802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
Hi freeradius mailing list,

I set up a freeradius server (SuSE 9.0, freeradius-snapshot-20040119 +
openssl-0.9.7c) to authenticate wireless Windows (Windows 2000, XP)
based clients with 802.1x. On my access point (a WLAN router with DHCP and
NAT), an SMC2804WBR v2, 802.1x authentication is supported and is set up to
use the RADIUS server with the specified secret. To test everything, I
use a WinXP laptop (SP1) with a D-Link DWL G650+ inserted.
In programming-language notation, the packet from the AP to the RADIUS
server is encapsulated like:

  RADIUS ( EAP ( MSCHAPv2 ) )

where EAP will be "Secure EAP" (PEAP). Please tell me if I'm wrong.
My setup of the RADIUS server is oriented on this; I used only the things
I think I need, to eliminate other error sources.
I have read all relevant mails about this topic and experimented with
many snapshots before, but found none to help at this last step. TLS is
running, but authentication will not work:

My problem (full logs listed below):

rlm_mschap: No MS-CHAP-Challenge in the request

My setup:

XP laptop:
- [WEP] activated
- [Network authentication (common mode)] deactivated
- [key automatically provided] activated
- [IEEE 802.1x authentication activate] set with EAP (PEAP) --> [test
  server certificate] deactivated, [Secure password MSCHAPv2] activated

On the access point, the NAS-Identifier was set to "port", because a
value must be entered. The other options (secret, ports and IP) were set
as required.

RADIUS [freeradius-snapshot-20040119] + [openssl-0.9.7c]:
- set up EAP-TLS with help of
  http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm which works fine.
- set up the test user
- commented out "not needed" modules
---> played with options
mschap: use_mppe
mschap: require_encryption
mschap: require_strong

If anyone has set up this authentication method completely working,
please post all relevant stuff, you will help me very much! But please
quote only the relevant text from my mail, I know what I have written.

Greatest thanks for replies and to the complete list, your help is
invaluable!



The Files and Logs (comments deleted):
### radiusd.conf ###
prefix = /usr/local/radius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
}
modules {
  eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = yes
    tls {
      private_key_password = whatever
      private_key_file = /etc/1x/Radius.pem
      certificate_file = /etc/1x/Radius.pem
      CA_file = /etc/1x/root.pem
      dh_file = /etc/1x/DH
      random_file = /etc/1x/random
      fragment_size = 1024
      include_length = yes
    }
    peap {
      default_eap_type = mschapv2
    }
    mschapv2 {
    }
  }

  mschap {
    authtype = MS-CHAP
  }
  preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
  }
  files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    compat = no
  }
  detail {
    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
    detailperm = 0600
  }
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
  radutmp {
    filename = ${logdir}/radutmp
    username = %{User-Name}
    case_sensitive = yes
    check_with_nas = yes
    perm = 0600
    callerid = "yes"
  }
  radutmp sradutmp {
    filename = ${logdir}/sradutmp
    perm = 0644
    callerid = "no"
  }
  attr_filter {
    attrsfile = ${confdir}/attrs
  }
}
instantiate {
}
authorize {
  preprocess
  eap
  files
}
authenticate {
  Auth-Type MS-CHAP {
    mschap
  }
}
preacct {
  preprocess
}
accounting {
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
### end radiusd.conf ###

Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Brian Clarkson
I just went through this. Change:

>  users #
>
> "tester"   Auth-Type :=MS-CHAP, User-Password == "test"

to Auth-Type: Local

and let the RADIUS server do its job. I got rather scolded for fiddling
with the auth-type.

--brian

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Cisco VoIP gw + FreeRadius + prepaid card (fwd)

2004-01-22 Thread Michael


Hi all!
Has anybody done this?




Re: Problem with EAP/TLS ... Needs some help !

2004-01-22 Thread Jean-Paul Chapalain
Hi,

I need help to solve my problem.

If you have any suggestion, I can investigate it.

Thanks in advance.

Jean-Paul.
--
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D




Re: Using NAS IP as part of auth

2004-01-22 Thread Thomas MARCHESSEAU
Graeme Hinchliffe wrote:

Hiya
	Thanks for your help, took me a while to get my head around what you were doing,

hehe! I can imagine :)
I'm not a good teacher.

but I have the general gist of it now and a working config.

this is the most important :)

	much appreciated

Graeme

 

regards
thomas.
On Mon, 19 Jan 2004 16:12:53 +0100
Thomas MARCHESSEAU <[EMAIL PROTECTED]> wrote:
 

Hi,

I'm not sure I understand your request exactly, but I'm selecting the auth
via the NAS-IP-Address:

* first the user.conf file: I have created huntgroups (lns, bas,
lns-rtc, and even wifi)

- a part of user.conf -
DEFAULT Realm == "XXX.net", Huntgroup-Name == "bas", Autz-Type := "autz.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "lns", Autz-Type := "autz1.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "nas", Autz-Type := "autz2.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "lns-rtc", Autz-Type := "autz.XXX.net"
-end-

* then here comes the huntgroups file:

- a part of huntgroups -

# BAS #
bas NAS-IP-Address == xx.124.255.2
# to check whether it exists
bas NAS-IP-Address == xx.124.255.128
# LNS #
lns NAS-IP-Address == xx.223.42.14
lns NAS-IP-Address == xx.223.238.197
lns-rtc NAS-IP-Address == xx.223.14.226
lns-rtc NAS-IP-Address == xx.115.111.13

# the dupont hosts (Nagios monitoring)
lns-rtc NAS-IP-Address == 192.168.7.229
lns-rtc NAS-IP-Address == 192.168.7.230
* then you can find parts of my sql.conf

authorize_check_query = "select USER_ID, USER_LOGIN, \"User-Password\", USER_PWD, ':=' \
  from USER where USER_LOGIN = '%{User-Name}' and USER_ETAT = 'TRUE'"

# used to fetch the Post-Auth-Type variable, for LNS load balancing
authorize_group_check_query = "select GATTR_ID, USER_LOGIN, GATTR_NOM, GATTR_VALEUR, GATTR_OPERATION \
  from USER, GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID \
  and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'check'"

# fetches the user attributes
authorize_reply_query = "select UATTR_ID, USER_LOGIN, UATTR_NOM, UATTR_VALEUR, UATTR_OPERATION \
  from USER, UATTR where USER_LOGIN = '%{User-Name}' and UATTR.USER_ID = USER.USER_ID \
  and UATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'reply'"

# fetches the group attributes
authorize_group_reply_query = "select GATTR_ID, USER_LOGIN, GATTR_NOM, GATTR_VALEUR, GATTR_OPERATION \
  from USER, GATTR where USER_LOGIN = '%{User-Name}' and GATTR.GROUPE_ID = USER.GROUPE_ID \
  and GATTR_CLTTYPE = '%{Huntgroup-Name}' and GATTR_QUERYTYPE = 'reply'"
}

* and maybe you need to have a look at radiusd.conf

authorize {
   preprocess
   suffix
   files

   Autz-Type autz.XXX.net {
      chap
      sql.XXX.net
   }

   Autz-Type autz.david.cl {
      chap
      sql.david.cl
   }
   Autz-Type autz.valerie.cl {
      chap
      sql.valerie.cl
   }
}

OK, maybe it's not clear :/
If you feel it can help you, tell me :)


Graeme Hinchliffe wrote:

   

Hiya
I am building a centralised authentication system for our routers; we are
using RADIUS (well, freeRADIUS :) ) as the authentication and authorization system.
Ideally we want to just have one RADIUS server running on the machine that will be
responsible for this, but there are several different types of router. So we have
people that can enable on router A but not B and vice-versa.
	For this to work nicely I need to take into account the NAS IP address from which the auth request is coming and use a lookup in another table to determine the user's access level on the router. Is this possible in freeRADIUS without using an external call? I was looking at the sql_xlat call, or am I barking up the wrong tree?

thanks for any help,



 

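An added example, not part of the thread and not FreeRADIUS code: a small evaluator for huntgroups lines and users-file DEFAULT entries in the shape Thomas quotes above, so the "which NAS sent this" selection can be checked offline before it goes into the server. The addresses, the request dictionaries and the group named by Client-IP-Address are constructed for the example; the Huntgroup-Name to Autz-Type mapping copies the quoted user.conf. The caveat it also demonstrates: NAS-IP-Address is an attribute the NAS writes into the packet, so any client that holds a valid shared secret can claim any value. Client-IP-Address is filled in by the server from the packet's source address (it is the attribute the detail path and acct_unique hash on this page already use), and a huntgroup keyed on it cannot be claimed that way.

```python
# Added example (not from the thread): evaluate huntgroups and users-file
# DEFAULT entries offline, in the shape of the files quoted above.

HUNTGROUPS_BY_NAS_IP = """
# constructed for this example; the xx. prefixes of the quoted file are
# replaced by private / documentation addresses
bas      NAS-IP-Address == 10.124.255.2
bas      NAS-IP-Address == 10.124.255.128
lns      NAS-IP-Address == 10.223.42.14
lns      NAS-IP-Address == 10.223.238.197
lns-rtc  NAS-IP-Address == 10.223.14.226
lns-rtc  NAS-IP-Address == 192.168.7.229
"""

# The same LNS group keyed on the packet source, which the NAS cannot choose.
HUNTGROUPS_BY_SOURCE = """
lns      Client-IP-Address == 10.223.42.14
lns      Client-IP-Address == 10.223.238.197
"""

USERS = """
DEFAULT Realm == "XXX.net", Huntgroup-Name == "bas",     Autz-Type := "autz.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "lns",     Autz-Type := "autz1.XXX.net"
DEFAULT Realm == "XXX.net", Huntgroup-Name == "lns-rtc", Autz-Type := "autz.XXX.net"
"""


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) triples."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        attr, op, value = part.split(None, 2)
        items.append((attr, op, value.strip().strip('"')))
    return items


def parse_huntgroups(text):
    """Return [(group_name, [(attr, op, value), ...]), ...] from huntgroups syntax."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, conditions = line.split(None, 1)
        rules.append((name, parse_items(conditions)))
    return rules


def huntgroup_names(rules, request):
    """Every group whose check items all hold for this request, in file order."""
    names = []
    for name, conds in rules:
        if all(op == "==" and str(request.get(attr)) == value for attr, op, value in conds):
            if name not in names:
                names.append(name)
    return names


def realm_of(user_name):
    """What the suffix realm module derives: the text after the last '@', if any."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else None


def select_autz_type(users_text, rules, request):
    """First DEFAULT entry whose check items all hold wins; return its Autz-Type."""
    groups = huntgroup_names(rules, request)
    realm = realm_of(request.get("User-Name", ""))
    for line in users_text.splitlines():
        line = line.strip()
        if not line.startswith("DEFAULT"):
            continue
        matched, control = True, {}
        for attr, op, value in parse_items(line[len("DEFAULT"):]):
            if op == ":=":                      # control item, set on match
                control[attr] = value
            elif attr == "Huntgroup-Name":      # resolved through huntgroups
                matched = matched and value in groups
            elif attr == "Realm":               # resolved from User-Name suffix
                matched = matched and realm == value
            else:                               # plain request-attribute compare
                matched = matched and str(request.get(attr)) == value
        if matched:
            return control.get("Autz-Type")
    return None


if __name__ == "__main__":
    rules = parse_huntgroups(HUNTGROUPS_BY_NAS_IP)
    req = {"User-Name": "alice@XXX.net", "NAS-IP-Address": "10.223.42.14",
           "Client-IP-Address": "10.223.42.14"}
    print(huntgroup_names(rules, req), select_autz_type(USERS, rules, req))
```

The spoofing case in the test below is the one to remember: a NAS at 203.0.113.9 that puts 10.223.42.14 into NAS-IP-Address lands in the "lns" group under the quoted file, but matches nothing when the group is keyed on Client-IP-Address.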


Proxying based on Dialed No and no Username.

2004-01-22 Thread Firas Shalabi
Hi all,

I posted this question again; I hope I can find an answer.

I have RADIUS server ver. 0.9.3. We want to proxy the accounting info to a remote
RADIUS server based on the dialed number; no username will be sent to the RADIUS server. I managed to proxy
the accounting requests, but with the username attribute available, using the DEFAULT realm
only (not based on Called-Station-Id). I got the following when no username is used:

Note the line below which says: rlm_realm: Proxy reply, or no User-Name.
Ignoring.

So RADIUS is ignoring proxying if the username is not available in the request, so how can we
configure it to proxy accounting based only on the dialed number? We will use many
dialed numbers.

Thanks again,

 rad_recv: Accounting-Request packet from host 172.16.0.2:1646, id=29, length=123
Acct-Session-Id = "00FB"
Framed-Protocol = PPP
Acct-Authentic = Local
Acct-Status-Type = Start
Calling-Station-Id = "234"
Called-Station-Id = "235"
NAS-Port-Type = Async
Connect-Info = "28800/33600 V34+/V44/LAPM"
NAS-Port = 26
Service-Type = Framed-User
NAS-IP-Address = 172.16.0.2
Acct-Delay-Time = 0
modcall: entering group preacct for request 3
modcall[preacct]: module "preprocess" returns noop for request 3
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
modcall[preacct]: module "suffix" returns noop for request 3
modcall[preacct]: module "files" returns noop for request 3
modcall: group preacct returns noop for request 3
modcall: entering group accounting for request 3
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique
ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute User-Name was not found in request, unique I
D MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.16.0.2,NAS-IP-Address = 172.1
6.0.2,Acct-Session-Id = "00FB",'
rlm_acct_unique: Acct-Unique-Session-ID = "d1d8fd64aa3ff5da".
 modcall[accounting]: module "acct_unique" returns ok for request 3
radius_xlat:  '/usr/local/var/log/radius/radacct/172.16.0.2/detail-20040120'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 expands to /usr/local/var/log/radius/radacct/172.16.0.2/detail-20040120
  modcall[accounting]: module "detail" returns ok for request 3
  modcall[accounting]: module "unix" returns noop for request 3
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  ''
  modcall[accounting]: module "radutmp" returns ok for request 3
modcall: group accounting returns ok for request 3
Sending Accounting-Response of id 29 to 172.16.0.2:1646
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

Thanks in advance

Regards,









Manuals and guides about Freeradius

2004-01-22 Thread Master Brian
Hi,

I'm new to Freeradius, and I don't want to write annoying messages to the
list :)
I'm looking for a PDF or manual on the internet that explains RADIUS concepts
and gives "freeradius oriented" examples. I've already downloaded and printed the
manual referred to in the README that comes with the freeradius distro. Is there anything
else on the internet?

Thank you.



Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
Brian Clarkson wrote:

> I just went through this. Change:
>
> >  users #
> >
> > "tester"   Auth-Type :=MS-CHAP, User-Password == "test"
>
> to Auth-Type: Local
>
> and let the RADIUS server do its job. I got rather scolded for
> fiddling with the auth-type.
>
> --brian

Sorry Brian,

I changed the Auth-Type to Local, but it did not work. The error message
received is listed below.
If your setup works, please send your radiusd.conf and users files as
attachments; this can help a lot.

I think the problem is only the following line:
auth: No User-Password or CHAP-Password attribute in the request
It opens the PEAP packet, but sees nothing like a password..

Thanks to you anyway!

### radiusd -X -A -f 

...
rad_recv: Access-Request packet from host [IP], id=12, length=95
   User-Name = "tester"
   NAS-IP-Address = [IP]
   NAS-Identifier = "port"
   NAS-Port = 29
   Service-Type = Framed-User
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020c000b01746573746572
   Message-Authenticator = 0xfbccbf9244d0a44b7856d130ce1e1afd
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 rlm_eap: EAP packet type response id 12 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
   users: Matched tester at 143
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 12 to [IP]
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 12 with timestamp 400f9aeb
Nothing to do.  Sleeping until we see a request.
#



acct_users for prepaid VoIP service

2004-01-22 Thread Michael

Hello all.

Does someone have experience configuring FreeRadius for accounting for VoIP
prepaid cards?

In particular I want to know how you pass VSA attributes to Cisco.

Thanks!!!



Segfault with eap-tls

2004-01-22 Thread Magnus Ekhall
When I try to authenticate with a WinXP supplicant using tls I get a 
segfault in freeRadius.  
I'm using the CVS snapshot from yesterday. 
 
Here is the relevant output from gdb: 
 
(gdb) bt
#0  eaptls_compose (eap_ds=0xd, reply=0xbfffda70) at eap_tls.c:537
#1  0x4004a963 in eaptls_start (eap_ds=0xd) at eap_tls.c:93
#2  0x4004a68a in eaptls_initiate (type_arg=0x80636cc, handler=0x814b818) at rlm_eap_tls.c:151
#3  0x4003d62a in eaptype_call (atype=0x8139410, handler=0x814b818) at eap.c:139
#4  0x4003d8bf in eaptype_select (inst=0x8138a90, handler=0x8139410) at eap.c:246
#5  0x4003ccf9 in eap_authenticate (instance=0x8138a90, request=0x814a7c0) at rlm_eap.c:269
#6  0x08056860 in call_modsingle (component=0, sp=0x8138380, request=0x814a7c0, default_result=0) at modcall.c:212
#7  0x080569c1 in modcall (component=135571392, c=0x8138380, request=0x814a7c0) at modcall.c:323
#8  0x08056936 in call_modgroup (component=0, g=0xd, request=0x814a7c0, default_result=0) at modcall.c:237
#9  0x08056a55 in modcall (component=0, c=0x8138380, request=0x814a7c0) at modcall.c:314
#10 0x08056430 in module_authenticate (auth_type=13, request=0xd) at modules.c:893
#11 0x08052c12 in rad_check_password (request=0x814a7c0) at auth.c:353
#12 0x08053050 in rad_authenticate (request=0x814a7c0) at auth.c:601
#13 0x0804dc2d in rad_respond (request=0x8138380, fun=0x8052f50 ) at radiusd.c:1764
#14 0x0804d3be in main (argc=0, argv=0x814a7c0) at radiusd.c:1552
 
 
 
 
It seems that eap_ds is not checked for NULL contents in 
eaptls_initiate(...). 
 
Anyone knows what causes this? 
 
Cheers 
Magnus 
 



Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
I will give some additional information about the main objective of the
setup, in the hope that anybody has set it up and it works.

I want to use the Windows XP and/or Windows 2000 included 802.1x
supplicant to authenticate the wireless clients on the RADIUS server
with a username and password phrase.
I have tried the Aegis client, but it shut down the installed
Novell client. Are there some other possibilities to do this except
PEAP + MSCHAPv2, or some other FREE clients that use the other possibilities?
At best, they finally get authenticated at the Novell eDirectory; there
I think about LDAP, but at first a simple authentication should work.

Recapitulating, the following target should be reached:
   -> 802.1x authentication with username and password
   -> secure connection
I hope someone can help me



Is: 802.1x EAP-TTLS + PAP Was: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Rok Papež
Hello Christian!

Christian Richter wrote:

> I will give some additional information about the main objective of the
> setup, in the hope that anybody has set it up and it works.
[...]
> Recapitulating, the following target should be reached:
>    -> 802.1x authentication with username and password
>    -> secure connection

Have you looked at EAP-TTLS + PAP with SecureW2 (WinXP and W2k):
http://www.alfa-ariss.com/products/product31.htm
--
Best regards,
Rok Papez.


Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
Christian Richter wrote:

> I will give some additional information about the main objective of
> the setup, in the hope that anybody has set it up and it works.

Sorry for my ugly expression; corrected, it should read "in the hope
that somebody has set it up correctly".



Memory Leak

2004-01-22 Thread Bhaskar Bhattarai
Hello all:

I'm running freeradius-0.9.3 on RedHat Linux 9.

Recently I ran MemProf (Memory Profiler) against freeradius. It showed
quite a *number* of instances of memory leaks (involving ip_getaddr()).
Below is one snapshot.

Leaked 0x80f85d8 (40 bytes)
   [0x40018809]
   __i686.get_pc_thunk.cx()
   __i686.get_pc_thunk.cx()
   __i686.get_pc_thunk.cx()
   __i686.get_pc_thunk.cx()
   __i686.get_pc_thunk.cx()
   __i686.get_pc_thunk.cx()
   ip_getaddr(): /home/radius/freeradius-0.9.3/src/lib/misc.c:121
   [0x804f9db]
   [0x8058980]
   [0x804c3b2]
   __i686.get_pc_thunk.cx()
   [0x804bd61]
Any solution already implemented?

Regards,
Bhaskar.


md5-passwords in mysql db did not work

2004-01-22 Thread Hans Bornemann
Hi,

I have problems authenticating against md5 passwords in a MySQL
database.

On my Redhat box I have this config:

After I created an md5 password with the cryptpasswd script and put it into
the users file, authentication was no problem.

test Auth-Type := Local, Crypt-Password == "$1$ZBTIFfKy$8sUu/dCy0ccA1AT7lf3ih0"

With this entry in the MySQL database:

| 12 | test | Crypt-Password | == | $1$ZBTIFfKy$8sUu/dCy0ccA1AT7lf3ih0 |

authentication doesn't work.

On my Sun box (Solaris 8) neither the authentication against the
users file nor the authentication against the MySQL database works.

Any ideas?

Hans






-- 
Universitaet Dortmund
Hochschulrechenzentrum
- Digitale Netze -
August Schmidt Str.12
44227 Dortmund

Tel. ++49 231 - 7552132
Fax. ++49 231 - 7552731
Mail: [EMAIL PROTECTED]
Web: http://www.hrz.uni-dortmund.de/s1/




Re: Is: 802.1x EAP-TTLS + PAP Was: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
Rok Papež wrote:

> Hello Christian!
>
> Have you looked at EAP-TTLS + PAP with SecureW2 (WinXP and W2k):
> http://www.alfa-ariss.com/products/product31.htm

Hi Rok,

I have installed the tool and configured the RADIUS server. The client
is running fine and works well. But what configuration options have to
be set on the server side? I set up TTLS with md5.
Are there other options to set (in the pap or other sections)?
What Auth-Type is to be set? Local or EAP (EAP as Auth-Type shows me
that it has found TTLS)?

I have tested EAP, LOCAL, PAP. I set the encryption scheme to clear, md5
and crypt but none is working.
Please mail your config and users file if your setup is working.

Thanks!!

### users: Auth-Type := Local ###

rad_recv: Access-Request packet from host [IP], id=73, length=95
   User-Name = "tester"
   NAS-IP-Address = [IP]
   NAS-Identifier = "port"
   NAS-Port = 29
   Service-Type = Framed-User
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0249000b01746573746572
   Message-Authenticator = 0x7e49260470dcf3b57f8bcebe58a4df20
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 rlm_eap: EAP packet type response id 73 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
   rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
   users: Matched tester at 143
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 73 to [IP]
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 73 with timestamp 400fc9a0
Nothing to do.  Sleeping until we see a request.


### users: Auth-Type := EAP ###

rad_recv: Access-Request packet from host [IP], id=77, length=95
   User-Name = "tester"
   NAS-IP-Address = [IP]
   NAS-Identifier = "port"
   NAS-Port = 29
   Service-Type = Framed-User
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x024d000b01746573746572
   Message-Authenticator = 0x1ea76f65adec7898ede3ceed810a61be
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 rlm_eap: EAP packet type response id 77 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
   rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
   users: Matched tester at 143
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 77 to [IP]
   EAP-Message = 0x014e00060d20
   Message-Authenticator = 0x
   State = 0xaaffe038e3468aa0bbe3c7f8eff7cb50
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host [IP], id=78, length=108
   User-Name = "tester"
   NAS-IP-Address = [IP]
   NAS-Identifier = "port"
   NAS-Port = 29
   Service-Type = Framed-User
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   State = 0xaaffe038e3468aa0bbe3c7f8eff7cb50
   EAP-Message = 0x024e00060315
   Message-Authenticator = 0x3074e554bfb126ae666c7294b8f7e454
modcall: entering group authorize for request 1
 modcall[authorize]: module "preprocess" returns ok for request 1
 rlm_eap: EAP packet type response id 78 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 1
   rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 
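An added example, not part of the thread and not FreeRADIUS code, covering the RADIUS ( EAP ( ... ) ) encapsulation from Christian's first post and the EAP-Message values that radiusd -X prints in the logs above. It decodes them: 0x020c000b01746573746572 in the PEAP log is an EAP Response/Identity, id 12, carrying "tester"; in the SecureW2 log 0x014e00060d20 is the server's EAP-TLS Start request (type 13), and the client's reply 0x024e00060315 is a Nak naming type 21, EAP-TTLS, which is what the supplicant wanted instead of the EAP-TLS the server offered. It also builds an Access-Request with the Message-Authenticator that RFC 3579 requires on any request carrying EAP-Message (HMAC-MD5 keyed with the shared secret over the packet with that field zeroed) and verifies it before the EAP payload is trusted. The shared secret, Request Authenticator and NAS address in the block are constructed for the example; the EAP bytes are the ones from the logs.

```python
# Added example (not from the thread): decode EAP-Message attributes seen in
# radiusd -X output and compute/verify the RADIUS Message-Authenticator.
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def parse_eap(raw: bytes) -> dict:
    """Decode one EAP packet (RFC 3748 s.4): Code, Identifier, Length, Type, Type-Data."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and Type-Data
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt


def attributes(packet: bytes):
    """Yield (type, value_offset, value) per RADIUS attribute, checking every length."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field disagrees with the bytes present")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length runs past the packet")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def build_access_request(secret: bytes, ident: int, authenticator: bytes, attrs) -> bytes:
    """Encode an Access-Request whose last attribute is a valid Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """RFC 3579 s.3.2: HMAC-MD5(secret) over the packet with the MAC field zeroed."""
    try:
        found = [(off, v) for t, off, v in attributes(packet)
                 if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16]
    except ValueError:
        return False
    if len(found) != 1:  # missing, or present more than once: refuse the packet
        return False
    off, mac = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def eap_from_request(secret: bytes, packet: bytes) -> dict:
    """Check the MAC first, then join EAP-Message fragments in order and decode them."""
    if not verify_message_authenticator(secret, packet):
        raise ValueError("Message-Authenticator missing or wrong: discard the request")
    raw = b"".join(v for t, _, v in attributes(packet) if t == ATTR_EAP_MESSAGE)
    if not raw:
        raise ValueError("no EAP-Message attribute in the request")
    return parse_eap(raw)


if __name__ == "__main__":
    for hexstr in ("020c000b01746573746572", "014e00060d20", "024e00060315"):
        print(hexstr, parse_eap(bytes.fromhex(hexstr)))  # values from the logs above
```

The order inside eap_from_request is the point a practitioner wants: an Access-Request with EAP-Message but no valid Message-Authenticator is discarded before any EAP state machine sees it, because without that MAC the Request Authenticator alone does not bind the EAP payload to a client that knows the shared secret.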

Re: Problem with EAP/TLS

2004-01-22 Thread Jean-Paul Chapalain
Hi,

I've done a new test with a Windows XP SP1 client, a Cisco AP1200 (IOS
12.2(11)JA) and my FreeRadius server (snapshot 2004-01-12).

I have the same result:
the Access-Request seems OK and comes in to the RADIUS server, but it's an
Access-Reject that is replied!

Thanks for your help.

Jean-Paul.

See the radiusd output below:
--
--- Walking the entire request list ---
Cleaning up request 1 ID 48 with timestamp 400fc633
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.154.91.201:1645, id=49, 
length=151
	User-Name = "chapalain"
	Framed-MTU = 1400
	Called-Station-Id = "0007.85b3.4a0d"
	Calling-Station-Id = "000c.ceff.4678"
	NAS-Port-Type = Wireless-802.11
	Message-Authenticator = 0x5c0158d09438271f24fe93ca87d4fb80
	EAP-Message = 0x0201000e0163686170616c61696e
	NAS-Port-Type = Virtual
	NAS-Port = 145
	Cisco-AVPair = "interface="
	Service-Type = Login-User
	NAS-IP-Address = 10.154.91.201
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
rlm_realm: No '@' in User-Name = "chapalain", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
users: Checking chapalain at 15
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 2
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
users: Matched DEFAULT at 19
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [chapalain/] (from client 
ap-info-ouest-2 port 145 cli 000c.ceff.4678)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 49 to 10.154.91.201:1645
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x
Waking up in 4 seconds...



--
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D




Re: Cisco VoIP gw + FreeRadius + prepaid card (fwd)

2004-01-22 Thread Norguhtar
> Has anybody done this?
Yes =) But I used the MCCP software. This software uses Cisco VSAs =)



Re: rlm_passwd usage?

2004-01-22 Thread 3APA3A
Dear Dan Hollis,



--Thursday, January 22, 2004, 2:15:24 AM, you wrote to [EMAIL PROTECTED]:


DH> If I have a flatfile of the format

DH> user:unix-crypted-password:someotherstuff:morestuff

DH> The proper format would be

DH> format =
DH> "*User-name:Crypt-Password:Some-Other-Attributes:More-Attributes" 

It depends on how you want Some-Other-Attributes and More-Attributes to
be used later. If you want to add Some-Other-Attributes to the reply items,
you need =Some-Other-Attributes in the format string.

-- 
~/ZARAZA
Alcoholism constitutes a special problem. (Lem)




Exec-Program problem..

2004-01-22 Thread Andrei Loukinykh
Hello freeradius-users,

I'm trying to get my external program to work (which is in fact
a billing program for users' accounting).

I have in /etc/acct_users:
DEFAULT Acct-Status-Type == Start
Exec-Program = "/usr/bin/billing -d"

  I couldn't get it to work the right way until this afternoon, when I
  decided to start FR with '-X' to see what happens.
  And it appeared that this was enough for billing to work!
  It just works when radius is started in debug mode ('-X') and doesn't
  when it's started without it.

  ===
  To be more specific, without '-X' it works the wrong way:
  it just doesn't execute an internal function sig_hup, which is the handler
  for the SIGHUP signal, and as a consequence it hangs forever until I kill
  it manually. The program (billing) is written in ANSI C and has worked well
  for 3 years so far... Though I had to rewrite it slightly to work with the
  radutmp file (it worked with tacacs' utmp initially).

  What could it be?
  What changes happen with external program execution when FR runs in
  debug mode?
  

Best regards,
Andy







Re: Is: 802.1x EAP-TTLS + PAP Was: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Rok Papež
Hello Christian!

Christian Richter wrote:

>> Have you looked at EAP-TTLS + PAP with SecureW2 (WinXP and W2k):
>> http://www.alfa-ariss.com/products/product31.htm
>
> i have installed the tool and configured the radius server. The Client
> is running good and works well. But what configuration options have to
> be done on the server side? I set up ttls with md5.
> Are there other options to set (in the pap or other sections)?

SecureW2 supports _only_ EAP-TTLS + PAP. For the client have a look at 
Alfa & Ariss user guides.

> Which Auth-Type has to be set? Local or EAP (EAP as Auth-Type shows me
> that it has found ttls)?

Unfortunately I have not yet installed freeradius. We are currently using 
Radiator. I'm attaching relevant settings from the Radiator configuration.


Identifier OUTERAuthentication
Filename %D/users
EAPType TTLS
EAPTLS_CAFile /opt/openssl/cacert.pem
EAPTLS_CertificateFile /opt/openssl/tmp/signed.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /opt/openssl/tmp/key.pem
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys

Outer authentication must be open (user anonymous).

> I have tested EAP, LOCAL, PAP . I set the encryption scheme to clear, md5
> and crypt but none is working.

Only PAP will work ! Did you disable server certificate check in 
SecureW2 client ?

--
Best regards,
Rok Papez.


Re: Problem: apache & mod_auth_radius

2004-01-22 Thread Tanel Kokk
Alan DeKok wrote:
> "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>
>>  This is explained in the README which comes with the server.
>
>   I meant "apache module".

How could I miss this section from README?! Thanks!

Tanel



Re: Exec-Program problem..

2004-01-22 Thread Dennis Roos
On Thu, 2004-01-22 at 14:25, Andrei Loukinykh wrote:

>   What changes happens with external program execution when FR runs in
> debug mode?
When run in debug mode, AFAIK freeradius doesn't drop root privileges.

What user/group does your freeradius run as when started without -X

-- 
Regards,
Dennis Roos





Re: Cisco VoIP gw + FreeRadius + prepaid card (fwd)

2004-01-22 Thread Aime

Please what is needed to do CISCO VoIP with IVR ?

Thanks


--- Norguhtar <[EMAIL PROTECTED]> wrote:
> > anybody do this?
> Yes =) But I used MCCP soft. This soft used CISCO
> VSA =)
> 


Re: EAP methods

2004-01-22 Thread Kostas Kalevras
On Thu, 22 Jan 2004, Artur Hecker wrote:

> hi list
>
>
> if i understand correctly, FR currently does not support EAP method
> restrictions per user (john is to use EAP/TLS but jack is to use
> PEAP/CHAPv2, etc)
>
> alan, would that be difficult to integrate? are there plans to integrate
> this? (i know that patches are always welcome :-))
>
> anyway, it seems to me like a very handy feature because currently FR
> would accept *ANY* supported EAP method for ANY user who is allowed to
> do EAP, right? so i have to restrict the whole server to only one method
> if i want to go for sure... however, in a WLAN you typically have user
> groups which do not have the same access level so the authentication
> could also vary...

Search the dictionary for the EAP-Type attribute and its values. You can set it
during the authorize phase in order to do a per user selection of the EAP
method.

>
>
> ciao
> artur
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Is: 802.1x EAP-TTLS + PAP Was: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
Rok Papež wrote:

SecureW2 supports _only_ EAP-TTLS + PAP. For the client have a look at 
Alfa & Ariss user guides.
Yes, i know. The other settings i used only for testing purposes.

Only PAP will work ! Did you disable server certificate check in 
SecureW2 client ?
Yes, all is disabled as described in the manual of the SecureW2 client.
I think that is the reason freeradius is not listed as a supported 
radius server on the Alfa and Ariss homepage :-(

If there are persons who have set up this correctly: Please provide your 
config files here! You will help not only me; i think this is 
interesting for many people.

Thanks



Help! Ascend-Disconnect-Cause=2 .

2004-01-22 Thread Alex Radetsky
Hello! 

 Using freeradius, all our users work fine, but when I try to
log in with a realm ([EMAIL PROTECTED]) our TNT rejects the call after one second.

 See logs below.

 Description: I wrote my own module for registering and logging 
information about all events specific to my database. The module 
 does not change attributes. It only adds Framed-IP-Address. 
 
 With any local users everything works fine. With a realm -- see logs. 
 
 Any ideas? 


Thu Jan 22 15:43:29 2004 : Auth: Username "[EMAIL PROTECTED]" Access Accepted 
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING PACKET VPS <=
Thu Jan 22 15:43:29 2004 : Auth: User-Name="[EMAIL PROTECTED]"
Thu Jan 22 15:43:29 2004 : Auth: Password="**"
Thu Jan 22 15:43:29 2004 : Auth: NAS-IP-Address=X.X.X.X
Thu Jan 22 15:43:29 2004 : Auth: NAS-Port=2162
Thu Jan 22 15:43:29 2004 : Auth: NAS-Port-Type=Async
Thu Jan 22 15:43:29 2004 : Auth: Service-Type=Framed-User
Thu Jan 22 15:43:29 2004 : Auth: Framed-Protocol=PPP
Thu Jan 22 15:43:29 2004 : Auth: State=0x
Thu Jan 22 15:43:29 2004 : Auth: Calling-Station-Id="***"
Thu Jan 22 15:43:29 2004 : Auth: Called-Station-Id="XXX"
Thu Jan 22 15:43:29 2004 : Auth: Acct-Session-Id="420501343"
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Data-Rate=31200
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Xmit-Rate=28800
Thu Jan 22 15:43:29 2004 : Auth: Stripped-User-Name="rad"
Thu Jan 22 15:43:29 2004 : Auth: Realm="some"
Thu Jan 22 15:43:29 2004 : Auth: Realm="some"
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING PROXY VPS <=
Thu Jan 22 15:43:29 2004 : Auth: User-Name="rad"
Thu Jan 22 15:43:29 2004 : Auth: Password=""
Thu Jan 22 15:43:29 2004 : Auth: NAS-IP-Address=X.X.X.X
Thu Jan 22 15:43:29 2004 : Auth: NAS-Port=2162
Thu Jan 22 15:43:29 2004 : Auth: NAS-Port-Type=Async
Thu Jan 22 15:43:29 2004 : Auth: Service-Type=Framed-User
Thu Jan 22 15:43:29 2004 : Auth: Framed-Protocol=PPP
Thu Jan 22 15:43:29 2004 : Auth: State=0x
Thu Jan 22 15:43:29 2004 : Auth: Calling-Station-Id="***"
Thu Jan 22 15:43:29 2004 : Auth: Called-Station-Id="XXX"
Thu Jan 22 15:43:29 2004 : Auth: Acct-Session-Id="420501343"
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Data-Rate=31200
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Xmit-Rate=28800
Thu Jan 22 15:43:29 2004 : Auth: Realm="some"
Thu Jan 22 15:43:29 2004 : Auth: Realm="some"
Thu Jan 22 15:43:29 2004 : Auth: Proxy-State="105"
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING REPLY VPS <=
Thu Jan 22 15:43:29 2004 : Auth: Session-Timeout=3601
Thu Jan 22 15:43:29 2004 : Auth: Framed-IP-Address=X.X.X.X 
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING PROXY_REPLY VPS <=
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING REQUEST CONFIG <=
Thu Jan 22 15:43:29 2004 : Auth: Auth-Type=Accept
Thu Jan 22 15:43:29 2004 : Auth: => THE END OF LOG ATTRS <=

Thu Jan 22 15:43:29 2004 : Auth: => LOGGING PACKET VPS <=
Thu Jan 22 15:43:29 2004 : Auth: User-Name="[EMAIL PROTECTED]"
Thu Jan 22 15:43:29 2004 : Auth: NAS-IP-Address=X.X.X.X
Thu Jan 22 15:43:29 2004 : Auth: NAS-Port=2162
Thu Jan 22 15:43:29 2004 : Auth: NAS-Port-Type=Async
Thu Jan 22 15:43:29 2004 : Auth: Acct-Status-Type=Start
Thu Jan 22 15:43:29 2004 : Auth: Acct-Delay-Time=0
Thu Jan 22 15:43:29 2004 : Auth: Acct-Session-Id="420501343"
Thu Jan 22 15:43:29 2004 : Auth: Acct-Authentic=RADIUS
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Multilink-ID=674236559
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Num-In-Multilink=1
Thu Jan 22 15:43:29 2004 : Auth: Acct-Link-Count=1
Thu Jan 22 15:43:29 2004 : Auth: Acct-Multi-Session-Id="2830088f"
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Modem-PortNo=16
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Modem-SlotNo=9
Thu Jan 22 15:43:29 2004 : Auth: X-Ascend-Modem-ShelfNo=1
Thu Jan 22 15:43:29 2004 : Auth: Calling-Station-Id="***"
Thu Jan 22 15:43:29 2004 : Auth: Called-Station-Id="XXX"
Thu Jan 22 15:43:29 2004 : Auth: Framed-Protocol=MP
Thu Jan 22 15:43:29 2004 : Auth: Framed-IP-Address=X.X.X.X
Thu Jan 22 15:43:29 2004 : Auth: Stripped-User-Name="rad"
Thu Jan 22 15:43:29 2004 : Auth: Realm="some"
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING PROXY VPS <=
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING REPLY VPS <=
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING PROXY_REPLY VPS <=
Thu Jan 22 15:43:29 2004 : Auth: => LOGGING REQUEST CONFIG <=
Thu Jan 22 15:43:29 2004 : Auth: Proxy-To-Realm="some"
Thu Jan 22 15:43:29 2004 : Auth: => THE END OF LOG ATTRS <=

Thu Jan 22 15:43:30 2004 : Auth: => LOGGING PACKET VPS <=
Thu Jan 22 15:43:30 2004 : Auth: User-Name="[EMAIL PROTECTED]"
Thu Jan 22 15:43:30 2004 : Auth: NAS-IP-Address=X.X.X.X
Thu Jan 22 15:43:30 2004 : Auth: NAS-Port=2162
Thu Jan 22 15:43:30 2004 : Auth: NAS-Port-Type=Async
Thu Jan 22 15:43:30 2004 : Auth: Acct-Status-Type=Stop
Thu Jan 22 15:43:30 2004 : Auth: Acct-Delay-Time=0
Thu Jan 22 15:43:30 2004 : Auth: Acct-Session-Id="420501343"
Thu Jan 22 15:43:30 2004 : Auth: Acct-Authentic=RADIUS
Thu Jan 22 15:43:30 2004 :

Re: Exec-Program problem..

2004-01-22 Thread Andrei Loukinykh
Thu, 22 Jan 2004, Dennis Roos wrote:

> On Thu, 2004-01-22 at 14:25, Andrei Loukinykh wrote:
> 
> >   What changes happens with external program execution when FR runs in
> > debug mode?
> When run in debug mode, AFAIK freeradius doesn't drop root privileges.
> 
> What user/group does your freeradius run as when started without -X
 As in default configuration. nobody/nogroup.
 Seems I need to change it to something with root privileges...
 to let my program operate in /var/run.. or elsewhere it needs to.
 Thank you, I'll try ...


Best regards,
Andy




Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Eugene Kandlen
Hello.
> In programming language, the packet from the AP to Radius will be
> encapsulated like:
>
>   RADIUS ( EAP ( MSCHAPv2 ) )
I think it will be like this: radius - eap - tls - peap - mschapv2

> If anyone has set up this authentication method completely working,
> please post all relevant stuff, you will help me very much! But please
> quote only the relevant text from my mail, i know what i have written
We use:
 - Slackware linux 9.1
 - openssl-0.9.7b-i486-2
 - freeradius-snapshot-20040112
 - patch from Mike Saywell 
(http://lists.cistron.nl/archives/freeradius-users/2004/01/msg00495.html)
 - hostapd v0.2.0 (from CVS)
client:
 - Windows XP SP1 + updates everyday
 - AEGIS client (PEAP, MS-CHAPv2, username trl, identify trl)

authorize {
  preprocess
may be mschap here?
  eap
  files
}
authenticate {
  Auth-Type MS-CHAP {
  mschap
  }
eap - here
}

preacct {
  preprocess
}
accounting {
}
session {
}
post-auth {
}
pre-proxy {
}
post-proxy {
and eap here?

hope this will help you.

--
Best regards, Eugene Kandlen
Rubtsovsk, inc (http://firma.rubtsovsk.ru)
Phone/fax: +7 (38557) 4-44-74
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/radacct
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/radiusd.pid

max_request_time = 30

delete_blocked_requests = no

cleanup_delay = 5

max_requests = 1024

bind_address = *

port = 0

hostname_lookups = no

allow_core_dumps = no

regular_expressions = yes
extended_expressions= yes

log_stripped_names = no

log_auth = yes

log_auth_badpass = yes
log_auth_goodpass = yes

usercollide = no

lower_user = no
lower_pass = no

nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests  = no

$INCLUDE  ${confdir}/clients.conf

snmp= no

thread pool {
start_servers = 5
max_servers = 32

min_spare_servers = 3
max_spare_servers = 10

max_requests_per_server = 0
}

modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
md5 {
}
tls {
private_key_password = whatever
private_key_file = /etc/raddb/cert/cert-srv.pem
certificate_file = /etc/raddb/cert/cert-srv.pem

CA_file = /etc/raddb/cert/root.pem

dh_file = /etc/raddb/cert/.dh
random_file = /etc/raddb/cert/.rnd

fragment_size = 1024
include_length = yes
check_crl = yes
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}

mschap {
authtype = MS-CHAP
}
realm IPASS {
format = prefix
delimiter = "/"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

with_ascend_hack = no
ascend_channels_per_line = 23

with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{NAS-IP-Address}/detail
detailperm = 0600
}
detail auth_log {
detailfile = ${radacctdir}/%{NAS-IP-Address}/auth-detail
detailperm = 0600
}
detail reply_log {
detailfile = ${radacctdir}/%{NAS-IP-Address}/reply-detail
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, 
NAS-Port"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes  

freeradius with nomadix

2004-01-22 Thread Ciolo_-^DusT^-_WebMaster



Is there somebody who has already experimented with
freeradius and nomadix?
If so... can you help me by giving me suggestions on
how to configure freeradius to work with nomadix in the best way?
 
thanx a lot
byez
CioloWeb


Re: EAP methods

2004-01-22 Thread Artur Hecker
hi kostas

thanks for the fast reply.


> Search the dictionary for the EAP-Type attribute and its values. You can set it
> during the authorize phase in order to do a per user selection of the EAP
> method.

i've searched my dictionary files for EAP and i have neither an "EAP-Type" 
nor general "EAP-TLS" or "PEAP" attributes:

radius:~/freeradius-snapshot-20030212/share$ grep EAP dict*
dictionary:ATTRIBUTE    EAP-Message    79    string
dictionary:VALUE    Auth-Type    EAP    6
dictionary.altiga:VALUE    Altiga-PPTP-Min-Authentication-G/U    EAP-MD5    4
dictionary.altiga:VALUE    Altiga-PPTP-Min-Authentication-G/U    EAP-GTC    8
dictionary.altiga:VALUE    Altiga-PPTP-Min-Authentication-G/U    EAP-TLS    16
dictionary.altiga:VALUE    Altiga-L2TP-Min-Authentication-G/U    EAP-MD5    4
dictionary.altiga:VALUE    Altiga-L2TP-Min-Authentication-G/U    EAP-GTC    8
dictionary.altiga:VALUE    Altiga-L2TP-Min-Authentication-G/U    EAP-TLS    16
dictionary.microsoft:ATTRIBUTE    MS-Acct-EAP-Type    24    integer
dictionary.microsoft:VALUE    MS-Acct-Auth-Type    EAP    5
dictionary.microsoft:#    MS-Acct-EAP-Type Values
dictionary.microsoft:VALUE    MS-Acct-EAP-Type    MD5    4
dictionary.microsoft:VALUE    MS-Acct-EAP-Type    OTP    5
dictionary.microsoft:VALUE    MS-Acct-EAP-Type    Generic-Token-Card    6
dictionary.microsoft:VALUE    MS-Acct-EAP-Type    TLS    13
dictionary.usr:VALUE    USR-Auth-Mode    Auth-EAP-Proxy    8

where should i search for it? or should i use a newer dictionary?

ciao
artur


Re: Dialup Admin and CHAP

2004-01-22 Thread Kostas Kalevras
On Wed, 21 Jan 2004, Ryan Yaldor wrote:

>
> Is there a way to use dialup admin if you have to use CHAP authentication?
> I haven't found anywhere to tell dialup admin to store passwords in clear
> text.


4:19pm  /src/cvs/radiusd/dialup_admin/conf # grep clear admin.conf
# can be one of crypt,md5,clear
4:19pm  /src/cvs/radiusd/dialup_admin/conf # grep encryption admin.conf
general_encryption_method: crypt


#
# can be one of crypt,md5,clear
#
general_encryption_method: crypt



>
> Thanks,
>
> Ryan Yaldor
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Exec-Program problem..

2004-01-22 Thread Christian Richter
Andrei Loukinykh wrote:

As in default configuration. nobody/nogroup.

Seems I need to change it to something with root privileges...
to let my program operate in /var/run.. or elsewhere it needs to.
Thank you, I'll try ...
Best regards,
Andy
 

It would be better to let Freeradius access the needed files as nobody. 
Another idea is to put the binary in a group where it can read the files 
(chown : ).
To get the user-id simply type " ps -ux " and search for freeradius.

Greetings



Re: EAP methods

2004-01-22 Thread Kostas Kalevras
On Thu, 22 Jan 2004, Artur Hecker wrote:

> hi kostas
>
>
> thanks for the fast reply.
>
>
> > Search the dictionary for the EAP-Type attribute and its values. You can set it
> > during the authorize phase in order to do a per user selection of the EAP
> > method.
>
> i've searched my dictionary files for EAP and i have neither "EAP-Type"
> nor a general "EAP-TLS" or "PEAP" attributes:
>
> where should i search for it? or should i use a newer dictionary?

update your dictionary files

>
>
> ciao
> artur
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



problem with pptpd+freeradius

2004-01-22 Thread Georgi Ivanov
Hello list, I have freeradius+pptpd+mysql. My problem is: I installed the radius 
plugin, but radius doesn't answer; there is no connection between radius and pptpd.

-- 
Aii Data Processing
System Administrator
IT Department




Re: Exec-Program problem..

2004-01-22 Thread Andrei Loukinykh
Thu, 22 Jan 2004, Christian Richter wrote:

> It would be better to let Freeradius access the needed files as nobody. 
> Another idea is to put the binary in a group where it can read the files 
> (chown : ).
> To get the user-id simply type " ps -ux " and search for freeradius.
  Hmmm ..  I started FR , just for a test, under root:root and the problem
remains. And it's ok with "-X"..


Best regards,
Andy




RE: freeradius with nomadix

2004-01-22 Thread Jeremy Davis



 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ciolo_-^DusT^-_WebMaster
Sent: Thursday, January 22, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: freeradius with nomadix

> there's somebody who already experimented
> freeradius with nomadix...
> If so... can you help me giving me suggestions in
> how to configure freeradius to work with nomadix in the better
> way?

Yes, the nomadix plays nicely with freeradius; radius is radius for the most part,
just add the nomadix just like you would any other RAS.

Jeremy

> thanx a lot
> byez
> CioloWeb


Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Brian Clarkson


Eugene Kandlen wrote:

> Hello.
>
>> In programming language, the packet from the AP to Radius will be
>> encapsulated like:
>>
>>   RADIUS ( EAP ( MSCHAPv2 ) )
> I think it will be like this: radius - eap - tls - peap - mschapv2
>
> authorize {
>   preprocess
> may be mschap here?

not needed

>   eap
>   files
> }
> authenticate {
>   Auth-Type MS-CHAP {
>   mschap
>   }
> eap - here

right.

> }
>
> post-proxy {
> and eap here?
>
> hope this will help you.

[[[ the config ]]]
> modules {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> pam {
> pam_auth = radiusd
> }
> unix {
> cache = no
> cache_reload = 600
> radwtmp = ${logdir}/radwtmp
> }
> eap {
> default_eap_type = md5

change default EAP_TYPE to tls.

> timer_expire = 60
> ignore_unknown_eap_types = no
> md5 {
> }
> tls {
> private_key_password = whatever
> private_key_file = /etc/raddb/cert/cert-srv.pem
> certificate_file = /etc/raddb/cert/cert-srv.pem
> CA_file = /etc/raddb/cert/root.pem
>
> dh_file = /etc/raddb/cert/.dh
> random_file = /etc/raddb/cert/.rnd
> fragment_size = 1024
> include_length = yes
> check_crl = yes
> }
> peap {
> default_eap_type = mschapv2
> }
> mschapv2 {
> }
> }




Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Eugene Kandlen
Hi!

>> eap {
>> default_eap_type = md5
>
> change default EAP_TYPE to tls.

My config works fine.

>> ignore_unknown_eap_types = no


--
Best regards, Eugene Kandlen
Rubtsovsk, inc (http://firma.rubtsovsk.ru)
e-mail: [EMAIL PROTECTED]
Phone/fax: (38557) 4-44-74


RE: Dialup Admin and CHAP

2004-01-22 Thread Ryan Yaldor
Thank you!!  I completely missed that.  Also found you have to change 
sql_password_attribute: User-Password.

Thanks again. 

Ryan Yaldor
VP Technical Development
TampaBay DSL Inc.
The ISP with a difference!
5151 W. Rio Vista Ave.
Tampa,  FL 33634
PH#  813-243-8850
Fax# 813-249-8414
www.tampabaydsl.com
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kostas
Kalevras
Sent: Thursday, January 22, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Dialup Admin and CHAP

On Wed, 21 Jan 2004, Ryan Yaldor wrote:

>
> Is there a way to use dialup admin if you have to use CHAP authentication?
> I haven't found anywhere to tell dialup admin to store passwords in clear
> text.


4:19pm  /src/cvs/radiusd/dialup_admin/conf # grep clear admin.conf
# can be one of crypt,md5,clear
4:19pm  /src/cvs/radiusd/dialup_admin/conf # grep encryption admin.conf
general_encryption_method: crypt


#
# can be one of crypt,md5,clear
#
general_encryption_method: crypt



>
> Thanks,
>
> Ryan Yaldor
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: EAP + System passwords?

2004-01-22 Thread Alan DeKok
[EMAIL PROTECTED] (Nathan Coraor) wrote:
>   That was posed as a question because that was a guess.  It indicated
>   a return 1 and then didn't log anything else... that lead me to
>   believe that was not the intended behaviour.

  The server told you that it was sending a challenge to the client.
The challenge is NOT a failure, or a success.  It's just a challenge.
See the RFCs for further details.

  If you had continued watching the EAP-TLS session, you would see a
series of Access-Requests and Access-Challenges, ending with an
Access-Accept or Access-Reject.

>   Have I configured something improperly?

  No.  You're making a mistake.  You believe you know how EAP-TLS
works, so you're surprised when it doesn't work as expected.  The
solution is to educate yourself as to how EAP-TLS works, and then you
won't be surprised.

  See the HOW-TOs on http://www.freeradius.org/doc/ for examples of
successful EAP-TLS sessions.

  Alan DeKok.



Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Alan DeKok
Brian Clarkson <[EMAIL PROTECTED]> wrote:
> i just went through this.  change:
> 
>  >  users #
>  >
>  > "tester"   Auth-Type :=MS-CHAP, User-Password == "test"
> 
> to Auth-Type:  Local

  No.  Do NOT set Auth-Type at all!  For EAP, the server will figure
it out on its own.

  Alan DeKok.



Re: EAP + System passwords?

2004-01-22 Thread Nathan Coraor
"Alan DeKok" said:
> 
>   No.  You're making a mistake.  You believe you know how EAP-TLS
> works, so you're surprised when it doesn't work as expected.  The
> solution is to educate yourself as to how EAP-TLS works, and then you
> won't be surprised.
> 
>   See the HOW-TOs on http://www.freeradius.org/doc/ for examples of
> successful EAP-TLS sessions.
> 

  I apologize, and thanks for cluing me in.

--nate



Re: Proxying based on Dialed No and no Username.

2004-01-22 Thread Alan DeKok
"Firas Shalabi" <[EMAIL PROTECTED]> wrote:
> I have Radius server Ver. 0.9.3 , we want to proxy the accounting
> info to a remote radius based on Dialed No, no username will be sent
> to the radius, I managed to proxy the accounting requests but with
> username attribute available using the default Realm only ( not
> based on Called-Station-Id) , I got the following when no username
> is used :

  Yes... the "realms" module works only when there is a User-Name
attribute.  So you have two choices:

  1) Make the NAS send a User-Name in the accounting "start"
 See the "doc" directory for NAS-specific files, which may contain
 instructions on how to do this

  2) Use the "acct_users" file to match the request somehow, and then set
 Proxy-To-Realm := "realm"

 The server will then proxy the request to the desired realm.

  Alan DeKok.



Re: Manuals and guides about Freeradius

2004-01-22 Thread Alan DeKok
"Master Brian" <[EMAIL PROTECTED]> wrote:
> I'm looking for pdf or manual over the internet that explain radius
> concept and make example "freeradius oriented". I've already
> downloaded and printed the manual reported in the README that comes
> with freeradius distro. There is anything else over the internet?

  Not really.  Being a "free software" project, there tends to be
little documentation.

  I'd suggest buying the RADIUS book.  It introduces the concepts
fairly well.

  Alan DeKok.



Re: Memory Leak

2004-01-22 Thread Alan DeKok
Bhaskar Bhattarai <[EMAIL PROTECTED]> wrote:
> Recently I ran MemProf (Memory Profiler) against freeradius.  It showed 
> quite a *number* of instances of memory leak (involving ip_getaddr() ). 

  Hmm... I ran "valgrind" against it, and didn't see any memory leak.

  In addition, the function in question does *not* do any memory
allocation.  So if there's a leak, it's in one of the functions it
calls, OR one of the functions it calls allocates memory, but isn't
documented as doing so.

> Any solution already implemented?

  I don't think we need to fix anything.

  Alan DeKok.



Re: Exec-Program problem..

2004-01-22 Thread Alan DeKok
Andrei Loukinykh <[EMAIL PROTECTED]> wrote:
> I'm trying to get my external program to work ( which is in fact -
> a billing program for users' accounting)

  Which version are you using?  If you're not using 0.9.3, upgrade to
it, and then see if the problem persists.

  Alan DeKok.



Re: EAP methods

2004-01-22 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> radius:~/freeradius-snapshot-20030212/share$ grep EAP dict*

  Huh?

  In the CVS head (not 0.9.3), you can do:

bob  EAP-Type == MD5-Challenge, Auth-Type := Reject
 Reply-Message = "EAP-MD5 is insecure.  Go away"

  Alan DeKok.



Re: problem with pptpd+freeradius

2004-01-22 Thread Alan DeKok
Georgi Ivanov <[EMAIL PROTECTED]> wrote:
> Hello list, I have freeradius+pptpd+mysql. My problem is: I
> installed the radius plugin, but radius doesn't answer; there is no connection
> between radius and pptpd.

  I could swear this was in the FAQ...

  Alan DeKok.



Re: Exec-Program problem..

2004-01-22 Thread Andrei Loukinykh
Thu, 22 Jan 2004, Alan DeKok wrote:

> Andrei Loukinykh <[EMAIL PROTECTED]> wrote:
> > I'm trying to get my external program to work ( which is in fact -
> > a billing program for users' accounting)
> 
>   Which version are you using?  If you're not using 0.9.3, upgrade to
> it, and then see if the problem persists.
  0.9.3. And the problem persists as i wrote before unless I start it with
'-X'.
 

Best regards,
Andy




Re: Help! Ascend-Disconnect-Cause=2 .

2004-01-22 Thread Alan DeKok
Alex Radetsky <[EMAIL PROTECTED]> wrote:
>  Using freeradius all our users fors fine, but when I try to
> log in with realm ([EMAIL PROTECTED]) our TNT rejects call after one second.

  Add a reply attribute: Session-Timeout

  Alan DeKok.



Re: Problem with EAP/TLS

2004-01-22 Thread Alan DeKok
Jean-Paul Chapalain <[EMAIL PROTECTED]> wrote:
> I've realized a new test with WindowXP-SP1 client, a Cisco AP1200 (IOS 
> 12.2(11)JA) and my FreeRadius server (snapshot 2004-01-12).
> 
> I've the same result :
> Access-Request seems Ok and comes in to the radius server but it's an 
> Access-Reject that is replied !

  See 'radiusd.conf'.  You have 'usercollide' set to 'yes'.  Set it to
'no'.

  Alan DeKok.



Re: EAP methods

2004-01-22 Thread Artur Hecker
hi

thanks Alan... as Kostas already pointed out, i should update my 
dictionary at least once in a lifetime :-)

thanks once again, it perfectly solves my problem.

>   In the CVS head (not 0.9.3), you can do:

yeah, the name of the directory was terribly misleading... sorry.

ciao
artur

> bob  EAP-Type == MD5-Challenge, Auth-Type := Reject
>  Reply-Message = "EAP-MD5 is insecure.  Go away"
>
>   Alan DeKok.




Using MD5 hashed passwords

2004-01-22 Thread Christophe Saillard
Hi,

Here's what I want to do :

- EAP-TTLS or PEAP authentication with login/password in the second phase (no 
EAP-TLS)
- Users are stored in the local Freeradius Database with Crypt-password 
attributes (MD5 hashed, because logins and passwords come from a Unix User 
Database)
- Authentication leads to assign users in a correct VLAN (Tunnel-Type ... 
attributes)

I've succeeded with PEAP/MSCHAPv2 authentication but my password was in 
clear-text (with Meetinghouse Aegis Client)...

If you have any clue (configuration examples ...) I'll be very happy !!


-- 
Christophe.




Re: Using MD5 hashed passwords

2004-01-22 Thread Alan DeKok
Christophe Saillard <[EMAIL PROTECTED]> wrote:
> Here's what I want to do :
> 
> - EAP-TTLS or PEAP authentication with login/password in the second
>   phase (no EAP-TLS)
> - Users are stored in the local Freeradius Database with Crypt-password 
> attributes (MD5 hashed, because logins and passwords come from a Unix User 
> Database)

  You will only be able to use PAP inside of the tunnel.  See the FAQ,
for PAP & CHAP issues.  The same text applies here.

> I've succeeded with PEAP/MSCHAPv2 authentication but my password was in 
> clear-text (with Meetinghouse Aegis Client)...

  If you put the password in the server in clear-text, that works.
Crypt'd passwords won't work.  Ever.

  Alan DeKok.


Re: Using MD5 hashed passwords

2004-01-22 Thread Artur Hecker
there is no way to use CHAP - enveloped in whatever - with crypted 
passwords. the only remaining way is thus PAP, if you insist on hashed 
passwords. PEAP does not support PAP.

=> use EAP-TTLS/PAP and you can use crypted passwords locally.

CHAP *is* already a hash. it thus needs the original clear-text password 
for verification.

ciao
artur
Christophe Saillard wrote:

> Hi,
>
> Here's what I want to do :
>
> - EAP-TTLS or PEAP authentication with login/password in the second phase (no 
> EAP-TLS)
> - Users are stored in the local Freeradius Database with Crypt-password 
> attributes (MD5 hashed, because logins and passwords come from a Unix User 
> Database)
> - Authentication leads to assign users in a correct VLAN (Tunnel-Type ... 
> attributes)
>
> I've succeeded with PEAP/MSCHAPv2 authentication but my password was in 
> clear-text (with Meetinghouse Aegis Client)...
>
> If you have any clue (configuration examples ...) I'll be very happy !!
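
The point Alan and Artur both make, as an added example that is not from the thread or from FreeRADIUS: a CHAP verifier has to recompute the client's MD5 from the cleartext secret, so a stored one-way hash is useless to it, while PAP hands the server the password itself, which the server can then run through its own hash function. MS-CHAPv2 has the same shape (it needs the NT hash, which cannot be derived from a crypt hash). The sample password, the salt and the salted-MD5 stand-in for a Crypt-Password are assumptions.

```python
import hashlib
import hmac

# Constructed sample credential (not from the thread). The stored value is a
# salted-MD5 stand-in for a Crypt-Password: real crypt(3) MD5-crypt ($1$...)
# iterates differently, but the property that matters here is the same: one-way.
PASSWORD = "s3cret-pw"
SALT = b"ab12"

def crypt_like(password: str, salt: bytes) -> str:
    """One-way salted hash: what the server keeps instead of the password."""
    return hashlib.md5(salt + password.encode()).hexdigest()

STORED_HASH = crypt_like(PASSWORD, SALT)

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: response = MD5(identifier || secret || challenge),
    computed by the client from the cleartext secret it knows."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: str) -> bool:
    """The server must recompute the same MD5, so it needs the same input:
    the cleartext secret. Handing it STORED_HASH instead can never match,
    because the hash is not what went into the client's computation."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)

def verify_pap(password: str, stored_hash: str, salt: bytes) -> bool:
    """PAP inside EAP-TTLS: the password itself arrives (protected only by
    the TLS tunnel), so the server can hash it and compare against storage."""
    return hmac.compare_digest(crypt_like(password, salt), stored_hash)

def demo() -> dict:
    """Run both flows against the same stored hash and report the outcomes."""
    ident, challenge = 7, b"\x10\x32\x54\x76\x98\xba\xdc\xfe"
    resp = chap_response(ident, PASSWORD, challenge)          # client side
    return {
        "chap_with_cleartext": verify_chap(ident, challenge, resp, PASSWORD),
        "chap_with_hash_only": verify_chap(ident, challenge, resp, STORED_HASH),
        "pap_with_hash_only": verify_pap(PASSWORD, STORED_HASH, SALT),
        "pap_wrong_password": verify_pap("guess", STORED_HASH, SALT),
    }
```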


Re: Help using rlm_passwd and rlm_krb5 with a huntgroup?

2004-01-22 Thread Alan DeKok
Matt Garretson <[EMAIL PROTECTED]> wrote:
> My problem is for cases when a user is to be authenticated by
> rlm_krb5 as determined by huntgroup, but also happens to exist in
> the passwd file.  In this case, the user's password is checked
> against the passwd file entry before rlm_krb gets called.  This
> behavior is not what i was hoping for.

  Yes, it's a bug.  The server currently looks for a plain-text, or
crypt'd password found from a DB.  If it sees that, and a PAP password
in the request, it does the authentication itself, and ignores any
Auth-Type.

  It's fixed in the CVS head.

  You can fix this in src/main/auth.c in an older version, by checking
out the latest CVS snapshot, and then doing:

$ cvs diff -u -r1.130 -r1.131 src/main/auth.c

  That will spit out a patch which may be applied to an older version
of the server.

  Alan DeKok.


EAP methods

2004-01-22 Thread Artur Hecker
hi list

if i understand correctly, FR currently does not support EAP method 
restrictions per user (john is to use EAP/TLS but jack is to use 
PEAP/CHAPv2, etc)

alan, would that be difficult to integrate? are there plans to integrate 
this? (i know that patches are always welcome :-))

anyway, it seems to me like a very handy feature because currently FR 
would accept *ANY* supported EAP method for ANY user who is allowed to 
do EAP, right? so i have to restrict the whole server to only one method 
if i want to go for sure... however, in a WLAN you typically have user 
groups which do not have the same access level so the authentication 
could also vary...

ciao
artur


Try to Compile FreeRadius 0.9.3 On Cygwin

2004-01-22 Thread A. Clausen
I am having a good deal of trouble trying to get FreeRadius 0.9.3 compiled
under Cygwin on Windows 2000.  I have been unable to patch the files as per
the CYGWIN document, and attempted compiles keep crashing.  Does anybody
have the FreeRadius source already patched for Cygwin?

-- 
Aaron Clausen

[EMAIL PROTECTED]


Re: LDAP and groups

2004-01-22 Thread Dustin Doris
You need to specify where to look for the group membership.  Comments
below.

On Thu, 22 Jan 2004, Daniel wrote:

> Sorry should have included it in the first place.
>
> Here it is:
>
> ldap {
> server = "127.0.0.1"
> identity = "cn=Manager,dc=test,dc=net,dc=au"
> password = 
> basedn = "dc=test,dc=net,dc=au"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>
> start_tls = no
>
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>   ldap_connections_number = 5
> # password_header = "{clear}"
> # password_attribute = userPassword


> groupname_attribute = cu
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

You need to change above to tell freeradius where to look for the groups
and what attribute stores the group members.  Check doc/rlm_ldap, it
explains it.  Look for groupname_attribute and groupmembership_filter.

> #groupmembership_attribute =
> timeout = 4
> timelimit = 3
> net_timeout = 1
> #compare_check_items = yes
> #access_attr_used_for_allow = yes
> }
>
> User entry:
>
> # testtest, People, test.net.au
> dn: uid=testtest,ou=People,dc=test,dc=net,dc=au
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: testtest
> homeDirectory: /home/testtest
> cn: testtest account
> gidNumber: 1002
> loginShell: /bin/sh
> uidNumber: 502
> userPassword:: 
>
> Group entry:
>
> # disabled, Group, test.net.au
> dn: cn=disabled,ou=Group,dc=test,dc=net,dc=au
> cn: disabled
> gidNumber: 1002
> userPassword:
> objectClass: posixGroup
> memberUid: testtest
>

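
Dustin's point, as an added example that is not from the thread or from FreeRADIUS: Daniel's groupmembership_filter looks for GroupOfNames/GroupOfUniqueNames entries keyed by the user's DN, while his group is a posixGroup keyed by memberUid, so the search can never return it. The evaluator below is a stand-in for the LDAP server's filter matching; POSIX_FILTER is an assumed replacement, to be checked against doc/rlm_ldap for your version.

```python
# Added example (not FreeRADIUS or OpenLDAP code): a minimal LDAP filter
# evaluator, enough to show why the posted groupmembership_filter never
# returns the posixGroup entry above. Equality only, case-insensitive.
USER_DN = "uid=testtest,ou=People,dc=test,dc=net,dc=au"   # from the thread
USER_NAME = "testtest"

# The group entry from the thread, attribute names lower-cased for lookup.
GROUP_ENTRY = {
    "cn": ["disabled"],
    "gidnumber": ["1002"],
    "objectclass": ["posixGroup"],
    "memberuid": ["testtest"],
}

POSTED_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                 "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
# Assumed replacement for posixGroup membership: match memberUid on the user name.
POSIX_FILTER = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"

def expand(filter_str: str) -> str:
    """Substitute the two xlats rlm_ldap would fill in before searching."""
    return (filter_str.replace("%{Ldap-UserDn}", USER_DN)
            .replace("%{Stripped-User-Name:-%{User-Name}}", USER_NAME))

def parse(s: str, i: int = 0):
    """Recursive-descent parse of an RFC 2254 style filter into a tuple tree."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                       # AND / OR over nested filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # consume the closing ')'
    j = s.index(")", i)                    # simple (attr=value) item
    attr, val = s[i:j].split("=", 1)
    return ("=", attr.lower(), val), j + 1

def matches(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, val = node
    return any(v.lower() == val.lower() for v in entry.get(attr, []))

def group_found(filter_str: str, entry: dict = GROUP_ENTRY) -> bool:
    tree, _ = parse(expand(filter_str))
    return matches(tree, entry)
```

Note also that the posted `groupname_attribute = cu` names no attribute of that group entry; its name is carried in `cn`.
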

free/open NAS?

2004-01-22 Thread wEiRDo
anybody out there:
just want to ask if there are available free/open NAS
thank you.
_
Leonardo D. Pabroquez Jr.
00-51582
Department of Computer Science, College of Engineering
University of the Philippines
Diliman, Quezon City


Initial Installation glitch

2004-01-22 Thread Frank Philip
Hi,

I installed the RADIUS server and started it in debug mode, and it ends up
saying “Ready to process request”. But when I open another terminal and use
radtest, it says the server is not responding, and I don’t seem to get any
feedback from the server itself.

I tried to go and find the log file, the one that gets defined when the
server is started, and it does not exist. I am using Red Hat 9.0.

Could use some real urgent help.

Thanks

Philip


Re: Help! Ascend-Disconnect-Cause=2 .

2004-01-22 Thread Alex Radetsky
Dear Alan!

> Alex Radetsky <[EMAIL PROTECTED]> wrote:
> >  Using freeradius all our users fors fine, but when I try to
> > log in with realm ([EMAIL PROTECTED]) our TNT rejects call after one second.
>   Add a reply attribute: Session-Timeout

Attribute 'Session-Timeout' exists in the Reply packet VPS.
Can I repeat my log?



-- 
Alex Radetsky   
AR2657-RIPE
RAD-UANIC


Re: free/open NAS?

2004-01-22 Thread Norguhtar
> just want to ask if there are available free/open NAS

NAS for dialin server: pppd,portslave
NAS for pptp server: pptpd 
NAS for VoIP gatekeeper: gnugk

What do you need?


Re: Orinoco-2500

2004-01-22 Thread Jeff Palmer
Marc,

Do you happen to be using version 1.0.4 of the ap-2500 software?
If so,  have you configured any of the WDS (wireless backhaul) stuff?
I've been in steady contact with proxim for several days regarding a very 
similar issue.

From what I've seen, the reason some of your clients get the blank page is:
the AP-2500 wireless interface is trying to ARP through every IP on the
network, causing IP conflicts with the box already on that IP. Check your ARP
tables on one of your (hardwired) machines; I'd be willing to bet they are
full of AP-2500 MAC addresses assigned to different IPs, hence your weirdness.

The only difference between what I am seeing and what you are describing is
that mine only occurs when I enable wireless backhaul.

As for your IP/subnet question, if you assign it a routable IP, your machine
on the 192.168.x.x network would be able to route to it via its NAT gateway.

As for my particular problem, Proxim thinks I have come across a bug in the
WDS implementation of their software, and are expecting to release a version
2.0 here in the next couple of weeks.

Jeff
[EMAIL PROTECTED]




At 08:23 PM 1/20/2004, Marc Webster wrote:

Ok, I am not a routing expert so please excuse my ignorance about this
subject. I recently purchased an ap-2500 for a neighborhood wisp. I am using
dsl for backhaul to the internet. The dsl modem/router uses NAT
(actiontec1524su). I tried to set up the ap2500 to use ip address 192.168.0.2
and the router/modem lan address is 192.168.0.1. The router/modem is the dhcp
server on the network.

Under this configuration I am getting a lot of weirdness with the network,
mainly that clients will intermittently not connect to the network. Their
dhcp assignments are given to the clients ok, but when you open the browser
it just displays a blank page. As I said, this happens intermittently. I am
speculating that since my modem/router and the ap2500 are both using NAT, it
is creating some sort of conflict that causes the intermittent failures.

The ap2500 manual suggests that I assign the ap2500 a static routable ip
address, which I could do, but the question that now arises is how do I
manage the ap-2500 when my computer has a 192.168.0.x address and the ap2500
is assigned a public routable static address? The two will be on different
subnets and as such I can't manage the ap2500 with the routable ip. Also, if
I use the routable address on the ap2500, do I need to put that ip address in
a dmz on the router, or create some kind of static route on the router, or
what? It would be nice if the orinoco help files would address these issues,
as I am sure that others have the same concerns.

Also, when I do an arp -a on any wireless client the cache shows that the ip
address of the client is mapped to the ap-2500 mac address and not the
wireless client mac. Maybe this gives some clue to what is going on. Anyone
with hotspot experience, I am anxious to hear your solutions.

Thanks in advance, Marc


Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
Alan DeKok wrote:

> No. Do NOT set Auth-Type at all! For EAP, the server will figure
> it out on its own.
>
>  Alan DeKok.

Hi.

Which Auth-Type needs to be set then, EAP? Or should i leave it out of the 
users file (fallthrough, DEFAULT will be used), like

"tester" User-Password == "test"

?

Christian Richter


Re: 802.1x: PEAP + MS-CHAPv2

2004-01-22 Thread Christian Richter
Eugene Kandlen wrote:

Hi!

> My config works fine.

Does your config also work for the integrated Windows supplicant? (No use 
of Aegis.) If you don't know, can you please test it...

Thanks to all for your encouragement!
