LDAP MySQL
Hello,

I'm using freeradius-0.9.3 and I'd like to perform authorization of my users against our LDAP directory, but the reply items should be retrieved from an SQL database (MySQL).

I've now got

    authorize {
        preprocess
        chap
        realmslash
        realmsuffix
        files
        ldap
        sql
    }

working, but the sql module wants me to have a Password == attribute in the SQL table `radcheck', which I'd like to avoid.

Is it possible to do this, and what would I need to change?

Thanks, regards,
-JP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius naslist from sql database
I've had a search through the archives and Google and can't find examples of anyone using FreeRADIUS with its list of allowed NAS clients (IP or DNS names) held in a database, which is imported at startup or periodically, not necessarily at every request (perhaps a refresh after a max counter).

I am happy to write my own module to import these, but can't find any information about how to do this. I have written a simple test module, but this doesn't alter FreeRADIUS's internal list of allowed NAS IPs.

Has anyone else done this? Any ideas?

tariq
Re: Hotspot nearing completion
Does the Session-Attribute get decreased automatically in the users file?

--- Alan DeKok [EMAIL PROTECTED] wrote:
> Daniel Baughman [EMAIL PROTECTED] wrote:
> > How can I tell the NAS AP's to time out a user's connection after he has used his allotted minutes?
>
> See the Session-Timeout attribute.
>
> Alan DeKok.
Windows XP PEAP and FreeRadius :rlm_eap_peap: Had sent TLV failure, rejecting
Hi,

I'm trying to run a Windows XP client with PEAP - MSCHAP-V2 auth and the authentication fails. I've got two possible points of error, but I cannot guess where my problem is:

(1) rlm_eap_peap: Had sent TLV failure, rejecting
(2) modcall[authenticate]: module eap returns reject for request 7
    modcall: group authenticate returns reject for request 7
    auth: Failed to validate the user.

What is TLV? What is request 7 doing and why does it fail? Any ideas?

Details below:

My Windows XP client settings are: Connection properties - Authentication: Enable IEEE 802.1x ... EAP type PEAP; Properties - Select Auth. Method: EAP-MSCHAP-v2

The users file:

    user3   User-Password == cisco

The radiusd.conf:

    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }

The complete log:

# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: bind_address = 212.39.64.183 IP address [212.39.64.183]
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = tls
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /root/CA/btc.pem
tls: certificate_file = /root/CA/btc.pem
tls: CA_file = /root/CA/root.pem
tls: private_key_password = whatever
tls: dh_file = /root/CA/DH
tls: random_file = /root/CA/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
preprocess: hints = /usr/local/etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module:
Re: Getting group information from sql
Tim Bates [EMAIL PROTECTED] wrote:
> Ah, this could work. The /etc/group file on the RADIUS server is generated out of the same database which FreeRADIUS is configuring, so I can use that as a (hopefully) temporary solution. Just to confirm, did you mean using the etc_group example of the passwd module in the default radiusd.conf?

That will work, but you can use the unix module, too. It is the one managing the Group/Group-Name attribute.

If you use etc_group to do group checking, then use an attribute other than Group, or it will conflict with the Unix module.

Alan DeKok.
Re: Windows XP PEAP and FreeRadius :rlm_eap_peap: Had sent TLV failure, rejecting
hi

> (1) rlm_eap_peap: Had sent TLV failure, rejecting
> (2) modcall[authenticate]: module eap returns reject for request 7

the error is (2) and more precisely (out of your log):

  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 7
  modcall: group authenticate returns reject for request 7
  auth: Failed to validate the user.

it seems that mschapv2 cannot authenticate the user user3. are you sure that:

a) the mschap module is in your authorize and authenticate sections of your radiusd.conf file?
b) you type the right password at the XP prompt?

ciao
artur
Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password
Anton Voronin [EMAIL PROTECTED] wrote:
> Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap authenticate against a password (or NT/LM hash) taken from an external source (for example, using rlm_exec or rlm_perl)?

MS-CHAP does this already. If you had tried it, you would see that it works.

It's impossible to do for CHAP.

The PAP module could do it, I guess, but it would require code changes.

Alan DeKok.
Re: problem with cryptocards
Christoph Galuschka [EMAIL PROTECTED] wrote:
> Configuration seems to work well as I do get a challenge when logging in to my cisco box (IOS 12.2). But I get an error message after entering my response:
>
> rlm_x99_token: auth: bad state for [tigalch]: length

The NAS is mangling the State attribute. It's not supposed to do that.

You can edit the source to rlm_x99_token to decrease the length of the State it uses. That might help.

Alan DeKok.
Re: Sending NAS-IP-Address to proxied realm
> Sure. See preproxy_users
>
> DEFAULT Realm = icradius
>         NAS-IP-Address := 1.2.3.4

As per your earlier suggestion I added:

    DEFAULT Realm = abc.com
    NAS-IP-Address := 1.2.3.4    (1.2.3.4 replaced with the real IP)

to the preproxy_users file, and when I restart FreeRADIUS I get:

    Error: Errors reading /etc/raddb/preproxy_users
    Error: radiusd.conf[921]: files: Module instantiation failed.

Below is my files section, starting at line 921:

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

Do I need to add the path to the preproxy_users file in the files section? Or is this something that needs to be enabled in some other way?

Thanks,
Re: Sending NAS-IP-Address to proxied realm
> That is not at all what I suggested. Please go back and read the message again.

Thanks, I did. For whatever reason, in my mail client the 2 lines have the same starting point, so I did not pick up on the second line being indented, but thanks for pointing it out to me. That did the trick!

Thanks for all of your continued help and advice, it is much appreciated!
Re: Hotspot nearing completion
Alan,

:-) i think the question is if the session-timeout value in the users file gets automagically decreased in order to represent the remaining session time :-)

Aime,

session-timeout is something sent to the NAS. the NAS is responsible for counting the session minutes of the current session and for closing it after its expiration. nothing in the users file ever gets changed, and nothing needs to. Session-timeout is _not_ supposed to represent the max allowed user connection time per month. You can do that with other methods (i.e. using accounting values). Please search the freeradius list for rlm_counter or Max-Monthly-Session: http://www.mail-archive.com/[EMAIL PROTECTED]/

ciao
artur

Alan DeKok wrote:
> Aime [EMAIL PROTECTED] wrote:
> > Does the Session-Attribute get decreased automatically in the users file?
>
> Huh?
>
> Alan DeKok.
Re: LDAP MySQL
On Fri, 27 Feb 2004, Alan DeKok wrote:

> > the sql module wants me to have a Password == attribute in the SQL table `radcheck', which I'd like to avoid.
>
> I don't see why. There's nothing in the module which requires a User-Password attribute in the database. Would you be willing to post the debug output which leads you to that conclusion?

My `users' file holds:

    DEFAULT NAS-IP-Address == 10.37.8.1, Realm == NL
            Cisco-AVPair = ip:dns-servers=37.37.37.1 37.37.37.2,
            Fall-Through = no

I'm hitting the server with

    radclient -f /tmp/n hostname auth secret

where /tmp/n contains:

    User-Name = nl/su00
    User-Password = ts
    Service-Type = Framed-User
    NAS-IP-Address = 10.37.8.1
    NAS-Port-Type = Async

`radclient' reports:

    Received response ID 50, code 2, length = 64
        Cisco-AVPair = ip:dns-servers=37.37.37.1 37.37.37.2

My `radcheck' MySQL table is empty, and `radreply' holds:

    select * from radreply where realm = 'NL';
    +----+----------+-----------------+----+-------+-------+
    | id | UserName | Attribute       | op | Value | realm |
    +----+----------+-----------------+----+-------+-------+
    |  6 | su00     | Session-Timeout | := | 3737  | NL    |
    +----+----------+-----------------+----+-------+-------+

[I've added a realm column and adjusted the queries in sql.conf accordingly]

This is the output of radiusd -X:

Listening on IP address 10.0.243.143, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.243.143:50261, id=50, length=65
        User-Name = nl/su00
        User-Password = ts
        Service-Type = Framed-User
        NAS-IP-Address = 10.37.8.1
        NAS-Port-Type = Async
rad_lowerpair: User-Name now 'nl/su00'
rad_rmspace_pair: User-Name now 'nl/su00'
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
rlm_realm: Looking up realm nl for User-Name = nl/su00
rlm_realm: Found realm NL
rlm_realm: Adding Stripped-User-Name = su00
rlm_realm: Proxying request from user su00 to realm NL
rlm_realm: Adding Realm = NL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module realmslash returns noop for request 0
rlm_realm: Request already proxied. Ignoring.
  modcall[authorize]: module realmsuffix returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=retail-sc,dc=com'
radius_xlat: '(uid=su00)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389, authentication 0
rlm_ldap: bind as cn=manager,dc=retail-sc,dc=com/fupdoc to m1.intdus.retail-sc.com m2.intdus.retail-sc.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
ldap_release_conn: Release Id: 0
radius_xlat: '((uid=su00)(objectclass=radiusProfile))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter ((radiusGroupName=disabled)((uid=su00)(objectclass=radiusProfile)))
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group disabled not found or user is not a member.
    users: Matched DEFAULT at 13
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for su00
radius_xlat: '(uid=su00)'
radius_xlat: 'dc=retail-sc,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=retail-sc,dc=com, with filter (uid=su00)
rlm_ldap: Added password ts in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user su00 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
radius_xlat: 'su00'
rlm_sql (sql): sql_set_user escaped user -- 'su00'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'su00' ORDER BY id
rlm_sql (sql): User su00 not found in radcheck
                                          ^^^
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'su00' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
Re: Freeradius-Users digest CVS snapshot
Today's Topics:

   1. CVS snapshot (Rick Stevens)
   2. RE: remove me (Paul Roberts)
   3. Re: CVS snapshot (Alan DeKok)

--__--__--

Message: 1
Date: Sun, 15 Feb 2004 20:27:27 -0600 (CST)
Subject: CVS snapshot
From: Rick Stevens [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

I was told to grab the CVS snapshot for the EAP-PEAP functionality to work with my 802.1x Win XP - Aironet 350. I must not have completely copied the files. I am getting this segmentation fault when the access point sends the EAP request, and radiusd just dies. How do I properly install the CVS files?

I installed 0.9.3 with

    ./configure --localstatedir=/var --sysconfdir=/etc

then make, make install. Got the 02152004 snapshot and ran configure with the same options, then copied share/* to /usr/local/share/freeradius and raddb/* to /etc/raddb.

What am I missing?

Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 176.26.23.146:2732, id=166, length=155
        User-Name = jstevens
        Cisco-AVPair = ssid=SISLINK_NET
        NAS-IP-Address = 176.26.23.146
        Called-Station-Id = 00409645d552
        Calling-Station-Id = 00028a1e9992
        NAS-Identifier = aplock01
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x020b000d016a73746576656e73
        Message-Authenticator = 0xa633de31dd5271dbab1eb6b4f30e6eda
modcall: entering group authorize for request 0
Segmentation fault

--__--__--

Message: 2
Subject: RE: remove me
Date: Sun, 15 Feb 2004 19:34:18 -0800
From: Paul Roberts [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

Remove me

--__--__--

Message: 3
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: CVS snapshot
Date: Sun, 15 Feb 2004 23:17:36 -0500
Reply-To: [EMAIL PROTECTED]

Rick Stevens [EMAIL PROTECTED] wrote:
> How do I properly install the CVS files?

make install ?

> got 02152004 snapshot and ran configure with same options.
> then copied share/* to /usr/local/share/freeradius and raddb/* to /etc/raddb
> What am I missing?

I don't understand why you would copy some of the files by hand over top of an existing 0.9.3 installation,
Re: Hotspot nearing completion
Artur understood exactly what I would like to say in my previous mail.

My question is if the session-timeout value in the users file or in the MySQL table gets automagically decreased in order to represent the remaining session time.

I had an access point that expects to have Session-Timeout in the Access Reply packet. I did set the Session-Timeout to 600. The access point terminated the session after 600 seconds. But when the user reconnects he could have again 600 s, because Session-Timeout did not change, and that is the attribute the access point takes for the total session time of the user.

So how can I handle this? The AP issues interim accounting from time to time.

--Aimé

Last time I was trying

--- Artur Hecker [EMAIL PROTECTED] wrote:
> Alan,
>
> :-) i think the question is if the session-timeout value in the users file gets automagically decreased in order to represent the remaining session time :-)
>
> Aime,
>
> session-timeout is something sent to the NAS. the NAS is responsible for counting the session minutes of the current session and for closing it after its expiration. nothing in the users file ever gets changed, and nothing needs to. Session-timeout is _not_ supposed to represent the max allowed user connection time per month. You can do that with other methods (i.e. using accounting values). Please search the freeradius list for rlm_counter or Max-Monthly-Session: http://www.mail-archive.com/[EMAIL PROTECTED]/
>
> ciao
> artur
>
> Alan DeKok wrote:
> > Aime [EMAIL PROTECTED] wrote:
> > > Does the Session-Attribute get decreased automatically in the users file?
> >
> > Huh?
> >
> > Alan DeKok.
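The bookkeeping Artur describes (the monthly allowance lives in accounting data, which is what rlm_counter consults, and each Access-Accept carries only the time still left) and Aimé's 600-second reconnect problem, worked as an added example; this is not code from either post nor from FreeRADIUS, and the accounting records, user names and the MONTHLY_ALLOWANCE figure are all constructed for the illustration:

```python
from datetime import datetime

MONTHLY_ALLOWANCE = 1200  # constructed: 20 minutes of connection time per user per month

# Constructed accounting records, as a NAS would report them (Acct-Status-Type
# Interim-Update or Stop). A real server would read these from its radacct table.
ACCT_RECORDS = [
    {"User-Name": "aime", "Acct-Session-Id": "s1", "Acct-Status-Type": "Stop",
     "Acct-Session-Time": 600, "Timestamp": "2004-02-10T10:10:00+00:00"},
    {"User-Name": "aime", "Acct-Session-Id": "s2", "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Time": 300, "Timestamp": "2004-02-20T08:05:00+00:00"},
    {"User-Name": "aime", "Acct-Session-Id": "s2", "Acct-Status-Type": "Stop",
     "Acct-Session-Time": 420, "Timestamp": "2004-02-20T08:07:00+00:00"},
    {"User-Name": "bob", "Acct-Session-Id": "s3", "Acct-Status-Type": "Stop",
     "Acct-Session-Time": 100, "Timestamp": "2004-01-31T23:00:00+00:00"},
    {"User-Name": "carol", "Acct-Session-Id": "s4", "Acct-Status-Type": "Stop",
     "Acct-Session-Time": 1300, "Timestamp": "2004-02-02T12:00:00+00:00"},
]


def used_seconds(user, now_iso, records=ACCT_RECORDS):
    """Seconds of connection time `user` has consumed in the calendar month of `now_iso`.

    Acct-Session-Time is cumulative within one session, so an Interim-Update and
    the final Stop for the same Acct-Session-Id must not be added together:
    keep the largest value seen per session and sum across sessions.
    """
    now = datetime.fromisoformat(now_iso)
    per_session = {}
    for rec in records:
        if rec["User-Name"] != user:
            continue
        ts = datetime.fromisoformat(rec["Timestamp"])
        if (ts.year, ts.month) != (now.year, now.month):
            continue  # previous period: the counter resets monthly
        sid = rec["Acct-Session-Id"]
        per_session[sid] = max(per_session.get(sid, 0), rec["Acct-Session-Time"])
    return sum(per_session.values())


def authorize(user, now_iso, allowance=MONTHLY_ALLOWANCE, records=ACCT_RECORDS):
    """Build the reply the server should send for an Access-Request.

    The users file (or radreply row) is never modified. Instead Session-Timeout
    is computed per request as the time still left, so an AP that tears the
    session down on Session-Timeout cannot hand out a fresh 600 s on every
    reconnect; once the allowance is exhausted the request is rejected.
    """
    remaining = allowance - used_seconds(user, now_iso, records)
    if remaining <= 0:
        return "Access-Reject", {"Reply-Message": "Monthly session allowance exhausted"}
    return "Access-Accept", {"Session-Timeout": remaining}


if __name__ == "__main__":
    for name in ("aime", "bob", "carol"):
        print(name, authorize(name, "2004-02-25T00:00:00+00:00"))
```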
Windows XP PEAP and FreeRadius Authorization
Hello!

I'm trying to get Windows XP - PEAP - MS-CHAPv2 working with FreeRADIUS, but I don't know how to configure it correctly. I have followed the instructions in radiusd.conf; it also seems 'working' to me, but I don't know now where the problem is (something like mschapv2 messing with tls?). Well, here is the radiusd -X. If you can help me, please. Thanks:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/freeradius//etc/raddb/proxy.conf
Config: including file: /usr/local/freeradius//etc/raddb/clients.conf
Config: including file: /usr/local/freeradius//etc/raddb/snmp.conf
Config: including file: /usr/local/freeradius//etc/raddb/sql.conf
main: prefix = /usr/local/freeradius/
main: localstatedir = /usr/local/freeradius//var
main: logdir = /usr/local/freeradius//var/log/radius
main: libdir = /usr/local/freeradius//lib
main: radacctdir = /usr/local/freeradius//var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/freeradius//var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/freeradius//var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/freeradius//sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /usr/local/freeradius//var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = mschapv2
eap: timer_expire = 240
eap: ignore_unknown_eap_types = yes
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/freeradius//etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/freeradius//etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/freeradius//etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/freeradius//etc/raddb/certs/dh
tls: random_file = /usr/local/freeradius//etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /usr/local/freeradius//etc/raddb/huntgroups
preprocess: hints = /usr/local/freeradius//etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = /usr/local/freeradius//etc/raddb/users
files: acctusersfile = /usr/local/freeradius//etc/raddb/acct_users
files: preproxy_usersfile =