RE: PEAP Woes

2003-10-29 Thread Matt Sapp
We're keeping passwords in OpenLDAP in ntPassword hashes.  Currently only those of us 
working on and testing the system have the ntPassword attributes set correctly in 
OpenLDAP.  The plan (which is maybe 80% done here) is to disable changing passwords in 
windows and have all our account functions (such as password changing) on our website.

-Matt
MNU Network Administrator



--- Original Message Below ---

From: "Ron Wahler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: PEAP Woes
Date: Wed, 29 Oct 2003 17:41:33 -0700



Matt,

How did you synchronize the Active Directory with OpenLDAP? Are you
keeping passwords in the clear on OpenLDAP or in NTpassword form?




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Re[2]: ippool issue

2003-10-29 Thread Paul Hampson
> From: Alexander Lunyov
> Sent: Thursday, 30 October 2003 12:14 PM

>  What do you mean? NAS in the same logical network or radius server in the
>  same logical network?

>  For example, I want this ippool working with NAS.
> 
> ippool main_pool {
> range-start = 192.168.253.1
> range-stop = 192.168.253.254
> netmask = 255.255.0.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> } 
> 
>  NAS is a FreeBSD box with 3 multiport cards and 2 network
>  interfaces. First iface is 192.168.33.127/24, second is
>  x.x.x.2/24 ('white' network). So when authentication of ppp session is done and
>  it's time to receive IP address for this session, radiusd cannot
>  find range for this NAS. It says
> 
> rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
> Thread 1 assigned request 0
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Waking up in 5 seconds...
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "lan"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
> CHAP-Challenge = 0x38328232349865433746313036313635
> NAS-Identifier = "zeus.domain.ru"
> NAS-Port-Type = Ethernet
> NAS-Port = 61
> 
> [authentication and other output skipped]
> 
> rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
>   modcall[post-auth]: module "main_pool" returns noop for request 0

The only NOOP between these two lines is the one that checks if you've
already got a Framed-IP-Address. As the below output indicates, you do
already have one, so the rlm_ippool module NOOPs instead. If you set
override=yes instead of override=no, the existing Framed-IP-Address in
the response will be _replaced_ with one from the IP pool.

I guess a debug output at that point would be useful... Hmm.

Alternatively, work out where the value 255.255.255.254 is coming from.
It _might_ be a hint from the NAS, or there may be another module adding
it (probably incorrectly).

This is completely unrelated to the network configuration of the NAS.
I think the confusion was caused by asking the (wrong) question, rather
than describing the problem, leading to a whole lot of unhelpful answers,
and the confusion expressed at the top of this email.

> modcall: group post-auth returns noop for request 0
> Sending Access-Accept of id 239 to x.x.x.2:2740
> Framed-Compression = Van-Jacobson-TCP-IP
> Idle-Timeout = 10
> Framed-MTU = 576
> Framed-IP-Address = 255.255.255.254
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Finished request 0

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.
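As an added illustration of the decision Paul describes (this is a model written for this page, not FreeRADIUS's own rlm_ippool code): the NAS-Identifier/NAS-Port key, the pool range and the override flag come from the quoted configuration and debug output, while the lease bookkeeping and the return codes are simplified assumptions.

```python
"""Model of the rlm_ippool post-auth decision discussed in the thread.

Added example, not FreeRADIUS code. It reproduces the behaviour described
above: an entry is looked up for nas/port, the module returns noop when the
reply already holds a Framed-IP-Address and override = no, and otherwise an
address is taken from range-start..range-stop. Freeing a stale lease on the
same nas/port before reallocating is this model's own simplification.
"""
import ipaddress

# RFC 2865, section 5.8: Framed-IP-Address 255.255.255.254 asks the NAS to
# pick the address itself; 255.255.255.255 lets the user negotiate one.
NAS_SELECTS = "255.255.255.254"
USER_NEGOTIATES = "255.255.255.255"


class IpPool:
    """Equivalent of one 'ippool' block: range-start, range-stop, override."""

    def __init__(self, range_start, range_stop, override=False):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        if last < first:
            raise ValueError("range-stop is below range-start")
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.override = override
        self.leases = {}  # (NAS-Identifier, NAS-Port) -> address, like the ip-index db

    def post_auth(self, request, reply):
        """Return (module return code, reply) for one Access-Accept."""
        key = (request["NAS-Identifier"], request["NAS-Port"])
        # "Searching for an entry for nas/port": a stale lease on this port is freed.
        stale = self.leases.pop(key, None)
        if stale is not None:
            self.free.append(stale)
        # The silent noop from the thread: the reply already carries an address
        # (here the NAS hint 255.255.255.254) and override = no, so nothing is done.
        if "Framed-IP-Address" in reply and not self.override:
            return "noop", reply
        if not self.free:
            return "notfound", reply  # pool exhausted
        addr = self.free.pop(0)
        self.leases[key] = addr
        reply["Framed-IP-Address"] = addr  # with override = yes the hint is replaced
        return "ok", reply

    def release(self, request):
        """Accounting-Stop handling: hand the address back to the pool."""
        key = (request["NAS-Identifier"], request["NAS-Port"])
        addr = self.leases.pop(key, None)
        if addr is not None:
            self.free.append(addr)
        return addr


def replay_thread_case(override):
    """The request from the debug output, with the reply that triggered the noop."""
    pool = IpPool("192.168.253.1", "192.168.253.254", override=override)
    request = {"NAS-Identifier": "zeus.domain.ru", "NAS-Port": 61}
    reply = {"Framed-IP-Address": NAS_SELECTS, "Framed-Protocol": "PPP"}
    return pool.post_auth(request, reply)


if __name__ == "__main__":
    for flag in (False, True):
        rc, rep = replay_thread_case(flag)
        print(f"override={'yes' if flag else 'no'}: {rc}, "
              f"Framed-IP-Address = {rep['Framed-IP-Address']}")
```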




EAP types and TTLS..

2003-10-29 Thread Jack J

Hi,

Looking at FreeRadius0.9.2 version, also
checked the mail archives, I could not find
this information, so hoping someone can share
some information.

a) For TTLS -Client Authentication (inner tunnel
realm): 
   what are the EAP types
   that can be used/configured ?  If so, any
   configuration document/example ?

b) where can I find list of EAP methods supported, in
general ?

c)  Can PEAP use any EAP methods too ?

No flames, please.
Knowledge sharing helps...

Thanks in advance,





Re: Re[2]: ippool issue

2003-10-29 Thread Gustavo A. Lozano
You need an address in the RAS to act as a gateway...

You can configure any pool in whatever RAS but for example if the RAS is
a cisco you will need to do something like:

interface eth0 ip add xxx.xxx.xxx.1 secondary
interface eth0 ip add yyy.yyy.yyy.1 secondary 
..
...


and now you can assign address within the blocks xxx.xxx.xxx.xxx and
yyy.yyy.yyy.yyy

The thing is you need the RAS as gateway for the dial-in users.

On Wed, 2003-10-29 at 20:14, Alexander Lunyov wrote:
> Hello Gustavo,
> 
> Wednesday, October 29, 2003, 8:42:51 AM, you wrote:
> 
> 
> 
> GAL> Sure you can.
> GAL> But if you do that you cant get routed to any place.
> 
> GAL> You need a gateway address within the same logical network.
> 
>  What do you mean? NAS in the same logical network or radius server in the
>  same logical network?
> 
>  For example, I want this ippool working with NAS.
> 
> ippool main_pool {
> range-start = 192.168.253.1
> range-stop = 192.168.253.254
> netmask = 255.255.0.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> } 
> 
>  NAS is a FreeBSD box with 3 multiport cards and 2 network
>  interfaces. First iface is 192.168.33.127/24, second is
>  x.x.x.2/24 ('white' network). So when authentication of ppp session is done and
>  it's time to receive IP address for this session, radiusd cannot
>  find range for this NAS. It says
> 
> rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
> Thread 1 assigned request 0
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Waking up in 5 seconds...
> Thread 1 handling request 0, (1 handled so far)
> User-Name = "lan"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
> CHAP-Challenge = 0x38328232349865433746313036313635
> NAS-Identifier = "zeus.domain.ru"
> NAS-Port-Type = Ethernet
> NAS-Port = 61
> 
> [authentication and other output skipped]
> 
> rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
>   modcall[post-auth]: module "main_pool" returns noop for request 0
> modcall: group post-auth returns noop for request 0
> Sending Access-Accept of id 239 to x.x.x.2:2740
> Framed-Compression = Van-Jacobson-TCP-IP
> Idle-Timeout = 10
> Framed-MTU = 576
> Framed-IP-Address = 255.255.255.254
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Finished request 0
> 
>   What should i do? Is there any 'magic word'? :)
> 
> 
> 
> GAL> On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
> >> Hello freeradius-users,
> >> 
> >>   Is there a possibility to pool a range of IP addresses for a NAS
> >>   while the NAS is not in that range? For example, if I try to pool
> >>   the 192.168.253.0/24 network for a NAS with address 192.168.3.3, it
> >>   says that nas/port not found for that NAS address (192.168.3.3).
> >>   Is it possible to assign to a NAS client an IP address not from the NAS
> >>   network?
> 
> 
> 
> 




Re[2]: ippool issue

2003-10-29 Thread Alexander Lunyov
Hello Gustavo,

Wednesday, October 29, 2003, 8:42:51 AM, you wrote:



GAL> Sure you can.
GAL> But if you do that you cant get routed to any place.

GAL> You need a gateway address within the same logical network.

 What do you mean? NAS in the same logical network or radius server in the
 same logical network?

 For example, I want this ippool working with NAS.

ippool main_pool {
range-start = 192.168.253.1
range-stop = 192.168.253.254
netmask = 255.255.0.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
} 

 NAS is a FreeBSD box with 3 multiport cards and 2 network
 interfaces. First iface is 192.168.33.127/24, second is
 x.x.x.2/24 ('white' network). So when authentication of ppp session is done and
 it's time to receive IP address for this session, radiusd cannot
 find range for this NAS. It says

rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "lan"
Service-Type = Framed-User
Framed-Protocol = PPP
CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
CHAP-Challenge = 0x38328232349865433746313036313635
NAS-Identifier = "zeus.domain.ru"
NAS-Port-Type = Ethernet
NAS-Port = 61

[authentication and other output skipped]

rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
  modcall[post-auth]: module "main_pool" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 239 to x.x.x.2:2740
Framed-Compression = Van-Jacobson-TCP-IP
Idle-Timeout = 10
Framed-MTU = 576
Framed-IP-Address = 255.255.255.254
Framed-Protocol = PPP
Service-Type = Framed-User
Finished request 0

  What should i do? Is there any 'magic word'? :)



GAL> On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
>> Hello freeradius-users,
>> 
>>   Is there a possibility to pool a range of IP addresses for a NAS
>>   while the NAS is not in that range? For example, if I try to pool
>>   the 192.168.253.0/24 network for a NAS with address 192.168.3.3, it
>>   says that nas/port not found for that NAS address (192.168.3.3).
>>   Is it possible to assign to a NAS client an IP address not from the NAS
>>   network?





-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Re: ippool issue

2003-10-29 Thread Gustavo A. Lozano
Sure you can.
But if you do that you can't get routed to any place.

You need a gateway address within the same logical network.


On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
> Hello freeradius-users,
> 
>   Is there a possibility to pool a range of IP addresses for a NAS
>   while the NAS is not in that range? For example, if I try to pool
>   the 192.168.253.0/24 network for a NAS with address 192.168.3.3, it
>   says that nas/port not found for that NAS address (192.168.3.3).
>   Is it possible to assign to a NAS client an IP address not from the NAS
>   network?




RE: PEAP Woes

2003-10-29 Thread Ron Wahler


Matt,

How did you synchronize the Active Directory with OpenLDAP? Are you
keeping passwords in the clear on OpenLDAP or in NTpassword form?






ippool issue

2003-10-29 Thread Alexander Lunyov
Hello freeradius-users,

  Is there a possibility to pool a range of IP addresses for a NAS
  while the NAS is not in that range? For example, if I try to pool
  the 192.168.253.0/24 network for a NAS with address 192.168.3.3, it
  says that nas/port not found for that NAS address (192.168.3.3).
  Is it possible to assign to a NAS client an IP address not from the NAS
  network?

-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Messages "warning: junk pointer, too high to make sense" after upgrade 0.8.1 -> 0.9.2.

2003-10-29 Thread Alexander Lunyov
Hello.

  I have FreeBSD 4.8R-p13 with freeradius.
  
  After upgrading to 0.9.2 I have noticed warnings on radiusd start:
  when starting from /usr/local/etc/rc.d/radiusd.sh as usual, i.e.
  without flags, there are a couple of messages "radiusd in free():
  warning: junk pointer, too high to make sense" printed to the
  console. Everything is working fine, but why are those messages
  coming out?

  This is start with 'xx' flags:

 ldap: ldap_cache_timeout = 0
 ldap: ldap_cache_size = 0
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: identity = "cn=admin,dc=domain,dc=ru"
 ldap: start_tls = no
 ldap: tls_mode = no
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: password = "password"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: basedn = "ou=users,dc=domain,dc=ru"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: filter = "(uid=%u)"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: default_profile = "cn=radprofile,dc=domain,dc=ru"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: profile_attribute = "(null)"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: password_header = "(null)"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: password_attribute = "userPassword"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: access_attr = "dialupAccess"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: groupname_attribute = "cn"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
radiusd in free(): warning: junk pointer, too high to make sense
 ldap: groupmembership_attribute = "(null)"
radiusd in free(): warning: junk pointer, too high to make sense

Any suggestions?

 
-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Re: PEAP Woes [fixed]

2003-10-29 Thread Matt Sapp
Alan,

Your pointer to the MS-CHAP issue with usernames got me thinking.  I looked closely at 
the logs and one machine was sending usernames in lowercase, and the other was sending 
them partially upper-cased (which, after some research, I found they were in our 
Active Directory with some characters capitalized for some reason =/ ).  After 
changing the user in AD to have an all-lowercase name just as they are in our 
OpenLDAP, the problem laptop is able to login.

This doesn't explain why one laptop would lowercase the username before 
authenticating, but I don't think that is anything I'll ever understand.

Thanks for the help.

-Matt
MNU Network Administrator



--- Original Message Below ---

From: "Matt Sapp" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes
Date: Wed, 29 Oct 2003 16:03:21 -0500

Alan,

Upon setting "with_ntdomain_hack = no", of course now my wireless users cannot be 
found in ldap, so the systems that did work before do not now:

radius_xlat:  '(uid=MNU.EDU\\Matt)'
radius_xlat:  'dc=mnu,dc=edu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=MNU.EDU\\Matt)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 25

It looks to me like the domain is not used in the calculation of ms-chap, otherwise it 
would not work at all when using with_ntdomain_hack, or am I missing something?


I'll do a packet dump and come back with the results.

-Matt
MNU Network Administrator



--- Original Message Below ---
 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes 
Date: Wed, 29 Oct 2003 16:44:33 -0500

"Matt Sapp" <[EMAIL PROTECTED]> wrote:
> On the Centrino laptop, logging into the domain, wireless also comes up.
> 
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

  If one works and the other doesn't, then the ONLY difference is in
the RADIUS requests.  Compare the RADIUS requests from the two laptop
authentications, and see what's different.  The differences are
breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration. 

  See a post earlier today on the list.  MS-CHAP depends on
usernames.  "with_ntdomain_hack = yes" means that the user name is
changed, so MS-CHAP authentication will NOT work.

  Try setting "with_ntdomain_hack = no"

  Alan DeKok.



WPA

2003-10-29 Thread Mike Paneth
I am trying to set up a wireless network with WPA security, using a SMC 2804
AP and a SMC 2835 card with a XP laptop and MS WPA patch.

Does anyone have details on how to set up the freeradius environment for WPA
(including generating the certificates)?

I have tried to follow the EAPTLS document from Ken Roser, but it is old (FR
April 15 2002) and the openssl scripts don't appear to work on RH9.

Mike Paneth
Melbourne, Australia





Re: PEAP Woes

2003-10-29 Thread Matt Sapp
Alan,

Upon setting "with_ntdomain_hack = no", of course now my wireless users cannot be 
found in ldap, so the systems that did work before do not now:

radius_xlat:  '(uid=MNU.EDU\\Matt)'
radius_xlat:  'dc=mnu,dc=edu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=MNU.EDU\\Matt)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 25

It looks to me like the domain is not used in the calculation of ms-chap, otherwise it 
would not work at all when using with_ntdomain_hack, or am I missing something?


I'll do a packet dump and come back with the results.

-Matt
MNU Network Administrator



--- Original Message Below ---
 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes 
Date: Wed, 29 Oct 2003 16:44:33 -0500

"Matt Sapp" <[EMAIL PROTECTED]> wrote:
> On the Centrino laptop, logging into the domain, wireless also comes up.
> 
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

  If one works and the other doesn't, then the ONLY difference is in
the RADIUS requests.  Compare the RADIUS requests from the two laptop
authentications, and see what's different.  The differences are
breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration. 

  See a post earlier today on the list.  MS-CHAP depends on
usernames.  "with_ntdomain_hack = yes" means that the user name is
changed, so MS-CHAP authentication will NOT work.

  Try setting "with_ntdomain_hack = no"

  Alan DeKok.



Re: PEAP Woes

2003-10-29 Thread Alan DeKok
"Matt Sapp" <[EMAIL PROTECTED]> wrote:
> On the Centrino laptop, logging into the domain, wireless also comes up.
> 
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

  If one works and the other doesn't, then the ONLY difference is in
the RADIUS requests.  Compare the RADIUS requests from the two laptop
authentications, and see what's different.  The differences are
breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration. 

  See a post earlier today on the list.  MS-CHAP depends on
usernames.  "with_ntdomain_hack = yes" means that the user name is
changed, so MS-CHAP authentication will NOT work.

  Try setting "with_ntdomain_hack = no"

  Alan DeKok.
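The username dependence Alan points to here, and the case mismatch Matt found in the "[fixed]" message above, come down to one step of MS-CHAPv2 (RFC 2759, section 8.2). The following is an added example written for this page, not FreeRADIUS code; the sample challenges are constructed, and the domain-stripping helper is a simplified model of what with_ntdomain_hack is documented to do.

```python
"""Why MS-CHAPv2 depends on the exact username (RFC 2759, section 8.2).

Added example, not FreeRADIUS code. The peer computes its NT-Response over
an 8-octet challenge derived as SHA1(PeerChallenge || AuthenticatorChallenge
|| UserName)[:8]. A server that hashes different UserName octets (other case,
or a DOMAIN\\ prefix the peer did not include) derives a different challenge,
so the check ends in "MS-CHAP2-Response is incorrect" even when the stored
NT-Password is right.
"""
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """GenerateChallengeHash from RFC 2759: first 8 octets of the SHA-1."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("ascii")).digest()
    return digest[:8]


def strip_nt_domain(user_name: str) -> str:
    """Model of with_ntdomain_hack (assumed simplification): keep only the part after 'DOMAIN\\'."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def server_reproduces_challenge(client_user: str, server_user: str,
                                peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """True only when the server's UserName octets equal the ones the client hashed."""
    return (challenge_hash(peer_challenge, auth_challenge, client_user)
            == challenge_hash(peer_challenge, auth_challenge, server_user))


def explain_mismatch(client_user: str, server_user: str) -> str:
    """Classify a username mismatch the way a defender comparing two -X logs would."""
    if client_user == server_user:
        return "identical"
    if strip_nt_domain(client_user) == strip_nt_domain(server_user):
        return "domain prefix differs"
    if client_user.lower() == server_user.lower():
        return "case differs"
    if strip_nt_domain(client_user).lower() == strip_nt_domain(server_user).lower():
        return "case and domain prefix differ"
    return "different user"


# Constructed sample challenges (real ones are random per authentication).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))

if __name__ == "__main__":
    for stored in ("matt", "Matt", "MNU.EDU\\matt"):
        ok = server_reproduces_challenge("matt", stored, PEER_CHALLENGE, AUTH_CHALLENGE)
        print(f"client 'matt' vs server '{stored}': {'ok' if ok else 'reject'}"
              f" ({explain_mismatch('matt', stored)})")
```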



Re: Different SQL backend for different realms

2003-10-29 Thread Alan DeKok
Leon Li <[EMAIL PROTECTED]> wrote:
> I tried according to doc/Autz-Type, still no luck. What it mentions 
> seems to be clear and easy.
> I added something like
> 
> DEFAULT
>Realm == "companyA.com",
> Autz-Type := sql_a

  Which won't do what you want.  Please use the examples as posted,
and do NOT edit them to add whitespace, unless you know what you're
doing.

  Read the 'man' page for the 'users' file.

> Debug shows "No atuhentication method (Auth-Type) configuration
> found ... "

  Yes.  You didn't follow the instructions, and didn't use the correct
format for the 'users' file.  There are many examples in the default
'users' file to explain how to do it correctly.

  Alan DeKok.




Re: freeradius snap version doesn't compile..any help?

2003-10-29 Thread Alan DeKok
hulusi onder <[EMAIL PROTECTED]> wrote:
> I am trying to follow the EAP/TLS HOWTO guide
> (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm).
> Throughout this guide I made the first changes to the
> src/modules/rlm_eap/types/rlm_eap_tls/Makefile.

  Don't do that.  Those instructions are for an older version of the
software.  The Makefile doesn't need editing.

> mppe_keys.c: In function `P_hash':
> mppe_keys.c:61: too many arguments to function
> `HMAC_Init_ex'

OpenSSL version 0.9.7b works for me.  If the OpenSSL people
have changed the function prototype, then they shouldn't have done
that...

  Alan DeKok.



Different SQL backend for different realms

2003-10-29 Thread Leon Li
Thanks for the help.

I tried according to doc/Autz-Type, still no luck. What it mentions 
seems to be clear and easy.
I added something like

DEFAULT
  Realm == "companyA.com",
   Autz-Type := sql_a
into users file and

Autz-Type sql_a {
  sql2
}
into "authorize" block. Does anything else need to be done? Debug shows "No 
atuhentication method (Auth-Type)
configuration found ... ", seems like the request "[EMAIL PROTECTED]" 
didn't fall into the "sql_a" group.

I have also one block like

realm companyA.com {
  type ...
   authhost ...
  
}
in proxy.conf, I don't know if it has anything to do with the problem. 
According to the radiusd.conf doc,
proxy.conf (suffix) is processed before the user file, does "strip" or 
"nostrip" matter here?

Appreciate more help.



PEAP Woes

2003-10-29 Thread Matt Sapp
Alrighty, I've been hitting my head on the wall because of this for a couple days, and 
I still haven't figured anything out, so maybe someone else has some information.  I 
apologize for this long message ahead of time ;)

The setup:  We have a Win2k domain (MNU.EDU) with all of our users.  Windows Clients 
(laptops in this case) use Win2K DC's for login to the domain.  We also have an 
OpenLDAP server that has the same user accounts in it, and usernames and passwords are 
synchronized between the two.

Now, on top of all this, I've got a bunch of Cisco AP's, and a freeradius server.  
LEAP and PEAP are our preferred methods of authenticating at this point.  Freeradius 
is setup to authenticate wireless users against the OpenLDAP server.

On to the problem: I have a couple laptops here.  One with Intel Centrino wireless, 
one with Atheros a/b miniPCI (both builtin to laptop).  Both laptops have a user 
account "matt" on them, with the same password as is in our AD controllers and in 
OpenLDAP.  Both laptops are patched with the same patches from MS (SP1 + Criticals) 
and have the same configuration for wireless and basically everything else.

On both laptops, if I log in locally, everything is fine, peap goes off, and 
they're authenticated to the network.

On the Centrino laptop, logging into the domain, wireless also comes up.

However, the laptop with the Atheros card in it, when logging into the domain rather 
than locally to the laptop, I get this when running with -X:

rad_recv: Access-Request packet from host 10.194.210.255:2046, id=64, length=261
User-Name = "MNU.EDU\\matt"
Cisco-AVPair = "ssid=mnu.edu"
NAS-IP-Address = 10.194.210.255
Called-Station-Id = "00409658876f"
Calling-Station-Id = "00022d59f0fd"
NAS-Identifier = "Cisco-AP350-255"
NAS-Port = 37
Framed-MTU = 1400
State = 0x5f59aa6719deb2ced82c8ed183351946
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0233005...blah
Message-Authenticator = 0xbd39fb...blah
...

rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=matt)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x480A0..blah & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 0xC0793..blah & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 101
modcall: group authorize returns updated for request 101
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 101
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.

  rlm_eap_peap: EAP type 26
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message = 0x023300...blah
  PEAP: Adding old state with 5f bb
  PEAP: Sending tunneled request
EAP-Message = 0x023300...blah
Freeradius-Proxied-To = 127.0.0.1
User-Name = "MNU.EDU\\matt"
State = 0x5fbb...blah
modcall: entering group authorize for request 101

...

(same LDAP as above)

...

modcall: group authorize returns updated for request 101
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 101
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - mschapv2
  rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 101
  rlm_mschap: Found LM-Password
  rlm_mschap: Found NT-Password
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 101
modcall: group Auth-Type returns reject for request 101
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 101
modcall: group authenticate returns reject for request 101
auth: Failed to validate the user.
Login incorrect: [matt/] (from client localhost port 0)

...


I am using "with_ntdomain_hack = yes" in my configuration.  This is really confusing 
me as it works on one machine but not another.  I'm 99.9% sure this isn't a freeradius 
issue per-se, but I'm hoping someone can at least point me in the right direction 
(maybe radius needs different configuration from what I have for domain logins ?)

Thanks for any light you can shed on this.

-Matt
MNU Network Administrator




Re: 3Com 4400 dict/EAP problem

2003-10-29 Thread Alan DeKok
Jonathan Richard Brockmeier <[EMAIL PROTECTED]> wrote:
> If I need to do the following, how do I setup the dictionary to be correct?

  Read the other dictionary files, and 'man dictionary', it should be
pretty straightforward.

> Also when I am trying to get 802.1x working against mysql data (since that is
> how we have it setup) I get the following error:

  I'm not sure what you mean by "working against mysql data"

> rad_check_password: Found Auth-Type EAP
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Login incorrect: [brockj/] (from client ss4400

  It looks like you're taking a crypt'd password out of the MySQL
database.  That won't work with EAP.  EAP requires plain-text
passwords.

  Alan DeKok.



freeradius snap version doesn't compile..any help?

2003-10-29 Thread hulusi onder
hi everybody ;
I am trying to follow the EAP/TLS HOWTO guide
(http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm).
Throughout this guide I made the first changes to the
src/modules/rlm_eap/types/rlm_eap_tls/Makefile.

However the make command didn't work as expected; it
gives two errors and quits. Could you please give
me a hand with this problem. Here is the log of
the error.
The openssl is the snapshot version. I had once beaten
this problem by skipping the mppe_keys.c in the
preceding make file, but that might be the reason for
the next problems that I encountered.
...
...
/usr/local/openssl/include/openssl/ssl.h:349: warning:
function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:350: warning:
function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:351: warning:
function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:610: warning:
function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:758: warning:
function declaration isn't a prototype
In file included from rlm_eap_tls.h:61,
 from eap_tls.h:26,
 from mppe_keys.c:25:
/usr/local/openssl/include/openssl/ssl.h:1235:
warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:1271:
warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:1273:
warning: function declaration isn't a prototype
mppe_keys.c: In function `P_hash':
mppe_keys.c:61: too many arguments to function
`HMAC_Init_ex'
mppe_keys.c:62: too many arguments to function
`HMAC_Init_ex'
mppe_keys.c:84: too many arguments to function
`HMAC_Init_ex'
mppe_keys.c:89: too many arguments to function
`HMAC_Init_ex'
gmake[10]: *** [mppe_keys.o] Error 1
gmake[10]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap/types/rlm_eap_tls'
gmake[9]: *** [common] Error 1
gmake[9]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap/types'
gmake[8]: *** [static] Error 2
gmake[8]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap/types'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap'
gmake[6]: *** [static] Error 2
gmake[6]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory
`/root/download/freeradius-snapshot-20031029/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory
`/root/download/freeradius-snapshot-20031029'
make: *** [all] Error 2




3Com 4400 dict/EAP problem

2003-10-29 Thread Jonathan Richard Brockmeier
If I need to do the following, how do I set up the dictionary to be correct?

3Com Vendor Specific Attribute
The default user levels on the Switch (monitor, manager, admin) are
supported by a 3Com Vendor Specific Attribute (VSA). The Vendor-ID for
3Com is 43. You must configure the RADIUS server to send this attribute
in the Access-Accept message in order to specify the access level required
for each user account. The configurable attribute values are:

- Monitor (1) — the user can view all manageable parameters, except special/security features, but cannot change any manageable parameters.
- Manager (2) — the user can access and change the operational parameters but not special/security features.
- Administrator (3) — the user can access and change all manageable parameters.

The attribute body consists of a 3Com Vendor type (1), Vendor data
length (6) and the Vendor data (4 octet integer containing the access
level value), as shown in Figure 25.

Also when I am trying to get 802.1x working against mysql data (since that is
how we have it set up) I get the following error:

rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
modcall[authorize]: module "daily" returns noop
rlm_eap: EAP packet type notification id 0 length 11
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [brockj/] (from client ss4400
port 119 cli 00-00-39-CA-99-AF)

Any ideas on what I can try?

Jon


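The VSA layout the 3Com documentation describes, as an added example that is not part of the original post or of FreeRADIUS: Python that builds and parses the RFC 2865 Vendor-Specific attribute (type 26) carrying Vendor-ID 43, vendor type 1, vendor length 6 and a 4-octet access level, with every length and identifier checked so that a mismatch is caught on the server instead of being silently ignored by the switch. The DICTIONARY_3COM string is an assumed dictionary fragment in the 0.9-era four-column ATTRIBUTE syntax with a hypothetical attribute name (3Com-User-Access-Level); check the dictionary shipped with your FreeRADIUS version rather than relying on that name.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26, Vendor-Specific
VENDOR_3COM = 43              # Vendor-ID quoted from the 3Com documentation in the post
VSA_USER_ACCESS_LEVEL = 1     # 3Com vendor type quoted in the post
VSA_DATA_LENGTH = 6           # vendor type (1) + vendor length (1) + 4-octet integer

# Access levels quoted from the 3Com documentation in the post.
ACCESS_LEVELS = {"Monitor": 1, "Manager": 2, "Administrator": 3}

# Assumed FreeRADIUS dictionary fragment (hypothetical attribute name; the
# four-column ATTRIBUTE form is the 0.9-era syntax, vendor name last).
DICTIONARY_3COM = """\
VENDOR      3Com                    43
ATTRIBUTE   3Com-User-Access-Level  1   integer 3Com
VALUE       3Com-User-Access-Level  Monitor        1
VALUE       3Com-User-Access-Level  Manager        2
VALUE       3Com-User-Access-Level  Administrator  3
"""


def encode_3com_access_level(level: int) -> bytes:
    """Build the Vendor-Specific attribute that carries the 3Com access level.

    Wire layout: Type=26, Length=12, Vendor-Id=43 (4 octets), then the vendor
    data: vendor type 1, vendor length 6, 4-octet big-endian level.
    """
    if level not in ACCESS_LEVELS.values():
        raise ValueError(f"unsupported 3Com access level {level}")
    vendor_data = struct.pack("!BBI", VSA_USER_ACCESS_LEVEL, VSA_DATA_LENGTH, level)
    body = struct.pack("!I", VENDOR_3COM) + vendor_data
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_3com_access_level(attr: bytes):
    """Return the access level name carried by a Vendor-Specific attribute,
    or None if it is not a well-formed 3Com access-level VSA.

    Every length and identifier is checked explicitly: a switch that receives
    a VSA with the wrong Vendor-Id, vendor type or length ignores it, so the
    user silently lands on the default level instead of getting an error.
    """
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    if vendor_id != VENDOR_3COM:
        return None
    vtype, vlen = attr[6], attr[7]
    if vtype != VSA_USER_ACCESS_LEVEL or vlen != VSA_DATA_LENGTH or len(attr) != 6 + vlen:
        return None
    (value,) = struct.unpack("!I", attr[8:12])
    for name, number in ACCESS_LEVELS.items():
        if number == value:
            return name
    return None


if __name__ == "__main__":
    for name, number in ACCESS_LEVELS.items():
        vsa = encode_3com_access_level(number)
        print(f"{name:14s} {vsa.hex()}  -> {decode_3com_access_level(vsa)}")
```

Running the block prints the twelve-octet encoding of each level; comparing that hex against a packet capture of the Access-Accept is a quick way to confirm the dictionary the server loaded matches what the switch expects.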


Re: Modems can login but ISDN users cannot?

2003-10-29 Thread Gustavo A. Lozano
First of all, try a debug with radiusd -x

Then check the configuration; maybe the user is trying to use the second
ISDN channel and your radius doesn't let him use it..

Maybe there is some issue with the NAS and nothing with the radius
itself..


On Wed, 2003-10-29 at 14:43, James Green wrote:
> Hi all,
> 
> Got a FreeRadius installation working fine for analog modem users. A 
> client is now trying to send through loads of ISDN traffic, and he's 
> getting the following:
> 
> 691: username/password declined (Windows error message)
> 
> radius.log shows his test username as Login: ok. Yet Radius isn't 
> logging him in the details logs at all.
> 
> Any ideas?
> 
> Thanks,
> 
> James
> 
> 
> 
> 
> 




Modems can login but ISDN users cannot?

2003-10-29 Thread James Green
Hi all,

Got a FreeRadius installation working fine for analog modem users. A 
client is now trying to send through loads of ISDN traffic, and he's 
getting the following:

691: username/password declined (Windows error message)

radius.log shows his test username as Login: ok. Yet Radius isn't 
logging him in the details logs at all.

Any ideas?

Thanks,

James





Re: authenticating directly from NT domain controller

2003-10-29 Thread Alan DeKok
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> What does it use for the authentication method? PAP to what?
> 
> Does it bind to a database?

  PAP to SMB, similar to what any client would do when mounting
network shares.

  Alan DeKok.



RE: authenticating directly from NT domain controller

2003-10-29 Thread Ron Wahler
What does it use for the authentication method? PAP to what? 

Does it bind to a database?


> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Re: authenticating directly from NT domain controller
> 
> "Ron Wahler" <[EMAIL PROTECTED]> wrote:
> > Is there any doc on rlm_smb ?
> 
>   raddb/experimental.conf
> 
>   The SMB module is so simple & stupid, that there's little to
> configure, and little to get right (or wrong).
> 
>   Alan DeKok.
> 



Re: etc_smbpasswd !!

2003-10-29 Thread Alan DeKok
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Ok Alan. You are always right.

I don't want you to be nice to me.  I want you to READ the
available documentation, and to DESCRIBE what you're doing when you
post to the list.  So far, you've done poorly on both.

> Let's say that I need to authenticate wireless users from Open1x
> through freeradius. These users are not in a local file (for example
> users) but in an Active Directory Server (my PDC). What methods
> should I use? I've spent over 3 days trying to do that.

  EAP-TTLS + PAP.  You have pretty much no other alternatives.

  If you were using a real LDAP server, you could use any wireless
authentication method, and it would work.

  Alan DeKok.



Re: authenticating directly from NT domain controller

2003-10-29 Thread Alan DeKok
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> Is there any doc on rlm_smb ?

  raddb/experimental.conf

  The SMB module is so simple & stupid, that there's little to
configure, and little to get right (or wrong).

  Alan DeKok.



RE: etc_smbpasswd !!

2003-10-29 Thread Marios Karagiannopoulos
Ok Alan. You are always right. Let's say that I need to authenticate
wireless users from Open1x through freeradius. These users are not in a
local file (for example users) but in an Active Directory Server (my PDC).
What methods should I use? I've spent over 3 days trying to do that.

Thanks again,
Marios


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 9:08 PM
To: [EMAIL PROTECTED]
Subject: Re: etc_smbpasswd !! 


"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Alternatively, I'm trying to wireless authenticate through MS-CHAPV2

  MS-CHAPv2 is not a wireless authentication protocol.

> auth: type "MS-CHAP"
> modcall: entering group Auth-Type for request 1
>   rlm_mschap: Found LM-Password
>   rlm_mschap: Found NT-Password
>   rlm_mschap: No MS-CHAP-Challenge in the request

  Exactly.  Now read the rest of the debugging output (which you didn't
post), in order to discover what the client is trying to do.

  Read 'radiusd.conf', in the 'eap' section to discover what you're
doing wrong.

  Alan DeKok.






acct packets

2003-10-29 Thread Jefferson Dümes
Alan

I sent some useful information (I think).

Could you help me (when you have time)???



RE: authenticating directly from NT domain controller

2003-10-29 Thread Ron Wahler
Is there any doc on rlm_smb ?

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: Re: authenticating directly from NT domain controller
> 
> "Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> > Is it possible to have freeRADIUS communicate directly to an NT
domain
> > controller for the purpose of authenticating and/or authorizing
users?
> 
>   See rlm_smb.  It's experimental, so you'll have to do some minor
> work to build it, but it works for me.
> 
>   Alan DeKok.
> 



Re: etc_smbpasswd !!

2003-10-29 Thread Alan DeKok
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Alternatively, I'm trying to wireless authenticate through MS-CHAPV2 

  MS-CHAPv2 is not a wireless authentication protocol.

> auth: type "MS-CHAP"
> modcall: entering group Auth-Type for request 1
>   rlm_mschap: Found LM-Password
>   rlm_mschap: Found NT-Password
>   rlm_mschap: No MS-CHAP-Challenge in the request

  Exactly.  Now read the rest of the debugging output (which you
didn't post), in order to discover what the client is trying to do.

  Read 'radiusd.conf', in the 'eap' section to discover what you're
doing wrong.

  Alan DeKok.



RE: authenticating directly from NT domain controller

2003-10-29 Thread Marios Karagiannopoulos
-> MSCHAPv2

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 8:58 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller 


"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Right. So, there is no way of wireless auth through rlm_smb?

  It would help to actually say which wireless authentication method
you're using.

  Alan DeKok.






etc_smbpasswd !!

2003-10-29 Thread Marios Karagiannopoulos



Alan,
 
Alternatively, I'm trying to wireless authenticate through MS-CHAPV2 and
etc_smbpasswd. I dumped the password from Domain Controller to a file
/etc/smbpasswd but unfortunately I'm getting rejected !!

auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 1
  rlm_mschap: Found LM-Password
  rlm_mschap: Found NT-Password
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 1
modcall: group Auth-Type returns reject for request 1
auth: Failed to validate the user.

Thanks,
Marios


Re: authenticating directly from NT domain controller

2003-10-29 Thread Alan DeKok
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Right. So, there is no way of wireless auth through rlm_smb?

  It would help to actually say which wireless authentication method
you're using.

  Alan DeKok.



RE: authenticating directly from NT domain controller

2003-10-29 Thread Marios Karagiannopoulos
Right. So, there is no way of wireless auth through rlm_smb?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 8:33 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller 


"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> I just tried to be authenticated from open1x client.
> I got the following:
> 
> rlm_smb: Attribute "User-Password" is required for authentication.

  rlm_smb can only do PAP.  I don't think you said you were doing
wireless authentication...

  Alan DeKok.






Re: authenticating directly from NT domain controller

2003-10-29 Thread Alan DeKok
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> I just tried to be authenticated from open1x client. 
> I got the following:
> 
> rlm_smb: Attribute "User-Password" is required for authentication.

  rlm_smb can only do PAP.  I don't think you said you were doing
wireless authentication...

  Alan DeKok.



RE: authenticating directly from NT domain controller

2003-10-29 Thread Marios Karagiannopoulos
I just tried to be authenticated from open1x client. 
I got the following:

rlm_smb: Attribute "User-Password" is required for authentication.

What's the next modification of radiusd.conf?

Thanks,
Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marios
Karagiannopoulos
Sent: Wednesday, October 29, 2003 7:58 PM
To: [EMAIL PROTECTED]
Subject: RE: authenticating directly from NT domain controller 


Sorry Alan,

I found one after the build --with-experimental-modules=yes.

Thanks,
Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marios
Karagiannopoulos
Sent: Wednesday, October 29, 2003 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: authenticating directly from NT domain controller 


Alan,

Could you please give us a starting point? I just compiled the rlm_smb.
Is there any radiusd.conf file? Thanks,

Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller 


"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain

> controller for the purpose of authenticating and/or authorizing users?

  See rlm_smb.  It's experimental, so you'll have to do some minor work
to build it, but it works for me.

  Alan DeKok.



RE: authenticating directly from NT domain controller

2003-10-29 Thread Marios Karagiannopoulos
Sorry Alan,

I found one after the build --with-experimental-modules=yes.

Thanks,
Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marios
Karagiannopoulos
Sent: Wednesday, October 29, 2003 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: authenticating directly from NT domain controller 


Alan,

Could you please give us a starting point? I just compiled the rlm_smb.
Is there any radiusd.conf file? Thanks,

Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller 


"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain

> controller for the purpose of authenticating and/or authorizing users?

  See rlm_smb.  It's experimental, so you'll have to do some minor work
to build it, but it works for me.

  Alan DeKok.



how to know configure parameters with bin file ???

2003-10-29 Thread Jefferson Dümes
Hi

A long time ago I compiled freeradius with some configure parameters but I
forgot what they were.

I've got the binary files and I wonder if there's a way to know the parameters I
used at compile time from this binary.

Is there a way to know what parameters I used??? Just like PHP does with
phpinfo().





freeradius set up help needed

2003-10-29 Thread Ravi Kiran
Hello Gurus,

I am a Research Assistant at George Mason University trying to set up a freeradius server for Cisco Aironet 1200 APs (MAC-based auth). Though I have been googling for almost 3 days I don't get the big picture. It's been hard to find documentation or configuration steps. I am to install freeradius on RedHat Linux 9.0 that authenticates clients coming through Cisco Aironet 1200 APs. I have no clue what is to be done (totally confused). I would appreciate it if anybody could run me through the process of getting this working; any extensive doc will be an added benefit.

Thanking you all in anticipation,

Ravi Kiran Bhaskar

RE: authenticating directly from NT domain controller

2003-10-29 Thread Marios Karagiannopoulos
Alan,

Could you please give us a starting point? I just compiled the rlm_smb.
Is there any radiusd.conf file?
Thanks,

Marios

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller 


"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain

> controller for the purpose of authenticating and/or authorizing users?

  See rlm_smb.  It's experimental, so you'll have to do some minor work
to build it, but it works for me.

  Alan DeKok.



Re: Different SQL backend for different realms

2003-10-29 Thread Ulrich Walcher
On Wed, 2003-10-29 at 17:37, Leon Li wrote:
> Hi all:
> 
> Sorry if this question has been asked a million times. I'm new to 
> FreeRadius and now working on a project migrating Radiator to
> Freeradius. I've been using Radiator for years and the first thing
> that concerns me about the migration is the realms.
> 
> I now have over 10 realms in Radiator, each of which gets 
> authentication from a different user table in one oracle database.
> I dug through Freeradius for a couple of days and found something
> about proxy and Autz-Type, etc., but it's still not clear, because in
> this case proxy is not what I want: user requests from different
> realms will not be proxied to another radius server, they just need to
> go to different sql backends.
> 

[...]
From what I see in doc/Autz-Type, it will work...

---snip---
DEFAULT Realm == "other.company.com", Autz-Type := SQL{1|2|3...}
---snip---

You'll have to add different oraclesql{1|2|3...}.conf files to fit your
needs...





Re: authenticating directly from NT domain controller

2003-10-29 Thread Alan DeKok
"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain
> controller for the purpose of authenticating and/or authorizing users?

  See rlm_smb.  It's experimental, so you'll have to do some minor
work to build it, but it works for me.

  Alan DeKok.



Re: Apple Airport Extreme

2003-10-29 Thread Alan DeKok
Jan van Rensburg <[EMAIL PROTECTED]> wrote:
> I see the Airport supports Cisco's LEAP, do I 
> need to configure freeradius with LEAP support, or is this not 
> necessary if Cisco equipment aren't used?

  Configuring FreeRADIUS to use LEAP is required if you are going to
authenticate users via LEAP.

> If I later want to configure user auth in addition to MAC auth, can 
> this be done via PAM smb? We usually use pam_smb to authenticate things 
> like ssh sessions against our NT4 domain controllers. Will this work 
> with freeradius/apple's airport? How do users authenticate before they 
> can use the WLAN? Is extra client software required for Windows/Mac OS 
> X?

  They will have to use a wireless authentication method.  This means
LEAP, TTLS, or PEAP.  Of them, TTLS is recommended.

  Alan DeKok.



RE: lower_user with MS-CHAPv2...

2003-10-29 Thread Guy Davies
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: 29 October 2003 17:11
> To: [EMAIL PROTECTED]
> Subject: Re: lower_user with MS-CHAPv2... 
> 
> 
> Guy Davies <[EMAIL PROTECTED]> wrote:
> > I've been using FreeRADIUS 0.9.2 to authenticate users 
> using MS-CHAPv2 and,
> > up to now, everything has been working fine.  However, I 
> have several users
> > who use a username in Uppercase so I thought I'd use the "lower_user
> > after" function to make everything lowercase if uppercase 
> fails.  However,
> > as soon as I do this, I have the following problem.  
> 
>   The user name is part of the MS-CHAP challenge/response scheme.  So
> changing the username means that the MS-CHAP response from the user
> will be invalid, as it was for the *original* username, not the
> modified one.
> 
>   Alan DeKok.

Ah, br!  Thanks for explaining that Alan.  That puts an end to that then ;-)

Regards,

Guy

-BEGIN PGP SIGNATURE-
Version: PGP 8.0

iQA/AwUBP5/11o3dwu/Ss2PCEQI7GQCgvTkBL+yDINZeXrdfl1iq0nNqbeMAn0rY
YAJDpGJ3+r0QVWyK78oQUXAe
=frIw
-END PGP SIGNATURE-







authenticating directly from NT domain controller

2003-10-29 Thread Woods, Bryan
I have to believe that this topic has come up so frequently that most
members of this list are sick of hearing about it...  Unfortunately, my
search of the archives did not result in a definitive answer for me - so I
am compelled to bring up this question once again.  Please forgive me.

Is it possible to have freeRADIUS communicate directly to an NT domain
controller for the purpose of authenticating and/or authorizing users?

Would migrating the NT domain to Active Directory open any additional
options?

This posting leads me to believe that A.D. doesn't like to play nicely with
anything that isn't licensed by micro$oft:

---
http://www.mail-archive.com/[EMAIL PROTECTED]/msg19912.html

>  I looked briefly pam_smb, but as best as I could determine, it will 
> not work with AD. AFAIK, IAS is the only means to authenticate users to
AD.

  I wonder why...

  Microsoft does supply an LDAP interface to AD, and it is possible to
use it to do *some* kinds of authentication.  But it's impossible to
do anything other than PAP against AD, unless your name is "IAS".
That's rude.
---

I'd love to hear from others who have been faced with a similar challenge.


Bryan



Re: lower_user with MS-CHAPv2...

2003-10-29 Thread Alan DeKok
Guy Davies <[EMAIL PROTECTED]> wrote:
> I've been using FreeRADIUS 0.9.2 to authenticate users using MS-CHAPv2 and,
> up to now, everything has been working fine.  However, I have several users
> who use a username in Uppercase so I thought I'd use the "lower_user
> after" function to make everything lowercase if uppercase fails.  However,
> as soon as I do this, I have the following problem.  

  The user name is part of the MS-CHAP challenge/response scheme.  So
changing the username means that the MS-CHAP response from the user
will be invalid, as it was for the *original* username, not the
modified one.

  Alan DeKok.



Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)

2003-10-29 Thread Artur Hecker
ok

looking at your radiusd.conf file, i wonder if you have to add a preacct 
section with a suffix module in it in order to look up the realms. 
otherwise it seems ok to me.

ciao
artur


> I made a mistake editing that mail last night.
>
> realm dimapel.com.br {
> type= radius
> authhost= 200.180.55.65:1812
> accthost= 200.180.55.65:1813
> secret  = teste




Re: Apple Airport Extreme

2003-10-29 Thread Andreas Wolf
On Oct 29, 2003, at 6:21 AM, Jan van Rensburg wrote:

> Hi,
>
> I'm new to radius in general, and wonder if anyone can provide me with
> a good nod in the right direction. I installed freeradius 0.9.2 from
> source on RedHat advance server 2.1. Initial testing as described in
> INSTALL went fine.
>
> We will be getting Apple Airport Extreme base stations (
> http://www.apple.com/airport/) for company WiFi access, and I want to
> manage the allowed MAC list for all the base stations centrally on the
> radius server. What exactly do I need to configure on the freeradius
> side? Do I have to configure users as well, or can you just put up a
> list of MACs somewhere? I see the Airport supports Cisco's LEAP, do I
> need to configure freeradius with LEAP support, or is this not
> necessary if Cisco equipment aren't used?

As usual, you'll need to create entries in the clients.conf file for the
AirPort Extreme Base Stations (accepted IPs, shared secret).
In the users file you'll need to create entries for each client MAC
(an external database could be used instead, I suppose).
The AirPort Admin Utility gives a choice of how to format the MAC
addresses ('001122-334455' or '001122334455').

> If I later want to configure user auth in addition to MAC auth, can
> this be done via PAM smb? We usually use pam_smb to authenticate
> things like ssh sessions against our NT4 domain controllers. Will this
> work with freeradius/apple's airport? How do users authenticate before
> they can use the WLAN? Is extra client software required for
> Windows/Mac OS X?

I don't know about that. AFAIK, as of AirPort Extreme 3.1 you can't do
user auth. The AirPort client supports LEAP but not the Apple Base
Stations.

-Andreas

> Thanks,
> Jan




Different SQL backend for different realms

2003-10-29 Thread Leon Li
Hi all:

Sorry if this question has been asked a million times. I'm new to 
FreeRadius and now working on a project migrating Radiator to Freeradius.
I've been using Radiator for years and the first thing that concerns me
about the migration is the realms.

I now have over 10 realms in Radiator, each of which gets 
authentication from a different user table in one oracle database. I dug
through Freeradius for a couple of days and found something about proxy
and Autz-Type, etc., but it's still not clear, because in this case proxy
is not what I want: user requests from different realms will not be
proxied to another radius server, they just need to go to different sql
backends.

I hope this is just a configuration issue for me because of my lack of
Freeradius knowledge. Anyone who can shed some light on it will be highly
appreciated.

Best regards,

Jason



Ignoring unknown host

2003-10-29 Thread Bragi Baldursson
I have a problem where I continue to get unknown host
rad_recv: Access-Request packet from host 10.64.254.8:40001, id=25,
length=89
Ignoring request from unknown client 10.64.254.8:40001

I have defined the host in my clients.conf and I have set up my naslist
correctly. Any pointers?

I am running Redhat 9.0  and freeradius 0.9.2



Með kveðju/Best Regards
Bragi Baldursson
GPRS Kerfisverkfræðingur/GPRS Systems Engineer
Sími/Tel.: +354 550 63 08    mailto:[EMAIL PROTECTED]
Fax: +354 550 62 39    www: http://www.siminn.is
Gsm: +354 892 63 08

- Síminn makes communication easy -






Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)

2003-10-29 Thread Jefferson Dümes
Artur

I made a mistake editing that mail last night.

200.193.87.129 has no relation to the problem. It's another server 
for tests.

My problem is: the proxy server doesn't send acct (accounting) packets 
to the 200.180.55.65 server.

Just so you know:
200.180.22.15 is the RAS that consults only 200.180.22.9 (the proxy).
The correct proxy.conf is:

$ cat proxy.conf | grep -v "#" $$$
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 120
servers_per_realm = 15
default_fallback = yes
}
realm dimapel.com.br {
type= radius
authhost= 200.180.55.65:1812
accthost= 200.180.55.65:1813
secret  = teste
}



Artur Hecker wrote on 29-10-2003 07:11:
> hi
>
> looking at your proxy.conf file:
>
> realm dimapel.com.br {
> type= radius
> authhost= 200.193.87.129:1812
> accthost= 200.193.87.129:1813
> secret  = teste
> }
>
>
> now looking at the proxied Access Request out of your debug output:
>
> modcall: group authorize returns updated
> Sending Access-Request of id 3 to 200.180.55.65:1812
> User-Name = "dumes"
> User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-IP-Address = 200.180.22.15
> NAS-Port = 108
> Calling-Station-Id = "475211600"
> Called-Station-Id = "12110482815300"
> Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
> Proxy-State = "73"
> --- Walking the entire request list ---
>
>
> i strongly doubt that the proxy.conf file you are editing is relevant to 
> this server. (it should proxy to 200.193.87.129:1812 but it does to 
> 200.180.55.65:1812). unless of course you have a WEIRD host file
>
> ciao
> artur



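What the realm step does for a packet, and why its placement decides whether accounting gets proxied, as an added example that is not from the thread or from FreeRADIUS (Artur's reply above suggests a preacct section with the suffix module; this Python models that interaction, it is not rlm_realm's code). The realm table is transcribed from the proxy.conf posted above; the assumption that realm names are matched case-insensitively and that an unknown realm without a DEFAULT entry is handled locally is mine. The shared secret is reproduced only because the post shows it; a real one should be long and random.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    """One realm {} block from proxy.conf (the fields used in the post)."""
    name: str
    authhost: str
    accthost: str
    secret: str


# Realm table transcribed from the proxy.conf quoted in the post.
REALMS: Dict[str, Realm] = {
    "dimapel.com.br": Realm("dimapel.com.br", "200.180.55.65:1812",
                            "200.180.55.65:1813", "teste"),
}


def split_suffix(user_name: str) -> Tuple[str, Optional[str]]:
    """What the 'suffix' instance of the realm module does: split User-Name
    at the last '@'.  Returns (stripped user name, realm) or (user_name, None)
    when there is no realm suffix.  Realm matching is treated as
    case-insensitive here (assumption), so the realm is lower-cased."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def proxy_host(packet_type: str, user_name: str,
               realms: Dict[str, Realm] = REALMS) -> Tuple[str, Optional[str]]:
    """Decide where a packet goes once realm processing has run on it.

    Returns (stripped user name, "host:port") for a proxied packet, or
    (user name, None) for one handled locally.  Access-Request packets go to
    authhost and Accounting-Request packets to accthost; an unknown realm
    with no DEFAULT realm configured stays local (assumption).
    """
    user, realm_name = split_suffix(user_name)
    if realm_name is None:
        return user, None
    realm = realms.get(realm_name) or realms.get("default")
    if realm is None:
        return user, None
    if packet_type == "Access-Request":
        host = realm.authhost
    elif packet_type == "Accounting-Request":
        host = realm.accthost
    else:
        raise ValueError(f"unexpected packet type {packet_type!r}")
    return user, None if host.upper() == "LOCAL" else host


def route(section_has_suffix: bool, packet_type: str, user_name: str,
          realms: Dict[str, Realm] = REALMS) -> Tuple[str, Optional[str]]:
    """Model of the symptom in the thread.  Realm processing only happens in
    the section the packet passes through (authorize for Access-Request,
    preacct for Accounting-Request).  If the suffix module is absent from
    that section, the packet keeps its full User-Name and is never marked
    for proxying, so the home server sees no accounting at all."""
    if not section_has_suffix:
        return user_name, None
    return proxy_host(packet_type, user_name, realms)


if __name__ == "__main__":
    # Constructed sample: the user name from the debug output, with the realm suffix.
    print(route(True, "Access-Request", "dumes@dimapel.com.br"))
    print(route(False, "Accounting-Request", "dumes@dimapel.com.br"))
    print(route(True, "Accounting-Request", "dumes@dimapel.com.br"))
```

The defender's check that follows from this: run the same realm logic in both sections and compare the debug output of an Accounting-Request against an Access-Request for the same user. If only the latter shows a "Sending ... to host:port" line, the accounting side is missing its realm step rather than the home server dropping the packets.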


rlm_counter question

2003-10-29 Thread apellido jr., wilfredo p
Hello Mr. Kalevras, I already looked at rad_counter.pl
and I understand the flow of this script. It opens the
database as READONLY and prints the information, where you
can specify the db filename, user, and how the counter
will be shown: seconds (default), minutes, hours and
match. My problem is I don't have any hint on the command
or syntax, like how do I open the database as
read/write? What is the cmd to update, delete, add or
edit? I know this is not related to Freeradius but I
don't have any choice; I'm spending days trying to search
this web but I don't see any documentation. Thanks very
much ... 

=
wilfredo pahilanga apellido jr.
technical support
mactan online
bacolod city, philippines
+63 34 4348311

If you can't hear me, it's because i'm in parentheses.




RE: lower_user with MS-CHAPv2...

2003-10-29 Thread Guy Davies
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sorry for the self reply but there's a bit more info...

I'm using the same user entries for PAP authentication using System and
MS-CHAPv2 authentication with a locally defined User-Password.  The
lower_user = after appears to work fine for PAP but fails dismally with
MS-CHAPv2.

Regards,

Guy

> -Original Message-
> From: Guy Davies [mailto:[EMAIL PROTECTED]
> Sent: 29 October 2003 12:55
> To: '[EMAIL PROTECTED]'
> Subject: lower_user with MS-CHAPv2...
> 
> Hi,
> 
> Sorry if this is a dumb question or if it has been answered 
> before but I've
> looked through the RADIUS book and back through the emails I 
> have received
> from the list and found nothing relevant.

[deleted the rest, which you've probably read already :-)]

-BEGIN PGP SIGNATURE-
Version: PGP 8.0

iQA/AwUBP5/Vlo3dwu/Ss2PCEQKlSQCbBssh1H37eZ7NzyvJwwfwieXXlGoAoK4g
Y11sBnzbwzvxBTY2pDoGYp3V
=/4Wf
-END PGP SIGNATURE-




Apple Airport Extreme

2003-10-29 Thread Jan van Rensburg
Hi,

I'm new to RADIUS in general, and wonder if anyone can provide me with a
good nod in the right direction. I installed FreeRADIUS 0.9.2 from source
on Red Hat Advanced Server 2.1. Initial testing as described in INSTALL
went fine.

We will be getting Apple Airport Extreme base stations
(http://www.apple.com/airport/) for company WiFi access, and I want to
manage the allowed MAC list for all the base stations centrally on the
RADIUS server. What exactly do I need to configure on the FreeRADIUS side?
Do I have to configure users as well, or can you just put up a list of MACs
somewhere? I see the Airport supports Cisco's LEAP; do I need to configure
FreeRADIUS with LEAP support, or is this not necessary if Cisco equipment
isn't used?

If I later want to configure user auth in addition to MAC auth, can 
this be done via PAM smb? We usually use pam_smb to authenticate things 
like ssh sessions against our NT4 domain controllers. Will this work 
with freeradius/apple's airport? How do users authenticate before they 
can use the WLAN? Is extra client software required for Windows/Mac OS 
X?

Thanks,
Jan


TTLS authentication against LDAP

2003-10-29 Thread silvio . arcangeli

Hi everybody,
we finally managed to get all of it working.
The server is running fine with our TTLS client, and performs authentication against a RadiantOne virtual LDAP running over a couple of different sources (quite a long tour to authenticate a user).
Thank you very much for your help and kindness.

When are you planning to release the stable version featuring TTLS?

Silvio Arcangeli

Re: rlm_counter question

2003-10-29 Thread Kostas Kalevras
On Tue, 28 Oct 2003, apellido jr., wilfredo p wrote:

> Hello, after searching for any documents and tutorials
> regarding GDBM and Perl I got no luck. I want to write a
> script that would reset the counter in the GDBM database
> using Perl. Does anyone know of documentation or maybe a
> tutorial or books? Thanks very much

Look in src/modules/rlm_counter for rad_counter.pl
Take that script and extend it to also change counter values and you should be
ok

>
> =
> wilfredo pahilanga apellido jr.
> technical support
> mactan online
> bacolod city, philippines
> +63 34 4348311
>
> If you can't hear me, it's because i'm in parentheses.
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



lower_user with MS-CHAPv2...

2003-10-29 Thread Guy Davies
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

Sorry if this is a dumb question or if it has been answered before but I've
looked through the RADIUS book and back through the emails I have received
from the list and found nothing relevant.

I've been using FreeRADIUS 0.9.2 to authenticate users using MS-CHAPv2 and,
up to now, everything has been working fine.  However, I have several users
who use a username in Uppercase so I thought I'd use the "lower_user =
after" function to make everything lowercase if uppercase fails.  However,
as soon as I do this, I have the following problem.  

If the username is in lowercase in the users file and the user uses
lowercase in their request, everything works fine (as expected).  

If the username is in uppercase in the users file and the user sends
uppercase in their request, everything works fine (as expected).

If the username is in lowercase in the users file and the user sends
uppercase in their request, the request fails (not as expected).

If the username is in uppercase in the users file and the user sends
lowercase in their request, the request fails (as expected).

In the logfile, I was seeing errors like this...

Wed Oct 29 11:40:48 2003 : Auth: Login incorrect: [GUYD/] (from client MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C)
Wed Oct 29 11:40:48 2003 : Error: rlm_eap: EAP-Message not found
Wed Oct 29 11:40:48 2003 : Auth: Login incorrect: [guyd/] (from client MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C)

I was running radiusd with -X and got the following, which relates directly
to the messages above...

rad_recv: Access-Request packet from host 10.24.0.200:20007, id=208, length=157
NAS-Port-Id = "1/2"
Calling-Station-Id = "00-20-A6-4C-F7-1C"
Called-Station-Id = "00-0B-0E-00-0A-44"
User-Name = "GUYD"
MS-CHAP-Challenge = 0xdad9af6fac7c8ba98a460cd911841fd8
MS-CHAP2-Response = 0x45f4b3128611804c99e54c88527004a518afea36077a13bd6e105d941cc1711b30a53423bde826d7
NAS-IP-Address = 10.24.0.200
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "GUYD", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 154
users: Matched DEFAULT at 160
  modcall[authorize]: module "files" returns ok
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type := MS-CHAP'
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: No LM-Password or NT-Password attribute found.  Cannot perform
MS-CHAP authentication.
  modcall[authenticate]: module "mschap" returns fail
modcall: group Auth-Type returns fail
auth: Failed to validate the user.
Login incorrect: [GUYD/] (from client
MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C)
rad_lowerpair:  User-Name now 'guyd'
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
rlm_realm: No '@' in User-Name = "guyd", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
users: Matched guyd at 39
users: Matched DEFAULT at 154
users: Matched DEFAULT at 160
  modcall[authorize]: module "files" returns ok
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type := MS-CHAP'
  modcall[authorize]: module "mschap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject
modcall: group Auth-Type returns reject
auth: Failed to validate the user.
Login incorrect: [guyd/] (from client
MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request

However, with exactly the same username (guyd) and the same client, I get
this when I login directly using lowercase (i.e. the lower_user function
isn't used).

rad_recv: Access-Request packet from host 10.24.0.200:20007, id=209, length=157
NAS-Port-Id = "1/2"
Calling-Station-Id = "00-20-A6-4C-F7-1C"
Called-Station-Id = "00-0B-0E-00-0A-44"
User-Name = "guyd"
MS-CHAP-Challenge = 0xac9c8132067b24c328bb5d132892710a
MS-CHAP2-Response = 0x96b81f06b43769757e10228a321fe43600
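
The debug output in this post shows the shape of the failure: the second pass re-runs authorization with User-Name rewritten to "guyd", finds the users entry, and rlm_mschap then reports the MS-CHAP2-Response as incorrect. In MS-CHAPv2 the user name is itself an input to the 8-byte challenge the client signs (ChallengeHash in RFC 2759 section 8.2), so the name the server verifies against must be byte for byte the one the client used; a name that was lower-cased after receipt yields a different challenge and the response can never match. The following is an added example, not code from the thread or from FreeRADIUS: it implements ChallengeHash and the MS-CHAP2-Response layout from RFC 2548, and shows the safe split of lower-casing for the users-file lookup only. The MS-CHAP-Challenge value is taken from the first request above; the 50-byte MS-CHAP2-Response and the user set are constructed.

```python
"""Why `lower_user = after` cannot work for MS-CHAPv2.

Added example, not code from the thread or from FreeRADIUS.  It implements
two pieces of the MS-CHAPv2 specification (RFC 2759, with the RADIUS
attribute layout from RFC 2548) and uses constructed sample values.
"""
import hashlib
from typing import NamedTuple, Optional, Set


class MsChap2Response(NamedTuple):
    ident: int
    flags: int
    peer_challenge: bytes   # 16 bytes chosen by the client
    nt_response: bytes      # 24 bytes, DES of ChallengeHash under the NT hash


def parse_mschap2_response(value: bytes) -> MsChap2Response:
    """Split the 50-byte MS-CHAP2-Response value (RFC 2548 section 2.3.2):
    Ident(1) | Flags(1) | Peer-Challenge(16) | Reserved(8) | Response(24)."""
    if len(value) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(value)}")
    return MsChap2Response(
        ident=value[0],
        flags=value[1],
        peer_challenge=value[2:18],
        nt_response=value[26:50],
    )


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash().

    The 8-byte result is the challenge the client DES-encrypts with its NT
    password hash to produce nt_response.  The user name goes into the SHA1
    input byte for byte, so it is case-sensitive: the server must feed in
    exactly the string the client used, not a normalised copy of it.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    # RFC 2759: only the user name as sent by the peer, without a domain prefix.
    name = username.split("\\")[-1].encode("utf-8")
    return hashlib.sha1(peer_challenge + auth_challenge + name).digest()[:8]


def find_user_entry(request_name: str, known_users: Set[str]) -> Optional[str]:
    """Case-insensitive lookup of the users-file entry.

    This is the right place to lower-case: the result only selects which
    stored password to use.  The name returned here must NOT replace the
    User-Name that goes into challenge_hash().
    """
    if request_name in known_users:
        return request_name
    lowered = request_name.lower()
    return lowered if lowered in known_users else None


# MS-CHAP-Challenge from the first request in the post.
AUTH_CHALLENGE = bytes.fromhex("dad9af6fac7c8ba98a460cd911841fd8")
# Constructed MS-CHAP2-Response: ident 1, flags 0, peer challenge 00..0f,
# 8 reserved zero bytes, then a dummy 24-byte NT-Response.
SAMPLE_RESPONSE = bytes([1, 0]) + bytes(range(16)) + bytes(8) + bytes([0xAA] * 24)


def demo(request_name: str = "GUYD", known_users: Set[str] = frozenset({"guyd"})) -> dict:
    """Mirror the two passes in the debug output: the name as sent, then the
    lower-cased one.  Returns the challenge each pass would verify against."""
    resp = parse_mschap2_response(SAMPLE_RESPONSE)
    as_sent = challenge_hash(resp.peer_challenge, AUTH_CHALLENGE, request_name)
    lowered = challenge_hash(resp.peer_challenge, AUTH_CHALLENGE, request_name.lower())
    return {
        "entry": find_user_entry(request_name, known_users),  # stored password to use
        "challenge_as_sent": as_sent,     # what the client actually signed
        "challenge_lowered": lowered,     # what lower_user=after makes the server check
        "would_match": as_sent == lowered,
    }


if __name__ == "__main__":
    r = demo()
    print(f"entry={r['entry']} as_sent={r['challenge_as_sent'].hex()} "
          f"lowered={r['challenge_lowered'].hex()} match={r['would_match']}")
```

The same split applies to any authentication method that binds the user name into the client's proof (EAP methods that carry an identity, for instance): normalise the name used to select the credential, never the name fed into the cryptographic check.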

Re: Dialup Admin

2003-10-29 Thread Ulrich Walcher
On Wed, 2003-10-29 at 12:57, Bruno Gianelli Braido wrote:
> Thanks for your help Uli,
> 
> So my FR is working with MySQL; my problem is configuring Dialup
> Admin. I used the help that came with Dialup Admin but it didn't work.
> Where can I get an example to configure Dialup Admin?

[...]
Most important is to have php working properly.
apache with php4:
http://www.php.net/manual/en/install.apache.php

All attributes are well explained in conf/admin.conf

There you might have to change:
general_base_dir: /usr/local/dialup_admin
general_radiusd_base_dir: /usr/local/radiusd
general_test_account_login: test
general_test_account_password: testpass
general_radius_server: localhost [IP-Address_of_RADIUS_server]
general_radius_server_auth_proto: pap
general_encryption_method: crypt
sql_server: localhost [IP-Address_of_sql_server]
sql_username: dialup_admin
sql_database: radius
sql_accounting_table: radacct
sql_badusers_table: badusers
sql_check_table: radcheck
sql_reply_table: radreply
sql_user_info_table: userinfo
sql_groupcheck_table: radgroupcheck
sql_groupreply_table: radgroupreply
sql_usergroup_table: usergroup
sql_total_accounting_table: totacct

You'll have to change:
general_radius_server_secret: XX
sql_password: XX

The rest should work by default.
A little more information on what's not working would be helpful. Otherwise
the answer will be: you misconfigured something...

Uli






Re: Dialup Admin

2003-10-29 Thread Bruno Gianelli Braido
Thanks for your help Uli,

So my FR is working with MySQL; my problem is configuring Dialup
Admin. I used the help that came with Dialup Admin but it didn't work.
Where can I get an example to configure Dialup Admin?

[],
Bruno Gianelli Braido
Linux User# 32000
ICQ:71059588
[EMAIL PROTECTED]
- Original Message - 
From: "Ulrich Walcher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2003 5:46 AM
Subject: Re: Dialup Admin


> On Tue, 2003-10-28 at 17:59, Bruno Gianelli Braido wrote:
> > Hello all,
> >
> > I'd like to use the "Dialup_Admin". I tried to use the example from
> > http://kstadler.ch/index.php?topgroupid=1&subgroupid=14&groupid=11
> > but without success.
> > Does anyone know where I can get a good example?
> > My equipment is a PM3, FreeRADIUS with MySQL auth.
> >
> > Thanks for your help.
> [...]
> Do you have FR with MySQL working?
> "No success" is not very precise. Give us a little more details and
> maybe someone can help you.
>
> Uli




Re: Proxy doesn't send acct packets to other radius

2003-10-29 Thread Artur Hecker
hi

looking at your proxy.conf file:

realm dimapel.com.br {
type= radius
authhost= 200.193.87.129:1812
accthost= 200.193.87.129:1813
secret  = teste
}
now looking at the proxied Access Request out of your debug output:

modcall: group authorize returns updated
Sending Access-Request of id 3 to 200.180.55.65:1812
User-Name = "dumes"
User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-IP-Address = 200.180.22.15
NAS-Port = 108
Calling-Station-Id = "475211600"
Called-Station-Id = "12110482815300"
Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
Proxy-State = "73"
--- Walking the entire request list ---
I strongly doubt that the proxy.conf file you are editing is relevant to 
this server (it should proxy to 200.193.87.129:1812 but it does to 
200.180.55.65:1812), unless of course you have a WEIRD hosts file.

ciao
artur
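
One detail of the proxied request worth understanding before reading such debug output: the User-Password shown there is a run of opaque bytes, not the cleartext, because RADIUS never carries User-Password in the clear. RFC 2865 section 5.2 pads it to a multiple of 16 bytes and XORs it with an MD5 keystream derived from the shared secret and the Request Authenticator. A proxy therefore has to unhide the attribute with the secret of the NAS that sent the request and re-hide it with the secret of the home server it forwards to, which is why the secret line in the realm stanza has to be right for the host the packet actually goes to. The following is an added example, not code from the thread or from FreeRADIUS; the secrets and authenticators are constructed (the home secret reuses the "teste" literal from the quoted realm).

```python
"""RFC 2865 section 5.2 User-Password hiding, and what a proxy does with it.

Added example, not code from the thread or from FreeRADIUS.  Sample secrets
and Request Authenticators are constructed.
"""
import hashlib
from typing import Iterable, Optional


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a cleartext User-Password for the wire (RFC 2865 section 5.2).

    b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
    b2 = MD5(secret + c1),                   c2 = p2 XOR b2, ...
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + bytes(-len(password) % 16)   # NUL-pad to 16-byte blocks
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                                   # chaining on the ciphertext
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse of hide_user_password(); the server (or a proxy) does this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")                  # strip the NUL padding


def reproxy_user_password(hidden: bytes, nas_secret: bytes, nas_authenticator: bytes,
                          home_secret: bytes, home_authenticator: bytes) -> bytes:
    """What a proxy must do before forwarding: unhide with the NAS's secret
    and this request's authenticator, then re-hide with the home server's
    secret and the fresh Request Authenticator of the outgoing packet."""
    cleartext = reveal_user_password(hidden, nas_secret, nas_authenticator)
    return hide_user_password(cleartext, home_secret, home_authenticator)


def guess_secret(hidden: bytes, request_authenticator: bytes, known_password: bytes,
                 candidates: Iterable[bytes]) -> Optional[bytes]:
    """Caveat built into the scheme: anyone holding one captured Access-Request
    and the matching cleartext password can test candidate shared secrets
    offline, one MD5 per candidate.  Short or guessable secrets fall quickly."""
    for candidate in candidates:
        if reveal_user_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None


# Constructed sample material.
NAS_SECRET = b"nas-side-secret"
HOME_SECRET = b"teste"               # the realm secret shown in the quoted proxy.conf
NAS_RA = bytes(range(16))            # Request Authenticator of the NAS's packet
HOME_RA = bytes(range(16, 32))       # Request Authenticator of the proxied packet


if __name__ == "__main__":
    hidden_from_nas = hide_user_password(b"hunter2", NAS_SECRET, NAS_RA)
    forwarded = reproxy_user_password(hidden_from_nas, NAS_SECRET, NAS_RA, HOME_SECRET, HOME_RA)
    print("from NAS :", hidden_from_nas.hex())
    print("to home  :", forwarded.hex())
    print("home sees:", reveal_user_password(forwarded, HOME_SECRET, HOME_RA))
```

If the proxy forwards with the wrong secret for the next hop, the home server still "decodes" something, just not the password, and rejects the user; the debug output on the home side will show an Access-Reject with no hint that the secret was the cause, so check the realm's secret first whenever proxied PAP logins fail while local ones work.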


Re: Re: Authentication problem

2003-10-29 Thread Ulrich Walcher
On Wed, 2003-10-29 at 09:55, Remesh wrote:
> Hi,
> 
> In my case, when I am dialing we can see the following entry when we run tcpdump udp:
> 
> 16:29:59.071115 164.100.96.13.datametrics > mp9.radius:  rad-access-req 66 [id 1] 
> Attr[  NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl} 
> [|radius]
> 
> 
> No entries in the logs, though. 'Ready to process requests' is showing in radius.log.
> 
> Please help me.
> 
> Remesh

run radiusd -X
All logs will be shown on the screen...
Uli

> 
> On Wed, 29 Oct 2003 Ulrich Walcher wrote :
> >On Wed, 2003-10-29 at 07:57, Remesh wrote:
> > > Hi friends,
> > >
> > > I have installed FreeRADIUS and the radtest commands are working fine locally.
> > > The OS used is RedHat 8.0. But when I am trying this command from other 
> > > servers, it is not responding. Also when I am dialing, I am getting an 
> > > authentication failed message.
> > >
> >[...]
> >Please post the logs.
> >Uli
> 
> 
> Remesh Babu. T




Re: Re: Authentication problem

2003-10-29 Thread Remesh
Hi,

In my case, when I am dialing we can see the following entry when we run tcpdump udp:

16:29:59.071115 164.100.96.13.datametrics > mp9.radius:  rad-access-req 66 [id 1] 
Attr[  NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl} 
[|radius]


No entries in the logs, though. 'Ready to process requests' is showing in radius.log.

Please help me.

Remesh

On Wed, 29 Oct 2003 Ulrich Walcher wrote :
>On Wed, 2003-10-29 at 07:57, Remesh wrote:
> > Hi friends,
> >
> > I have installed FreeRADIUS and the radtest commands are working fine locally.
> > The OS used is RedHat 8.0. But when I am trying this command from other servers, 
> > it is not responding. Also when I am dialing, I am getting an authentication failed 
> > message.
> >
>[...]
>Please post the logs.
>Uli


Remesh Babu. T


Re: Authentication problem

2003-10-29 Thread Ulrich Walcher
On Wed, 2003-10-29 at 07:57, Remesh wrote:
> Hi friends,
> 
> I have installed FreeRADIUS and the radtest commands are working fine locally.
> The OS used is RedHat 8.0. But when I am trying this command from other servers, it 
> is not responding. Also when I am dialing, I am getting an authentication failed 
> message.
> 
[...]
Please post the logs.
Uli




Re: Dialup Admin

2003-10-29 Thread Ulrich Walcher
On Tue, 2003-10-28 at 17:59, Bruno Gianelli Braido wrote:
> Hello all,
>  
> I'd like to use the "Dialup_Admin". I tried to use the example from 
> http://kstadler.ch/index.php?topgroupid=1&subgroupid=14&groupid=11
> but without success.
> Does anyone know where I can get a good example?
> My equipment is a PM3, FreeRADIUS with MySQL auth.
> 
> Thanks for your help.
[...]
Do you have FR with MySQL working?
"No success" is not very precise. Give us a little more details and
maybe someone can help you.

Uli




Authentication problem

2003-10-29 Thread Remesh

Hi friends,

I have installed FreeRADIUS and the radtest commands are working fine locally.
The OS used is RedHat 8.0. But when I am trying this command from other servers, it 
is not responding. Also when I am dialing, I am getting an authentication failed message.

I have done the same configuration on another RedHat machine and got successful 
authentication and connection.

Please help me to solve this.

Regards,
Remesh

Remesh Babu. T