAQ and the README's?

Alan DeKok.
Fed up with messenger spam? l nvej6z1jl9q
*Warning - your PC is vulnerable to Messenger Spam* Ever have a window pop up on your screen, offering to sell you some garbage you don't need? This is a cruel invasion of your privacy and should not be allowed to continue. Here are some facts about unsolicited Messenger advertising: - ISPs and governments are powerless to stop it. There are no laws governing these types of messages yet. - Messenger Spam is the fastest growing type of unsolicited advertising on the Internet today, and has been recorded growing as much as 1500% a month. - You are not protected! If you haven't received a pop up message through Messenger, you are guaranteed to any day now. It is next to impossible to trace the senders of such messages Stop unwanted messenger popups forever! Cease future mailings please - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radtest help
have you tried:-

http://www.mastersoft-group.com/products/dialways_std.asp

as a test client for windows? It proper does the job!

cheers

Rob.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carugati Paul-APC050
Sent: 29 May 2003 20:12
To: [EMAIL PROTECTED]
Subject: radtest help

Is anyone very knowledgeable about the radtest program? I am trying to use it to test auth to radius server and when I pass "Domain/username" it always strips out the "/" character in the packet. Please help!

Thanks,
Paul Carugati
Re: Question about Password_Attribute
On Fri, 30 May 2003 [EMAIL PROTECTED] wrote:

> Hi
>
> > >I really don't understand why you need the password_attribute to not be
> > >userpassword.
>
> >> A user will have
> >>-> a Cisco Password for authentication with Router Cisco
> >>-> a VPN Password for authentication to access VPN
> >>etc
> >> I would want indicate to Radius the specific attribute that he must use
>
> >OK.
> >So what do you mean by password_attribute = sn does not work? From what I can
> >see it should work just fine. Please move this to the freeradius-users list and
> >post a debug log of the server handling an access-request with
> >password_attribute set to sn.
>
> If you have an answer about the fact that I receive an ACCESS-REJECT,
> I take it with joy
>
> Philippe
>
> Here is the log for an access request of user Philippe
>
> Module: Loaded LDAP
> ldap: server = "192.168.1.53"
> ldap: port = 389
> ldap: net_timeout = 1
> ldap: timeout = 4
> ldap: timelimit = 3
> ldap: ldap_cache_timeout = 0
> ldap: ldap_cache_size = 0
> ldap: identity = "cn=Root,dc=e-qual,dc=fr"
> ldap: start_tls = no
> ldap: tls_mode = no
> ldap: password = "poiuyt"
> ldap: basedn = "ou=Users,dc=e-qual,dc=fr"
> ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> ldap: default_profile = "(null)"
> ldap: profile_attribute = "(null)"
> ldap: password_header = "{MD5}"

^^ This is wrong. password_header should not be set

> ldap: password_attribute = "sn"
>
> rad_recv: Access-Request packet from host 192.168.2.92:1222, id=1, length=48
>     User-Name = "philippe"
>     User-Password = "philippe"
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
> modcall[authorize]: module "chap" returns noop
> modcall[authorize]: module "mschap" returns notfound
> rlm_realm: No '@' in User-Name = "philippe", looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
> users: Matched philippe at 218
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok

You don't have the ldap module in the authorize section.

> rad_check_password: Found Auth-Type USERS
> auth: type "USERS"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "philippe" with password "philippe"
> radius_xlat: '(uid=philippe)'
> radius_xlat: 'ou=Users,dc=e-qual,dc=fr'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.1.53:389, authentication 0
> rlm_ldap: bind as cn=Root,dc=e-qual,dc=fr/poiuyt to 192.168.1.53:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in ou=Users,dc=e-qual,dc=fr, with filter (uid=philippe)
> ldap_release_conn: Release Id: 0
> rlm_ldap: user DN: uid=philippe,ou=Users,dc=e-qual,dc=fr
> rlm_ldap: (re)connect to 192.168.1.53:389, authentication 1
> rlm_ldap: bind as uid=philippe,ou=Users,dc=e-qual,dc=fr/philippe to 192.168.1.53:389
> rlm_ldap: waiting for bind result ...
> modcall[authenticate]: module "ldap1" returns reject
> modcall: group authtype returns reject
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [philippe/philippe] (from client testing port 0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request

--
Kostas Kalevras           Network Operations Center
[EMAIL PROTECTED]         National Technical University of Athens, Greece
Work Phone:               +30 210 7721861
'Go back to the shadow'   Gandalf
FreeRadius - DLINK DWL-900+ - 802.1.X
Hello all,

got a small problem with 802.1X authentication.

Here is my config :
- RedHat 7.3
- FreeRADIUS Version 0.8.1
- DLINK DWL-900+ Firmware v2.52 4x
- W2K Client with 802.1X auth
  http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp

Radius config seems to be ok :

# echo "User-Name = aa, User-Password = pp" | radclient 192.168.1.2 auth test

# less /var/log/radius.log
Fri May 30 10:39:30 2003 : Auth: Login OK: [aa/pp] (from client test port 0)

The problem is that when I try to authenticate with my AP & W2K, it doesn't work :

# less /var/log/radius.log
Thu May 29 18:17:07 2003 : Auth: Login incorrect: [aa/] (from client ap-wlan port 0 cli 00-40-05-CB-AD-7C)

This field seems strange ?

Could you please help ?

Thanks,

PP.
Re: authentication failures after hours of operation
On Thu, May 29, 2003 at 03:34:30PM +0200, Oliver Graf wrote: > On Thu, May 29, 2003 at 03:19:59PM +0300, Kostas Kalevras wrote: > > > It now locks while using crypt. This is only good, if this is the only > > > use of crypt. If pap (for example) is also used, it should use the > > > same mutex to lock while doing an crypt (as should do any other > > > freeradius code using crypt). > > > > > > The server seems running und is responsive :) the next hours will show > > > if the problem is fixed with this. > > > > OK, then declare a new function radius_crypt() with a mutex in it, put it > > somewhere in src/lib and change all calls to crypt() to call radius_crypt() > > instead. > > Yep, I had something like this in mind. But now I will fetch me some > beer, fire the barbecue and have a nice Vatertag :) > > I'll write the clean version tomorrow. Ok, here it is. I have now one radiusd with the old version, and one with this version running (both production systems :) ). The function lrad_crypt_check does crypt and check in one, cause the return value of crypt might be a reused string buffer... Is this a good place for the mutex? Or is it better to have some init function for the mutex which is called from threads.c? Oliver. --- src/lib/crypt.c.orig2003-05-30 09:40:29.0 +0200 +++ src/lib/crypt.c 2003-05-30 09:29:16.0 +0200 
@@ -0,0 +1,61 @@ +/* + * a thread-safe crypt wrapper + */ + +#include "libradius.h" +#include +#include +#include + +#if HAVE_PTHREAD_H +#include +#endif + +static int lrad_crypt_init=0; +static pthread_mutex_t lrad_crypt_mutex; + +/* + * initializes authcrypt_mutex + */ + + +/* + * performs a crypt password check in an thread-safe way. + * + * returns: 0 -- check succeeded + * -1 -- failed to crypt + * 1 -- check failed + */ +int lrad_crypt_check(const char *key, const char *crypted) { + char *libc_crypted=NULL, *our_crypted=NULL; + int result=0; + +#if HAVE_PTHREAD_H + if (!lrad_crypt_init == 0) { + pthread_mutex_init(&lrad_crypt_mutex, NULL); + lrad_crypt_init=1; + } + + pthread_mutex_lock(&lrad_crypt_mutex); +#endif + + libc_crypted=crypt(key,crypted); + if (libc_crypted) + our_crypted=strdup(libc_crypted); + +#if HAVE_PTHREAD_H + pthread_mutex_unlock(&lrad_crypt_mutex); +#endif + + if (our_crypted == NULL) + return -1; + + if (strcmp(crypted, our_crypted) == 0) + result = 0; + else + result = 1; + + free(our_crypted); + + return result; +} Index: src/lib/Makefile === RCS file: /source/radiusd/src/lib/Makefile,v retrieving revision 1.14 diff -u -r1.14 Makefile --- src/lib/Makefile3 Mar 2003 19:48:06 - 1.14 +++ src/lib/Makefile30 May 2003 08:03:54 - @@ -3,7 +3,7 @@ SRCS = dict.c print.c radius.c valuepair.c token.c misc.c \ log.c filters.c missing.c md4.c md5.c sha1.c hmac.c \ - snprintf.c isaac.c smbdes.c + snprintf.c isaac.c smbdes.c crypt.c INCLUDES = ../include/radius.h ../include/libradius.h \ ../include/missing.h ../include/autoconf.h Index: src/include/libradius.h === RCS file: /source/radiusd/src/include/libradius.h,v retrieving revision 1.58 diff -u -r1.58 libradius.h --- src/include/libradius.h 21 Apr 2003 20:39:57 - 1.58 +++ src/include/libradius.h 30 May 2003 08:03:54 - 
@@ -298,4 +298,7 @@ const unsigned char *challenge, unsigned char *response); +/* crypt wrapper from crypt.c */ +int lrad_crypt_check(const char *key, const char *crypted); + #endif /*LIBRADIUS_H*/ Index: src/main/auth.c === RCS file: /source/radiusd/src/main/auth.c,v retrieving revision 1.125 diff -u -r1.125 auth.c --- src/main/auth.c 10 Apr 2003 18:09:03 - 1.125 +++ src/main/auth.c 30 May 2003 08:03:55 - @@ -31,10 +31,6 @@ #include #include -#if HAVE_CRYPT_H -# include -#endif - #if HAVE_NETINET_IN_H # include #endif @@ -190,7 +186,6 @@ VALUE_PAIR *password_pair; VALUE_PAIR *auth_item; char string[MAX_STRING_LEN]; - const char *crypted_password; int auth_type = -1; int result; int auth_type_count = 0; @@ -276,16 +271,13 @@ return -1; } - crypted_password = crypt((char *)auth_item->strvalue, -(char *)password_pair->strvalue); - if (!crypted_password) { - rad_authlog("Login incorrect " - "(system failed to supply an encrypted password for comparison)", request, 0); - return -1; -
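Review bot: In the new src/lib/crypt.c, the guard "if (!lrad_crypt_init == 0)" parses as "(!lrad_crypt_init) == 0", which is false while the flag is still 0, so pthread_mutex_init() is never reached and the first pthread_mutex_lock() runs on a mutex that was never initialised. Correcting the test to "lrad_crypt_init == 0" still leaves two threads able to enter the block together and initialise the mutex twice; declaring it as "static pthread_mutex_t lrad_crypt_mutex = PTHREAD_MUTEX_INITIALIZER;" removes both the flag and that race. The two statics also sit outside the "#if HAVE_PTHREAD_H" guard, so pthread_mutex_t is referenced even when the guarded include is skipped; move them inside it. Last, "our_crypted == NULL" returns -1 for a strdup() failure as well as for a crypt() failure, which the comment above the function does not mention.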
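Review bot: The prototype added to src/include/libradius.h is documented only as "crypt wrapper from crypt.c", while the return convention (0 check succeeded, 1 check failed, -1 failed to crypt) lives in crypt.c alone. Repeat it beside the prototype so that callers reading the header do not treat a non-zero result as success.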
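Review bot: The "@@ -276,16 +271,13 @@" hunk in src/main/auth.c removes the branch that logged "system failed to supply an encrypted password for comparison" when crypt() returned NULL, and the replacement lines are cut off in this copy. The new call site should test for -1 from lrad_crypt_check() separately from 1, so that a hashing failure keeps its own log message instead of being reported as a wrong password.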
Question about Password_Attribute
Hi > >I really don't understand why you need the password_attribute to not be > >userpassword. > >> An user will have >> -> a Cisco Password for authentification with Router Cisco >> -> a VPN Password for authentification to access VPN >> etc >> I would want indicate to Radius the specific attribute that he must use >OK. >So what do you mean by password_attribute = sn does not work? From what I >can >see it should work just fine. Please move this to the freeradius-users list >and >post a debug log of the server handling an access-request with >password_attribute set to sn. If you have an answer about the fact that I receive an ACCESS-REJECT, I take it with joy Philippe Here is the log for an access request of user Philippe Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /opt/freeradius-0.8.1/etc/raddb/proxy.conf Config: including file: /opt/freeradius-0.8.1/etc/raddb/clients.conf Config: including file: /opt/freeradius-0.8.1/etc/raddb/snmp.conf Config: including file: /opt/freeradius-0.8.1/etc/raddb/sql.conf main: prefix = "/opt/freeradius-0.8.1" main: localstatedir = "/opt/freeradius-0.8.1/var" main: logdir = "/opt/freeradius-0.8.1/var/log/radius" main: libdir = "/opt/freeradius-0.8.1/lib" main: radacctdir = "/opt/freeradius-0.8.1/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/opt/freeradius-0.8.1/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/opt/freeradius-0.8.1/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/opt/freeradius-0.8.1/sbin/checkrad" main: 
proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: servers_per_realm = 15 security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /opt/freeradius-0.8.1/lib Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: ignore_password = no mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "(null)" unix: group = "/etc/group" unix: radwtmp = "/opt/freeradius-0.8.1/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded LDAP ldap: server = "192.168.1.53" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: ldap_cache_timeout = 0 ldap: ldap_cache_size = 0 ldap: identity = "cn=Root,dc=e-qual,dc=fr" ldap: start_tls = no ldap: tls_mode = no ldap: password = "poiuyt" ldap: basedn = "ou=Users,dc=e-qual,dc=fr" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "{MD5}" ldap: password_attribute = "sn" ldap: access_attr = "dialupAccess" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: 
dictionary_mapping = "/opt/freeradius-0.8.1/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes conns: (nil) rlm_ldap: reading ldap<->radius mappings from file /opt/freeradius-0.8.1/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapp
Possible logic error in Strip-User-Name and groups
Hi.

I've found a possible logic error in freeradius-0.8.1 in that the Group check in the users file doesn't seem to check for the Strip-User-Name function.

# users file
DEFAULT Group == ISDN2, Auth-Type := System, Hint == ISDN2
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-MTU = 1500,
    Framed-Routing = None,
    Port-Limit = 2,
    Ascend-Maximum-Channels = 2,
    Reply-Message = "ISDN2 w/ group and hint"

# ISDN Bonded Channel
DEFAULT Group == ISDN2, Auth-Type := System
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-MTU = 1500,
    Framed-Routing = None,
    Port-Limit = 2,
    Ascend-Maximum-Channels = 2,
    Reply-Message = "ISDN2 w/ group -- no Strip-User-Name"
# end users file

# hints file
DEFAULT Suffix = *I2, Strip-User-Name = Yes
    Hint = "ISDN2"
# end hints file

Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 66.181.128.12:2441, id=148, length=55
    User-Name = "chains*I2"
    User-Password = "***"
    NAS-Port-Type = ISDN
modcall: entering group authorize
hints: Matched DEFAULT at 3
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chains*I2/***] (from client gateway port 0)
rad_lowerpair: Stripped-User-Name now 'chains'
rad_rmspace_pair: Stripped-User-Name now 'chains'
modcall: entering group authorize
hints: Matched DEFAULT at 3
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chains*I2/***] (from client gateway port 0)
Sending Access-Reject of id 148 to 66.181.128.12:2441
Finished request 0
Going to the next request

---8<---8<---

However... user chains is in the ISDN2 group...

Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 66.181.128.12:2450, id=151, length=52
    User-Name = "chains"
    User-Password = "***"
    NAS-Port-Type = ISDN
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
HASH: user chains found in hashtable bucket 26250
HASH: matched user chains in group ISDN2
HASH: user chains found in hashtable bucket 26250
HASH: matched user chains in group ISDN2
users: Matched DEFAULT at 14
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user chains found in hashtable bucket 26250
modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
radius_xlat: 'ISDN2 w/ group -- no Strip-User-Name'
Login OK: [chains] (from client gateway port 0)
Sending Access-Accept of id 151 to 66.181.128.12:2450
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-MTU = 1500
    Framed-Routing = None
    Port-Limit = 2
    Ascend-Maximum-Channels = 2
    Reply-Message = "ISDN2 w/ group -- no Strip-User-Name"
Finished request 0
Going to the next request

---8<---8<---

And if I add the following to my passwd and group files;

/etc/passwd:
chains*I2:!!:5:100:test:/dev/null:/bin/false

/etc/group:
ISDN2::519:chains,chains*I2

... I get the following (please note that the passwd supplied is the one for user "chains");

Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 66.181.128.12:2448, id=149, length=55
    User-Name = "chains*I2"
    User-Password = "***"
    NAS-Port-Type = ISDN
modcall: entering group authorize
hints: Matched DEFAULT at 3
modcall[authorize]: module "preprocess" returns ok
HASH: user chains*I2 found in hashtable bucket 78517
HASH: matched user chains*I2 in group ISDN2
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user chains found in hashtable bucket 26250
modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
radius_xlat: 'ISDN2 w/ group and hint'
Login OK: [chains*I2] (from client gateway port 0)
Sending Access-Accept of id 149 to 66.181.128.12:2448
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-MTU = 1500
    Framed-Routing = None
    Port-Limit = 2
    Ascend-Maximum-Channels = 2
    Rep
Re: Re: EAP-TTLS
Alan DeKok,

Thanks Alan.

Jeson
[EMAIL PROTECTED]
2003-05-30

=== 2003-05-29 09:02:00 You wrote in your message: ===

>"=?GB2312?Q?=CD=F5=D6=BE=D0=C0?=" <[EMAIL PROTECTED]> wrote:
>> Does FreeRADIUS support EAP-TTLS and PEAP?
>
> It's not in the list of features on the web site, so my guess would
>be "no".
>
> Alan DeKok.
subscribe freeradius-users
subscribe freeradius-users -- ThiNK <[EMAIL PROTECTED]> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
subscribe
subscribe -- ThiNK <[EMAIL PROTECTED]> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
XP supplicant requirement
I am using freeradius with xp supplicants. the AP is hostapd.

My wireless connection will be successfully authenticated, with EAPOL key packets accepted and verified. However, the connection will stay on for only 2 minutes, and the EAPOL log on XP logged the following,

[576] 16:40:03: ElTimeoutCallbackRoutine entered
[576] 16:40:03: EAPOL-Key for transmit key received within 5 seconds in AUTHENTICATED state
[576] 16:40:03: ElTimeoutCallbackRoutine completed
[1392] 16:42:00: ElMediaEventsHandler entered
[1392] 16:42:00: ElMediaEventsHandler: Calling ElMediaSenseCallback
[1392] 16:42:00: ElMediaSenseCallback: Entered
[1392] 16:42:00: ElMediaSenseCallbackWorker: For interface (ORiNOCO Wireless LAN PC Card (5 volt)), GUID ({72E13706-B2 D6-4F76-AA2B-D7A8E7A3D871}), length of block = 74
[1392] 16:42:00: ElMediaSenseCallbackWorker: Callback for sense disconnect
[1392] 16:42:00: FSMDisconnected entered for port ORiNOCO Wireless LAN PC Card (5 volt) - Packet Scheduler Miniport
[1392] 16:42:00: Setting state DISCONNECTED for port ORiNOCO Wireless LAN PC Card (5 volt) - Packet Scheduler Miniport
[1392] 16:42:00: FSMDisconnected completed for port ORiNOCO Wireless LAN PC Card (5 volt) - Packet Scheduler Miniport
[1392] 16:42:00: ElMediaSenseCallbackWorker: Port marked disconnected ORiNOCO Wireless LAN PC Card (5 volt)
[1392] 16:42:00: ElMediaSenseCallbackWorker: processed, RetCode = 0

does anyone know what causes the ORiNOCO card to disconnect?

-bin
Re: baystack question
"Kowal, Michael" <[EMAIL PROTECTED]> wrote:
> I run radiusd with debugging and I get the request which has:
> Request IP address
> Request User name
> Request Password
> Service-Type = Administrative-User
>
> Then it says "rlm_chap: Could not find proper Chap-Password attribute in
> request"

So? It also says a lot more than that.

> "Sending Access-Accept id of 17 to Ip-address"

And the rest of the debugging messages will say WHY it's sending an Access-Accept.

> on the switch, it says "Access Denied from Radius"

Then the switch is doing things it's not supposed to.

> I don't think the switch is supposed to use chap. The radius server sees all
> the right attributes, but what is this chap stuff all about?

Read the debugging messages.

Alan DeKok.
Re: All Sockets being used!
Guillermo Schimmel <[EMAIL PROTECTED]> wrote:
> What we would like (this one is for the developers), is that the server
> don't start rejecting the users.

So... what do you propose the server does?

For authentication, if the SQL database is down, the server can do NOTHING but reject the users.

Alan DeKok.
Re: All Sockets being used!
We generally get the same effect when our SQL server gets slow for some reason.

Usually we discover that it has too much load from some queries. It can be a network overload/error issue, check your connectivity. Of course, have your database optimized (indexes, vacuums, etc)

What we would like (this one is for the developers), is that the server don't start rejecting the users. In the case of that events happening, we can recover the logs later from detail files.

Regards
Guillermo

Michael Brininstool wrote:

Several people have reported this error and one received two responses. Both responses said to increase the number of sockets. I tried that over 4 months ago, and we still get this error. Also, once we start getting the error on one radius server, the NAS's switch to using the other radius server and then it will start failing the same way. They never seem to recover until the radius server is killed and restarted. I also cannot seem to set the number of sql "threads" high enough to prevent it.

Any idea what is really happening? We are running radiusd (don't remember how to determine the version) on FreeBSD 4.7 and 5.0. Also, we are using mysql on a third machine. I suspected the mysql for a while, but we cannot find anything wrong with it.

Any ideas?
baystack question
Hi all,

I'm trying to get a baystack BPS switch to authenticate with radiusd. I setup a user name and password and allowed the switch to connect in the clients.conf

I run radiusd with debugging and I get the request which has:
Request IP address
Request User name
Request Password
Service-Type = Administrative-User

Then it says "rlm_chap: Could not find proper Chap-Password attribute in request"
"Sending Access-Accept id of 17 to Ip-address"

on the switch, it says "Access Denied from Radius"

I don't think the switch is supposed to use chap. The radius server sees all the right attributes, but what is this chap stuff all about?

I'd appreciate your help.

Thanks,
mike
radtest help
Is anyone very knowledgeable about the radtest program? I am trying to use it to test auth to radius server and when I pass "Domain/username" it always strips out the "/" character in the packet. Please help!

Thanks,
Paul Carugati
Re: Rlm_sql error
"Jeff Sullivan" <[EMAIL PROTECTED]> wrote:
> This set of errors is showing up exactly every minute.
>
> Thu May 29 15:02:05 2003 : Error: rlm_sql (sql): failed after re-connect
> Thu May 29 15:02:05 2003 : Error: rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR: pg_atoi: zero-length string
>
> Any Help?

The same question was asked and answered yesterday, I believe.

Alan DeKok.
Rlm_sql error
This set of errors is showing up exactly every minute.

Thu May 29 15:02:05 2003 : Error: rlm_sql (sql): failed after re-connect
Thu May 29 15:02:05 2003 : Error: rlm_sql (sql): Couldn't update SQL accounting STOP record - ERROR: pg_atoi: zero-length string

Any Help?

Jeff

_
How many firemen does it take to change a light bulb?
Four. One to change the bulb and 3 to chop a hole in the roof.
Re: Using Freeradius for user authentication and VLAN assignment with Cisco switches
Andreas Oster <[EMAIL PROTECTED]> wrote:
> It wasn't a problem to configure EAP-TLS with freeradius and I already
> use it for client authentication in a wireless system but i had no
> success with switch/port based authentication at a Cisco switch.
>
> I have tried something like this:
>
> ClinetMachineName Auth-Type := EAP
>    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
>    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
>    cisco-avpair= "tunnel-private-group-ID(#81)=Service"

See 'man users'

Use '+='

Alan DeKok.
Using Freeradius for user authentication and VLAN assignment with Cisco switches
Hello,

I am new to this list and would like to know if someone out there has been successful in implementing eap-tls user authentication (win2000/XP) and VLAN assignment with freeradius and Cisco Catalyst switches ?

It wasn't a problem to configure EAP-TLS with freeradius and I already use it for client authentication in a wireless system but i had no success with switch/port based authentication at a Cisco switch.

I have tried something like this:

ClinetMachineName Auth-Type := EAP
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=Service"

but with no success. Any tips ??

thank you in advance.

best regards

Andreas
Re: did you get readhat 9.0 / PAM / Radius working?
I am hoping to have an update today. I will let you know.

Thanks,

> Nope, I am still banging away at it. I just haven't figured out all that
> has changed in RH9..
>
> Anyone else get this working?
>
> Nick
>
> "Eric Ferguson" <[EMAIL PROTECTED]artech.com>
> 05/28/2003 08:36 PM
>
> To: <[EMAIL PROTECTED]>
> cc:
> Subject: did you get readhat 9.0 / PAM / Radius working?
>
> Hi Nick,
>
> I hate to bother you, but I am banging my head against the wall trying
> to get pam_auth_radius.so to work on redhat 9.0 also. Were you able to
> get it working? If you would, could I get the .so file and an example
> of your configuration file?
>
> Thanks,
>
> Eric Ferguson - NNCSE
> 4440 Embassy Drive
> Sykesville, Md. 21784
> phone: 410-876-0585
> cell: 443-677-6119
> email: [EMAIL PROTECTED]
>
> (See attached file: Eric V Ferguson ([EMAIL PROTECTED]).vcf)
RADIUS groups
Hi, I am new to RADIUS. Could someone please tell me if there is a standard way of representing groups of users in RADIUS? From what I have seen, this is implemented with VSAs and they differ from one RADIUS server to another. I would need a way that is the same for all RADIUS servers. The requirements are that I am able to create groups and retrieve a list of groups that a user is a member of. Thanks, Josh Rosen
(no subject)
Question: I have a user who I want to redirect to proxy without his knowledge due to an investigation we are conducting. Is there any easy way to do that? Kevin Kevin Hoffer [EMAIL PROTECTED]
Re: All Sockets being used!
Michael Brininstool <[EMAIL PROTECTED]> wrote:
> Several people have reported this error and one received two responses.
> Both responses said to increase the number of sockets. I tried that
> over 4 months ago, and we still get this error. Also, once we start
> getting the error on one radius server, the NAS's switch to using the other
> radius server and then it will start failing the same way. They never seem
> to recover until the radius server is killed and restarted. I also cannot
> seem to set the number of sql "threads" high enough to prevent it. Any
> idea what is really happening?

First, check that your SQL server is responding within a reasonable time. See 'doc/rlm_sql'.

Otherwise, upgrade to the CVS head. It has fixes.

Alan DeKok.
All Sockets being used!
Several people have reported this error and one received two responses. Both responses said to increase the number of sockets. I tried that over 4 months ago, and we still get this error. Also, once we start getting the error on one radius server, the NAS's switch to using the other radius server and then it will start failing the same way. They never seem to recover until the radius server is killed and restarted. I also cannot seem to set the number of sql "threads" high enough to prevent it. Any idea what is really happening? We are running radiusd (don't remember how to determine the version) on FreeBSD 4.7 and 5.0. Also, we are using mysql on a third machine. I suspected the mysql for a while, but we cannot find anything wrong with it. Any ideas? -- Michael P. Brininstool [EMAIL PROTECTED]
Error: Accounting: logout - message
I keep getting the following entries in my radius.log file and I can't seem to figure out why:

Thu May 29 07:37:30 2003 : Error: Accounting: logout: login entry for NAS 67.2.0.19 port 7955 not found

I use a dialup aggregator that proxies the request to my radius server. Here is my radius -X output along with the connect / disconnect log info. Any help would be greatly appreciated. Thanks.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: ignore_password = no
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 63.110.140.25:4799, id=34, length=165
    Framed-Protocol = PPP
    User-Name = "[EMAIL PROTECTED]"
    CHAP-Password = 0xfa65689fe6bc792c40f3bfc43003ed6567
    Called-Station-Id = "5032190945"
    Calling-Station-Id = "5038850150"
    Cisco-NAS-Port = "Async3/63*Serial7/0:15:16"
    NAS-Port = 7632
    NAS-Port-Type = Async
    Service-Type = Framed-User
    NAS-IP-Address = 67.2.0.19
    Acct-Session-Id = "04527AF6"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Adding Auth-Type = CHAP
modcall[authorize]: module "chap" returns ok
modcall[authorize]: module "mschap" returns notfound
rlm_realm: Looking up realm sterling.net for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm sterling.net
modcall[authorize]: module "suffix" returns noop
users: Matched [EMAIL PROTECTED] at 1
users: Matched
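An added example, not part of the original post and not FreeRADIUS code: a sketch for triaging the "login entry ... not found" error by counting it per NAS and port, then replaying accounting events to see which Stops have no earlier Start. It assumes the session file is keyed by NAS address and port; the function names, the event list and the second log line are constructed for illustration.

```python
import re
from collections import Counter

# Matches the radius.log error quoted in the post.
ORPHAN_RE = re.compile(
    r"Error: Accounting: logout: login entry for NAS (\S+) port (\d+) not found"
)

# First line is the one from the post; the second is constructed filler.
SAMPLE_LOG = [
    "Thu May 29 07:37:30 2003 : Error: Accounting: logout: "
    "login entry for NAS 67.2.0.19 port 7955 not found",
    "Thu May 29 07:40:00 2003 : Info: Ready to process requests.",
]

# Constructed accounting events in arrival order:
# (Acct-Status-Type, NAS-IP-Address, NAS-Port, Acct-Session-Id)
SAMPLE_EVENTS = [
    ("Start", "67.2.0.19", 7632, "04527AF6"),
    ("Stop", "67.2.0.19", 7632, "04527AF6"),  # has a login entry: clean logout
    ("Stop", "67.2.0.19", 7955, "04527B01"),  # its Start never reached this server
    ("Start", "67.2.0.19", 7700, "04527B02"),  # still online
]


def orphan_stops_in_log(lines):
    """Count 'login entry not found' errors per (NAS, port)."""
    hits = Counter()
    for line in lines:
        m = ORPHAN_RE.search(line)
        if m:
            hits[(m.group(1), int(m.group(2)))] += 1
    return hits


def replay(events):
    """Replay events against a session table keyed by (NAS, port).

    Assumption: this mirrors how a utmp-style session file is keyed.
    Returns (sessions still open, Stops that had no matching login entry).
    """
    active, orphans = {}, []
    for status, nas, port, session_id in events:
        key = (nas, port)
        if status == "Start":
            active[key] = session_id
        elif status == "Stop":
            if active.pop(key, None) is None:
                orphans.append((nas, port, session_id))
    return active, orphans


if __name__ == "__main__":
    print(orphan_stops_in_log(SAMPLE_LOG))
    print(replay(SAMPLE_EVENTS))
```

If the orphaned Stops cluster on the NAS behind the aggregator, the first thing to check is whether its Accounting Start packets are reaching this server at all.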
Re: did you get readhat 9.0 / PAM / Radius working?
Nope, I am still banging away at it. I just haven't figured out all that has changed in RH9..

Anyone else get this working?

Nick

"Eric Ferguson" <[EMAIL PROTECTED]artech.com>
05/28/2003 08:36 PM
To: <[EMAIL PROTECTED]>
cc:
Subject: did you get readhat 9.0 / PAM / Radius working?

Hi Nick,

I hate to bother you, but I am banging my head against the wall trying to get pam_auth_radius.so to work on redhat 9.0 also. Were you able to get it working? If you would, could I get the .so file and an example of your configuration file?

Thanks,

Eric Ferguson - NNCSE
4440 Embassy Drive
Sykesville, Md. 21784
phone: 410-876-0585
cell: 443-677-6119
email: [EMAIL PROTECTED]

(See attached file: Eric V Ferguson ([EMAIL PROTECTED]).vcf)
dialup access support
Guys - I know the web front end is now part of the distro, so I'll ask here. For the last few weeks, when I click on the "Online Users" link, I am shown only 1 user online, (for over 360 hours no less). I manually check the ras device (A USRobotics Total Control, with 72 lines) and see 12 ppl (on average) online. I have checked the configs, and see nothing wrong. No changes have been made to this system in over 6 months, other than a major user purge.. Any suggestions on what to look at? Also - What exactly is the "Check Server" link supposed to show me? I click on it and all I get is "(test user radius)" Thanks! Don Click IS Special Projects Manager Metrocall, Inc. Dallas, Texas 972-687-2074