RE: PEAP Woes
We're keeping passwords in OpenLDAP in ntPassword hashes. Currently only those of us working on and testing the system have the ntPassword attributes set correctly in OpenLDAP. The plan (which is maybe 80% done here) is to disable changing passwords in Windows and have all our account functions (such as password changing) on our website.

-Matt
MNU Network Administrator

--- Original Message Below ---
From: "Ron Wahler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: PEAP Woes
Date: Wed, 29 Oct 2003 17:41:33 -0700

Matt,

How did you synchronize the Active Directory with OpenLDAP? Are you keeping passwords in the clear on OpenLDAP or in NTpassword form?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Re[2]: ippool issue
> From: Alexander Lunyov
> Sent: Thursday, 30 October 2003 12:14 PM

> What do you mean? NAS in the same logical network or radius server in the
> same logical network?
> For example, I want this ippool working with NAS.
>
> ippool main_pool {
>         range-start = 192.168.253.1
>         range-stop = 192.168.253.254
>         netmask = 255.255.0.0
>         cache-size = 800
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
>         override = no
> }
>
> NAS is a FreeBSD box with 3 multiport cards and 2 network
> interfaces. First iface is 192.168.33.127/24, second is
> x.x.x.2/24 ('white' network). So when authentication of ppp session is done and
> it's time to receive IP address for this session, radiusd cannot
> find range for this NAS. It says
>
> rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
> Thread 1 assigned request 0
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Waking up in 5 seconds...
> Thread 1 handling request 0, (1 handled so far)
>         User-Name = "lan"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
>         CHAP-Challenge = 0x38328232349865433746313036313635
>         NAS-Identifier = "zeus.domain.ru"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 61
>
> [authentication and other skip]
>
> rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
> modcall[post-auth]: module "main_pool" returns noop for request 0

The only NOOP between these two lines is the one that checks if you've already got a Framed-IP-Address. As the below output indicates, you do already have one, so the rlm_ippool module NOOPs instead.

If you set override=yes instead of override=no, the existing Framed-IP-Address in the response will be _replaced_ with one from the IP pool.

I guess a debug output at that point would be useful... Hmm.

Alternatively, work out where the value 255.255.255.254 is coming from. It _might_ be a hint from the NAS, or there may be another module adding it (probably incorrectly).

This is completely unrelated to the network configuration of the NAS. I think the confusion was caused by asking the (wrong) question, rather than describing the problem, leading to a whole lot of unuseful answers, and the confusion expressed at the top of this email.

> modcall: group post-auth returns noop for request 0
> Sending Access-Accept of id 239 to x.x.x.2:2740
>         Framed-Compression = Van-Jacobson-TCP-IP
>         Idle-Timeout = 10
>         Framed-MTU = 576
>         Framed-IP-Address = 255.255.255.254
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
> Finished request 0

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State University someone wrote `Trust Jesus', and someone else wrote `But Cut the Cards'.
EAP types and TTLS..
Hi,

Looking at FreeRadius 0.9.2 version, also checked the mail archives, I could not find this information, so hoping someone can share some information.

a) For TTLS client authentication (inner tunnel realm): what are the EAP types that can be used/configured? If so, any configuration document/example?
b) Where can I find list of EAP methods supported, in general?
c) Can PEAP use any EAP methods too?

No flames, please. Knowledge sharing helps...

Thanks in advance,
Re: Re[2]: ippool issue
You need an address in the RAS to act as a gateway...

You can configure any pool in whatever RAS, but for example if the RAS is a Cisco you will need to do something like:

interface eth0
ip add xxx.xxx.xxx.1 secondary
interface eth0
ip add yyy.yyy.yyy.1 secondary
..
...

and now you can assign addresses within the blocks xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy

The thing is you need the RAS as gateway for the dial-in users.

On Wed, 2003-10-29 at 20:14, Alexander Lunyov wrote:
> Hello Gustavo,
>
> Wednesday, October 29, 2003, 8:42:51 AM, you wrote:
>
> GAL> Sure you can.
> GAL> But if you do that you cant get routed to any place.
>
> GAL> You need a gateway address within the same logical network.
>
> What do you mean? NAS in the same logical network or radius server in the
> same logical network?
>
> For example, I want this ippool working with NAS.
>
> ippool main_pool {
>         range-start = 192.168.253.1
>         range-stop = 192.168.253.254
>         netmask = 255.255.0.0
>         cache-size = 800
>         session-db = ${raddbdir}/db.ippool
>         ip-index = ${raddbdir}/db.ipindex
>         override = no
> }
>
> NAS is a FreeBSD box with 3 multiport cards and 2 network
> interfaces. First iface is 192.168.33.127/24, second is
> x.x.x.2/24 ('white' network). So when authentication of ppp session is done and
> it's time to receive IP address for this session, radiusd cannot
> find range for this NAS. It says
>
> rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
> Thread 1 assigned request 0
> --- Walking the entire request list ---
> Threads: total/active/spare threads = 5/1/4
> Waking up in 5 seconds...
> Thread 1 handling request 0, (1 handled so far)
>         User-Name = "lan"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
>         CHAP-Challenge = 0x38328232349865433746313036313635
>         NAS-Identifier = "zeus.domain.ru"
>         NAS-Port-Type = Ethernet
>         NAS-Port = 61
>
> [authentication and other skip]
>
> rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
> modcall[post-auth]: module "main_pool" returns noop for request 0
> modcall: group post-auth returns noop for request 0
> Sending Access-Accept of id 239 to x.x.x.2:2740
>         Framed-Compression = Van-Jacobson-TCP-IP
>         Idle-Timeout = 10
>         Framed-MTU = 576
>         Framed-IP-Address = 255.255.255.254
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
> Finished request 0
>
> What should I do? Is there any 'magic word'? :)
>
> GAL> On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
> >> Hello freeradius-users,
> >>
> >> Is there a possibility to pool range of IP addresses for NAS
> >> while NAS is not in that range? For example, if I try to pool
> >> 192.168.253.0/24 network for NAS with address 192.168.3.3 - it
> >> says that nas/port not found for that NAS address (192.168.3.3).
> >> Is it possible to assign to NAS client IP address not from NAS
> >> network?
Re[2]: ippool issue
Hello Gustavo,

Wednesday, October 29, 2003, 8:42:51 AM, you wrote:

GAL> Sure you can.
GAL> But if you do that you cant get routed to any place.

GAL> You need a gateway address within the same logical network.

What do you mean? NAS in the same logical network or radius server in the same logical network?

For example, I want this ippool working with NAS.

ippool main_pool {
        range-start = 192.168.253.1
        range-stop = 192.168.253.254
        netmask = 255.255.0.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
}

NAS is a FreeBSD box with 3 multiport cards and 2 network interfaces. First iface is 192.168.33.127/24, second is x.x.x.2/24 ('white' network). So when authentication of ppp session is done and it's time to receive IP address for this session, radiusd cannot find range for this NAS. It says

rad_recv: Access-Request packet from host x.x.x.2:2740, id=239, length=105
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        User-Name = "lan"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        CHAP-Password = 0x0176a7169a89a0a8s8aa34a03e630f1ead
        CHAP-Challenge = 0x38328232349865433746313036313635
        NAS-Identifier = "zeus.domain.ru"
        NAS-Port-Type = Ethernet
        NAS-Port = 61

[authentication and other skip]

rlm_ippool: Searching for an entry for nas/port: zeus.domain.ru/61
modcall[post-auth]: module "main_pool" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 239 to x.x.x.2:2740
        Framed-Compression = Van-Jacobson-TCP-IP
        Idle-Timeout = 10
        Framed-MTU = 576
        Framed-IP-Address = 255.255.255.254
        Framed-Protocol = PPP
        Service-Type = Framed-User
Finished request 0

What should I do? Is there any 'magic word'? :)

GAL> On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
>> Hello freeradius-users,
>>
>> Is there a possibility to pool range of IP addresses for NAS
>> while NAS is not in that range? For example, if I try to pool
>> 192.168.253.0/24 network for NAS with address 192.168.3.3 - it
>> says that nas/port not found for that NAS address (192.168.3.3).
>> Is it possible to assign to NAS client IP address not from NAS
>> network?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: ippool issue
Sure you can.
But if you do that you can't get routed to any place.

You need a gateway address within the same logical network.

On Wed, 2003-10-29 at 19:29, Alexander Lunyov wrote:
> Hello freeradius-users,
>
> Is there a possibility to pool range of IP addresses for NAS
> while NAS is not in that range? For example, if I try to pool
> 192.168.253.0/24 network for NAS with address 192.168.3.3 - it
> says that nas/port not found for that NAS address (192.168.3.3).
> Is it possible to assign to NAS client IP address not from NAS
> network?
RE: PEAP Woes
Matt,

How did you synchronize the Active Directory with OpenLDAP? Are you keeping passwords in the clear on OpenLDAP or in NTpassword form?
ippool issue
Hello freeradius-users,

Is there a possibility to pool range of IP addresses for NAS while NAS is not in that range? For example, if I try to pool 192.168.253.0/24 network for NAS with address 192.168.3.3 - it says that nas/port not found for that NAS address (192.168.3.3). Is it possible to assign to NAS client IP address not from NAS network?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Messages "warning: junk pointer, too high to make sense" after upgrade 0.8.1 -> 0.9.2.
Hello.

I have FreeBSD 4.8R-p13 with freeradius. After upgrade to 0.9.2 I have noticed warnings on radiusd start. When starting from /usr/local/etc/rc.d/radiusd.sh as usual, e.g. without flags, there are a couple of messages "radiusd in free(): warning: junk pointer, too high to make sense" getting out to console. Everything is working fine, but why are those messages coming out?

This is start with 'xx' flags:

ldap: ldap_cache_timeout = 0
ldap: ldap_cache_size = 0
radiusd in free(): warning: junk pointer, too high to make sense
ldap: identity = "cn=admin,dc=domain,dc=ru"
ldap: start_tls = no
ldap: tls_mode = no
radiusd in free(): warning: junk pointer, too high to make sense
ldap: password = "password"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: basedn = "ou=users,dc=domain,dc=ru"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: filter = "(uid=%u)"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: default_profile = "cn=radprofile,dc=domain,dc=ru"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: profile_attribute = "(null)"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: password_header = "(null)"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: password_attribute = "userPassword"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: access_attr = "dialupAccess"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: groupname_attribute = "cn"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
radiusd in free(): warning: junk pointer, too high to make sense
ldap: groupmembership_attribute = "(null)"
radiusd in free(): warning: junk pointer, too high to make sense

Any suggestions?

--
Best regards,
Alexander mailto:[EMAIL PROTECTED]
Re: PEAP Woes [fixed]
Alan,

Your pointer to the MS-CHAP issue with usernames got me thinking. I looked closely at the logs and one machine was sending usernames in lowercase, and the other was sending them partially upper-cased (which, after some research, I found they were in our Active Directory with some characters capitalized for some reason =/ ).

After changing the user in AD to have an all-lowercase name just as they are in our OpenLDAP, the problem laptop is able to login.

This doesn't explain why one laptop would lowercase the username before authenticating, but I don't think that is anything I'll ever understand.

Thanks for the help.

-Matt
MNU Network Administrator

--- Original Message Below ---
From: "Matt Sapp" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes
Date: Wed, 29 Oct 2003 16:03:21 -0500

Alan,

Upon setting "with_ntdomain_hack = no", of course now my wireless users cannot be found in ldap, so the systems that did work before do not now:

radius_xlat: '(uid=MNU.EDU\\Matt)'
radius_xlat: 'dc=mnu,dc=edu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=MNU.EDU\\Matt)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 25

It looks to me like the domain is not used in the calculation of ms-chap, otherwise it would not work at all when using with_ntdomain_hack, or am I missing something?

I'll do a packet dump and come back with the results.

-Matt
MNU Network Administrator

--- Original Message Below ---
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes
Date: Wed, 29 Oct 2003 16:44:33 -0500

"Matt Sapp" <[EMAIL PROTECTED]> wrote:
> On the Centrino laptop, logging into the domain, wireless also comes up.
>
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

If one works and the other doesn't, then the ONLY difference is in the RADIUS requests. Compare the RADIUS requests from the two laptop authentications, and see what's different. The differences are breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration.

See a post earlier today on the list. MS-CHAP depends on usernames. "with_ntdomain_hack = yes" means that the user name is changed, so MS-CHAP authentication will NOT work.

Try setting "with_ntdomain_hack = no"

Alan DeKok.
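The case sensitivity behind the fix reported in the message above can be seen in the MS-CHAPv2 challenge hash defined in RFC 2759, which is SHA-1 over both challenges and the user name bytes. This is an added example, not code from the thread or from FreeRADIUS: the challenge values are constructed, `strip_nt_domain` and `matching_names` are hypothetical helpers, and it assumes the client hashes only the user part after `DOMAIN\`.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || username).

    The 8-octet result is the challenge that is DES-encrypted with the NT hash
    to form the NT-Response, so any difference here makes the response check
    fail even when the password is correct.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Hypothetical helper: drop a leading DOMAIN\\ prefix from a User-Name."""
    return user_name.rsplit("\\", 1)[-1]


def matching_names(client_name, candidates, peer_challenge, auth_challenge):
    """Return the candidate names that reproduce the client's challenge hash."""
    target = challenge_hash(peer_challenge, auth_challenge, client_name)
    return [
        name
        for name in candidates
        if challenge_hash(peer_challenge, auth_challenge, name) == target
    ]


# Constructed sample challenges (not captured traffic).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def demo():
    # User-Name as one laptop might send it, with the mixed-case spelling
    # stored in Active Directory (constructed value).
    sent = "MNU.EDU\\Matt"
    # Assumption: the client hashed only the user part of that name.
    client_hashed = strip_nt_domain(sent)
    # Names a server could feed into its own hash computation:
    # the raw User-Name, the stripped name, and the lowercase OpenLDAP uid.
    candidates = [sent, strip_nt_domain(sent), "matt"]
    return matching_names(client_hashed, candidates, PEER_CHALLENGE, AUTH_CHALLENGE)


if __name__ == "__main__":
    for name in ("Matt", "matt", "MNU.EDU\\Matt"):
        digest = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)
        print(f"{name!r:18} -> {digest.hex()}")
    print("names that agree with the client:", demo())
```

Only the byte-identical spelling reproduces the client's challenge, which is consistent with the login succeeding once the Active Directory and OpenLDAP names matched.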
WPA
I am trying to set up a wireless network with WPA security, using an SMC 2804 AP and an SMC 2835 card with an XP laptop and MS WPA patch.

Does anyone have details on how to set up the freeradius environment for WPA (including generating the certificates)?

I have tried to follow the EAPTLS document from Ken Roser, but it is old (FR April 15 2002) and the openssl scripts don't appear to work on RH9.

Mike Paneth
Melbourne, Australia
Re: PEAP Woes
Alan,

Upon setting "with_ntdomain_hack = no", of course now my wireless users cannot be found in ldap, so the systems that did work before do not now:

radius_xlat: '(uid=MNU.EDU\\Matt)'
radius_xlat: 'dc=mnu,dc=edu'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=MNU.EDU\\Matt)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 25

It looks to me like the domain is not used in the calculation of ms-chap, otherwise it would not work at all when using with_ntdomain_hack, or am I missing something?

I'll do a packet dump and come back with the results.

-Matt
MNU Network Administrator

--- Original Message Below ---
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: PEAP Woes
Date: Wed, 29 Oct 2003 16:44:33 -0500

"Matt Sapp" <[EMAIL PROTECTED]> wrote:
> On the Centrino laptop, logging into the domain, wireless also comes up.
>
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

If one works and the other doesn't, then the ONLY difference is in the RADIUS requests. Compare the RADIUS requests from the two laptop authentications, and see what's different. The differences are breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration.

See a post earlier today on the list. MS-CHAP depends on usernames. "with_ntdomain_hack = yes" means that the user name is changed, so MS-CHAP authentication will NOT work.

Try setting "with_ntdomain_hack = no"

Alan DeKok.
Re: PEAP Woes
"Matt Sapp" <[EMAIL PROTECTED]> wrote:
> On the Centrino laptop, logging into the domain, wireless also comes up.
>
> However, the laptop with the Atheros card in it, when logging into
> the domain rather than locally to the laptop, I get this when running
> with -X:

If one works and the other doesn't, then the ONLY difference is in the RADIUS requests. Compare the RADIUS requests from the two laptop authentications, and see what's different. The differences are breaking authentication.

> I am using "with_ntdomain_hack = yes" in my configuration.

See a post earlier today on the list. MS-CHAP depends on usernames. "with_ntdomain_hack = yes" means that the user name is changed, so MS-CHAP authentication will NOT work.

Try setting "with_ntdomain_hack = no"

Alan DeKok.
Re: Different SQL backend for different realms
Leon Li <[EMAIL PROTECTED]> wrote:
> I tried according to doc/Autz-Type, still no luck. What it mentions
> seems to be clear and easy.
> I added something like
>
> DEFAULT
>Realm == "companyA.com",
> Autz-Type := sql_a

Which won't do what you want. Please use the examples as posted, and do NOT edit them to add whitespace, unless you know what you're doing.

Read the 'man' page for the 'users' file.

> Debug shows "No atuhentication method (Auth-Type) configuration
> found ... "

Yes. You didn't follow the instructions, and didn't use the correct format for the 'users' file. There are many examples in the default 'users' file to explain how to do it correctly.

Alan DeKok.
Re: freeradius snap version doesn't compile..any help?
hulusi onder <[EMAIL PROTECTED]> wrote:
> I am trying to follow the guide EAP/TLS HOWTO guide
> (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm).
> Throughout this guide I made the first changes to the
> src/modules/rlm_eap/types/rlm_eap_tls/Makefile.

Don't do that. Those instructions are for an older version of the software. The Makefile doesn't need editing.

> mppe_keys.c: In function `P_hash':
> mppe_keys.c:61: too many arguments to function
> `HMAC_Init_ex'

OpenSSL version 0.9.7b works for me. If the OpenSSL people have changed the function prototype, then they shouldn't have done that...

Alan DeKok.
Different SQL backend for different realms
Thanks for the help.

I tried according to doc/Autz-Type, still no luck. What it mentions seems to be clear and easy.

I added something like

DEFAULT
    Realm == "companyA.com",
    Autz-Type := sql_a

into users file and

Autz-Type sql_a {
    sql2
}

into "authorize" block.

Anything else needs to be done?

Debug shows "No atuhentication method (Auth-Type) configuration found ... ", seems like the request "[EMAIL PROTECTED]" didn't fall into the "sql_a" group.

I have also one block like

realm companyA.com {
    type ...
    authhost ...
}

in proxy.conf, I don't know if it has anything to do with the problem. According to the radiusd.conf doc, proxy.conf (suffix) is processed before the user file, does "strip" or "nostrip" matter here?

Appreciate more help.
PEAP Woes
Alrighty,

I've been hitting my head on the wall because of this for a couple days, and I still haven't figured anything out, so maybe someone else has some information. I apologize for this long message ahead of time ;)

The setup:

We have a Win2k domain (MNU.EDU) with all of our users. Windows Clients (laptops in this case) use Win2K DC's for login to the domain. We also have an OpenLDAP server that has the same user accounts in it, and usernames and passwords are synchronized between the two.

Now, on top of all this, I've got a bunch of Cisco AP's, and a freeradius server. LEAP and PEAP are our preferred methods of authenticating at this point. Freeradius is setup to authenticate wireless users against the OpenLDAP server.

On to the problem:

I have a couple laptops here. One with Intel Centrino wireless, one with Atheros a/b miniPCI (both builtin to laptop). Both laptops have a user account "matt" on them, with the same password as is in our AD controllers and in OpenLDAP. Both laptops are patched with the same patches from MS (SP1 + Criticals) and have the same configuration for wireless and basically everything else.

On both laptops, if I login locally, everything is fine, peap goes off, and they're authenticated to the network.

On the Centrino laptop, logging into the domain, wireless also comes up.

However, the laptop with the Atheros card in it, when logging into the domain rather than locally to the laptop, I get this when running with -X:

rad_recv: Access-Request packet from host 10.194.210.255:2046, id=64, length=261
        User-Name = "MNU.EDU\\matt"
        Cisco-AVPair = "ssid=mnu.edu"
        NAS-IP-Address = 10.194.210.255
        Called-Station-Id = "00409658876f"
        Calling-Station-Id = "00022d59f0fd"
        NAS-Identifier = "Cisco-AP350-255"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x5f59aa6719deb2ced82c8ed183351946
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0233005...blah
        Message-Authenticator = 0xbd39fb...blah
...
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=matt)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x480A0..blah & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 0xC0793..blah & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 101
modcall: group authorize returns updated for request 101
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 101
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: EAP type 26
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
        EAP-Message = 0x023300...blah
PEAP: Adding old state with 5f bb
PEAP: Sending tunneled request
        EAP-Message = 0x023300...blah
        Freeradius-Proxied-To = 127.0.0.1
        User-Name = "MNU.EDU\\matt"
        State = 0x5fbb...blah
modcall: entering group authorize for request 101
... (same LDAP as above) ...
modcall: group authorize returns updated for request 101
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 101
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - mschapv2
rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 101
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 101
modcall: group Auth-Type returns reject for request 101
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 101
modcall: group authenticate returns reject for request 101
auth: Failed to validate the user.
Login incorrect: [matt/] (from client localhost port 0)
...

I am using "with_ntdomain_hack = yes" in my configuration.

This is really confusing me as it works on one machine but not another. I'm 99.9% sure this isn't a freeradius issue per se, but I'm hoping someone can at least point me in the right direction (maybe radius needs different configuration from what I have for domain logins?)

Thanks for any light you can shed on this.

-Matt
MNU Network Administrator
Re: 3Com 4400 dict/EAP problem
Jonathan Richard Brockmeier <[EMAIL PROTECTED]> wrote:
> If I need to do the following, how do I setup the dictionary to be correct?

Read the other dictionary files, and 'man dictionary', it should be pretty straightforward.

> Also when I am trying to get 802.1x working against mysql data (since that is
> how we have it setup) I get the following error:

I'm not sure what you mean by "working against mysql data"

> rad_check_password: Found Auth-Type EAP
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.
> Login incorrect: [brockj/] (from client ss4400

It looks like you're taking a crypt'd password out of the MySQL database. That won't work with EAP. EAP requires plain-text passwords.

Alan DeKok.
freeradius snap version doesn't compile..any help?
Hi everybody;

I am trying to follow the guide EAP/TLS HOWTO guide (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm). Throughout this guide I made the first changes to the src/modules/rlm_eap/types/rlm_eap_tls/Makefile. However the make command didn't work as expected, it is giving two errors and quits. Could you please give me a hand with this problem? Here is the log of the error. The openssl is the snapshot version.

I had once beaten this problem by skipping the mppe_keys.c in the preceding make file, but that might be the reason for the next problems that I had encountered.

...
...
/usr/local/openssl/include/openssl/ssl.h:349: warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:350: warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:351: warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:610: warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:758: warning: function declaration isn't a prototype
In file included from rlm_eap_tls.h:61,
                 from eap_tls.h:26,
                 from mppe_keys.c:25:
/usr/local/openssl/include/openssl/ssl.h:1235: warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:1271: warning: function declaration isn't a prototype
/usr/local/openssl/include/openssl/ssl.h:1273: warning: function declaration isn't a prototype
mppe_keys.c: In function `P_hash':
mppe_keys.c:61: too many arguments to function `HMAC_Init_ex'
mppe_keys.c:62: too many arguments to function `HMAC_Init_ex'
mppe_keys.c:84: too many arguments to function `HMAC_Init_ex'
mppe_keys.c:89: too many arguments to function `HMAC_Init_ex'
gmake[10]: *** [mppe_keys.o] Error 1
gmake[10]: Leaving directory `/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap/types/rlm_eap_tls'
gmake[9]: *** [common] Error 1
gmake[9]: Leaving directory `/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap/types'
gmake[8]: *** [static] Error 2
gmake[8]: Leaving directory `/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap/types'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory `/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap'
gmake[6]: *** [static] Error 2
gmake[6]: Leaving directory `/root/download/freeradius-snapshot-20031029/src/modules/rlm_eap'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/root/download/freeradius-snapshot-20031029/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/download/freeradius-snapshot-20031029/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/root/download/freeradius-snapshot-20031029/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/download/freeradius-snapshot-20031029/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/root/download/freeradius-snapshot-20031029'
make: *** [all] Error 2
3Com 4400 dict/EAP problem
If I need to do the following, how do I setup the dictionary to be correct?

3Com Vendor Specific Attribute

The default user levels on the Switch (monitor, manager, admin) are supported by a 3Com Vendor Specific Attribute (VSA). The Vendor-ID for 3Com is 43. You must configure the RADIUS server to send this attribute in the Access-Accept message in order to specify the access level required for each user account. The configurable attribute values are:

Monitor (1): the user can view all manageable parameters, except special/security features, but cannot change any manageable parameters.
Manager (2): the user can access and change the operational parameters but not special/security features.
Administrator (3): the user can access and change all manageable parameters.

The attribute body consists of a 3Com Vendor type (1), Vendor data length (6) and the Vendor data (4 octet integer containing the access level value), as shown in Figure 25.

Also when I am trying to get 802.1x working against mysql data (since that is how we have it setup) I get the following error:

rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module "sql" returns ok
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
modcall[authorize]: module "daily" returns noop
rlm_eap: EAP packet type notification id 0 length 11
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [brockj/] (from client ss4400 port 119 cli 00-00-39-CA-99-AF)

Any ideas on what I can try?

Jon
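The attribute layout quoted in the message above (Vendor-ID 43, vendor type 1, vendor length 6, 4-octet access level) can be checked byte for byte with a small encoder and parser for the RADIUS Vendor-Specific attribute (type 26). This is an added example, not code from the post, from 3Com or from FreeRADIUS; the function names and the sample attribute bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type for Vendor-Specific
VENDOR_3COM = 43              # Vendor-ID given in the quoted 3Com text
VSA_ACCESS_LEVEL = 1          # 3Com vendor type given in the quoted text
VSA_ACCESS_LEVEL_LEN = 6      # vendor type + vendor length + 4-octet integer
LEVELS = {"monitor": 1, "manager": 2, "administrator": 3}


def encode_access_level(level: str) -> bytes:
    """Build the Vendor-Specific attribute carrying the 3Com access level."""
    sub = struct.pack("!BBI", VSA_ACCESS_LEVEL, VSA_ACCESS_LEVEL_LEN, LEVELS[level])
    # Outer header: type, total length (2 header octets + 4 vendor-id + sub-attribute).
    return struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + len(sub), VENDOR_3COM) + sub


def decode_access_level(attrs: bytes):
    """Walk a RADIUS attribute list; return the 3Com access level name or None.

    Raises ValueError on malformed lengths or an unknown level value, so a
    reply that would hand the switch a bogus privilege level is rejected.
    """
    names = {value: name for name, value in LEVELS.items()}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2 : pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        (vendor,) = struct.unpack("!I", body[:4])
        if vendor != VENDOR_3COM:
            continue
        sub = body[4:]
        spos = 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == VSA_ACCESS_LEVEL:
                if vlen != VSA_ACCESS_LEVEL_LEN:
                    raise ValueError("access level must be a 4-octet integer")
                (value,) = struct.unpack("!I", sub[spos + 2 : spos + 6])
                if value not in names:
                    raise ValueError(f"unknown access level {value}")
                return names[value]
            spos += vlen
    return None


# Constructed Access-Accept attribute list: Idle-Timeout = 10, then the 3Com VSA.
SAMPLE_ACCEPT_ATTRS = bytes.fromhex("1c060000000a") + encode_access_level("manager")

if __name__ == "__main__":
    print(encode_access_level("manager").hex())
    print(decode_access_level(SAMPLE_ACCEPT_ATTRS))
```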
Re: Modems can login but ISDN users cannot?
First of all, try a debug with radiusd -x, then check the configuration; maybe the user is trying to use the second ISDN channel and your radius doesn't let him use it. Maybe there is some issue with the NAS and nothing with the radius itself.

On Wed, 2003-10-29 at 14:43, James Green wrote:
> Hi all,
>
> Got a FreeRadius installation working fine for analog modem users. A
> client is now trying to send through loads of ISDN traffic, and he's
> getting the following:
>
> 691: username/password declined (windows errors message)
>
> radius.log shows his test username as Login: ok. Yet Radius isn't
> logging him in the details logs at all.
>
> Any ideas?
>
> Thanks,
>
> James
Modems can login but ISDN users cannot?
Hi all,

Got a FreeRadius installation working fine for analog modem users. A client is now trying to send through loads of ISDN traffic, and he's getting the following:

691: username/password declined (windows errors message)

radius.log shows his test username as Login: ok. Yet Radius isn't logging him in the details logs at all.

Any ideas?

Thanks,

James
Re: authenticating directly from NT domain controller
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> What does it use for the authentication method? PAP to what?
>
> Does it bind to a database?

PAP to SMB, similar to what any client would do when mounting network shares.

Alan DeKok.
RE: authenticating directly from NT domain controller
What does it use for the authentication method? PAP to what?

Does it bind to a database?

> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Re: authenticating directly from NT domain controller
>
> "Ron Wahler" <[EMAIL PROTECTED]> wrote:
> > Is there any doc on rlm_smb ?
>
> raddb/experimental.conf
>
> The SMB module is so simple & stupid, that there's little to
> configure, and little to get right (or wrong).
>
> Alan DeKok.
Re: etc_smbpasswd !!
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Ok Alan. You are always right.

I don't want you to be nice to me. I want you to READ the available documentation, and to DESCRIBE what you're doing when you post to the list. So far, you've done poorly on both.

> Let's say that I need to authenticate wireless users from Open1x
> through freeradius. These users are not in a local file (for example
> users) but in an Active Directory Server (my PDC). What methods
> should I use? I've spent over 3 days to do that.

EAP-TTLS + PAP. You have pretty much no other alternatives.

If you were using a real LDAP server, you could use any wireless authentication method, and it would work.

Alan DeKok.
Re: authenticating directly from NT domain controller
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> Is there any doc on rlm_smb ?

raddb/experimental.conf

The SMB module is so simple & stupid, that there's little to configure, and little to get right (or wrong).

Alan DeKok.
RE: etc_smbpasswd !!
Ok Alan. You are always right.

Let's say that I need to authenticate wireless users from Open1x through freeradius. These users are not in a local file (for example users) but in an Active Directory Server (my PDC). What methods should I use? I've spent over 3 days to do that.

Thanks again,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 9:08 PM
To: [EMAIL PROTECTED]
Subject: Re: etc_smbpasswd !!

"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Alternatively, I'm trying to wireless authenticate through MS-CHAPV2

MS-CHAPv2 is not a wireless authentication protocol.

> auth: type "MS-CHAP"
> modcall: entering group Auth-Type for request 1
> rlm_mschap: Found LM-Password
> rlm_mschap: Found NT-Password
> rlm_mschap: No MS-CHAP-Challenge in the request

Exactly. Now read the rest of the debugging output (which you didn't post), in order to discover what the client is trying to do. Read 'radiusd.conf', in the 'eap' section to discover what you're doing wrong.

Alan DeKok.
acct packets
Alan, I send some useful information (I think). Could you help me (when you have time)?
RE: authenticating directly from NT domain controller
Is there any doc on rlm_smb ?

> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: Re: authenticating directly from NT domain controller
>
> "Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> > Is it possible to have freeRADIUS communicate directly to an NT domain
> > controller for the purpose of authenticating and/or authorizing users?
>
> See rlm_smb. It's experimental, so you'll have to do some minor
> work to build it, but it works for me.
>
> Alan DeKok.
Re: etc_smbpasswd !!
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Alternatively, I'm trying to wireless authenticate through MS-CHAPV2

MS-CHAPv2 is not a wireless authentication protocol.

> auth: type "MS-CHAP"
> modcall: entering group Auth-Type for request 1
> rlm_mschap: Found LM-Password
> rlm_mschap: Found NT-Password
> rlm_mschap: No MS-CHAP-Challenge in the request

Exactly. Now read the rest of the debugging output (which you didn't post), in order to discover what the client is trying to do. Read 'radiusd.conf', in the 'eap' section to discover what you're doing wrong.

Alan DeKok.
RE: authenticating directly from NT domain controller
-> MSCHAPv2

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 8:58 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller

"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Right. So, there is no way of wireless auth through rlm_smb?

It would help to actually say which wireless authentication method you're using.

Alan DeKok.
etc_smbpasswd !!
Alan,

Alternatively, I'm trying to wireless authenticate through MS-CHAPV2 and etc_smbpasswd. I dumped the password from Domain Controller to a file /etc/smbpasswd but unfortunately I'm getting rejected !!

auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 1
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module "mschap" returns reject for request 1
modcall: group Auth-Type returns reject for request 1
auth: Failed to validate the user.

Thanks,
Marios
Re: authenticating directly from NT domain controller
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> Right. So, there is no way of wireless auth through rlm_smb?

It would help to actually say which wireless authentication method you're using.

Alan DeKok.
RE: authenticating directly from NT domain controller
Right. So, there is no way of wireless auth through rlm_smb?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 8:33 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller

"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> I just tried to be authenticated from open1x client.
> I got the following:
>
> rlm_smb: Attribute "User-Password" is required for authentication.

rlm_smb can only do PAP. I don't think you said you were doing wireless authentication...

Alan DeKok.
Re: authenticating directly from NT domain controller
"Marios Karagiannopoulos" <[EMAIL PROTECTED]> wrote:
> I just tried to be authenticated from open1x client.
> I got the following:
>
> rlm_smb: Attribute "User-Password" is required for authentication.

rlm_smb can only do PAP. I don't think you said you were doing wireless authentication...

Alan DeKok.
RE: authenticating directly from NT domain controller
I just tried to be authenticated from open1x client. I got the following:

rlm_smb: Attribute "User-Password" is required for authentication.

What's next modification of radiusd.conf?

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marios Karagiannopoulos
Sent: Wednesday, October 29, 2003 7:58 PM
To: [EMAIL PROTECTED]
Subject: RE: authenticating directly from NT domain controller

Sorry Alan, I found one after the build --with-experimental-modules=yes.

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marios Karagiannopoulos
Sent: Wednesday, October 29, 2003 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: authenticating directly from NT domain controller

Alan,

Could you please give us a starting point? I just compiled the rlm_smb. Is there any radiusd.conf file?

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller

"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain
> controller for the purpose of authenticating and/or authorizing users?

See rlm_smb. It's experimental, so you'll have to do some minor work to build it, but it works for me.

Alan DeKok.
RE: authenticating directly from NT domain controller
Sorry Alan, I found one after the build --with-experimental-modules=yes.

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marios Karagiannopoulos
Sent: Wednesday, October 29, 2003 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: authenticating directly from NT domain controller

Alan,

Could you please give us a starting point? I just compiled the rlm_smb. Is there any radiusd.conf file?

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller

"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain
> controller for the purpose of authenticating and/or authorizing users?

See rlm_smb. It's experimental, so you'll have to do some minor work to build it, but it works for me.

Alan DeKok.
how to know configure parameters with bin file ???
Hi,

A long time ago I compiled freeradius with some configure parameters, but I forgot which. I've got the binary files and I wonder if there's a way to know the parameters I used at compile time from this binary.

Is there a way to know what parameters I used, just like PHP does with phpinfo()?
freeradius set up help needed
Hello Gurus,

I am a Research Assistant at George Mason University trying to set up a freeradius server for cisco aironet 1200 APs (MAC based auth). Though I have been googling for almost 3 days I don't get the big picture. It's been hard to find documentation or configuration steps. I am to install freeradius on RedHat Linux 9.0 that authenticates clients coming through cisco aironet 1200 APs. I have no clue what is to be done (totally confused).

I would appreciate it if anybody could run me through the process of getting this working; any extensive doc will be an added benefit.

Thanking you all in anticipation,
Ravi Kiran Bhaskar
RE: authenticating directly from NT domain controller
Alan,

Could you please give us a starting point? I just compiled the rlm_smb. Is there any radiusd.conf file?

Thanks,
Marios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, October 29, 2003 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: authenticating directly from NT domain controller

"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain
> controller for the purpose of authenticating and/or authorizing users?

See rlm_smb. It's experimental, so you'll have to do some minor work to build it, but it works for me.

Alan DeKok.
Re: Different SQL backend for different realms
On Wed, 2003-10-29 at 17:37, Leon Li wrote:
> Hi all:
>
> Sorry if this question has been asked million times. I'm new to
> FreeRadius and now working on a project
> migrating Radiator to Freeradius. I've been using Radiator for years and
> the first thing that concerns me
> about the migration is the realms.
>
> I now have about over 10 realms in Radiator each of which gets
> authentication from different user tables
> in one oracle database. I digged the Freeradius for couple of days and
> found something about proxy and
> Autz-Type, etc. But still not clear. cause in this case, proxy is not
> what I want, user requests from different
> realms will not be proxied to another radius server, they just need to
> go different sql backends.
> [...]

From what I see in doc/Autz-Type, it will work...

---snip---
DEFAULT Realm == "other.company.com", Autz-Type := SQL{1|2|3...}
---snip---

You'll have to add different oraclesql{1|2|3...}.conf files to fit your needs...
Re: authenticating directly from NT domain controller
"Woods, Bryan" <[EMAIL PROTECTED]> wrote:
> Is it possible to have freeRADIUS communicate directly to an NT domain
> controller for the purpose of authenticating and/or authorizing users?

See rlm_smb. It's experimental, so you'll have to do some minor work to build it, but it works for me.

Alan DeKok.
Re: Apple Airport Extreme
Jan van Rensburg <[EMAIL PROTECTED]> wrote:
> I see the Airport supports Cisco's LEAP, do I
> need to configure freeradius with LEAP support, or is this not
> necessary if Cisco equipment aren't used?

Configuring FreeRADIUS to use LEAP is required if you are going to authenticate users via LEAP.

> If I later want to configure user auth in addition to MAC auth, can
> this be done via PAM smb? We usually use pam_smb to authenticate things
> like ssh sessions against our NT4 domain controllers. Will this work
> with freeradius/apple's airport? How do users authenticate before they
> can use the WLAN? Is extra client software required for Windows/Mac OS
> X?

They will have to use a wireless authentication method. This means LEAP, TTLS, or PEAP. Of them, TTLS is recommended.

Alan DeKok.
RE: lower_user with MS-CHAPv2...
> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: 29 October 2003 17:11
> To: [EMAIL PROTECTED]
> Subject: Re: lower_user with MS-CHAPv2...
>
> Guy Davies <[EMAIL PROTECTED]> wrote:
> > I've been using FreeRADIUS 0.9.2 to authenticate users using MS-CHAPv2 and,
> > up to now, everything has been working fine. However, I have several users
> > who use a username in Uppercase so I thought I'd use the "lower_user
> > after" function to make everything lowercase if uppercase fails. However,
> > as soon as I do this, I have the following problem.
>
> The user name is part of the MS-CHAP challenge/response scheme. So
> changing the username means that the MS-CHAP response from the user
> will be invalid, as it was for the *original* username, not the
> modified one.
>
> Alan DeKok.

Ah, br! Thanks for explaining that Alan. That puts an end to that then ;-)

Regards,
Guy
authenticating directly from NT domain controller
I have to believe that this topic has come up so frequently that most members of this list are sick of hearing about it... Unfortunately, my search of the archives did not result in a definitive answer for me - so I am compelled to bring up this question once again. Please forgive me.

Is it possible to have freeRADIUS communicate directly to an NT domain controller for the purpose of authenticating and/or authorizing users? Would migrating the NT domain to Active Directory open any additional options?

This posting leads me to believe that A.D. doesn't like to play nicely with anything that isn't licensed by micro$oft:

---
http://www.mail-archive.com/[EMAIL PROTECTED]/msg19912.html

> I looked briefly pam_smb, but as best as I could determine, it will
> not work with AD. AFAIK, IAS is the only means to authenticate users to AD.

I wonder why...

Microsoft does supply an LDAP interface to AD, and it is possible to use it to do *some* kinds of authentication. But it's impossible to do anything other than PAP against AD, unless your name is "IAS". That's rude.
---

I'd love to hear from others who have been faced with a similar challenge.

Bryan
Re: lower_user with MS-CHAPv2...
Guy Davies <[EMAIL PROTECTED]> wrote:
> I've been using FreeRADIUS 0.9.2 to authenticate users using MS-CHAPv2 and,
> up to now, everything has been working fine. However, I have several users
> who use a username in Uppercase so I thought I'd use the "lower_user
> after" function to make everything lowercase if uppercase fails. However,
> as soon as I do this, I have the following problem.

The user name is part of the MS-CHAP challenge/response scheme. So changing the username means that the MS-CHAP response from the user will be invalid, as it was for the *original* username, not the modified one.

Alan DeKok.
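Why the rewritten name cannot verify, shown with the MS-CHAPv2 ChallengeHash step from RFC 2759 (SHA-1 over peer challenge, authenticator challenge and user name, first 8 octets). This is an added example, not part of the thread and not FreeRADIUS code; the function names and the 50-octet MS-CHAP2-Response value are constructed, and only the MS-CHAP-Challenge is the one from the debug output quoted in the thread. The final DES step that turns this 8-octet value into the NT-Response is left out, since a different ChallengeHash already means a different expected response.

```python
import hashlib


def parse_mschap2_response(value: bytes) -> dict:
    """Split an MS-CHAP2-Response attribute value (RFC 2548, 50 octets)."""
    if len(value) != 50:
        raise ValueError("MS-CHAP2-Response value must be 50 octets, got %d" % len(value))
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: the 8-octet challenge the client actually answered.

    The user name is hashed byte for byte, so its case is significant.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("utf-8"))
    return digest.digest()[:8]


def rewrite_breaks_mschapv2(auth_challenge: bytes, response_value: bytes,
                            sent_name: str, rewritten_name: str) -> bool:
    """True if verifying with rewritten_name uses a different challenge
    than the one the client computed with sent_name."""
    peer = parse_mschap2_response(response_value)["peer_challenge"]
    return (challenge_hash(peer, auth_challenge, sent_name)
            != challenge_hash(peer, auth_challenge, rewritten_name))


# MS-CHAP-Challenge as shown in the debug output quoted in the thread.
AUTH_CHALLENGE = bytes.fromhex("dad9af6fac7c8ba98a460cd911841fd8")

# Constructed sample value: ident, flags, 16-octet peer challenge,
# 8 reserved octets, 24-octet NT-Response placeholder.
SAMPLE_RESPONSE = (bytes([0x45, 0x00]) + bytes(range(16))
                   + bytes(8) + bytes([0xAA]) * 24)

if __name__ == "__main__":
    peer = parse_mschap2_response(SAMPLE_RESPONSE)["peer_challenge"]
    for name in ("GUYD", "guyd"):
        print(name, challenge_hash(peer, AUTH_CHALLENGE, name).hex())
    print("lowercasing breaks verification:",
          rewrite_breaks_mschapv2(AUTH_CHALLENGE, SAMPLE_RESPONSE, "GUYD", "guyd"))
```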
Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)
ok

looking at your radiusd.conf file, i wonder if you have to add a preacct section with a suffix module in it in order to look up the realms. otherwise it seems ok to me.

ciao
artur

I made a mistake editing that mail last night.

realm dimapel.com.br {
type= radius
authhost= 200.180.55.65:1812
accthost= 200.180.55.65:1813
secret = teste
Re: Apple Airport Extreme
On Oct 29, 2003, at 6:21 AM, Jan van Rensburg wrote:

Hi, I'm new to radius in general, and wonder if anyone can provide me with good a nod in the right direction. I installed freeradius 0.9.2 from source on RedHat advance server 2.1. Initial testing as described in INSTALL went fine.

We will be getting Apple Airport Extreme base stations ( http://www.apple.com/airport/) for company WiFi access, and I want to manage the allowed MAC list for all the base stations centrally on the radius server. What exactly do I need to configure on the freeradius side? Do I have to configure users as well, or can you just put up a list of MACs somewhere? I see the Airport supports Cisco's LEAP, do I need to configure freeradius with LEAP support, or is this not necessary if Cisco equipment aren't used?

As usual, you'll need to create entries in the clients.conf file for the AirPort Extreme Base Stations (accepted IPs, shared secret). In the users file you'll need to create entries for each client MAC (an external database could be used instead, I suppose). The AirPort Admin Utility gives a choice of how to format the MAC addresses ('001122-334455' or '001122334455').

If I later want to configure user auth in addition to MAC auth, can this be done via PAM smb? We usually use pam_smb to authenticate things like ssh sessions against our NT4 domain controllers. Will this work with freeradius/apple's airport? How do users authenticate before they can use the WLAN? Is extra client software required for Windows/Mac OS X?

I don't know about that. AFAIK, as of AirPort Extreme 3.1 you can't do user auth. The AirPort client supports LEAP but not the Apple Base Stations.

-Andreas

Thanks,
Jan
Different SQL backend for different realms
Hi all:

Sorry if this question has been asked a million times. I'm new to FreeRadius and now working on a project migrating Radiator to Freeradius. I've been using Radiator for years and the first thing that concerns me about the migration is the realms.

I now have over 10 realms in Radiator, each of which gets authentication from different user tables in one oracle database. I dug into Freeradius for a couple of days and found something about proxy and Autz-Type, etc. But it is still not clear, because in this case proxy is not what I want; user requests from different realms will not be proxied to another radius server, they just need to go to different sql backends.

I hope this is just a configuration issue for me because of my shortage in Freeradius. Anyone who can shed some light on it will be highly appreciated.

Best regards,
Jason
Ignoring unknown host
I have a problem where I continue to get unknown host

rad_recv: Access-Request packet from host 10.64.254.8:40001, id=25, length=89
Ignoring request from unknown client 10.64.254.8:40001

I have defined the host in my clients.conf and I have set up my naslist correctly. Any pointers?

I am running Redhat 9.0 and freeradius 0.9.2

Best Regards
Bragi Baldursson
GPRS Systems Engineer
Re: Proxy doesn't send acct packets to other radius (correct proxy.conf)
Artur

I made a mistake editing that mail last night. 200.193.87.129 has no relation to the problem. It's another server for tests.

my problem is: the proxy server doesn't send acct (accounting) packets to the 200.180.55.65 server.

Just to know: 200.180.22.15 is the RAS that consults only 200.180.22.9 (the proxy).

The correct proxy.conf is:

$ cat proxy.conf | grep -v "#"
$$$
proxy server {
synchronous = no
retry_delay = 5
retry_count = 3
dead_time = 120
servers_per_realm = 15
default_fallback = yes
}
realm dimapel.com.br {
type= radius
authhost= 200.180.55.65:1812
accthost= 200.180.55.65:1813
secret = teste
}

Artur Hecker, on 29-10-2003 07:11, said:

hi

looking at your proxy.conf file:

realm dimapel.com.br {
type= radius
authhost= 200.193.87.129:1812
accthost= 200.193.87.129:1813
secret = teste
}

now looking at the proxied Access Request out of your debug output:

modcall: group authorize returns updated
Sending Access-Request of id 3 to 200.180.55.65:1812
    User-Name = "dumes"
    User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-IP-Address = 200.180.22.15
    NAS-Port = 108
    Calling-Station-Id = "475211600"
    Called-Station-Id = "12110482815300"
    Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
    Proxy-State = "73"
--- Walking the entire request list ---

i strongly doubt that the proxy.conf file you are editing is relevant to this server. (it should proxy to 200.193.87.129:1812 but it does to 200.180.55.65:1812). unless of course you have a WEIRD host file

ciao
artur
rlm_counter question
Hello Mr. Kalevras,

i already looked at rad_counter.pl and i understand the flow of this script. It opens the database as READONLY and prints the information, where u can specify the db filename, user, how the counter will be shown, second (default), minutes, hours and match. My problem is i don't have any hint on the commands or syntax. Just like how do i open the database as read/write? What is the cmd to update, delete, add or edit.

I know this is not related to Freeradius but i don't have any choice, im spending days trying to search the web but i don't see any documentation.

thanks very much ...

=
wilfredo pahilanga apellido jr.
technical support
mactan online
bacolod city, philippines
+63 34 4348311

If you can't hear me, it's because i'm in parentheses.
RE: lower_user with MS-CHAPv2...
Sorry for the self reply but there's a bit more info...

I'm using the same user entries for PAP authentication using System and MS-CHAPv2 authentication with a locally defined User-Password. The lower_user = after appears to work fine for PAP but fails dismally with MS-CHAPv2.

Regards,
Guy

> -----Original Message-----
> From: Guy Davies [mailto:[EMAIL PROTECTED]
> Sent: 29 October 2003 12:55
> To: '[EMAIL PROTECTED]'
> Subject: lower_user with MS-CHAPv2...
>
> Hi,
>
> Sorry if this is a dumb question or if it has been answered before but I've
> looked through the RADIUS book and back through the emails I have received
> from the list and found nothing relevant.

[deleted the rest, which you've probably read already :-)]
Apple Airport Extreme
Hi,

I'm new to radius in general, and wonder if anyone can provide me with good a nod in the right direction. I installed freeradius 0.9.2 from source on RedHat advance server 2.1. Initial testing as described in INSTALL went fine.

We will be getting Apple Airport Extreme base stations ( http://www.apple.com/airport/) for company WiFi access, and I want to manage the allowed MAC list for all the base stations centrally on the radius server. What exactly do I need to configure on the freeradius side? Do I have to configure users as well, or can you just put up a list of MACs somewhere? I see the Airport supports Cisco's LEAP, do I need to configure freeradius with LEAP support, or is this not necessary if Cisco equipment aren't used?

If I later want to configure user auth in addition to MAC auth, can this be done via PAM smb? We usually use pam_smb to authenticate things like ssh sessions against our NT4 domain controllers. Will this work with freeradius/apple's airport? How do users authenticate before they can use the WLAN? Is extra client software required for Windows/Mac OS X?

Thanks,
Jan
TTLS authentication against LDAP
Hi everybody, we finally did it in having all the stuff work. The server is running fine with our TTLS client, and performs authentication against a RadiantOne virtual LDAP running over a couple of different sources (quite a long tour to authenticate a user). Thank you very much for your help and kindness. When are you planning to have the stable version featuring TTLS be released? Silvio Arcangeli
Re: rlm_counter question
On Tue, 28 Oct 2003, apellido jr., wilfredo p wrote:

> hello , after searching for any documents and tutorial
> regarding GDBM and perl got no luck. i want to write a
> script that would reset the counter in GDBM database
> using perl. Anyone know documentation or maybe
> tutorial, books... thanks very much

Look in src/modules/rlm_counter for rad_counter.pl

Take that script and extend it to also change counter values and you should be ok

> =
> wilfredo pahilanga apellido jr.
> technical support
> mactan online
> bacolod city, philippines
> +63 34 4348311
>
> If you can't hear me, it's because i'm in parentheses.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
lower_user with MS-CHAPv2...
Hi,

Sorry if this is a dumb question or if it has been answered before but I've looked through the RADIUS book and back through the emails I have received from the list and found nothing relevant.

I've been using FreeRADIUS 0.9.2 to authenticate users using MS-CHAPv2 and, up to now, everything has been working fine. However, I have several users who use a username in Uppercase so I thought I'd use the "lower_user = after" function to make everything lowercase if uppercase fails. However, as soon as I do this, I have the following problem.

If the username is in lowercase in the users file and the user uses lowercase in their request, everything works fine (as expected).

If the username is in uppercase in the users file and the user sends uppercase in their request, everything works fine (as expected).

If the username is in lowercase in the users file and the user sends uppercase in their request, the request fails (not as expected).

If the username is in uppercase in the users file and the user sends lowercase in their request, the request fails (as expected).

In the logfile, I was seeing errors like this...

Wed Oct 29 11:40:48 2003 : Auth: Login incorrect: [GUYD/] (from client MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C)
Wed Oct 29 11:40:48 2003 : Error: rlm_eap: EAP-Message not found
Wed Oct 29 11:40:48 2003 : Auth: Login incorrect: [guyd/] (from client MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C)

I was running radiusd with -X and got the following, which relates directly to the messages above...
rad_recv: Access-Request packet from host 10.24.0.200:20007, id=208, length=157 NAS-Port-Id = "1/2" Calling-Station-Id = "00-20-A6-4C-F7-1C" Called-Station-Id = "00-0B-0E-00-0A-44" User-Name = "GUYD" MS-CHAP-Challenge = 0xdad9af6fac7c8ba98a460cd911841fd8 MS-CHAP2-Response = 0x45f4b3128611804c99e54c88527004a518afea36077a13bd6e105d 941cc1711b30a53423bde826d7 NAS-IP-Address = 10.24.0.200 modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok modcall[authorize]: module "chap" returns noop rlm_eap: EAP-Message not found modcall[authorize]: module "eap" returns noop rlm_realm: No '@' in User-Name = "GUYD", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop users: Matched DEFAULT at 154 users: Matched DEFAULT at 160 modcall[authorize]: module "files" returns ok rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP' modcall[authorize]: module "mschap" returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" modcall: entering group Auth-Type rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: No LM-Password or NT-Password attribute found. Cannot perform MS-CHAP authentication. modcall[authenticate]: module "mschap" returns fail modcall: group Auth-Type returns fail auth: Failed to validate the user. 
Login incorrect: [GUYD/] (from client MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C) rad_lowerpair: User-Name now 'guyd' modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok modcall[authorize]: module "chap" returns noop rlm_eap: EAP-Message not found modcall[authorize]: module "eap" returns noop rlm_realm: No '@' in User-Name = "guyd", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop users: Matched guyd at 39 users: Matched DEFAULT at 154 users: Matched DEFAULT at 160 modcall[authorize]: module "files" returns ok rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type := MS-CHAP' modcall[authorize]: module "mschap" returns ok modcall: group authorize returns ok rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" modcall: entering group Auth-Type rlm_mschap: doing MS-CHAPv2 with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject modcall: group Auth-Type returns reject auth: Failed to validate the user. Login incorrect: [guyd/] (from client MX-20-Tech-Eng-PM port 0 cli 00-20-A6-4C-F7-1C) Delaying request 4 for 1 seconds Finished request 4 Going to the next request However, with exactly the same username (guyd) and the same client, I get this when I login directly using lowercase (i.e. the lower_user function isn't used). rad_recv: Access-Request packet from host 10.24.0.200:20007, id=209, length=157 NAS-Port-Id = "1/2" Calling-Station-Id = "00-20-A6-4C-F7-1C" Called-Station-Id = "00-0B-0E-00-0A-44" User-Name = "guyd" MS-CHAP-Challenge = 0xac9c8132067b24c328bb5d132892710a MS-CHAP2-Response = 0x96b81f06b43769757e10228a321fe43600
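
Added example (not part of the original post and not FreeRADIUS code): the second pass in the debug output fails with "MS-CHAP2-Response is incorrect" because MS-CHAPv2 (RFC 2759) hashes the user name into the 8-octet challenge that the NT-Response encrypts, so a response the client computed for "GUYD" cannot verify once User-Name has been rewritten to "guyd". The function names and the sample attribute values below are assumptions made for illustration.

```python
import hashlib
import struct

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(Peer || Authenticator || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("ascii"))
    return digest.digest()[:8]

def parse_mschap2_response(value: bytes) -> dict:
    """Split an MS-CHAP2-Response value (RFC 2548): Ident, Flags,
    Peer-Challenge (16), Reserved (8), NT-Response (24) = 50 octets."""
    if len(value) != 50:
        raise ValueError(f"expected 50 octets, got {len(value)}")
    ident, flags, peer, _reserved, nt_resp = struct.unpack("!BB16s8s24s", value)
    return {"ident": ident, "flags": flags,
            "peer_challenge": peer, "nt_response": nt_resp}

def des_input_for(user_name: str, mschap_challenge: bytes, mschap2_response: bytes) -> bytes:
    """The 8-octet block a server encrypts with the NT hash to check NT-Response."""
    fields = parse_mschap2_response(mschap2_response)
    return challenge_hash(fields["peer_challenge"], mschap_challenge, user_name)

def rewrite_breaks_response(sent_name: str, rewritten_name: str,
                            mschap_challenge: bytes, mschap2_response: bytes) -> bool:
    """True when verifying under the rewritten name cannot match what the
    client computed under the name it actually sent."""
    return (des_input_for(sent_name, mschap_challenge, mschap2_response)
            != des_input_for(rewritten_name, mschap_challenge, mschap2_response))

# Constructed sample attributes (not the values from the debug output above);
# the challenge octets reuse the example values from RFC 2759.
AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
# Ident=1, Flags=0, Peer-Challenge, 8 reserved octets, NT-Response zeroed out
SAMPLE_RESPONSE = bytes([1, 0]) + PEER_CHALLENGE + bytes(8) + bytes(24)

if __name__ == "__main__":
    for name in ("GUYD", "guyd"):
        print(name, des_input_for(name, AUTH_CHALLENGE, SAMPLE_RESPONSE).hex())
    print("rewrite breaks response:",
          rewrite_breaks_response("GUYD", "guyd", AUTH_CHALLENGE, SAMPLE_RESPONSE))
```

A server that normalises names for account lookup therefore has to keep the name exactly as the client sent it for the ChallengeHash step.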
Re: Dialup Admin
On Wed, 2003-10-29 at 12:57, Bruno Gianelli Braido wrote:
> Thanks for your help Uli,
>
> So my FR is working with Mysql, my problem is "configure the Dialup
> Admin", I used the help come with DialupAdmin but not work.
> Where I get a example to configure the Dialup Admin

[...]

Most important is to have php working properly.

apache with php4: http://www.php.net/manual/en/install.apache.php

All attributes are well explained in conf/admin.conf

There you might have to change:

    general_base_dir: /usr/local/dialup_admin
    general_radiusd_base_dir: /usr/local/radiusd
    general_test_account_login: test
    general_test_account_password: testpass
    general_radius_server: localhost [IP-Address_of_RADIUS_server]
    general_radius_server_auth_proto: pap
    general_encryption_method: crypt
    sql_server: localhost [IP-Address_of_sql_server]
    sql_username: dialup_admin
    sql_database: radius
    sql_accounting_table: radacct
    sql_badusers_table: badusers
    sql_check_table: radcheck
    sql_reply_table: radreply
    sql_user_info_table: userinfo
    sql_groupcheck_table: radgroupcheck
    sql_groupreply_table: radgroupreply
    sql_usergroup_table: usergroup
    sql_total_accounting_table: totacct

You'll have to change:

    general_radius_server_secret: XX
    sql_password: XX

The rest should work by default.

Little more information on what's not working is helpful. Otherwise the answer will be: You misconfigured something...

Uli
Re: Dialup Admin
Thanks for your help Uli,

So my FR is working with Mysql, my problem is "configure the Dialup Admin", I used the help come with DialupAdmin but not work.
Where I get a example to configure the Dialup Admin

[],

Bruno Gianelli Braido
Linux User# 32000
ICQ:71059588
[EMAIL PROTECTED]

----- Original Message -----
From: "Ulrich Walcher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2003 5:46 AM
Subject: Re: Dialup Admin

> On Tue, 2003-10-28 at 17:59, Bruno Gianelli Braido wrote:
> > Hello all,
> >
> > I'd like to use the "Dialup_Admin", I tried use the example from
> > http://kstadler.ch/index.php?topgroupid=1&subgroupid=14&groupid=11
> > but not success.
> > Who knows where I get a good example???
> > My equipment is a PM3, Freeradius with Auth Mysql.
> >
> > Thanks for your help.
> [...]
> Do you have FR with MySQL working?
> "No success" is not very precise. Give us a little more details and
> maybe someone can help you.
>
> Uli
Re: Proxy doesn't send acct packets to other radius
hi

looking at your proxy.conf file:

    realm dimapel.com.br {
        type = radius
        authhost = 200.193.87.129:1812
        accthost = 200.193.87.129:1813
        secret = teste
    }

now looking at the proxied Access Request out of your debug output:

    modcall: group authorize returns updated
    Sending Access-Request of id 3 to 200.180.55.65:1812
        User-Name = "dumes"
        User-Password = "D\277\255\261\350~V\037\005\240\331\360^\330\206u"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = 200.180.22.15
        NAS-Port = 108
        Calling-Station-Id = "475211600"
        Called-Station-Id = "12110482815300"
        Connect-Info = "34000/28800_K56_/LAPM/V42BIS"
        Proxy-State = "73"
    --- Walking the entire request list ---

i strongly doubt that the proxy.conf file you are editing is relevant to this server. (it should proxy to 200.193.87.129:1812 but it does to 200.180.55.65:1812).

unless of course you have a WEIRD host file

ciao
artur
Re: Re: Authentication problem
On Wed, 2003-10-29 at 09:55, Remesh wrote:
> hai ,
>
> in my case when i am dialing we can see the following entry when we run tcpdump udp
>
> 16:29:59.071115 164.100.96.13.datametrics > mp9.radius: rad-access-req 66 [id 1]
> Attr[ NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl}
> [|radius]
>
> no entries in logs especially. 'Ready to process requests' is showing in radius.log.
>
> please help me
>
> Remesh

run radiusd -X

All logs will be shown on the screen...

Uli

> On Wed, 29 Oct 2003 Ulrich Walcher wrote :
> >On Wed, 2003-10-29 at 07:57, Remesh wrote:
> > > hai friends,
> > >
> > > I have installed free radius and radtest commands working fine locally.
> > > The OS used is RedHat 8.0 . But When i am trying this command from other
> > > servers, it is not responding. Also when i am dialing, i am getting
> > > authentication failed message.
> > >
> >[...]
> >Please post the logs.
> >Uli
>
> Remesh Babu. T
Re: Re: Authentication problem
hai ,

in my case when i am dialing we can see the following entry when we run tcpdump udp

    16:29:59.071115 164.100.96.13.datametrics > mp9.radius: rad-access-req 66 [id 1] Attr[ NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl} [|radius]

no entries in logs especially. 'Ready to process requests' is showing in radius.log.

please help me

Remesh

On Wed, 29 Oct 2003 Ulrich Walcher wrote :
>On Wed, 2003-10-29 at 07:57, Remesh wrote:
> > hai friends,
> >
> > I have installed free radius and radtest commands working fine locally.
> > The OS used is RedHat 8.0 . But When i am trying this command from other servers,
> > it is not responding. Also when i am dialing, i am getting authentication failed
> > message.
> >
>[...]
>Please post the logs.
>Uli

Remesh Babu. T
Re: Authentication problem
On Wed, 2003-10-29 at 07:57, Remesh wrote:
> hai friends,
>
> I have installed free radius and radtest commands working fine locally.
> The OS used is RedHat 8.0 . But When i am trying this command from other servers, it
> is not responding. Also when i am dialing, i am getting authentication failed
> message.
>
[...]

Please post the logs.

Uli
Re: Dialup Admin
On Tue, 2003-10-28 at 17:59, Bruno Gianelli Braido wrote:
> Hello all,
>
> I'd like to use the "Dialup_Admin", I tried use the example from
> http://kstadler.ch/index.php?topgroupid=1&subgroupid=14&groupid=11
> but not success.
> Who knows where I get a good example???
> My equipment is a PM3, Freeradius with Auth Mysql.
>
> Thanks for your help.

[...]

Do you have FR with MySQL working?
"No success" is not very precise. Give us a little more details and maybe someone can help you.

Uli
Authentication problem
hai friends,

I have installed free radius and radtest commands working fine locally. The OS used is RedHat 8.0 . But When i am trying this command from other servers, it is not responding. Also when i am dialing, i am getting authentication failed message.

The same configuration i have done in another redhat machine and got successfully authentication and connection.

Please help me to solve this.

Regards,
Remesh

Remesh Babu. T