rlm_perl.c memory leak

2004-02-09 Thread loz
hi,

When the module rlm_perl is used, and freeradius is restarted multiple times
by using "kill -1 ", then the heap of the radiusd process
grows. After a few restarts all memory is used up. My C is rusty, so I don't
see what causes this memory leak. Anyone else?


loz




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_perl.c multithreaded?

2004-02-09 Thread loz
hi,

Does the rlm_perl module allow for multiple threads to run the authorize
method?

(I tried, and it seems it only allows single threads to execute the methods
at any given time).



loz






Re: [MikroTik] Radius Double login with one Username

2004-02-09 Thread Evren Yurtesen
Well, that's a bug and not a bug at the same time. Because if you are 
doing case checking then sarky and SARKY are different usernames,
thus different users can log in.

Now, the checkrad program doesn't have a switch to figure that out. If you 
want to use case checking or not. It requires further developing. I 
believe other NAS types etc. in checkrad do case checking also. I 
didn't think about it actually hmm...

This is a freeradius related question I think

Evren

sarky wrote:
Hello all

Yes the simultaneous-login is set to 1 :) but I am having a problem with the
same username but different STYLE of typing it.
for example:
username: sarky
logs in and another machine can log on with
username: SARKY
same password
so it looks like by changing the case of the word it works.

Sarky





___
ALL POSTS SHOULD BE ABOUT GENERAL ROUTEROS QUESTIONS
To post to the list, address emails to [EMAIL PROTECTED]
To unsubscribe/subscribe: email to [EMAIL PROTECTED] , 
with text in the body "unsubscribe " or "subscribe"
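
The mismatch discussed in this thread, as an added example that is not checkrad or FreeRADIUS code: when the account lookup ignores case but the session count compares names byte for byte, a second login as "SARKY" is counted as a different user and the limit of 1 is not enforced. The function names, the SIMULTANEOUS_USE constant and the sample session table are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* One row of a session table as an accounting database might keep it. */
struct session {
    const char *user;     /* User-Name exactly as the client typed it */
    const char *nas_ip;   /* NAS that reported the session */
};

/* Constructed sample data: "sarky" is already logged in once. */
static const struct session SAMPLE[] = {
    { "sarky", "192.0.2.10" },
};
static const size_t SAMPLE_COUNT = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

static const char *ACCOUNT = "sarky";  /* name stored in the user database */
#define SIMULTANEOUS_USE 1             /* hypothetical per-user limit */

/* Account lookup that ignores case, which is what the thread's behaviour
 * implies: "SARKY" is accepted with the password of "sarky". */
int account_exists(const char *login)
{
    return strcasecmp(login, ACCOUNT) == 0;
}

/* Count open sessions for `login`. With fold == 0 the comparison is
 * case-sensitive; with fold != 0 it ignores case. */
int open_sessions(const struct session *tbl, size_t n,
                  const char *login, int fold)
{
    size_t i;
    int count = 0;

    for (i = 0; i < n; i++) {
        int same = fold ? strcasecmp(tbl[i].user, login) == 0
                        : strcmp(tbl[i].user, login) == 0;
        if (same)
            count++;
    }
    return count;
}

/* Login decision: the account must exist and the user must be below the
 * session limit. The session check is only sound when it folds case the
 * same way the account lookup does. */
int allow_login(const struct session *tbl, size_t n,
                const char *login, int fold)
{
    if (!account_exists(login))
        return 0;
    return open_sessions(tbl, n, login, fold) < SIMULTANEOUS_USE;
}

int main(void)
{
    /* Case-sensitive session check: the second login is allowed. */
    printf("SARKY, case-sensitive count: %s\n",
           allow_login(SAMPLE, SAMPLE_COUNT, "SARKY", 0) ? "allowed" : "refused");
    /* Session check folded like the account lookup: it is refused. */
    printf("SARKY, case-folded count:    %s\n",
           allow_login(SAMPLE, SAMPLE_COUNT, "SARKY", 1) ? "allowed" : "refused");
    return 0;
}
```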




Re: preproxy for calledstationid to realm

2004-02-09 Thread Alan DeKok
Jim <[EMAIL PROTECTED]> wrote:
> >   If you're trying to set Proxy-to-Realm in that file, and expecting
> > the request to be proxied, it won't work.  You have to decide to proxy
> > requests during the "authorize" stage, which means the "users" file.
> 
> Which is why I had the "preproxy_users" file in the 'files' module in the
> "authorize" stage as I originally had asked.

  That last sentence makes no sense to me.

  The "users" file is what the "files" module processes in the
"authorize" stage.

  The "preproxy_users" file is what the "files" module processes in
the "preproxy" stage.

  I don't understand why you would confuse or mix up those concepts.

> Putting the entry in the
> "users" file accomplished what we're trying to do, except that
> 
>   Called-Station-ID =~ "*1234"
> 
> didn't work

  Of course not.

> until we made it
> 
>   Called-Station-ID == "9876541234"
>
> Is '*' a valid wild card regexp?

  No.

  Alan DeKok.
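
An added example, not part of the original message and not FreeRADIUS code: "*1234" is shell-glob syntax, while the `=~` operator takes a regular expression, where a suffix match is written "1234$". The sketch below assumes the comparison is done with POSIX regcomp() in extended syntax; the helper names ere_match and glob_to_ere are hypothetical, and the sample numbers are the ones quoted in the thread.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* 1 = value matches the POSIX extended regex, 0 = no match,
 * -1 = the pattern did not compile. */
int ere_match(const char *pattern, const char *value)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Translate a shell-style glob ('*' = any run of characters, '?' = any one
 * character) into an anchored extended regex, escaping characters that are
 * regex operators. Returns 0 on success, -1 if `out` is too small. */
int glob_to_ere(const char *glob, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p;

    if (outlen < 3)
        return -1;
    out[n++] = '^';
    for (p = glob; *p != '\0'; p++) {
        /* keep room for up to two characters, the final '$' and the NUL */
        if (n + 4 >= outlen)
            return -1;
        if (*p == '*') {
            out[n++] = '.';
            out[n++] = '*';
        } else if (*p == '?') {
            out[n++] = '.';
        } else {
            if (strchr(".[()+{|^$\\", *p) != NULL)
                out[n++] = '\\';
            out[n++] = *p;
        }
    }
    out[n++] = '$';
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *called = "9876541234";   /* number from the thread */
    const char *other  = "1234987654";   /* constructed counter-example */
    char ere[64];

    if (glob_to_ere("*1234", ere, sizeof(ere)) != 0)
        return 1;
    printf("glob *1234 -> regex %s\n", ere);
    printf("%s matches: %d\n", called, ere_match(ere, called));
    printf("%s matches: %d\n", other, ere_match(ere, other));

    /* The short form: an unanchored regex with only the end anchored. */
    printf("1234$ on %s: %d\n", called, ere_match("1234$", called));

    /* A leading '*' has nothing to repeat; POSIX leaves its meaning in an
     * extended regex undefined, so the result is library-dependent and is
     * only printed here, never relied on. */
    printf("*1234 on %s: %d (implementation-defined)\n",
           called, ere_match("*1234", called));
    return 0;
}
```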



EAP-TTLS

2004-02-09 Thread José Luis Solano




hi all!!

I'm going to use TTLS with my freeRadius 0.8.1. I have used TLS already and
it runs OK, but now I need TTLS too. Currently my code in radius.conf is:

--
# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    #md5 {
    #}

    ## EAP-TLS is highly experimental EAP-Type at the moment.
    #   Please give feedback on the mailing list.
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

        #   If Private key & Certificate are located in the
        #   same file, then private_key_file & certificate_file
        #   must contain the same file name.
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

        #   Trusted Root CA list
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        #
        #   This can never exceed MAX_RADIUS_LEN (4096)
        #   preferably half the MAX_RADIUS_LEN, to
        #   accomodate other attributes in RADIUS packet.
        #   On most APs the MAX packet length is configured
        #   between 1500 - 1600. In these cases, fragment
        #   size should be <= 1024.
        #
        fragment_size = 600

        #   include_length is a flag which is by default set to yes
        #   If set to yes, Total Length of the message is included
        #   in EVERY packet we send.
        #   If set to no, Total Length of the message is included
        #   ONLY in the First packet of a fragment series.
        #
        include_length = yes
    }
}
--

What changes do I need if I want authentication with TLS AND TTLS? Could
anybody help me please???

Thanks a lot in advance!!

---
A little question: Does anybody use the XSupplicant client with TLS and TTLS?

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060



To Alan Dekok: EAP-TTLS

2004-02-09 Thread José Luis Solano



 
Hi Alan!!

I don't know you but I know you are old in this list, so I think you can
help me!!

I'm going to use TTLS with my freeRadius 0.8.1. I have used TLS already and
it runs OK, but now I need TTLS too. Currently my code in radius.conf is:

--
# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    #md5 {
    #}

    ## EAP-TLS is highly experimental EAP-Type at the moment.
    #   Please give feedback on the mailing list.
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

        #   If Private key & Certificate are located in the
        #   same file, then private_key_file & certificate_file
        #   must contain the same file name.
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

        #   Trusted Root CA list
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        #
        #   This can never exceed MAX_RADIUS_LEN (4096)
        #   preferably half the MAX_RADIUS_LEN, to
        #   accomodate other attributes in RADIUS packet.
        #   On most APs the MAX packet length is configured
        #   between 1500 - 1600. In these cases, fragment
        #   size should be <= 1024.
        #
        fragment_size = 600

        #   include_length is a flag which is by default set to yes
        #   If set to yes, Total Length of the message is included
        #   in EVERY packet we send.
        #   If set to no, Total Length of the message is included
        #   ONLY in the First packet of a fragment series.
        #
        include_length = yes
    }
}
--

What changes do I need if I want authentication with TLS AND TTLS? Could
anybody help me please???

Thanks a lot in advance!!

---
A little question: Does anybody use the XSupplicant client with TLS and TTLS?

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060



Re: rlm_perl.c multithreaded?

2004-02-09 Thread Boian Jordanov
On Mon, Feb 09, 2004 at 09:24:05AM +0100, loz wrote:
> hi,
> 
> Does the rlm_perl module allow for multiple threads to run the authorize
> method?
> 

You need to have a perl compiled with these options: MULTIPLICITY USE_ITHREADS
PERL_IMPLICIT_CONTEXT. Then you will have a pool of perl interpreters.

> (I tried, and it seems it only allows single threads to execute the methods
> at any given time).

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - the Internet Company
tel. +359 2 937 07 23



Re: rlm_perl.c memory leak

2004-02-09 Thread Boian Jordanov
On Mon, Feb 09, 2004 at 09:17:24AM +0100, loz wrote:
> hi,
> 
> When the module rlm_perl is used, and freeradius is restarted multiple times
> by using "kill -1 ", then the heap of the radiusd process
> grows. After a few restarts all memory is used up. My c is rusty, so I don't
> see what causes this memory leak. Anyone else?
>

Try to find a patch that I sent to freeradius-devel and apply it on the CVS
version of rlm_perl. Just tell me if you can't find it, I will send it 
directly to you.

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - the Internet Company
tel. +359 2 937 07 23



RE: PAP Challenge password change

2004-02-09 Thread David Lomax
Ok, I was led to believe it could use the challenge password.
How do I send a Challenge Packet ?

Dave

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 07, 2004 9:24 PM
To: [EMAIL PROTECTED]
Subject: Re: PAP Challenge password change 


David Lomax <[EMAIL PROTECTED]> wrote:
> I am trying to emulate a feature that is in the RSA ACE Radius server. 
> It allows you to schedule a password change so when you login you are 
> asked to change your password.

  FreeRADIUS doesn't support password change packets.

  Alan DeKok.



Re: PAP Challenge password change

2004-02-09 Thread Alan DeKok
David Lomax <[EMAIL PROTECTED]> wrote:
> Ok, I was led to believe it could use the challenge password.

  By what document?

> How do I send a Challenge Packet ?

  For changing passwords?  You don't.  It won't work.

  Alan DeKok.



Re: WPA group key exchange -

2004-02-09 Thread Alan DeKok
"Singh, Alok" <[EMAIL PROTECTED]> wrote:
> I'm trying to test EAPOL-Key(4-way and group key handshaking) exchange
> between the AP and the STA (Win XP-SP1-WPA).

  Does this have anything to do with RADIUS or FreeRADIUS?

  Alan DeKok.



RE: PAP Challenge password change

2004-02-09 Thread David Lomax
Alan,

Thanks for your help so far. I am trying to find a way to send a Challenge
back to the client. Are you telling me that the vanilla FreeRadius will not
allow me to send a Challenge to the user when they attempt an Auth?

I have the trace from an Ace Radius server that does have this feature and I
would like to put it into the FreeRadius version we are going to run. This
will be running a DB of 6000 users and we need a Password change feature. The
exchange will be done over a VPN connection so I am not worried about
security.

The Ace Radius does as shown in the attached capture file. If this is
impossible by amending the DB, what part of the code should I look at to add
it?

Thanks


Dave



-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 09, 2004 10:17 AM
To: [EMAIL PROTECTED]
Subject: Re: PAP Challenge password change 


David Lomax <[EMAIL PROTECTED]> wrote:
> Ok, I was led to believe it could use the challenge password.

  By what document?

> How do I send a Challenge Packet ?

  For changing passwords?  You don't.  It won't work.

  Alan DeKok.




PWChange2.cap
Description: Binary data


Re: Freeradius PEAP Problems

2004-02-09 Thread Alan DeKok
"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



Re: PAP Challenge password change

2004-02-09 Thread Alan DeKok
David Lomax <[EMAIL PROTECTED]> wrote:
> Thanks for your help so far. I am trying to find a way to send a Challenge
> back to the client.
> Are you telling me that the vanilla FreeRadius will not allow me to send a
> Challenge to the user
> When they attempt an Auth ?

  What will you challenge the user with?  Why?  What will you do with
the response to the challenge?

  If you don't know the answers to those questions, you're wasting
your time trying to get the server to send challenges.

  For the record, the server CAN and DOES issue challenges... when
it's appropriate.

> I have the trace from an Ace Radius server that does have this feature and I
> would like to put it
> Into the FreeRadius version we are going to run.

  Do you understand what that packet trace does?  So far, it looks
like you don't.

> The Ace Radius does as shown in the attached capture file.

  It's not plain-text, so I'm not going to jump through hoops trying
to figure out how to read it.

> If this is
> impossible by amending the DB
> What part of the code should I look at to add it ?

  If you can't explain what happens during the packet trace, you won't
be able to change any of the code to do anything useful.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Hi Lionel!!


I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
one, TLS, runs OK, but TTLS and PEAP don't run OK. My first target now is to
run TTLS and I will run PEAP after. So, can you help me please? Currently, my
radiusd.conf is:


# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = tls

    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60

    # Supported EAP-types
    #md5 {
    #}

    ## EAP-TLS is highly experimental EAP-Type at the moment.
    #   Please give feedback on the mailing list.
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

        #   If Private key & Certificate are located in the
        #   same file, then private_key_file & certificate_file
        #   must contain the same file name.
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

        #   Trusted Root CA list
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        #
        #   This can never exceed MAX_RADIUS_LEN (4096)
        #   preferably half the MAX_RADIUS_LEN, to
        #   accomodate other attributes in RADIUS packet.
        #   On most APs the MAX packet length is configured
        #   between 1500 - 1600. In these cases, fragment
        #   size should be <= 1024.
        #
        fragment_size = 600

        #   include_length is a flag which is by default set to yes
        #   If set to yes, Total Length of the message is included
        #   in EVERY packet we send.
        #   If set to no, Total Length of the message is included
        #   ONLY in the First packet of a fragment series.
        #
        include_length = yes
    }
}
--

What changes do I need to use TTLS?



Thanks in advance Lionel!!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems


> Hi,
>
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.
>
> Extract of the log:
>
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> modcall: entering group Auth-Type for request 6
> rlm_mschap: We require a User-Name for MS-CHAPv2
>   modcall[authenticate]: module "mschap" returns invalid for request 6
> modcall: group Auth-Type returns invalid for request 6
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 6
> modcall: group authenticate returns reject for request 6
> auth: Failed to validate the user.
>   PEAP: Got tunneled reply RADIUS code 3
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
>   modcall[authenticate]: module "eap" returns handled for request 6
> modcall: group authenticate returns handled for request 6
> Sending Access-Challenge of id 179 to 139.165.212.248:21648
> EAP-Message =
>
0x0109004819001703010018ac414f6ecefb1195938be450e38551daade29cc502427c8d1703
> 0100200deeb0441302502f9721238326439a05db8a1f2e0974378092c076a44c9297b4
> Message-Authenticator = 0x
> State = 0x13eb44c46fbe30f082eaf7522f3c315e
> Finished request 6
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 139.165.212.248:21648, id=180,
> length=168
> User-Name = "lga"
> Framed-MTU = 1400
> Called-Station-Id = "000c.304f.75da"
> Calling-Station-Id = "000c

RE: PAP Challenge password change

2004-02-09 Thread David Lomax
Alan,

Sorry, yes, I am a little green behind the ears on this topic. However I would
like to get a better understanding.
Attached (this time) is a TXT version of my capture. Sorry, last time I sent
the ethereal version.

Looking at what the other server does, the Challenge data is stored then
another Access-Challenge is sent.
They compare the two strings and then change the DB password. Or at least
that's what I get from this trace.
I am sure this is very non standard, however I would like to mirror this
behavior. I was led to believe that
this is a feature a lot of PAP Radius servers have.

If I have said anything even more stupid please go easy on me, I do learn
fast.

Thanks

Dave

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 09, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: PAP Challenge password change 


David Lomax <[EMAIL PROTECTED]> wrote:
> Thanks for your help so far. I am trying to find a way to send a 
> Challenge back to the client. Are you telling me that the vanilla 
> FreeRadius will not allow me to send a Challenge to the user
> When they attempt an Auth ?

  What will you challenge the user with?  Why?  What will you do with the
response to the challenge?

  If you don't know the answers to those questions, you're wasting your time
trying to get the server to send challenges.

  For the record, the server CAN and DOES issue challenges... when it's
appropriate.

> I have the trace from an Ace Radius server that does have this feature 
> and I would like to put it Into the FreeRadius version we are going to 
> run.

  Do you understand what that packet trace does?  So far, it looks like you
don't.

> The Ace Radius does as shown in the attached capture file.

  It's not plain-text, so I'm not going to jump through hoops trying to
figure out how to read it.

> If this is
> impossible by amending the DB
> What part of the code should I look at to add it ?

  If you can't explain what happens during the packet trace, you won't be
able to change any of the code to do anything useful.

  Alan DeKok.


Frame 1 (116 bytes on wire, 116 bytes captured)
Arrival Time: Feb  6, 2004 14:23:24.99000
Time delta from previous packet: 0.0 seconds
Time since reference or first frame: 0.0 seconds
Frame Number: 1
Packet Length: 116 bytes
Capture Length: 116 bytes
Ethernet II, Src: 00:a0:35:01:13:9c, Dst: 00:a0:c9:c9:2b:6b
Destination: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
Source: 00:a0:35:01:13:9c (Cylink_01:13:9c)
Type: IP (0x0800)
Internet Protocol, Src Addr: 65.163.78.61 (65.163.78.61), Dst Addr: 65.163.78.44 
(65.163.78.44)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 102
Identification: 0x2a58 (10840)
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 30
Protocol: UDP (0x11)
Header checksum: 0x5280 (correct)
Source: 65.163.78.61 (65.163.78.61)
Destination: 65.163.78.44 (65.163.78.44)
User Datagram Protocol, Src Port: 42245 (42245), Dst Port: radius (1812)
Source port: 42245 (42245)
Destination port: radius (1812)
Length: 82
Checksum: 0x (none)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x4 (4)
Length: 74
Authenticator
Attribute value pairs
t:NAS identifier(32) l:9, Value:"NAME_ME"
t:NAS Port Type(61) l:6, Value:Virtual(5)
t:Calling Station Id(31) l:14, Value:"172.16.8.124"
t:User Name(1) l:7, Value:"test1"
t:User Password(2) l:18, Value:"íá³0Ì\015J0a\004M Ç\033Õ\030"


Frame 2 (134 bytes on wire, 134 bytes captured)
Arrival Time: Feb  6, 2004 14:23:25.070122000
Time delta from previous packet: 0.080122000 seconds
Time since reference or first frame: 0.080122000 seconds
Frame Number: 2
Packet Length: 134 bytes
Capture Length: 134 bytes
Ethernet II, Src: 00:a0:c9:c9:2b:6b, Dst: 00:01:30:57:28:00
Destination: 00:01:30:57:28:00 (ExtremeN_57:28:00)
Source: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
Type

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage

Activated the TTLS module:

ttls {
default_eap_type = md5
use_tunneled_reply = no
}

and it's all.


Lionel Gavage


Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Thanks Thanks Thanks Thanks a lot Lionel!!!

Good luck with your problem


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

If you always have a problem don't hesitate ;)


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday 9 February 2004 17:17
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Thanks Thanks Thanks Thanks a lot Lionel!!!

Good luck with your problem


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems


>
> Activated the TTLS module:
>
> ttls {
> default_eap_type = md5
> use_tunneled_reply = no
> }
>
> and it's all.
>
>
> Lionel Gavage
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
> Hi Lionel!!
>
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> one, TLS run OK, but TTLS and PEAP don't run OK. My first target now is run
> TTLS and I will run PEAP after. So, can you help me please?. Currently, my
> radiusd.conf is:
>
> 
>  # Extensible Authentication Protocol
> #
> #  For all EAP related authentications
> eap {
> # Invoke the default supported EAP type when
> # EAP-Identity response is received
> default_eap_type = tls
>
> # Default expiry time to clean the EAP list,
> # It is maintained to co-relate the
> # EAP-response for each EAP-request sent.
> timer_expire = 60
>
> # Supported EAP-types
> #md5 {
> #}
>
> ## EAP-TLS is highly experimental EAP-Type at the moment.
> #   Please give feedback on the mailing list.
> tls {
> private_key_password = izadisan
> private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
>
> #   If Private key & Certificate are located in the
> #   same file, then private_key_file & certificate_file
> #   must contain the same file name.
> certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
>
> #   Trusted Root CA list
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> #
> #   This can never exceed MAX_RADIUS_LEN (4096)
> #   preferably half the MAX_RADIUS_LEN, to
> #   accommodate other attributes in RADIUS packet.
> #   On most APs the MAX packet length is configured
> #   between 1500 - 1600. In these cases, fragment
> #   size should be <= 1024.
> #
> fragment_size = 600
>
> #   include_length is a flag which is by default set to yes
> #   If set to yes, Total Length of the message is included
> #   in EVERY packet we send.
> #   If set to no, Total Length of the message is included
> #   ONLY in the First packet of a fragment series.
> #
> include_length = yes
> }
> }
> --
>
> What changes I need to use TTLS?
>
>
>
> Thanks in advance Lionel!!!
>
>
>
> José Luis Solano
> SGI - Soluciones Globales Internet S.A.
> Delegación Regional Sur
> [EMAIL PROTECTED]
> (+34) 954.088.060
> - Original Message -
> From: "Lionel Gavage" <[EMAIL PROTECTED]>
> To: "freeradius-users" <[EMAIL PROTECTED]>
> Sent: Monday, February 09, 2004 4:23 PM
> Subject: Freeradius PEAP Problems
>
>
> > Hi,
> >
> > I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> > I try to set up PEAP/MS-CHAPv2 but i've the error "rlm_mschap: We require a
> > User-Name for MS-CHAPv2".
> > However I sending well a login/pass. I use Aegis Client under Windows XP.
> >
> > Extract of the log:
> >
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate for request 6
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/mschapv2
> >   rlm_eap: processing type mschapv2
> > modcall: entering group Auth-Type for request 6
> > rlm_mschap: We require a User-Name for MS-CHAPv2
> >   modcall[authenticate]: module "mschap" returns invalid for request 6
> > modcall: group Auth-Type returns invalid for requ

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage

I specified : "default_eap_type = peap"  in EAP module ...

Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Monday 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but i've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



Re: Double Logins

2004-02-09 Thread Guy Fraser
Byron NQ Support wrote:

Can anyone tell me all the files that need edited so my customers can not double log in. I have gone through and setup what I thought would work but I am still seeing double log ins

Thank You in Advance 
Byron
 

Read the documentation, look for "Simultaneous-Use" and checkrad.





Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano

Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
   default_eap_type = tls !!
   timer_expire = 60

#md5 {
#}

tls {
private_key_password = izadisan
private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 600
include_length = yes
}

ttls {
default_eap_type = md5
!
 use_tunneled_reply = no
}
}

is it correct

My freeRADIUS is 0.8.1, TTLS runs with this version?
For "default_eap_type" is possible md5 value only?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems


>
> Activated the TTLS module:
>
> ttls {
> default_eap_type = md5
> use_tunneled_reply = no
> }
>
> and it's all.
>
>
> Lionel Gavage
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
> Hi Lionel!!
>
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> one, TLS run OK, but TTLS and PEAP don't run OK. My first target now is run
> TTLS and I will run PEAP after. So, can you help me please?. Currently, my
> radiusd.conf is:
>
> 
>  # Extensible Authentication Protocol
> #
> #  For all EAP related authentications
> eap {
> # Invoke the default supported EAP type when
> # EAP-Identity response is received
> default_eap_type = tls
>
> # Default expiry time to clean the EAP list,
> # It is maintained to co-relate the
> # EAP-response for each EAP-request sent.
> timer_expire = 60
>
> # Supported EAP-types
> #md5 {
> #}
>
> ## EAP-TLS is highly experimental EAP-Type at the moment.
> #   Please give feedback on the mailing list.
> tls {
> private_key_password = izadisan
> private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
>
> #   If Private key & Certificate are located in the
> #   same file, then private_key_file & certificate_file
> #   must contain the same file name.
> certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
>
> #   Trusted Root CA list
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> #
> #   This can never exceed MAX_RADIUS_LEN (4096)
> #   preferably half the MAX_RADIUS_LEN, to
> #   accommodate other attributes in RADIUS packet.
> #   On most APs the MAX packet length is configured
> #   between 1500 - 1600. In these cases, fragment
> #   size should be <= 1024.
> #
> fragment_size = 600
>
> #   include_length is a flag which is by default set to yes
> #   If set to yes, Total Length of the message is included
> #   in EVERY packet we send.
> #   If set to no, Total Length of the message is included
> #   ONLY in the First packet of a fragment series.
> #
> include_length = yes
> }
> }
> --
>
> What changes I need to use TTLS?
>
>
>
> Thanks in advance Lionel!!!
>
>
>
> José Luis Solano
> SGI - Soluciones Globales Internet S.A.
> Delegación Regional Sur
> [EMAIL PROTECTED]
> (+34) 954.088.060
> - Original Message -
> From: "Lionel Gavage" <[EMAIL PROTECTED]>
> To: "free

Re: Mobile IP Support

2004-02-09 Thread Chris Parker
At 10:19 AM 2/9/2004, Guy Fraser wrote:
kiko kix wrote:

Hi!

I'm studying the components of the CDMA2000 1xEVDO architecture. One of 
the components in the Packet Data system is the AAA server.

 I'm making a comparison between the Cisco Access Registrar, Steel 
Belted Radius and FreeRadius.

Does freeradius support Mobile IP or EVDO ?  Thanks.

Francis
What are they?
L2 Transport methods.  They have nothing themselves to do with RADIUS.  The
access hardware that provides the services may well be configured to speak
RADIUS.  If the RADIUS implementations on the access hardware uses standard
RADIUS methods then there's no reason why FreeRADIUS can't support them.
The original poster is trying to compare/review products which are completely
unrelated.  It's like asking about who manufactures the best LCD flat panel
displays, ConAgra or General Mills?  :)
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

I use a freeradius snapshot because TTLS isn't in rpm package.
You must have the TLS module to use TTLS module.

The directive "default_eap_type" (in EAP module) must be fixed at "tls".
It's right
And the "default_eap_type" (in TTLS module) to "md5". It's right too.

I can send my config file to you if u want.

Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems



Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
   default_eap_type = tls !!
   timer_expire = 60

#md5 {
#}

tls {
private_key_password = izadisan
private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
dh_file = /usr/local/openssl/ssl/certs/dh
random_file = /usr/local/openssl/ssl/certs/random
fragment_size = 600
include_length = yes
}

ttls {
default_eap_type = md5
!
 use_tunneled_reply = no
}
}

is it correct

My freeRADIUS is 0.8.1, TTLS runs with this version?
For "default_eap_type" is possible md5 value only?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:59 PM
Subject: RE: Freeradius PEAP Problems


>
> Activated the TTLS module:
>
> ttls {
> default_eap_type = md5
> use_tunneled_reply = no
> }
>
> and it's all.
>
>
> Lionel Gavage
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday 9 February 2004 17:03
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
> Hi Lionel!!
>
>
> I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> one, TLS run OK, but TTLS and PEAP don't run OK. My first target now is run
> TTLS and I will run PEAP after. So, can you help me please?. Currently, my
> radiusd.conf is:
>
> 
>  # Extensible Authentication Protocol
> #
> #  For all EAP related authentications
> eap {
> # Invoke the default supported EAP type when
> # EAP-Identity response is received
> default_eap_type = tls
>
> # Default expiry time to clean the EAP list,
> # It is maintained to co-relate the
> # EAP-response for each EAP-request sent.
> timer_expire = 60
>
> # Supported EAP-types
> #md5 {
> #}
>
> ## EAP-TLS is highly experimental EAP-Type at the moment.
> #   Please give feedback on the mailing list.
> tls {
> private_key_password = izadisan
> private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
>
> #   If Private key & Certificate are located in the
> #   same file, then private_key_file & certificate_file
> #   must contain the same file name.
> certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
>
> #   Trusted Root CA list
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
>
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> #
> #   This can never exceed MAX_RADIUS_LEN (4096)
> #   preferably half the MAX_RADIUS_LEN, to
> #   accommodate other attributes in RADIUS packet.
> #   On most APs the MAX packet length is configured
> #   between 1500 - 1600. In these cases, fragment
> #   size should be <= 1024.
> #
> fragment_size = 600
>
> #   include_length is a flag which is by default set to yes
> #   If set to yes, Total Length of the message is included
> #   in EVERY packet we send.
> #   If set to no, To

Re: Mobile IP Support

2004-02-09 Thread Guy Fraser
kiko kix wrote:

Hi!
 
I'm studying the components of the CDMA2000 1xEVDO architecture. One 
of the components in the Packet Data system is the AAA server.
 
 I'm making a comparison between the Cisco Access Registrar, Steel 
Belted Radius and FreeRadius.
 
Does freeradius support Mobile IP or EVDO ? 
 
Thanks.
 
Francis
What are they?

These may be features that are supported, but they are using proprietary names.

You're doing the research, don't make us do the leg work to figure out what these things are, and what they do.

Have a nice day







Re: Freeradius PEAP Problems

2004-02-09 Thread José Luis Solano
Hi again and sorry if I ask you a lot!!


If you want to send me your radiusd.conf, it will be "très bien" for me. So,
please send me your file if it's possible.


See you later!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 5:31 PM
Subject: RE: Freeradius PEAP Problems


> Hi José,
>
> I use a freeradius snapshot because TTLS isn't in rpm package.
> You must have the TLS module to use TTLS module.
>
> The directive "default_eap_type" (in EAP module) must be fixed at "tls".
> It's right
> And the "default_eap_type" (in TTLS module) to "md5". It's right too.
>
> I can send my config file to you if u want.
>
> Lionel Gavage
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] on behalf of José
> Luis Solano
> Sent: Monday 9 February 2004 17:32
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius PEAP Problems
>
>
>
> Sorry Lionel!!! Another question.
>
> I have changed my radiusd.conf and I have activated the TTLS module. But
> now, there are two modules activated, is it a problem?
>
>
> eap {
>    default_eap_type = tls !!
>    timer_expire = 60
>
> #md5 {
> #}
>
> tls {
> private_key_password = izadisan
> private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
> certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
> CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
> dh_file = /usr/local/openssl/ssl/certs/dh
> random_file = /usr/local/openssl/ssl/certs/random
> fragment_size = 600
> include_length = yes
> }
>
> ttls {
> default_eap_type = md5
> !
>  use_tunneled_reply = no
> }
> }
>
> is it correct
>
> My freeRADIUS is 0.8.1, TTLS runs with this version?
> For "default_eap_type" is possible md5 value only?
>
>
>
> Thanks again Lionel
>
>
>
>
> José Luis Solano
> SGI - Soluciones Globales Internet S.A.
> Delegación Regional Sur
> [EMAIL PROTECTED]
> (+34) 954.088.060
> - Original Message -
> From: "Lionel Gavage" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, February 09, 2004 4:59 PM
> Subject: RE: Freeradius PEAP Problems
>
>
> >
> > Activated the TTLS module:
> >
> > ttls {
> > default_eap_type = md5
> > use_tunneled_reply = no
> > }
> >
> > and it's all.
> >
> >
> > Lionel Gavage
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] on behalf of José
> > Luis Solano
> > Sent: Monday 9 February 2004 17:03
> > To: [EMAIL PROTECTED]
> > Subject: Re: Freeradius PEAP Problems
> >
> >
> > Hi Lionel!!
> >
> >
> > I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
> > one, TLS run OK, but TTLS and PEAP don't run OK. My first target now is run
> > TTLS and I will run PEAP after. So, can you help me please?. Currently, my
> > radiusd.conf is:
> >
> > 
> >  # Extensible Authentication Protocol
> > #
> > #  For all EAP related authentications
> > eap {
> > # Invoke the default supported EAP type when
> > # EAP-Identity response is received
> > default_eap_type = tls
> >
> > # Default expiry time to clean the EAP list,
> > # It is maintained to co-relate the
> > # EAP-response for each EAP-request sent.
> > timer_expire = 60
> >
> > # Supported EAP-types
> > #md5 {
> > #}
> >
> > ## EAP-TLS is highly experimental EAP-Type at the moment.
> > #   Please give feedback on the mailing list.
> > tls {
> > private_key_password = izadisan
> > private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
> >
> > #   If Private key & Certificate are located in the
> > #   same file, then private_key_file & certificate_file
> > #   must contain the same file name.
> > certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
> >
> > #   Trusted Root CA list
> > CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
> >
> > dh_file = /usr/local/openssl/ssl/certs/dh
> > random_file = /usr/local/openssl/ssl/certs/random
> >

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Oki thks Alan i found thanks to you.

I added "copy_request_to_tunnel = yes" in the PEAP module and set
"default_eap_type = peap"  in EAP module to "default_eap_type = tls"

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED] Tél: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems



I specified : "default_eap_type = peap"  in EAP module ...

Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Monday 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but i've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Sorry it doesn't work :(


Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday 9 February 2004 17:48
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


Oki thks Alan i found thanks to you.

I added "copy_request_to_tunnel = yes" in the PEAP module and set
"default_eap_type = peap"  in EAP module to "default_eap_type = tls"

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED] Tél: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday 9 February 2004 17:19
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems



I specified : "default_eap_type = peap"  in EAP module ...

Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Monday 9 February 2004 16:49
To: [EMAIL PROTECTED]
Subject: RE: Freeradius PEAP Problems


even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Monday 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but i've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



how to setup clients.conf to allow clients from all subnet

2004-02-09 Thread Jian Wu
Dear all,

I believe this question may have been asked many times, but I don't find it
in FAQ. So here it comes.
I know the answer is not 0.0.0.0/0.

Thanks,

Jian





see the list of users

2004-02-09 Thread hulusi onder
hi everybody;
i am running FreeRadius 0.9.3. i would like to learn if i can see the list of all authenticated users and the user that are not let to the system. does FreeRadius do this or should i add something else to obtain this data?
thanks.
 

RES: Merging Detail Files

2004-02-09 Thread Sérgio José Ferreira
maybe you can do:

cat file >> bigfile ?

is it ?


Sergio Jose Ferreira
WGO Internet

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Matt
Sent: Monday, 9 February 2004 18:41
To: [EMAIL PROTECTED]
Subject: Merging Detail Files


I want to merge a bunch of detail files into one big file so I can run
radiusreport on it.  Anyone tell me how to do that?

Matt




RE: Merging Detail Files

2004-02-09 Thread Ernesto Freyre
perhaps using:


 cat detail_file1 detail_file2 detail_file3 > result_file

?


Ernesto Freyre R.
Área de Operaciones
Qnet - Servicios Internet
Teléfono. 241-4122 anexo 2245
www.qnet.com.pe
- Original Message -
From: Matt <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:41 PM
Subject: Merging Detail Files


> I want to merge a bunch of detail files into one big file so I can run
> radiusreport on it.  Anyone tell me how to do that?
>
> Matt
>
>


Re: Merging Detail Files

2004-02-09 Thread Simon Byrnand
At 10:41 10/02/2004, Matt wrote:
I want to merge a bunch of detail files into one big file so I can run
radiusreport on it.  Anyone tell me how to do that?
Matt
Merging them into one file in chronological order ? No doubt there is a 
perl script out there that can do it, but are you sure that radiusreport 
can't read multiple detail files and handle it itself ? I know that 
RadiusContext (what I use) can...

Trying to merge them is an extra step that shouldn't be necessary if you 
use the right software to analyze them.

Regards,
Simon


Re: Merging Detail Files

2004-02-09 Thread Jeff Gojkovich
Radiusreport can read multiple files.

radiusreport -t -l username -f
/var/adm/radacct/xxx.xxx.xxx.xxx/detail:/var/adm/radacct/xxx.xxx.xxx.xxx/detail:/var/adm/radacct/xxx.xxx.xxx.xxx/detail

--
Jeff

> At 10:41 10/02/2004, Matt wrote:
>>I want to merge a bunch of detail files into one big file so I can run
>>radiusreport on it.  Anyone tell me how to do that?
>>
>>Matt
>
> Merging them into one file in chronological order ? No doubt there is a
> perl script out there that can do it, but are you sure that radiusreport
> can't read multiple detail files and handle it itself ? I know that
> RadiusContext (what I use) can...
>
> Trying to merge them is an extra step that shouldn't be necessary if you
> use the right software to analyze them.
>
> Regards,
> Simon
>
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
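
The chronological merge Simon mentions in this thread, as an added example that is not from any poster or from radiusreport. It assumes the usual detail layout (a ctime-style header line, indented "Attribute = value" lines, a blank line between records); the sample records and session ids are constructed.

```python
import heapq
import io
from datetime import datetime
from itertools import chain

# Each detail record starts with a ctime-style header line,
# e.g. "Mon Feb  9 10:41:03 2004" (assumed layout, see lead-in).
HEADER_FORMAT = "%a %b %d %H:%M:%S %Y"


def read_records(stream):
    """Yield (datetime, record_text) for every record in one detail file."""
    lines = []
    # The extra "" acts as a final blank line so the last record is flushed.
    for raw in chain(stream, [""]):
        line = raw.rstrip("\r\n")
        if line.strip():
            lines.append(line)
            continue
        if not lines:
            continue
        try:
            stamp = datetime.strptime(lines[0].strip(), HEADER_FORMAT)
        except ValueError:
            # No parsable header: a fragment left by log rotation or a
            # half-written record. Drop it instead of guessing its time.
            stamp = None
        if stamp is not None:
            yield stamp, "\n".join(lines)
        lines = []


def merge_detail(streams):
    """Return one detail text with the records of all streams in time order.

    Each input must already be chronological, which holds for files the
    server only appends to. Records with equal timestamps keep the order
    of the input list.
    """
    per_file = [read_records(s) for s in streams]
    merged = heapq.merge(*per_file, key=lambda rec: rec[0])
    return "".join(text + "\n\n" for _, text in merged)


# Constructed sample input: two NAS detail files with interleaved times.
NAS_A_DETAIL = (
    "Mon Feb  9 10:41:03 2004\n"
    "\tUser-Name = \"fredf\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tAcct-Session-Id = \"A-1\"\n"
    "\n"
    "Mon Feb  9 11:05:40 2004\n"
    "\tUser-Name = \"fredf\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Session-Id = \"A-1\"\n"
    "\n"
)
NAS_B_DETAIL = (
    # Constructed fragment whose header line was lost; it must be skipped.
    "\tAcct-Session-Id = \"B-0\"\n"
    "\tAcct-Status-Type = Stop\n"
    "\n"
    "Mon Feb  9 10:55:12 2004\n"
    "\tUser-Name = \"barneyr\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tAcct-Session-Id = \"B-1\"\n"
    "\n"
    "Tue Feb 10 09:00:00 2004\n"
    "\tUser-Name = \"frog\"\n"
    "\tAcct-Status-Type = Start\n"
    "\tAcct-Session-Id = \"B-2\"\n"
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Real use: pass the detail file paths as arguments.
        handles = [open(p, encoding="utf-8", errors="replace")
                   for p in sys.argv[1:]]
    else:
        handles = [io.StringIO(NAS_A_DETAIL), io.StringIO(NAS_B_DETAIL)]
    sys.stdout.write(merge_detail(handles))
```

Unlike plain `cat`, this keeps Start and Stop records from different NAS directories in the order they happened, which matters when the merged file is read as a session timeline.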


Re: freeRADIUS: Livingston PM

2004-02-09 Thread Richard Bradley
You are correct my Portmasters are transmitting on 1645/1646 and my
RADIUS is listening on 1812/1813.  How do I change my RADIUS
configuration to listen on 1812/1813?
On Sunday, February 8, 2004, at 07:17 PM, Chris Parker wrote:

At 05:15 PM 2/8/2004, Richard Bradley wrote:
Does anyone have suggestions why freeRADIUS is not picking up the  
Livingston PM3?

freeRADIUS starts and I set the AUTH and ACCOUNTING toward the
freeRADIUS server and it never picks it up.  I'll take someone  
fishing if they figure it out:-) http://www.lagooner.com
What ports is freeRADIUS listening on, and what ports is the PM3 sending
to?  One is likely set to 1645/1646, and the other set to 1812/1813.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo-- 
\--
  \ Wholesale Internet Services -  
http://www.megapop.net





About use FreeRadius with postgresql

2004-02-09 Thread Yuset Amado Calzadilla Cámbara

Re: About use FreeRadius with postgresql

2004-02-09 Thread Guy Fraser
Yuset Amado Calzadilla Cámbara wrote:

Can I install freeradius with postgresql using my own tables and not 
the tables given in rlm_postgresql??
Yes, you will likely need to create your own queries in postgresql.conf 
as well.





Can't get Crypt-Password to work in SQL

2004-02-09 Thread Guy Fraser
I have scrubbed my RnD machine and installed FreeBSD 5.2, and installed
FreeRadius from CVS on 2004 Feb 06 16:16 MST.

I looked through the archives, and I can't find any reason why I can't get
encrypted passwords to work using MySQL or PostgreSQL. I have had it
working before with the same data, but I must have missed something in the
config file. I also tried changing the crypt type to md5 but that didn't
work either. I have the same data in PostgreSQL and MySQL, and both
exhibit the same behavior. I switched back to PostgreSQL to make sure it
wasn't MySQL specific, so my example data is from PostgreSQL.

Clear text passwords seem to work with "User-Password".

but

Neither DES nor MD5 encrypted passwords work with "Crypt-Password".

I am using the same data that worked in 0.9.3 and CVS before 2004.

A weird thing I came across was that if I put the password in clear
text using "Crypt-Password" the user authenticates OK.

I am using the standard configs, queries and schemas.

This is my radcheck,radgroupcheck and usergroup test data :

 id | username | attribute      | op | value
----+----------+----------------+----+------------------------------------
  1 | fredf    | User-Password  | == | wilma
  2 | barneyr  | User-Password  | == | betty
  4 | frog     | User-Password  | == | kermit
  3 | troll    | Crypt-Password | == | $1$A8BotTi4$UTg2XL.fSStI2RFENUfnR.
(4 rows)

 id | groupname     | attribute | op | value
----+---------------+-----------+----+-------
  1 | ppp-unlimited | Auth-Type | := | Local
  2 | ppp-static    | Auth-Type | := | Local
  3 | nas-prompt    | Auth-Type | := | Local
(3 rows)

 id | username | groupname
----+----------+---------------
  1 | fredf    | ppp-unlimited
  2 | barneyr  | ppp-static
  3 | troll    | ppp-unlimited
  4 | frog     | nas-prompt
(4 rows)

The real password for troll is :

skunk

Here is the stripped versions of my radiusd.conf and postgresql.conf
as well as my debug output:
--radiusd.conf--

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
md5 {
}
leap {
}
mschapv2 {
}
}
mschap {
authtype = MS-CHAP
}
ldap {
server = "ldap.your.domain"
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
realm IPASS {
format = prefix
delimiter = "/"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address"
}
$INCLUDE ${confdir}/postgresql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = repl

Re: freeRADIUS: Livingston PM

2004-02-09 Thread Chris Parker
At 04:46 PM 2/9/2004, Richard Bradley wrote:
> You are correct my Portmasters are transmitting on 1645/1646 and my
> RADIUS is listening on 1812/1813.  How do I change my RADIUS
> configuration to listen on 1812/1813?

On the PM3, the setting is 'set auth x.y.z.a 1812'.  If you don't specify
the port, the PM3 defaults to 1645/1646.  Do the same ( though with 1813 )
for the acct server.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net




Re: Can't get Crypt-Password to work in SQL

2004-02-09 Thread Chris Parker
At 07:04 PM 2/9/2004, Guy Fraser wrote:
> I have scrubbed my RnD machine and installed FreeBSD 5.2, and installed
> FreeRadius from CVS on 2004 Feb 06 16:16 MST.
>
> I looked through the archives, and I can't find any reason why I can't get
> encrypted passwords to work using MySQL or PostgreSQL. I have had it
> working before with the same data, but I must have missed something in the
> config file. I also tried changing the crypt type to md5 but that didn't
> work either. I have the same data in PostgreSQL and MySQL, and both
> exhibit the same behavior. I switched back to PostgreSQL to make sure it
> wasn't MySQL specific, so my example data is from PostgreSQL.
>
> Clear text passwords seem to work with "User-Password".
>
> but
>
> Neither DES nor MD5 encrypted passwords work with "Crypt-Password".
>
> I am using the same data that worked in 0.9.3 and CVS before 2004.
>
> A weird thing I came across was that if I put the password in clear
> text using "Crypt-Password" the user authenticates OK.

Try setting Auth-Type := Crypt-Local, as well for the user.

It seems the server is trying to do a password compare, but not
realizing that it retrieved an encrypted password from the DB.  This
will be fixed before the next release, so the server doesn't have to
be explicitly told to use Crypt-Local.
-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net
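
The behaviour described in the reply above, as an added example (not FreeRADIUS code and not written by either poster): a simplified model in which Auth-Type Local compares the stored value as-is and Auth-Type Crypt-Local re-hashes the supplied password with the stored salt. The function names and the salt are assumptions made for the illustration; `md5_crypt` is the standard "$1$" scheme.

```python
import hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """MD5-based crypt(3), the "$1$" scheme, written with hashlib only."""
    pw, sl = password.encode(), salt.encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    for off in range(0, len(pw), 16):
        ctx.update(alt[:min(16, len(pw) - off)])
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        c.update((sl if i % 3 else b"") + (pw if i % 7 else b""))
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for idx, chars in (((0, 6, 12), 4), ((1, 7, 13), 4), ((2, 8, 14), 4),
                       ((3, 9, 15), 4), ((4, 10, 5), 4), ((11,), 2)):
        v = int.from_bytes(bytes(final[j] for j in idx), "big")
        for _ in range(chars):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$1${salt}${out}"

def local_compare(stored: str, supplied: str) -> bool:
    """Model of Auth-Type Local: the stored value is compared as-is."""
    return hmac.compare_digest(stored.encode(), supplied.encode())

def crypt_compare(stored: str, supplied: str) -> bool:
    """Model of Auth-Type Crypt-Local: re-hash with the stored salt."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False  # this sketch handles only "$1$salt$hash"
    return local_compare(stored, md5_crypt(supplied, parts[2]))

def outcomes(password="skunk", salt="Xy12Zq89"):  # salt is constructed
    hashed = md5_crypt(password, salt)
    return {"hash/Local": local_compare(hashed, password),
            "clear/Local": local_compare(password, password),
            "hash/Crypt-Local": crypt_compare(hashed, password),
            "clear/Crypt-Local": crypt_compare(password, password)}
```

The first two results reproduce what was reported (the hashed row is rejected, a cleartext value stored under Crypt-Password is accepted); the last two show the crypt comparison reversing both.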




Re: About use FreeRadius with postgresql

2004-02-09 Thread Yuset Amado Calzadilla Cámbara
And the configuration is the same as MySql one??


- Original Message - 
From: "Guy Fraser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 7:13 PM
Subject: Re: About use FreeRadius with postgresql


Yuset Amado Calzadilla Cámbara wrote:

> Can I install freeradius with postgresql using my own tables and not
> the tables given in rlm_postgresql??

Yes, you will likely need to create your own queries in postgresql.conf
as well.





802.1x WIN XP - Aironet 350

2004-02-09 Thread Rick Stevens
The question is about the snippet below, taken from cli-> radiud -X -y

Keep in mind, the authentication seems fine due to the radtest results
run locally.

[EMAIL PROTECTED] raddb]# radtest jstevens finished localhost 0 testing123
Sending Access-Request of id 55 to 127.0.0.1:1812
    User-Name = "jstevens"
    User-Password = "finished"
    NAS-IP-Address = ibm350pii
    NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=55, length=20

BUT WHEN THE CISCO AIRONET SENDS ITS EAP REQUEST, IT FAILS.

There looks to be TWO interesting bits of information:
UNKNOWN EAP TYPE 25 and NO User-Password attribute

--
rad_recv: Access-Request packet from host 176.26.23.146:2697, id=151, length=186
    User-Name = "jstevens"
    Cisco-AVPair = "ssid=SISLINK_NET"
    NAS-IP-Address = 176.26.23.146
    Called-Station-Id = "00409645d552"
    Calling-Station-Id = "00028a1e9992"
    NAS-Identifier = "aplock01"
    NAS-Port = 37
    Framed-MTU = 1400
    State = 0xa842c7f08d7428460061e4b5e15bfeb1dc622840f35a69b0db055a038b5d062eb5c78c0f
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x021f00060319
    Message-Authenticator = 0xecadb6dd41e56a14a8d3c08ca33640e4
modcall: entering group authorize for request 9061
  modcall[authorize]: module "preprocess" returns ok for request 9061
  modcall[authorize]: module "chap" returns noop for request 9061
  rlm_eap: EAP packet type notification id 31 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 9061
    rlm_realm: No '@' in User-Name = "jstevens", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 9061
    users: Matched jstevens at 52
  modcall[authorize]: module "files" returns ok for request 9061
  modcall[authorize]: module "mschap" returns noop for request 9061
modcall: group authorize returns updated for request 9061
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 9061
  rlm_eap: EAP packet type notification id 31 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: Unknown EAP type 25, reverting to default_eap_type
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
  modcall[authenticate]: module "eap" returns ok for request 9061
modcall: group authenticate returns ok for request 9061
Login OK: [jstevens/] (from client aplock01 port 37 cli 00028a1e9992)
Sending Access-Challenge of id 151 to 176.26.23.146:2697
    EAP-Message = 0x0120001811010008f4aa07dfa587ef686a73746576656e73
    Message-Authenticator = 0x
    State = 0xfba3312afbc6c6eac2db515b6875ec2edc6228400615b8b5b9b524e5bf762eb303ac43c3
Finished request 9061

Any help?




Trouble with 'redundant' block

2004-02-09 Thread Jeff Warnica
Hello all. I just upgraded to the 0.9.3 version on a SunOS 5.6 machine, 
using as recent GCC (and friends) as sunfreeware has. I had not 
attempted this in the old version. Anyway:

In my accounting {} section, I tried to use the following :
   redundant {
   sql_clio
   ok
   }
with the intention of gracefully ignoring SQL failures. However, 
check-radiusd-config reports the following:

[snip]
radiusd.conf[1561] Unknown module rcode 'sql_clio'.
Strangely, if I comment out the sql_clio line, it reports:
radiusd.conf[1562] Unknown action 'if'.
That leads me to believe that the 'always' module is seriously messed.
Has anyone seen issues like this? Ideas?



Re: SecureID support

2004-02-09 Thread Thomas MARCHESSEAU
Hello Gary,

I'm really interested in a rlm_securid module. Have you started development,
or do you have information?
We can try to develop a SecureID module at the Sitadelle team (via
Nicolas Baradakis) but if someone has started the job ..

regards
Thomas MARCHESSEAU
Sitadelle Team .

Gary Algier wrote:

> Jay Wilson wrote:
>
>> I have searched the mail archive for posts on SecureID support.  I found a
>> couple of hits from back in 2001.  Does FreeRADIUS support SecureID today?
>
> No (not yet?).  I want the same feature.  I intend to run the Ace Server's
> own RADIUS server (which uses its own braindead GUI/CUI/FUI, etc.) for radius
> access to SecurID.  I then intend to use FreeRADIUS as the frontend or
> proxy server.  When I need a login to be SecurID authenticated it can
> refer the work to the Ace server.  Other logins can use the FreeRADIUS
> server directly.
>
> If I have time and can figure it out, I may try writing an rlm_securid module.
> How hard can that be ;-)?
>
> BTW: In my searches for a RADIUS implementation that support SecurID, the
> best I could find was the old Livingston code.  All the derivatives seem
> to have dropped it.
>
>> Thank You
>> ---
>> Jay Wilson
>> Extreme Networks







Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi,

I use FreeRadius snapshot 20040129 with EAP/TLS, EAP/TTLS and EAP/PEAP.
I am trying to set up PEAP/MS-CHAPv2 but I get the error "rlm_mschap: We require a
User-Name for MS-CHAPv2".
However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

Extract of the log:

  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 6
rlm_mschap: We require a User-Name for MS-CHAPv2
  modcall[authenticate]: module "mschap" returns invalid for request 6
modcall: group Auth-Type returns invalid for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 179 to 139.165.212.248:21648
EAP-Message =
0x0109004819001703010018ac414f6ecefb1195938be450e38551daade29cc502427c8d1703
0100200deeb0441302502f9721238326439a05db8a1f2e0974378092c076a44c9297b4
Message-Authenticator = 0x
State = 0x13eb44c46fbe30f082eaf7522f3c315e
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 139.165.212.248:21648, id=180,
length=168
User-Name = "lga"
Framed-MTU = 1400
Called-Station-Id = "000c.304f.75da"
Calling-Station-Id = "000c.3052.9812"
Message-Authenticator = 0x9f589078de1b5fe1cd17051ba032b42f
EAP-Message =
0x0209002b19001703010020cd5ff5c0835b2f6cf5ae3109a04b77c096854a1ed328bb820781
ea790d6c1f6a
NAS-Port-Type = Wireless-802.11
NAS-Port = 314
State = 0x13eb44c46fbe30f082eaf7522f3c315e
Service-Type = Framed-User
NAS-IP-Address = 139.165.212.248
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "lga", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
users: Matched lga at 54
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled
attributes.

  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...


Hoping that you can help me ...


Lionel Gavage
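
The short EAP-Message values in the two debug logs above (the Aironet 350 post and this PEAP post) can be decoded by hand from the RFC 3748 header. The following is an added example, not part of either post and not FreeRADIUS code; the function names are made up for the illustration and the LEAP field layout (version, unused, count, challenge, name) is an assumption taken from public descriptions of LEAP.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2"}

def type_name(t: int) -> str:
    return EAP_TYPES.get(t, f"unknown({t})")

def parse_eap(hexstr: str) -> dict:
    """Decode the EAP header (RFC 3748) from a debug-log hex string."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 4 <= length <= len(raw):
        raise ValueError(f"length field {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a Type
        etype, data = raw[4], raw[5:length]
        pkt["type"] = type_name(etype)
        if etype == 3:                     # Nak: methods the peer would accept
            pkt["wants"] = [type_name(t) for t in data]
        elif etype == 17 and len(data) >= 3:
            # LEAP layout assumed: version, unused, count, challenge, name
            count = data[2]
            pkt["challenge"] = data[3:3 + count].hex()
            pkt["name"] = data[3 + count:].decode("ascii", "replace")
    return pkt

# EAP-Message values copied from the two debug logs above
SAMPLES = {
    "aironet_response": "0x021f00060319",
    "aironet_challenge": "0x0120001811010008f4aa07dfa587ef686a73746576656e73",
    "peap_inner_reply": "0x04080004",
}

def decode_samples() -> dict:
    return {name: parse_eap(value) for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in decode_samples().items():
        print(name, pkt)
```

Decoded this way, the Aironet client's Response is a Nak listing type 25 (PEAP), the server's Access-Challenge carries a LEAP request, and the tunneled reply in the PEAP log is an EAP Failure.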




Merging Detail Files

2004-02-09 Thread Matt
I want to merge a bunch of detail files into one big file so I can run
radiusreport on it.  Anyone tell me how to do that?

Matt

