Re: TLS and TTLS
Of course they do: whether they SUPPORT (act as a pass-through device for) these auth schemes or not. I KNOW they have nothing to do with the actual auth beside that fact, but you can't use EAP-TLS or TTLS with just any old AP, now can you? Such nitpicking.

Quoting Artur Hecker <[EMAIL PROTECTED]>:

> hardly ever.
>
> the APs have NOTHING to do with neither TTLS nor TLS.
>
> ciao
> artur
>
> Michael Brown wrote:
>
> > I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
> > product that does TTLS. That is most likely your problem.
> >
> > Michael Brown

Michael Brown <> mikro network solutions * http://www.mikro-net.com

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radutmp missing user IP address
Anyone know why my radutmp file is missing the user's IP address for some of the logins? Is this because the user wasn't authenticated? Or perhaps the NAS didn't send it? Any way to know for sure?

schu
Re: Freeside - Radius session Monitor
"Kevin D. Alford" <[EMAIL PROTECTED]> wrote: > Configure your RADIUS server's login and logout callbacks to use the > command-line freeside-login and freeside-logout utilites. See 'raddb/acct_users' Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple attributes (Kostas Kalevras)
Kostas Kalevras wrote an email on this list a few months ago to help someone with returning multiple attributes in an LDAP-authenticated RADIUS installation:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15855.html

I am in this same spot, but do not understand where I should be changing to the += operator. Can anyone help me understand where this change should be made?

-JST
Timekeeping (Was: PAP and CHAP)
> From: Alan DeKok
> Sent: Thursday, 25 September 2003 9:13 PM

Alan, I think your clock's 4 hours behind again. That made this little show slightly less fun to read (I kept getting the back-and-forth out of sync. And anything that interferes with my entertainment on this list must be bad! ;-)

> John Luker <[EMAIL PROTECTED]> wrote:
> > Be that as it may there are an abundance of RADIUS packages out
> > there that have wonderful technical support from the company you BUY
> > IT FROM.
>
> Heck, for $500 U.S. a month retainer, I'll answer up to 10 problems
> by email or by phone, and will be oh-so-polite. Or, for $100 U.S. per
> support call/email, I'll do the same.
>
> So far, only a few people have taken me up on any offer of paid tech
> support ($200 so far). I guess most people either find my free
> (i.e. blunt) style adequate, or they're unwilling to fork over the
> additional money to bribe me into being endlessly polite.
>
> Oh well.

If I gave you money to fix RADIUS problems for me, I'd probably expect the blunt Alan. An endlessly polite Alan would leave me thinking I'd been palmed off to your less idiot-abused brother or something. "That's not Alan. He doesn't talk like that." :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
- Random signature generator 3.0 by Paul "TBBle" Hampson
RE: FreeRADIUS / ucd-snmp-4.2.3 snmp errors in config.log
> From: [EMAIL PROTECTED]
> Sent: Friday, 26 September 2003 8:03 AM
>
> > $ LIBS="-lssl -lcrypto"
> > $ export LIBS
> > $ ./configure
> > that may help.
>
> Thanks, it's getting better! I did as you suggested and now
> I am only getting:
>
> /usr/lib/libsnmp.so: undefined reference to `des_cbc_encrypt'
> /usr/lib/libsnmp.so: undefined reference to `des_key_sched'

Your libsnmp.so is compiled against OpenSSL 0.9.6. In OpenSSL 0.9.7, these became DES_cbc_encrypt etc. So you'll have to build FreeRADIUS against OpenSSL 0.9.6 instead. This means installing the 0.9.6 devel package, the name of which I can't tell you. It should have 0.9.6 and devel in it though, and force you to remove openssl-devel-0.9.7a-5. :-)

And while you're at it, can you look in your config.log (without the LIBS line above) and see why it didn't try -lcrypto for you automatically? It's the test around configure:7940. It doesn't link in -lssl but from your function list before I don't think it should need to. (The test before it is 7918, the results of that test are probably relevant to 7940.)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]
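The symbol names in those linker errors are themselves the diagnostic: OpenSSL 0.9.7 renamed the lowercase des_* functions to DES_*, so a library whose dynamic symbol table still has undefined references to des_cbc_encrypt and des_key_sched can only be satisfied by a 0.9.6 libcrypto. The script below is an added example, not code from the thread or from FreeRADIUS or ucd-snmp. It reads `nm -D` output (GNU binutils format) and reports which DES ABI the library needs; the embedded sample is constructed to look like a libsnmp.so built against 0.9.6 and is not captured from a real system.

```python
"""Which OpenSSL DES ABI does a shared library expect?

Added example: classifies the undefined symbols reported by `nm -D`.
OpenSSL <= 0.9.6 exported des_cbc_encrypt, des_key_sched, ...;
OpenSSL >= 0.9.7 exports DES_cbc_encrypt, DES_key_sched, ... instead,
so a binary referencing the lowercase names will not link against 0.9.7.
"""
import re
import subprocess
import sys
from typing import List, Optional

OLD_DES = re.compile(r"^des_[a-z0-9_]+$")     # OpenSSL <= 0.9.6 names
NEW_DES = re.compile(r"^DES_[A-Za-z0-9_]+$")  # OpenSSL >= 0.9.7 names


def undefined_symbols(nm_output: str) -> List[str]:
    """Return the names flagged 'U' (undefined, resolved at load time) by `nm -D`."""
    names = []
    for line in nm_output.splitlines():
        parts = line.split()
        # Undefined entries have no address column ("U name"); defined ones read "addr T name".
        if len(parts) >= 2 and parts[-2] == "U":
            names.append(parts[-1])
    return names


def des_abi_needed(nm_output: str) -> Optional[str]:
    """'0.9.6' if old des_* symbols are referenced, '0.9.7' for DES_*, None if neither."""
    undefined = undefined_symbols(nm_output)
    if any(OLD_DES.match(n) for n in undefined):
        return "0.9.6"
    if any(NEW_DES.match(n) for n in undefined):
        return "0.9.7"
    return None


# Constructed sample shaped like `nm -D /usr/lib/libsnmp.so` for a library
# built against OpenSSL 0.9.6 (illustrative, not real output).
SAMPLE_NM_OUTPUT = """\
                 U des_cbc_encrypt
                 U des_key_sched
                 U memcpy
000000000000d4a0 T snmp_sess_init
                 U strlen
"""


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        # Inspect a real library, e.g. `python3 des_abi.py /usr/lib/libsnmp.so`.
        nm = subprocess.run(["nm", "-D", argv[1]], capture_output=True,
                            text=True, check=True)
        output = nm.stdout
    else:
        output = SAMPLE_NM_OUTPUT
    abi = des_abi_needed(output)
    print(f"DES ABI needed: {abi or 'none'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If it reports 0.9.6 for libsnmp.so, the two fixes are the ones the reply implies: build FreeRADIUS against a 0.9.6 libcrypto, or rebuild ucd-snmp against 0.9.7. Loading one library that wants des_* and another that wants DES_* into a single radiusd process is exactly what produces the undefined-reference errors.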
Re: ldap authentication / simultenious-use
On Thu, 25 Sep 2003, Ossama Suleiman wrote:

> many many thanks, it is very useful
>
> but there is one thing left, i would be very grateful if you can help me
> with it
>
> i have two different isdn types, isdn 64k (simultaneous-use=1) and isdn 128k
> (simultaneous-use=2)
>
> if i define it by nas-port-type in the users file, i won't be able to
> differentiate between user: isdn64 and isdn128
>
> besides, in the rare case that a user wants to use the same username and
> password pair with say 30 connections (simultaneous-use=30) how will i be
> able to define a SPECIAL case like that?? should i create him too a new
> group?? and how should i define that group in the users file??
>
> Thank you so much for your help
> best regards
>
> ossama

I've never used Simultaneous-Use, but I'll give it a shot.

In the schema file you will find

	attributetype ( 1.3.6.1.4.1.3317.4.3.1.53
		NAME 'radiusSimultaneousUse'
		DESC ''
		SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
		SINGLE-VALUE )

So, then you could add this to the ldap entry

	dn: uid=test1,ou=users,ou=radius,dc=mydomain,dc=com
	objectclass: radiusprofile
	uid: test1
	radiusgroupname: isdn
	radiussimultaneoususe: 2

Make sure you've got this in ldap.attrmap

	checkItem	Simultaneous-Use	radiusSimultaneousUse

> ----- Original Message -----
> From: "Dustin Doris" <[EMAIL PROTECTED]>
> To: "freeradius-users" <[EMAIL PROTECTED]>
> Sent: Thursday, September 25, 2003 7:02 PM
> Subject: Re: ldap authentication / simultenious-use
>
> > On Thu, 25 Sep 2003, Ossama Suleiman wrote:
> >
> > > dear all,
> > >
> > > while authenticating against ldap i enabled the compare_check_items
> > > = yes, cause i wanted to use nas-port-type based authentication, because
> > > i have two kinds of users, analog and ISDN, in order to prevent analog
> > > users from using ISDN services
> > > which is working fine now
> > >
> > > but the problem i faced is in simultaneous-use, as it is a check item
> > > too, if the radius don't receive it while authenticating the user, the
> > > user gets rejected
> > >
> > > besides i want to use simultaneous-use to differentiate between
> > > isdn64K and isdn 128K
> > >
> > > any help??
> > >
> > > thanks and best regards
> > >
> > > ossama
> >
> > You could try using Groups instead.
> >
> > in your ldap directory, say you have a user named test that has async
> > access and test1 that has isdn access
> >
> > dn: uid=test,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass: radiusprofile
> > uid: test
> > radiusgroupname: dial
> >
> > dn: uid=test1,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass: radiusprofile
> > uid: test1
> > radiusgroupname: isdn
> >
> > Then in your users file you have
> >
> > DEFAULT NAS-Port-Type == ISDN, Ldap-Group == isdn
> >         Fall-Through = no
> >
> > DEFAULT NAS-Port-Type == Async, Ldap-Group == dial
> >         Fall-Through = no
> >
> > DEFAULT Auth-Type := Reject
> >         Reply-Message = "Please call "
> >
> > Then in radiusd.conf in your ldap section, you define the attribute that
> > corresponds to ldap-group.
> >
> > groupmembership_attribute = radiusGroupName
> >
> > Here is what happens.
> >
> > User dials in and hits radius server with NAS-Port-Type = Async. Radius
> > will look up the user in the ldap directory and look for the attribute
> > radiusGroupName = dial. If the user has that particular attribute set, it
> > will authorize the user. If not, then it will fall through to Reject.
> > The same with the isdn users when they connect.
> >
> > If the users are able to have access to both, then include both
> > radiusGroupName entries.
> >
> > ie.
> >
> > dn: uid=test2,ou=users,ou=radius,dc=mydomain,dc=com
> > objectclass: radiusprofile
> > uid: test2
> > radiusgroupname: isdn
> > radiusgroupname: dial
> >
> > Hope that is helpful.
> >
> > Dustin Doris
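The three DEFAULT entries quoted above are a small access-control policy, and it is worth being able to dry-run it before it guards a dial-in pool. The script below is an added example, not code from the thread or from FreeRADIUS: it mirrors how rlm_files walks DEFAULT entries (every check item must match, the first matching entry's reply items are applied, and without Fall-Through the walk stops there; an entry with Auth-Type := Reject turns the request away before authentication). The directory is a constructed dict standing in for the radiusGroupName values of the three LDAP entries in the reply; the user names, group names and entries are the thread's.

```python
"""Dry-run of the users-file policy from the reply above (added example)."""
from typing import Dict, List, Tuple

# Constructed stand-in for the LDAP directory: uid -> radiusGroupName values.
DIRECTORY: Dict[str, List[str]] = {
    "test": ["dial"],           # async only
    "test1": ["isdn"],          # ISDN only
    "test2": ["isdn", "dial"],  # both
}

# The three users-file entries: (check items, reply items, Fall-Through).
USERS_FILE: List[Tuple[Dict[str, str], Dict[str, str], bool]] = [
    ({"NAS-Port-Type": "ISDN", "Ldap-Group": "isdn"}, {}, False),
    ({"NAS-Port-Type": "Async", "Ldap-Group": "dial"}, {}, False),
    ({"Auth-Type": "Reject"}, {"Reply-Message": "Please call "}, False),
]


def entry_matches(check: Dict[str, str], request: Dict[str, str],
                  groups: List[str]) -> bool:
    """All check items must hold: Ldap-Group is a membership test, the rest are equality."""
    for attr, value in check.items():
        if attr == "Auth-Type":
            continue  # 'Auth-Type := Reject' is an assignment, not a comparison
        if attr == "Ldap-Group":
            if value not in groups:
                return False
        elif request.get(attr) != value:
            return False
    return True


def authorize(username: str, request: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return ('proceed' | 'reject' | 'nomatch', reply items).

    'proceed' means authorization passed and the request goes on to
    authentication (the LDAP password check); 'reject' means the catch-all
    DEFAULT entry answered. Group membership comes from DIRECTORY.
    """
    groups = DIRECTORY.get(username, [])
    reply: Dict[str, str] = {}
    for check, reply_items, fall_through in USERS_FILE:
        if not entry_matches(check, request, groups):
            continue
        reply.update(reply_items)
        if check.get("Auth-Type") == "Reject":
            return "reject", reply
        if not fall_through:
            return "proceed", reply
    return "nomatch", reply


if __name__ == "__main__":
    for user, port_type in [("test", "Async"), ("test", "ISDN"),
                            ("test1", "ISDN"), ("test2", "Async"), ("nobody", "ISDN")]:
        outcome, reply = authorize(user, {"NAS-Port-Type": port_type})
        print(f"{user:7s} {port_type:6s} -> {outcome} {reply}")
```

The case worth checking is the last one: a user with no group at all, or an unknown user, never matches the first two entries and lands on the Reject entry rather than falling off the end, which is what makes the catch-all entry the deny-by-default part of the policy.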
Freeradius not calling checkrad.pl but still denying login.
I ran into a problem last night where there was a user in radutmp while Simultaneous-Use was set to 1 and the server didn't call checkrad. I put a line in checkrad that logged every time it was called with the username, and this user was never checked. Anyone know of a circumstance where this might happen?

I seem to get a lot of these messages, perhaps that might be a clue:

Fri Sep 26 08:25:42 2003 : Info: rlm_radutmp: Login entry for NAS X port 770 duplicate

Thanks,
schu
RE: The exec module
> From: Alex Chen
> Sent: Friday, 26 September 2003 8:34 AM
>
> > From: Paul Hampson
> > Sent: Thursday, September 25, 2003 3:03 PM
> >
> > > 2. If the server is a proxy server, and I want the exec to be called when
> > > the authentication is successful, i.e. the master server reply with
> > > Access-Accept, do I still put the exec in 'post-auth' section, i.e. the
> > > same place when the server is a master server itself?
> > > What should the input_pairs and output_pairs be using? 'proxy-request'
> > > and 'proxy-reply'?
> > > Will it be OK if I still use 'request' and 'reply' even if the server is
> > > running as a proxy?
> >
> > Umm, you could (probably) put it in the post-proxy section.
> >
> > As for which pairs to use, do you want to operate on the pairs you sent the
> > proxy, the pairs the proxy sent back, or the pairs you're sending to the client,
> > or the pairs the client sent to you?
> >
> > That should determine which of request, reply, proxy-request or proxy-reply you
> > want. (Not in that order, mind you.)
>
> If I understand correctly it would look like this:
>
>     input_pairs = request
>     NAS ---> Server
>         <---
>     output_pairs = reply
>
> If the exec runs on Server, it only has 'request' and 'reply' to work on.
>
>     input_pairs = request        input_pairs = proxy-request
>     NAS ---> Proxy ---> Server
>         <---         <---
>     output_pairs = reply         output_pairs = proxy-reply
>
> If the exec runs on Proxy and it wants to operate on the attributes sent from
> NAS or attributes sent to NAS, it would use 'request' and 'reply',
> respectively.
> If it wants to operate on the attributes sent by the proxy to the server, and the
> attributes sent from the server back to the proxy, it would use
> 'proxy-request' and 'proxy-reply'.
>
> Is this correct?

That's how I understand it too, yes. :-)

Although the input_pairs and output_pairs in the diagrams above could be either input_pairs or output_pairs, although there are some combinations with limited usefulness, of course.

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]
RE: Installing Freeradius on Debian
> From: Nick Davis
> Sent: Friday, 26 September 2003 7:57 AM
>
> I have been using freeradius since 0.3 installed from source and I wanted to
> give the debian package a try. I did not see a freeradius package in unstable
> nor testing. Is freeradius still changing too fast for debian?

Not anymore, I feel. The prospective Debian packaging of 0.9.1 is with the prospective sponsor, so hopefully in time for Sarge's release...

> I am building the debian package on a debian Woody stable system and am going
> to copy it over to a debian Sarge testing system.

Wild. Any reason you're not building it on a testing system? I'd offer to do so, but my testing machine is also PowerPC, and so the packages probably aren't a lot of use to you. :-)

> The freeradius I downloaded is: freeradius-snapshot-20030925
>
> I found the instructions Paul H. wrote below along with his other post that
> has the patch to take iodbc out of the main freeradius package. I applied
> that patch with little trouble, and am now to the instructions in the email
> below.

I'm still fielding good reasons to include that patch in the main package. :-) There're concerns about package-list-bloat, and I've yet to come up with a convincing argument that overrides that.

> When I run the command:
> dpkg-buildpackage -us -uc -b -rfakeroot
>
> I get a list of missing build dependencies like I am supposed to.
>
> Here is the list I get:
> dpkg-checkbuilddeps: Unmet build dependencies: libltdl3-dev, libpam0g-dev,
> postgresql-dev, libgdbm-dev | libgdbmg1-dev, libldap2-dev, libsasl2-dev,
> libiodbc2-dev, libkrb5-dev
>
> I do not plan to use kerberos, ldap, nor postgres and I'm not so sure that I
> need libgdbmg1 either. I use mysql for everything except the dictionaries.
>
> My question is: how can I remove some of the build dependencies for packages
> that I do not intend to use?

libpam0g-dev is used by rlm_pam
libgdbmg1-dev is used by rlm_counter, rlm_gdbm and rlm_ippool
postgresql-dev is for rlm_sql_postgresql
libldap2-dev and libsasl2-dev are for rlm_ldap
libiodbc2-dev is for rlm_sql_iodbc
libkrb5-dev is for rlm_krb5

None of these build-dependencies are for the core daemon.

The way I'd do it is remove those modules from the 'stable' file in src/modules or src/modules/rlm_sql/ depending on which modules they are. This step is basically optional, since it should skip that which it can't build.

Then remove the entries for those things from debian/rules in the various 'for each' clauses. And remove the entries from the debian/control file. (ie. the opposite of the freeradius-iodbc patch you've already got. :-) Then remove the build-dependencies that trouble you so.

You'll need that libltdl3-dev, however. No way around it except building statically, and I dunno what that does to the build-dependencies, or the rlm_sql and rlm_eap modules.

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]
Freeside - Radius session Monitor
Please, does anyone know how to set up this feature?

My company is using FreeRadius 0.8.1 on Slackware 9 with freeside 1.4.1rc6. Freeside is going to manage the radius accounting (session monitoring), and the following link establishes how freeside does this.

http://www.sisd.com/freeside/docs/session.html

The part I need help with is:

	Configure your RADIUS server's login and logout callbacks to use the
	command-line freeside-login and freeside-logout utilities.

Does anyone know how to set this up? Your assistance in this matter is greatly appreciated.

Kevin D. Alford
Sr. UNIX Engineer
freeradius-0.9.0-ora.i386.rpm build trouble
Hello,

I was trying to build my own RPM package of freeradius-0.9.0 with rlm_sql_oracle module support to deploy to Suse 8.2 servers. Oracle version is 8.1.7.4. A strange problem was discovered. If I take the default suse freeradius.spec file, then I build a buggy binary. The error seems to be in libclntsh.so.8.0 because 'gdb radiusd core' shows me nothing:

# gdb radiusd core
Core was generated by `/usr/sbin/radiusd -X'.
Program terminated with signal 11, Segmentation fault.
#0  0x in ?? ()
(gdb) bt
#0  0x in ?? ()
(gdb)

Then I made a strace dump of the crash of /usr/sbin/radiusd:

write(1, "Ready to process requests.\n", 27) = 27
time(NULL) = 1064587304
select(13, [10 11 12], NULL, NULL, NULL) = 1 (in [10])
recvfrom(10, "\1\0\0Z 1064587317\1\6serg\2\22\211\1\f\243"..., 4096, 0, {sa_family=AF_INET, sin_port=htons(3660), sin_addr=inet_addr("192.168.0.11")}, [16]) = 90
write(1, "rad_recv: Access-Request packet "..., 77) = 77
time(NULL) = 1064587317
write(1, "\tUser-Name = \"serg\"\n", 20) = 20
write(1, "\tUser-Password = \"2007811\"\n", 27) = 27
write(1, "\tNAS-IP-Address = 192.168.0.11\n", 31) = 31
write(1, "\tNAS-Port-Id = \"100\"\n", 21) = 21
write(1, "\tCalled-Station-Id = \"2892992\"\n", 31) = 31
write(1, "\tCalling-Station-Id = \"017291760"..., 35) = 35
write(1, "\tNAS-Port-Type = Async\n", 23) = 23
write(1, "\tConnect-Info = \"wsghgh\"\n", 25) = 25
time(NULL) = 1064587317
write(1, "modcall: entering group authoriz"..., 34) = 34
time(NULL) = 1064587317
write(1, " modcall[authorize]: module \"pr"..., 53) = 53
time(NULL) = 1064587317
write(1, " modcall[authorize]: module \"ch"..., 49) = 49
time(NULL) = 1064587317
write(1, " rlm_eap: No EAP-Message, not d"..., 41) = 41
time(NULL) = 1064587317
write(1, " modcall[authorize]: module \"ea"..., 48) = 48
time(NULL) = 1064587317
write(1, "rlm_realm: No \'@\' in User-Na"..., 67) = 67
time(NULL) = 1064587317
time(NULL) = 1064587317
write(1, "rlm_realm: No such realm \"NU"..., 36) = 36
time(NULL) = 1064587317
write(1, " modcall[authorize]: module \"su"..., 51) = 51
time(NULL) = 1064587317
write(1, "radius_xlat: \'serg\'\n", 21) = 21
time(NULL) = 1064587317
write(1, "rlm_sql (sql): sql_set_user esca"..., 52) = 52
time(NULL) = 1064587317
write(1, "radius_xlat: \'SELECT 1 id,\'serg"..., 186) = 186
time(NULL) = 1064587317
write(1, "rlm_sql (sql): Reserving sql soc"..., 42) = 42
time(NULL) = 1064587317
write(1, "SELECT 1 id,\'serg\' UserName,\'Use"..., 170) = 170
write(9, "\0015\0\0\6\0\0\0\0\0\21k\4\26\0\0\0U\0\0\0\1\0\0\0\3^"..., 309) = 309
read(9, "\3R\0\0\6\0\0\0\0\0\20\31\v\234\342\25\210W\342P\0\0xg"..., 2064) = 850
brk(0) = 0x8174000
brk(0x8175000) = 0x8175000
brk(0) = 0x8175000
brk(0x8177000) = 0x8177000
brk(0) = 0x8177000
brk(0x8178000) = 0x8178000
brk(0) = 0x8178000
brk(0x8179000) = 0x8179000
brk(0) = 0x8179000
brk(0x817b000) = 0x817b000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

The current %build section of freeradius.spec looks like

%build
CFLAGS="$RPM_OPT_FLAGS" ./configure \
	--prefix=%{_prefix} \
	--sysconfdir=%{_sysconfdir} \
	--infodir=%{_infodir} \
	--mandir=%{_mandir} \
	--libdir=%{_libdir} \
	--localstatedir=/var \
	--enable-developer
make

But the main problem is that I can make the right binary just by typing

./configure
make
make install

This is a strace log of the same place of /usr/local/sbin/radiusd. It works fine!

write(1, "Ready to process requests.\n", 27) = 27
time(NULL) = 1064587919
select(10, [7 8 9], NULL, NULL, NULL) = 1 (in [7])
recvfrom(7, "\1\10\0Z 1064587941\1\6serg\2\22\\\236w\203"..., 4096, 0, {sa_family=AF_INET, sin_port=htons(3711), sin_addr=inet_addr("192.168.0.11")}, [16]) = 90
write(1, "rad_recv: Access-Request packet "..., 77) = 77
time(NULL) = 1064587941
write(1, "\tUser-Name = \"serg\"\n", 20) = 20
write(1, "\tUser-Password = \"2007811\"\n", 27) = 27
write(1, "\tNA
Re: threads hanging around
On Fri, 26 Sep 2003 07:35:22 -0400 "Alan DeKok" <[EMAIL PROTECTED]> wrote:

> Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> > I haven't needed to check the log dump yet as the problem hasn't
> > duplicated with this new code.
>
> That's good, but I would like to know what was broken, and what got
> fixed.

don't ask me I just type make :)

> > One thing I did notice was that the eap module wouldn't compile from
> > the CVS version of the code (I am not using it so was able to simply
> > remove the module from the source), just thought I would let you
> > know.
>
> Hmm... it appears to work for me. What errors are you seeing?

code not found in directory errors..

--
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk)
ICQ 3842605
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
Re: Proxy Issue
"Ivan Meic" <[EMAIL PROTECTED]> wrote: > Also I'm using proxy features to be able to send the accounting data > to one more server, just to have another copy. Ok.. > realm NULL { >type= radius >authhost= 80.253.170.52:1812 >accthost= 80.253.170.52:1813 >secret = rad213bmf > } > realm NULL { >type= radius >authhost= LOCAL >accthost= LOCAL > } Huh? You have *two* NULL realms, and two DEFAULT realms? I don't expect that to work at all. In fact, it's intendend to NOT work. > In this case it works fine, but if I want to proxy it > to one additional server it doesn't work. > The proxy only sends the accounting data to the first server on the list > and leaves one copy for itself. See 'radrelay'. It's designed to copy requests to another server. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configure Vendor-Id by NAS-IP-Address??? (only one client, but 3 types of NASes)
[EMAIL PROTECTED] wrote:
> In the past we had configured the Vendor-Id in the clients.conf file
> per Client-IP, but this will no more work for us, because all
> Radius-Servers have now only one Client entry, the Proxy itself.

The 'clients.conf' file has never had a 'Vendor-Id' entry. It has had a 'nastype' entry, but that's a little different.

> How is it possible to define the Vendor-Id by NAS-IP-Address instead
> for the whole client??? Is it possible to add Vendor-Id in the hints
> file by adding some DEFAULT entries??? Or should the Proxy add an
> Attribute, which contains the Vendor-Id, to each request before
> proxying it to the Radius-Server???

I'm really not sure what you're trying to do.

Alan DeKok.
Re: Freeradius and Cisco C2950G (http server problem)
Just goes to show that paid support isn't all that it's cracked up to be. I opened a Cisco TAC case on this kind of issue over a year ago, and had Cisco TAC swear up and DOWN it wasn't possible to authenticate to the http server w/o using TACACS. I didn't believe them at the time, but I didn't really give a flying flip (I was just messing around and don't use http configuration interfaces if I can avoid them), and had wasted enough time so I let the issue drop. Good to know I was right in suspecting the TAC guy was full of s**t.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush University Medical Center

"A four-year-old will very quickly get over news of the death of Santa if told that it was due to his fully loaded sleigh crashing in the back garden." -- Mil Millington

"Ville Leinonen" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/26/2003 12:18 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Freeradius and Cisco C2950G (http server problem)

Hi!

I have a little problem with my Cisco switch. I can log in with telnet and freeradius says ok you can log in. But when I try to log in via http freeradius says ok, but cisco would not let me in. I have configured ip http authentication aaa. Here is the freeradius log when I try to get in via http.

rad_recv: Access-Request packet from host xx.xx.xx.xx:1812, id=117, length=81
	NAS-IP-Address = xx.xx.xx.xx
	NAS-Port = 2
	NAS-Port-Type = Virtual
	User-Name = "zz"
	Calling-Station-Id = "xx.xx.xx.xx"
	User-Password = ""
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
    rlm_realm: No '@' in User-Name = "", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
radius_xlat: ''
rlm_sql (sql): sql_set_user escaped user --> ''
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [/] (from client radtest port 2 cli xx.xx.xx.xx)
Sending Access-Accept of id 117 to xx.xx.xx.xx:1812
	Service-Type := NAS-Prompt-User
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 117 with timestamp 3f73cb8e
Nothing to do. Sleeping until we see a request.

Any suggestion what I do wrong?

Best regards,
Ville Leinonen
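Debug output like the log above is what a practitioner reads to reconcile what the NAS sent with what the server answered, and it is tedious to do by eye. The script below is an added example, not code from the thread or from FreeRADIUS: a small parser for `radiusd -X` output that collects each request's attributes, the Auth-Type that was chosen, the reply code and the reply attributes, then flags any Access-Accept that was issued for a request carrying an empty User-Name or User-Password. That second check is grounded in the log above, which shows User-Password = "" followed by "Login OK: [/]" and an Access-Accept; the script points at it, it does not claim to explain why the switch still refuses the HTTP session. SAMPLE_LOG is the thread's log trimmed to the lines the parser uses, with the same xx.xx.xx.xx placeholders and tab-indented attribute lines as radiusd prints them.

```python
"""Parse `radiusd -X` output into request attrs, Auth-Type, reply code and reply attrs.

Added example. SAMPLE_LOG is a trimmed copy of the log in the thread above.
"""
import re
import sys
from typing import Dict, List, Tuple

SAMPLE_LOG = (
    "rad_recv: Access-Request packet from host xx.xx.xx.xx:1812, id=117, length=81\n"
    "\tNAS-IP-Address = xx.xx.xx.xx\n"
    "\tNAS-Port = 2\n"
    "\tNAS-Port-Type = Virtual\n"
    "\tUser-Name = \"zz\"\n"
    "\tCalling-Station-Id = \"xx.xx.xx.xx\"\n"
    "\tUser-Password = \"\"\n"
    "modcall: entering group authorize\n"
    "  modcall[authorize]: module \"files\" returns ok\n"
    "rad_check_password:  Found Auth-Type Local\n"
    "auth: type Local\n"
    "auth: user supplied User-Password matches local User-Password\n"
    "Login OK: [/] (from client radtest port 2 cli xx.xx.xx.xx)\n"
    "Sending Access-Accept of id 117 to xx.xx.xx.xx:1812\n"
    "\tService-Type := NAS-Prompt-User\n"
    "Finished request 9\n"
)

RECV = re.compile(r"^rad_recv: (Access-\w+) packet .*\bid=(\d+)")
SEND = re.compile(r"^Sending (Access-\w+) of id (\d+)")
AUTH = re.compile(r"^rad_check_password:\s+Found Auth-Type (\S+)")
ATTR = re.compile(r"^\t([\w-]+)\s*(:?=)\s*(.*)$")  # attribute lines are tab-indented


def parse_debug_log(text: str) -> List[Dict]:
    """One record per request: id, request attrs, auth_type, reply_code, reply attrs."""
    records: List[Dict] = []
    current = None
    target = None  # the dict that tab-indented attribute lines currently belong to
    for line in text.splitlines():
        m = RECV.match(line)
        if m:
            current = {"id": int(m.group(2)), "request": {}, "auth_type": None,
                       "reply_code": None, "reply": {}}
            records.append(current)
            target = current["request"]
            continue
        if current is None:
            continue  # preamble before the first request
        m = SEND.match(line)
        if m:
            current["reply_code"] = m.group(1)
            target = current["reply"]
            continue
        m = AUTH.match(line)
        if m:
            current["auth_type"] = m.group(1)
            target = None  # request attributes are complete once authentication starts
            continue
        m = ATTR.match(line)
        if m and target is not None:
            target[m.group(1)] = m.group(3).strip('"')
    return records


def suspicious_accepts(records: List[Dict]) -> List[Tuple[int, str]]:
    """Flag Access-Accepts whose request carried an empty User-Name or User-Password."""
    findings = []
    for r in records:
        if r["reply_code"] != "Access-Accept":
            continue
        if r["request"].get("User-Password") == "":
            findings.append((r["id"], "empty User-Password"))
        if r["request"].get("User-Name") == "":
            findings.append((r["id"], "empty User-Name"))
    return findings


if __name__ == "__main__":
    # Usage: radiusd -X 2>&1 | tee radiusd.log; python3 radlog.py radiusd.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_debug_log(text)
    for rec in recs:
        print(f"id={rec['id']} auth={rec['auth_type']} -> {rec['reply_code']} {rec['reply']}")
    for req_id, why in suspicious_accepts(recs):
        print(f"WARNING: request {req_id}: Access-Accept with {why}")
```

Run against the thread's log, the parser shows the only thing the server put in the Access-Accept is Service-Type := NAS-Prompt-User, and the warning shows the request was accepted with an empty User-Password. Both are facts worth having in front of you before arguing with a vendor about what their HTTP server expects from RADIUS.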
Re: threads hanging around
Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> I haven't needed to check the log dump yet as the problem hasn't
> duplicated with this new code.

That's good, but I would like to know what was broken, and what got fixed.

> One thing I did notice was that the eap module wouldn't compile from
> the CVS version of the code (I am not using it so was able to simply
> remove the module from the source), just thought I would let you
> know.

Hmm... it appears to work for me. What errors are you seeing?

Alan DeKok.
Re: Peabird's AP(Earthcom-network)
Félix Dewaleyne <[EMAIL PROTECTED]> wrote:
> As i don't want to use MS software but linux I chose to use
> freeradius, but I need to configure the radius server to be Win 2000
> IAS compatible.

Huh? What do you mean by that?

Alan DeKok.
Re: sizelimit on user record?
Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> We're observing segfaults of freeradius 0.9.1 on Solaris 8
> immediately after delivering large user records (that means
> many reply items per user) to the client.

That's bad.

> Is there any kind of limit on the maximum number of reply
> items, expressed in bytes or no of items?

Nope. Are you using Ascend "data filter" attributes? There's a patch pending to fix some issues with them. That may help.

Alan DeKok.
Re: eap-ttls pap can't work with aegis client
"george" <[EMAIL PROTECTED]> wrote: > I have tested eap-ttls with freeradius and client is aegis, the > ms-chap, ms-chap-v2 and eap-md5 is work, but it seems the pap and chap > isn't work, here is the message from radiusd(using eap-ttls-pap), > thanks ! PAP & CHAP work fine with the Aegis client. You've broken your local configuration, to disable PAP & CHAP. > modcall[authorize]: module "suffix" returns noop > users: Matched test at 114 You've set 'Auth-Type := EAP' here, for this user. Don't do that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: defaulting a user's Realm
There were 2 places you must change to get NULL realms to work.

The first was in the users file. A default user realm must be added with the Autz-Type set on the required line.

	DEFAULT Realm == "NULL", Autz-Type := sql

And the proxy.conf must have a NULL realm defined.

	realm NULL {
		type = radius
		authhost = LOCAL
		secret = yoursec
	}

Ron Wahler

> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 24, 2003 7:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: defaulting a user's Realm
>
> "Ron Wahler" <[EMAIL PROTECTED]> wrote:
> > With this syntax as the default user it seems to get further but still
> > fails.
> ...
> > Mon Sep 22 11:55:26 2003 : Debug: auth: No authenticate method
> > (Auth-Type) configuration found for the request: Rejecting the user
>
> ? Fix that, and the problem should be resolved.
>
> Alan DeKok.
Re: rlm_ldap --without-threads
On Thu, 25 Sep 2003, Rohaizam Abu Bakar wrote:

> still the same... error.. no other indication from debug log..
> for the time being... i'm using freeradius 0.9.0 with my FreeBSD 4.8...
>
>  ldap: access_attr = "dialupAccess"
>  ldap: groupname_attribute = "cn"
>  ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>  ldap: groupmembership_attribute = "(null)"
>  ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
>  ldap: ldap_debug = 0
>  ldap: ldap_connections_number = 256
>  ldap: compare_check_items = no
>  ldap: access_attr_used_for_allow = yes
> conns: 0x0
> /usr/libexec/ld-elf.so.1: /usr/local/lib/rlm_ldap-0.9.1.so: Undefined symbol "pthread_mutex_init"

Do a cvs update on the ldap module. It should now compile even without pthread functions.

> ----- Original Message -----
> From: "Timm " <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, September 25, 2003 10:06 AM
> Subject: RE: rlm_ldap --without-threads
>
> > did you try running in debug mode? is the -X flag and it may provide you a
> > cooler err message.
> >
> > Tim
> >
> > -----Original Message-----
> > From: Rohaizam Abu Bakar [mailto:[EMAIL PROTECTED]]
> > Sent: Wed 9/24/2003 9:35 PM
> > To: [EMAIL PROTECTED]
> > Subject: rlm_ldap --without-threads
> >
> > Installing 0.9.1 on FreeBSD 4.8 but cannot start radiusd
> > Is it because I'm configuring using --without-threads???
> >
> > bash-2.05b# /usr/local/etc/rc.d/radiusd.sh start
> > Starting FreeRADIUS:Thu Sep 25 09:30:28 2003 : Info: Starting - reading configuration files ...
> > /usr/libexec/ld-elf.so.1: /usr/local/lib/rlm_ldap-0.9.1.so: Undefined symbol "pthread_mutex_init"
> >
> > --haizam

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: ldap authentication / simultenious-use
On Thu, 25 Sep 2003, Ossama Suleiman wrote:

> dear all,
>
> while authenticating against ldap i enabled the compare_check_items
> = yes, cause i wanted to use nas-port-type based authentication, because
> i have two kinds of users, analog and ISDN, in order to prevent analog
> users from using ISDN services
> which is working fine now
>
> but the problem i faced is in simultaneous-use, as it is a check item
> too, if the radius don't receive it while authenticating the user, the
> user gets rejected
>
> besides i want to use simultaneous-use to differentiate between
> isdn64K and isdn 128K
>
> any help??

compare_check_items does not work great with check items like Simultaneous-Use. You could disable it and use rlm_checkval for the nas-port-type based authentication.

> thanks and best regards
>
> ossama
>
> --
> Ossama Suleiman
> Systems Engineer
> TE Data S.A.E
> Email: [EMAIL PROTECTED]
> Web: www.tedata.net
> Phone: +(202)-416-6600, EXT: 1105
>
> "Learn from yesterday, live for today, hope for tomorrow."

--
Kostas Kalevras
Network Operations Center, National Technical University of Athens, Greece
mppe and cisco problem
I want to use a Cisco 7100 for VPN with MS-CHAP. If the 7100 has MPPE in passive mode all is fine and MS-CHAP/MPPE works: the user is authenticated and the connection is encrypted 128 bit. If the 7100 is in MPPE auto mode the user login is ok, but within one second the 7100 sends an accounting stop signal for an MPPE error.

What's the matter? (radius with ldap;)

Thanks
Roberto
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxy Issue
Hi,

I'm using FreeRADIUS v0.8.1 on RedHat 7.1. I'm using it strictly for accounting purposes with MySQL running in the background. Also I'm using proxy features to be able to send the accounting data to one more server, just to have another copy.

--- proxy.conf ---

proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 10
        dead_time = 120
        servers_per_realm = 15
        default_fallback = yes
}

realm NULL {
        type     = radius
        authhost = 80.253.170.52:1812
        accthost = 80.253.170.52:1813
        secret   = rad213bmf
}

realm NULL {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm DEFAULT {
        type     = radius
        authhost = 80.253.170.52:1812
        accthost = 80.253.170.52:1813
        secret   = rad213bmf
}

realm DEFAULT {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

In this case it works fine, but if I want to proxy it to one additional server it doesn't work. The proxy only sends the accounting data to the first server on the list and leaves one copy for itself.

Why is this happening? What can I do regarding this issue?

Thanks in advance.

Regards,
Ivan Meic
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Mysql Optimize Table without losing accounting-data???
Alan wrote:
> Huh? Logging to the 'detail' file takes nearly zero time.
>
> Let me guess: You're running MySQL on the same machine as FreeRADIUS.
>
> The solution is simple: Don't do that.

Hi Alan,

thanks for replying. Yes, we're running mysqld on the same machine as radiusd, but we're not able to change this :(

I have now set up a Radius-Proxy which sends requests to another Radius-Server when the first is in maintenance. But now I don't know how to tell radiusd that different Vendor-Ids for each request are needed ... well, that's configurable in the clients.conf file, but it contains only one client, our Proxy-Server.

Please see the thread named "Configure Vendor-Id by NAS-IP-Address??? (only one client, but 3 types of NASes)" ...

Thanks a lot!
Marc Prenger
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WPA w/ EAP-TLS against 0.8.1
Artur is right. This was a problem previously seen by one AP vendor with whom I talk, which affected both Microsoft's IAS and Funk's Steel Belted RADIUS servers. The session-timeout returned by default by those was very low and caused repeated authentication, which dramatically reduced the perceived throughput. I found that explicitly setting the session-timeout value for MAC authenticated users dramatically improved things. It is possible that such an explicit session-timeout is required for users authenticating using TLS?

As Artur said, nothing to do with the supplicant (those bring their own problems ;-).

Apologies for the confusion.

Regards,

Guy

> -----Original Message-----
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 13:50
> To: [EMAIL PROTECTED]
> Subject: Re: WPA w/ EAP-TLS against 0.8.1
>
> that is the response i kind of feared. sorry, that's nonsense.
>
> in that case the whole story has nothing to do with the respective
> supplicant, since it simply NEVER gets in touch with Radius attributes.
> that would be the problem of the AP and NOT of the supplicant as
> you pointed out.
>
> ciao
> artur
>
> Guy Davies wrote:
> > Hi Artur,
> >
> > You don't :-) You set the session-timeout in the RADIUS reply.
> >
> > Regards,
> >
> > Guy
> >
> > > -----Original Message-----
> > > From: Artur Hecker [mailto:[EMAIL PROTECTED]
> > > Sent: 26 September 2003 12:56
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: WPA w/ EAP-TLS against 0.8.1
> > >
> > > hi Guy!
> > >
> > > how can you change the session time in windows?
> > >
> > > thanks,
> > > artur
> > >
> > > Guy Davies wrote:
> > > > Hi Ian,
> > > >
> > > > I've seen something like this when doing MAC authentication. It was
> > > > actually a "feature" of the WinXP/Win2k supplicant which defaults the
> > > > session time to about 6 seconds! If I explicitly set the session time to be
> > > > something more useful (1800 seconds is good) then everything was happy.
> > > >
> > > > Sorry if this is totally unrelated but I thought it might help.
> > > >
> > > > Regards,
> > > >
> > > > Guy
> > > >
> > > > > -----Original Message-----
> > > > > From: Ian Pritchard [mailto:[EMAIL PROTECTED]
> > > > > Sent: 26 September 2003 11:42
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: WPA w/ EAP-TLS against 0.8.1
Re: Is it allowed to describe several check items in single checkval module section?
On Thu, 25 Sep 2003, Roman M. Bibikov wrote:

> Hi all!
> Is it allowed to describe several check items in checkval module?
> I set up Calling-Station-Id and Called-Station-Id checking by adding
> new checkval sections in radiusd.conf, so each of them instantiates. See
> below...
>
> checkval CALLINGID {
>         item-name = Calling-Station-Id
>         check-name = Calling-Station-Id
>         data-type = string
>         notfound-reject = yes
> }
>
> checkval CALLEDID {
>         item-name = Called-Station-Id
>         check-name = Called-Station-Id
>         data-type = string
>         notfound-reject = yes
> }
>
> Maybe it is allowed to do the same like this (see below) for a smaller
> memory usage, not for several checkval modules?

No it is not allowed. Anyway, a smaller memory usage is not an issue with a module so small as checkval.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Configure Vendor-Id by NAS-IP-Address??? (only one client, but 3 types of NASes)
Dear ML,

we have to set up a Radius-Proxy which will proxy auth/acct packets to an individual Radius-Server by NAS-IP-Address. The Proxy works quite properly; we are using the hints file in combination with DEFAULT entries to set up the Proxy-to-Realm attribute.

Now our problem: In the past we had configured the Vendor-Id in the clients.conf file per Client-IP, but this will no longer work for us, because all Radius-Servers now have only one Client entry, the Proxy itself.

How is it possible to define the Vendor-Id by NAS-IP-Address instead of for the whole client???

Is it possible to add Vendor-Id in the hints file by adding some DEFAULT entries??? Or should the Proxy add an Attribute, which contains the Vendor-Id, to each request before proxying it to the Radius-Server???

I have added a quick and dirty layout of our actual configuration:

   ------   ------   ------
   |NAS1|   |NAS2|   |NAS3|     (3 different NASes, Vendor-Ids)
   ------   ------   ------
       \       |       /
        \      |      /
         \     |     /
        -----------------
        |     Proxy     |       (unique machine, the one and only Client of Radius-Servers)
        -----------------
          /    |    \
         /     |     \
        /      |      \
   -------  -------  -------
   |Rad 1|  |Rad 2|  |Rad 3|    (different machines)
   -------  -------  -------

Thanks for reading!!

Best regards,
Marc Prenger
(thankful for each reply to this thread)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA w/ EAP-TLS against 0.8.1
that is the response i kind of feared. sorry, that's nonsense.

in that case the whole story has nothing to do with the respective supplicant, since it simply NEVER gets in touch with Radius attributes. that would be the problem of the AP and NOT of the supplicant as you pointed out.

ciao
artur

Guy Davies wrote:
> Hi Artur,
>
> You don't :-) You set the session-timeout in the RADIUS reply.
>
> Regards,
>
> Guy
>
> > -----Original Message-----
> > From: Artur Hecker [mailto:[EMAIL PROTECTED]
> > Sent: 26 September 2003 12:56
> > To: [EMAIL PROTECTED]
> > Subject: Re: WPA w/ EAP-TLS against 0.8.1
> >
> > hi Guy!
> >
> > how can you change the session time in windows?
> >
> > thanks,
> > artur
> >
> > Guy Davies wrote:
> > > Hi Ian,
> > >
> > > I've seen something like this when doing MAC authentication. It was
> > > actually a "feature" of the WinXP/Win2k supplicant which defaults the
> > > session time to about 6 seconds! If I explicitly set the session time to be
> > > something more useful (1800 seconds is good) then everything was happy.
> > >
> > > Sorry if this is totally unrelated but I thought it might help.
> > >
> > > Regards,
> > >
> > > Guy
> > >
> > > > -----Original Message-----
> > > > From: Ian Pritchard [mailto:[EMAIL PROTECTED]
> > > > Sent: 26 September 2003 11:42
> > > > To: [EMAIL PROTECTED]
> > > > Subject: WPA w/ EAP-TLS against 0.8.1

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WPA w/ EAP-TLS against 0.8.1
Hi Artur,

You don't :-) You set the session-timeout in the RADIUS reply.

Regards,

Guy

> -----Original Message-----
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 12:56
> To: [EMAIL PROTECTED]
> Subject: Re: WPA w/ EAP-TLS against 0.8.1
>
> hi Guy!
>
> how can you change the session time in windows?
>
> thanks,
> artur
>
> Guy Davies wrote:
> > Hi Ian,
> >
> > I've seen something like this when doing MAC authentication. It was
> > actually a "feature" of the WinXP/Win2k supplicant which defaults the
> > session time to about 6 seconds! If I explicitly set the session time to be
> > something more useful (1800 seconds is good) then everything was happy.
> >
> > Sorry if this is totally unrelated but I thought it might help.
> >
> > Regards,
> >
> > Guy
> >
> > > -----Original Message-----
> > > From: Ian Pritchard [mailto:[EMAIL PROTECTED]
> > > Sent: 26 September 2003 11:42
> > > To: [EMAIL PROTECTED]
> > > Subject: WPA w/ EAP-TLS against 0.8.1

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius send only one Ascend-IP-Pool-Definition
At 07:30 AM 9/26/2003, you wrote:
> Hi,
> please help.
> I want to send more than one IP-Pool-Definition to my ascend box.
> Freeradius sends only one of them.
>
> users-file:
>
> "pools-Moritz" Auth-Type := Local, User-Password == "secret"
>         Service-Type = Dialout-Framed-User,
>         Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
>         Ascend-IP-Pool-Definition = "2 111.111.101.0 32"

Use += for your operator
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius send only one Ascend-IP-Pool-Definition
Hi,
please help.
I want to send more than one IP-Pool-Definition to my ascend box.
Freeradius sends only one of them.

users-file:

"pools-Moritz" Auth-Type := Local, User-Password == "secret"
        Service-Type = Dialout-Framed-User,
        Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
        Ascend-IP-Pool-Definition = "2 111.111.101.0 32"

debug mode:

  auth: type Local
  auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 34 to 111.111.111.60:1541
        Service-Type = Outbound-User
        Ascend-IP-Pool-Definition = "1 111.111.111.129 70"
Finished request 0

Thanks
--
Hans Bornemann
Universitaet Dortmund
Hochschulrechenzentrum
August Schmidt Str. 12
44227 Dortmund
Tel. ++49 231 7552132
Fax. ++49 231 7552731
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
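Why the entry above returns only one pool definition, and why the reply's "use +=" fixes it, as a small Python model added here (not FreeRADIUS code): it applies users-file reply items with the operator semantics documented in the users(5) manual page (`=` adds only if the attribute is absent, `:=` replaces, `+=` always appends) and also covers the `:=` case, which the thread does not show. The attribute names and values are the ones quoted above; the parser and helper names are assumptions of this example.

```python
"""Model of the reply-item operators of the FreeRADIUS 'users' file.

Added example, not code from the FreeRADIUS project. Operator semantics
follow the users(5) manual page:

  =    add the attribute only if no attribute of that name is present yet
  :=   replace any attribute of that name (add it if absent)
  +=   always append another instance of the attribute

The entries below are constructed for this example; the attribute names
and values are the ones quoted in the thread.
"""
import re
from typing import List, Tuple

Attr = Tuple[str, str]        # (attribute name, value)
Item = Tuple[str, str, str]   # (attribute name, operator, value)

# One reply item: Name op Value, with the value optionally in double quotes.
_ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|\+=|=)\s*"?([^"]*)"?$')


def parse_reply_items(text: str) -> List[Item]:
    """Split the reply-item part of a users entry into (name, op, value)."""
    items: List[Item] = []
    for raw in text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ITEM_RE.match(raw)
        if m is None:
            raise ValueError(f"cannot parse reply item: {raw!r}")
        items.append((m.group(1), m.group(2), m.group(3)))
    return items


def apply_reply_items(reply: List[Attr], items: List[Item]) -> List[Attr]:
    """Apply reply items, in order, to the attribute list of an Access-Accept."""
    result = list(reply)
    for name, op, value in items:
        present = any(n == name for n, _ in result)
        if op == "=":
            # Second and later instances of the same name are silently dropped:
            # this is why only one Ascend-IP-Pool-Definition was sent.
            if not present:
                result.append((name, value))
        elif op == ":=":
            # Overwrite, e.g. to force a reply attribute such as Session-Timeout.
            result = [(n, v) for n, v in result if n != name]
            result.append((name, value))
        elif op == "+=":
            # Append unconditionally, so several instances can be returned.
            result.append((name, value))
        else:
            raise ValueError(f"{op!r} is not a reply-item operator")
    return result


def values_of(reply: List[Attr], name: str) -> List[str]:
    """All values of one attribute name, in reply order."""
    return [v for n, v in reply if n == name]


# Reply items of the entry from the thread, as posted (with '=') ...
POOLS_WITH_EQUALS = '''
    Service-Type = Dialout-Framed-User,
    Ascend-IP-Pool-Definition = "1 111.111.100.129 70",
    Ascend-IP-Pool-Definition = "2 111.111.101.0 32"
'''

# ... and with the '+=' operator suggested in the reply.
POOLS_WITH_PLUS_EQUALS = '''
    Service-Type = Dialout-Framed-User,
    Ascend-IP-Pool-Definition += "1 111.111.100.129 70",
    Ascend-IP-Pool-Definition += "2 111.111.101.0 32"
'''


def pools_sent(entry_text: str) -> List[str]:
    """Ascend-IP-Pool-Definition values that would end up in the reply."""
    reply = apply_reply_items([], parse_reply_items(entry_text))
    return values_of(reply, "Ascend-IP-Pool-Definition")


if __name__ == "__main__":
    print("with  = :", pools_sent(POOLS_WITH_EQUALS))        # one pool
    print("with += :", pools_sent(POOLS_WITH_PLUS_EQUALS))   # both pools
```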
Re: WPA w/ EAP-TLS against 0.8.1
hi Guy!

how can you change the session time in windows?

thanks,
artur

Guy Davies wrote:
> Hi Ian,
>
> I've seen something like this when doing MAC authentication. It was
> actually a "feature" of the WinXP/Win2k supplicant which defaults the
> session time to about 6 seconds! If I explicitly set the session time to be
> something more useful (1800 seconds is good) then everything was happy.
>
> Sorry if this is totally unrelated but I thought it might help.
>
> Regards,
>
> Guy
>
> > -----Original Message-----
> > From: Ian Pritchard [mailto:[EMAIL PROTECTED]
> > Sent: 26 September 2003 11:42
> > To: [EMAIL PROTECTED]
> > Subject: WPA w/ EAP-TLS against 0.8.1

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: WPA w/ EAP-TLS against 0.8.1
Hi Ian,

I've seen something like this when doing MAC authentication. It was actually a "feature" of the WinXP/Win2k supplicant which defaults the session time to about 6 seconds! If I explicitly set the session time to be something more useful (1800 seconds is good) then everything was happy.

Sorry if this is totally unrelated but I thought it might help.

Regards,

Guy

> -----Original Message-----
> From: Ian Pritchard [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 11:42
> To: [EMAIL PROTECTED]
> Subject: WPA w/ EAP-TLS against 0.8.1
>
> Hi,
>
> We're running FreeRADIUS version 0.8.1, and have been trying out
> authentication using a couple of "WPA-capable" 802.11 APs and PCMCIA cards
> on laptops, with EAP-TLS and certs.
>
> We've tried a matrix of the following:
>
> Laptops
> - Win2K SP4 w/ MS 802.1x patch and with Funk Odyssey client
> - WinXP
> - EAP-TLS certs installed
>
> PCMCIA cards
> - Linksys WPC54G
> - SMC2635W
>
> APs
> - Linksys WRT54G
> - SMC2804WBR
> - Cisco AP340
>
> All devices running latest possible drivers.
>
> Before testing WPA we were running the Cisco AP340 and the Win2K 802.1x auth
> patch, plus XP.
>
> Running either of the two PCMCIA cards, on either the Win2K or WinXP laptop,
> via the Linksys WRT54G AP, we see behaviour where the AP initiates access
> request to the FreeRADIUS server, the process runs through as normal, the
> access accept is sent to the AP, but it then immediately starts
> authentication again, and you run through the whole process repeatedly,
> starting again immediately after the accept is sent. Nothing seems abnormal
> if running FreeRADIUS in debug mode. With the Funk Odyssey client running on
> Win2K the behaviour is the same.
>
> Using the SMC AP, things are more interesting. The SMC AP's web-based
> control interface has a "security" main menu, with 802.1x as a sub-menu. If
> you turn the main security to "WPA/TKIP w/ RADIUS", then the behaviour is as
> with the Linksys above. However, if you turn it to "No Encryption" (so not
> even WEP enabled according to its interface), but leave the "enable 802.1x"
> turned on in the sub-menu, authentication takes place as normal. The SMC
> client card has client manager software, and if you turn on WPA on the AP,
> then the client manager shows a "key" symbol (presumably denoting some kind
> of security) next to the AP, but if you turn off encryption and leave 802.1x
> turned on, the key goes away.
>
> The Cisco AP doesn't have WPA but will do 802.1x as before.
>
> We're having trouble reaching a conclusion here (partly because it's
> difficult to tell what's happening), and certainly don't think we've got any
> "WPA" AP/client combination working with WPA/Radius. We had thought that,
> from an authentication perspective, there was no difference between 802.1x
> and WPA.
>
> Has anyone else managed to get WPA APs and clients running against
> FreeRADIUS using EAP-TLS?
>
> Many thanks,
>
> Ian

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
WPA w/ EAP-TLS against 0.8.1
Hi,

We're running FreeRADIUS version 0.8.1, and have been trying out authentication using a couple of "WPA-capable" 802.11 APs and PCMCIA cards on laptops, with EAP-TLS and certs.

We've tried a matrix of the following:

Laptops
- Win2K SP4 w/ MS 802.1x patch and with Funk Odyssey client
- WinXP
- EAP-TLS certs installed

PCMCIA cards
- Linksys WPC54G
- SMC2635W

APs
- Linksys WRT54G
- SMC2804WBR
- Cisco AP340

All devices running latest possible drivers.

Before testing WPA we were running the Cisco AP340 and the Win2K 802.1x auth patch, plus XP.

Running either of the two PCMCIA cards, on either the Win2K or WinXP laptop, via the Linksys WRT54G AP, we see behaviour where the AP initiates access request to the FreeRADIUS server, the process runs through as normal, the access accept is sent to the AP, but it then immediately starts authentication again, and you run through the whole process repeatedly, starting again immediately after the accept is sent. Nothing seems abnormal if running FreeRADIUS in debug mode. With the Funk Odyssey client running on Win2K the behaviour is the same.

Using the SMC AP, things are more interesting. The SMC AP's web-based control interface has a "security" main menu, with 802.1x as a sub-menu. If you turn the main security to "WPA/TKIP w/ RADIUS", then the behaviour is as with the Linksys above. However, if you turn it to "No Encryption" (so not even WEP enabled according to its interface), but leave the "enable 802.1x" turned on in the sub-menu, authentication takes place as normal. The SMC client card has client manager software, and if you turn on WPA on the AP, then the client manager shows a "key" symbol (presumably denoting some kind of security) next to the AP, but if you turn off encryption and leave 802.1x turned on, the key goes away.

The Cisco AP doesn't have WPA but will do 802.1x as before.

We're having trouble reaching a conclusion here (partly because it's difficult to tell what's happening), and certainly don't think we've got any "WPA" AP/client combination working with WPA/Radius. We had thought that, from an authentication perspective, there was no difference between 802.1x and WPA.

Has anyone else managed to get WPA APs and clients running against FreeRADIUS using EAP-TLS?

Many thanks,

Ian
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: threads hanging around
> > There are a few references to Thread 6 which it is assigned to, but
> > nothing in the log that lets me know what the request was or what
> > happened to it... There appear to be dumps of requests in the log
> > but I cannot see any relation to this info and a request number.
>
> That's a little difficult to track down.
>
> Grab the CVS snapshot tomorrow morning, and run it via:
>
> ./radiusd -xx
>
> You should see much more debug output. Look for 'modsingle', and
> 'request ###' (whatever the number is). You should be able to track
> down exactly which module is taking forever to respond.

I haven't needed to check the log dump yet as the problem hasn't duplicated with this new code. I guess whatever it was has been fixed at some point.

One thing I did notice was that the eap module wouldn't compile from the CVS version of the code (I am not using it so was able to simply remove the module from the source), just thought I would let you know.

I will keep my eye on this version of the code and see if the problem starts up again. So far it seems a lot happier.

--
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk)
ICQ 3842605 (link)
Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Peabird's AP(Earthcom-network)
Hi,

I am trying to build a wireless network based on time limited accounting which uses Peabird's Access Points (alias Earthcom-networks). These APs are built with a radius server that is *supposed* to be Windows 2000 adv serv compatible (I did not test them with it). As I don't want to use MS software but linux I chose to use freeradius, but I need to configure the radius server to be Win 2000 IAS compatible.

please help...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS and TTLS
hardly ever.

the APs have NOTHING to do with either TTLS or TLS.

ciao
artur

Michael Brown wrote:

> I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link product that does TTLS. That is most likely your problem.
>
> Michael Brown
eap-ttls pap can't work with aegis client
I have tested eap-ttls with freeradius and the client is Aegis; ms-chap, ms-chap-v2 and eap-md5 work, but it seems pap and chap don't work. Here is the message from radiusd (using eap-ttls-pap), thanks!

rad_recv: Access-Request packet from host 192.168.102.1:1200, id=187, length=281
        EAP-Message = 0x027b006c1580006217030100183a14f67f8fde6b4b1d02e5224ceccd80d3ab2425d32b17030100400fffe387d3edb5fc712b6e29492e410bbd8fb4457bf19a7bde6f4d8ebe40439da8871e1abaabf15e3783cb4ba34a97faf7fe2a8e69734e09ac105340d4a8bea6
        User-Name = "test"
        NAS-Identifier = "IPONE_AG2000_KT"
        NAS-IP-Address = 192.168.102.1
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Service-Type = Framed-User
        Framed-MTU = 1400
        Connect-Info = "CONNECT 11Mbps 802.11b"
        Calling-Station-Id = "00-60-b3-6a-38-7f"
        Called-Station-Id = "00-07-13-40-00-7c"
        State = 0x8675b25f15e3b78950a070be27e214c8
        Message-Authenticator = 0xfe666e934d24293a78b6577a5bde650d
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: EAP packet type response id 123 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    users: Matched test at 114
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "test"
        User-Password = "test"
        Freeradius-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "test"
        User-Password = "test"
        Freeradius-Proxied-To = 127.0.0.1
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    users: Matched test at 114
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP-Message not found
  rlm_eap: Malformed EAP Message
  modcall[authenticate]: module "eap" returns fail
modcall: group authenticate returns fail
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
        Service-Type = Framed-User
        Idle-Timeout = 2000
        Session-Timeout = 2
  TTLS: Rejecting tunneled user
  rlm_eap: Handler failed in EAP type 21
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 187 to 192.168.102.1:1200
        EAP-Message = 0x047b0004
        Message-Authenticator = 0x

--
Best Regards
george
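An added example, not from the post above or from FreeRADIUS itself: a small checker over radiusd debug output that flags the pattern visible in this log, an inner (tunneled) request that carries User-Password but no EAP-Message and is nevertheless handed to Auth-Type EAP, which rlm_eap then rejects as a malformed EAP message. The sample log is constructed and abbreviated from the post, and the function names are this example's own.

```python
import re

# Constructed sample, abbreviated from the posted radiusd debug output.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.102.1:1200, id=187, length=281
        EAP-Message = 0x027b006c15800062
        User-Name = "test"
modcall: entering group authorize
  rad_check_password:  Found Auth-Type EAP
  TTLS: Got tunneled request
        User-Name = "test"
        User-Password = "test"
modcall: entering group authorize
    users: Matched test at 114
  rad_check_password:  Found Auth-Type EAP
modcall: entering group authenticate
  rlm_eap: Malformed EAP Message
  TTLS: Rejecting tunneled user
"""
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=')  # attribute lines are indented "Name = value"

def split_requests(lines):
    """One 'outer' chunk per rad_recv packet, one 'inner' chunk per tunneled request."""
    chunks = []
    for line in lines:
        if line.startswith('rad_recv:'):
            chunks.append(('outer', []))
        elif 'TTLS: Got tunneled request' in line:
            chunks.append(('inner', []))
        elif chunks:
            chunks[-1][1].append(line)
    return chunks

def find_eap_forced_on_plain_inner(log_text):
    """Return the attribute names of each inner request that carries no
    EAP-Message yet is handed to Auth-Type EAP, the pattern in the posted log."""
    findings = []
    for kind, body in split_requests(log_text.splitlines()):
        attrs = set()
        for line in body:
            if line.startswith('modcall:'):
                break                      # attribute listing ends where module calls start
            m = ATTR_RE.match(line)
            if m:
                attrs.add(m.group(1))
        forced_eap = any('Found Auth-Type EAP' in l for l in body)
        if kind == 'inner' and forced_eap and 'EAP-Message' not in attrs:
            findings.append(sorted(attrs))
    return findings
```

Run against the full `radiusd -X` output, a non-empty result points at the inner request whose authorize section selected Auth-Type EAP even though the tunnel only delivered a plain User-Name/User-Password pair.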
How to configure freeradius to authenticate with window 2000
Hi,

My current Shiva box does not allow using Windows NT for authentication. I am thinking of using freeradius to proxy the request to Windows NT for authentication. May I know how I can configure the radius proxy?

Damien
sizelimit on user record?
We're observing segfaults of freeradius 0.9.1 on Solaris 8 immediately after delivering large user records (that means many reply items per user) to the client. Is there any kind of limit on the maximum number of reply items, expressed in bytes or number of items?

nhk
Re: rlm_perl
On Thu, Sep 25, 2003 at 06:14:56PM +0200, Laurens Pit wrote:
> Trying to compile rlm_perl module, but no luck. Missing perl.h file. Can
> anyone give me a hint what I should do to get this compiling okay?
>

Hello, it seems that perl.h is missing. I suggest you upgrade your perl to 5.6.1 or 5.8.x.

>
> [freeradius-0.9.1]# ./configure
> --with-rlm-perl-include-dir=/usr/lib/perl5/5.00503/i386-linux/CORE
> --with-experimental-modules

--
Best Regards,
Boian Jordanov
SNE
Orbitel - the Internet Company
tel. +359 2 937 07 23