do I need upgrade with using EAP-SIM?
Hi~

My radius server is running freeradius-0.9.3 right now, and I wish it could support EAP-SIM. What should I do? Use the snapshot version in place of 0.9.3, or only add a new module?

In addition, when the authentication mechanism is EAP-SIM, is there any difference between being a home server and being a radius proxy server in config, modules, or something else?

thanks a lot
alex
How to pass password via password of radiusd.conf
I want to connect the RADIUS server to Active Directory for authentication, but I encountered a problem in passing the password to the Active Directory server. The following is part of the radiusd.conf file:

  ldap {
      server = "192.168.250.25"
      identity = "CN=cbhoh,CN=Users,DC=example,DC=com"
      password = "%{User-Password}"
      # identity = "cn=admin,o=My Org,c=UA"
      # password = mypass
      basedn = "CN=cbhoh,CN=Users,DC=example,DC=com"
      #filter = "(CN=%{Stripped-User-Name:-%{User-Name}})"
      filter = "(CN=%{Stripped-User-Name:-%{User-Name}})"

When I run the command

  ./radtest cbhoh cbhoh123 127.0.0.1:8000 10 testing123

authentication fails, and the following is the log detail from radiusd:

  modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
  auth: type "LDAP"
  modcall: entering group Auth-Type for request 0
  rlm_ldap: - authenticate
  rlm_ldap: login attempt by "cbhoh" with password "cbhoh123"
  radius_xlat: '(CN=cbhoh)'
  radius_xlat: 'CN=cbhoh,CN=Users,DC=example,DC=com'
  ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to 192.168.250.25:389, authentication 0
  rlm_ldap: bind as CN=cbhoh,CN=Users,DC=example,DC=com/%{User-Password} to 192.168.250.25:389
  rlm_ldap: waiting for bind result ...
  rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
  rlm_ldap: (re)connection attempt failed
  ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail for request 0
  modcall: group Auth-Type returns fail for request 0
  auth: Failed to validate the user.

As the log details show, %{User-Password} isn't substituted with the password value passed by radtest. Any ideas? Maybe I missed something..

regards,
- HOH
MySQL accounting and Cisco-AVPair
Hi,

I'm using FreeRADIUS Version 0.9.3 on FreeBSD 4.9 with a Cisco PIX to AAA internet access. It works fine, but I need to store the Cisco-AVPair info in the radacct SQL table.

As I can see in the detail accounting, freeradius stores the Cisco-AVPair info:

  -snip-
  Cisco-AVPair = ip:source-ip=192.168.0.127
  Cisco-AVPair = ip:source-port=4051
  Cisco-AVPair = ip:destination-ip=10.10.10.1
  Cisco-AVPair = ip:destination-port=23
  -snip-

but I cannot store this info in SQL. I've tried to modify sql.conf like this:

  accounting_stop_query_alt = INSERT into ${acct_table2} (RadAcctId, AcctSessionId... AcctStopDelay) values('', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}'... '%{Cisco-AVPair}', '%{Cisco-AVPair}'..}')

but it returns only the first instance of Cisco-AVPair (ip:source-ip=192.168.0.127). How can I store all the values?

--
Federico Pugnaloni

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sqlcounter: count=0 ?????
That was the problem, I solved it last night reading an old post. I really appreciate your help. But this is not documented in the module's doc file. What is sqlacc3???

Thank you all!!!

apellido said:
> Try to change the following in your sqlcounter dailycounter and monthlycounter:
>
>   sqlmod-inst = sqlcca3
>   sqlmod-inst = sql
>
> ----- Original Message -----
> From: Juan Pablo Fava [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Saturday, March 20, 2004 10:18 PM
> Subject: Re: sqlcounter: count=0 ?
>
>> Here it is. Thanks!
>>
>> apellido said:
>>> can we take a look at your sqlcounter.conf?
>>>
>>> ----- Original Message -----
>>> From: Juan Pablo Fava [EMAIL PROTECTED]
>>> To: [EMAIL PROTECTED]
>>> Sent: Saturday, March 20, 2004 10:12 AM
>>> Subject: sqlcounter: count=0 ?
>>>
>>>> Hi, the problem is that my installation of sqlcounter doesn't work, I think because the counter returns ZERO!! and I don't know why, because if I execute the SQL code by hand, I don't get zero:
>>>>
>>>> radcheck is ok:
>>>>
>>>> mysql> select * from radcheck where username='troll';
>>>> +----+----------+---------------------+----+-------+
>>>> | id | UserName | Attribute           | op | Value |
>>>> +----+----------+---------------------+----+-------+
>>>> |  3 | troll    | User-Password       | == | troll |
>>>> |  5 | troll    | Max-Monthly-Session | := | 3600  |
>>>> +----+----------+---------------------+----+-------+
>>>> 2 rows in set (0.11 sec)
>>>>
>>>> mysql> SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811';
>>>> +------------------------------------------------------------------------------+
>>>> | SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) |
>>>> +------------------------------------------------------------------------------+
>>>> |                                                                       376200 |
>>>> +------------------------------------------------------------------------------+
>>>> 1 row in set (0.00 sec)
>>>>
>>>> Now, let's see the radiusd output:
>>>>
>>>> rlm_sqlcounter: Entering module authorize code
>>>> sqlcounter_expand: 'SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''
>>>> radius_xlat: 'SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''
>>>> sqlcounter_expand: '%{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}'
>>>> WARNING: Attempt to use unknown xlat function or attribute in string %{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}
>>>> radius_xlat: ''
>>>> rlm_sqlcounter: (Check item - counter) is greater than zero
>>>> rlm_sqlcounter: Authorized user troll, check_item=3600, counter=0    <= HERE !!
>>>> rlm_sqlcounter: Sent Reply-Item for user troll, Type=Session-Timeout, value=3600
>>>> modcall[authorize]: module monthlycounter returns ok for request 5
>>>>
>>>> NO, IT'S NOT OK, USER CAN'T LOGIN!! :P
>>>>
>>>> Does someone have an idea about what's going on here? I don't understand the Warning above...
>>>>
>>>> Thanks in advance, and excuse my english.
>>>>
>>>> --
>>>> Juan Pablo Fava
radius backup authentication
Hi!

I have a general question. Is it possible to have more than one authentication method? I know that freeradius has multiple possibilities to authenticate, but is it possible to have one as a backup? For example: there is one freeradius server which has two authentication methods:

  Primary:   Mysql
  Secondary: users file

If the primary authentication fails, because the mysql server is down, then it should take the second authentication. The users file would be dynamically generated every time the mysql user information has changed. Is this possible???

Regards,
Ahmad
benchmarks, comparative, claim to be high-performance
I wonder if there are existing benchmarks of freeradius performance compared with other radius servers. Or even non-comparative benchmarks.

Also, I'm having trouble finding information about what is unique to freeradius in terms of performance. The website suggests that freeradius is high performance... but doesn't elaborate. Where does this unique-to-freeradius performance come from?

 - is it from its use of threads?
 - is it from its use of C as opposed to perl (radiator)?
 - does it compile using OS specific accelerations (kqueue, for example)?

tariq
Re: EAP-TLS: Authorization based on certificate?
On Sunday, 21 March 2004 13:53, Peter Stamfest wrote:
> Hello,
>
> The problem is that there is no connection between the certificate and the id / User-Name:
>
> * The User-Name can be freely chosen by the supplicant. This username is then used for authorization (NOT authentication)
> * The certificate gets used for authentication (NOT authorization)
>
> Trouble is: There is no connection between the two. Assume the following situation:

I wrote a patch and submitted it to the mailing list. It compares the identity in the radius packet (User-Name) with the identity in the certificate. If they differ the user will be rejected!

regards
Gunter
Re: sqlcounter: count=0 ?????
Hello Juan,

I don't know why, and I already asked that on the mailing list. If you read the old questions you've got the answer: rlm_sqlcounter is not yet stable (experimental). If you want to set up prepaid internet then use rlm_counter.

----- Original Message -----
From: Juan Pablo Fava [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 8:20 PM
Subject: Re: sqlcounter: count=0 ?

> That was the problem, I solved it last night reading an old post. I really appreciate your help. But this is not documented in the module's doc file. What is sqlacc3???
>
> Thank you all!!!
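As an added example (not from this thread and not FreeRADIUS code), the counter arithmetic behind the query Juan quotes, re-implemented in Python over constructed radacct rows. The reset value 107811, the user name troll and the check item 3600 are taken from the log; the rows, the row layout and the function names are assumptions. It also reproduces the failure mode in the log: an unknown xlat expands to '' and is read as counter=0, so the quota check passes when it should reject.

```python
"""Re-implementation of the rlm_sqlcounter arithmetic discussed in this thread.

The counter query quoted in the log is:

  SELECT SUM(AcctSessionTime - GREATEST((<reset> - UNIX_TIMESTAMP(AcctStartTime)), 0))
  FROM radacct
  WHERE UserName='<user>' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '<reset>'

It sums the seconds of every session that was still running after the reset
point, clamping sessions that began before the reset to the part after it.
The module then compares the result with the check item (Max-Monthly-Session)
and, while time is left, replies with Session-Timeout = check_item - counter.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class AcctRow:
    """One radacct row, reduced to the columns the query touches (assumed layout)."""
    username: str
    start_ts: int       # UNIX_TIMESTAMP(AcctStartTime)
    session_time: int   # AcctSessionTime, seconds


def monthly_reset(now_ts: int) -> int:
    """Reset point of a 'monthly' counter: 00:00 UTC on the 1st of the current month."""
    now = datetime.fromtimestamp(now_ts, tz=timezone.utc)
    return int(now.replace(day=1, hour=0, minute=0, second=0, microsecond=0).timestamp())


def counter_since(rows: Iterable[AcctRow], username: str, reset_ts: int) -> int:
    """Python equivalent of the SUM(...) query above, evaluated over radacct rows."""
    total = 0
    for row in rows:
        if row.username != username:
            continue
        # WHERE UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > reset
        if row.start_ts + row.session_time <= reset_ts:
            continue  # the session ended before the reset point and does not count
        # AcctSessionTime - GREATEST(reset - start, 0): count only the part after the reset
        total += row.session_time - max(reset_ts - row.start_ts, 0)
    return total


def parse_xlat_result(expanded: str) -> int:
    """How the module turns the expanded query string into a counter.

    In the thread the %{sqlcca3:...} xlat was unknown, radius_xlat expanded to ''
    and the module logged counter=0.  Mirroring that: a non-numeric result is 0,
    which is exactly the 'count=0' symptom, so an unknown xlat silently passes
    the quota check instead of failing closed.
    """
    try:
        return int(expanded.strip())
    except ValueError:
        return 0


def sqlcounter_authorize(check_item: int, counter: int) -> Tuple[str, Optional[int]]:
    """Decision logged as '(Check item - counter) is greater than zero'.

    Returns ("ok", Session-Timeout) while time is left, ("reject", None) otherwise.
    """
    remaining = check_item - counter
    if remaining > 0:
        return "ok", remaining
    return "reject", None


# Constructed radacct sample (illustrative, not real data).  The first row reproduces the
# 376200 seen in the thread: 384011 - (107811 - 100000) = 376200.
RESET_TS = 107811            # the reset value visible in the quoted query
CHECK_ITEM = 3600            # Max-Monthly-Session from the radcheck row
SAMPLE_ROWS = [
    AcctRow("troll", 100_000, 384_011),  # began before the reset, still running after it
    AcctRow("troll", 1_000, 5_000),      # ended before the reset: excluded by the WHERE clause
    AcctRow("other", 200_000, 50),       # another user, ignored for 'troll'
]


def demo() -> None:
    used = counter_since(SAMPLE_ROWS, "troll", RESET_TS)
    print("counter from radacct:", used, "->", sqlcounter_authorize(CHECK_ITEM, used))
    # The failure mode from the log: unknown xlat -> '' -> counter=0 -> user authorized.
    broken = parse_xlat_result("")
    print("counter from failed xlat:", broken, "->", sqlcounter_authorize(CHECK_ITEM, broken))


if __name__ == "__main__":
    demo()
```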
PEAP with MS-Chapv2 Problem
Hi Folks,

I have the following problem with my Freeradius:

The Network:

  # Laptop, Windows 2000, IP: 192.168.10.23
      |
      |
  # Access Point (W-Lan), a Fujitsu Siemens Connect2Air 2000RDS, IP: 192.168.10.100
      |
      |
  # Freeradius-Server, IP: 192.168.10.1, Version 1.0.0-pre0 (because of the PEAP support)

Now, my task is to authenticate the Laptop over PEAP-MSCHAPv2 with the Freeradius-Server. I use the built-in 802.1X support of Windows 2k.

I uploaded the log of the Radius-Server ('radiusd -X') and the needed config files for you (and of course stripped the comments out):

  Debug log (with 'radiusd -X'): http://leenox.net/dateien/ML-errorlog.txt
  EAP config file:               http://leenox.net/dateien/ML-eap.conf
  radiusd.conf file:             http://leenox.net/dateien/ML-radiusd.conf

In the log I found these errors:

- At the SSL handshake:

    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A

  Comment: I imported the client certificate on my Laptop - nothing happened. But the log also shows that the SSL tunnel connects successfully (!?)

- And at the login:

    modcall: group authenticate returns reject for request 8
    auth: Failed to validate the user.
    Login incorrect: [alex/no User-Password attribute] (from client Wlan-AP port 0 cli 00-02-72-02-86-73)

  Comment: I have no idea why Freeradius gets no password .. :/

Hope someone can help me.

Thanks in advance
Alex Dornhoefer (from Germany)
Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems
no, that's wrong. DON'T force the Auth-Type. do it as i said before.

ciao
artur

Mihai RUSU wrote:
> Hi again
>
> Sorry for the SPAM, I solved my problem after a while, the solution was to have a line like this in users:
>
>   dizzy   Auth-Type := EAP, User-Password = parola
>
> On Mon, 22 Mar 2004, Mihai RUSU wrote:
>
>> Hi
>>
>> I have installed xsupplicant version 0.8b and freeradius 0.9.3 on gentoo linux (from portage). I am trying to make my Linux system auth to a Cisco 3550 switch.
>>
>> 1. radius configuration
>> - I have removed any trace of the unix module (it didn't work, probably something to do with radius running as radiusd/radiusd)
>> - I have the eap module as in the default radiusd.conf file
>> - I have configured the authenticator in clients.conf with the test123 secret, nastype cisco
>> - in users I have this entry before any DEFAULT ones:
>>
>>   dizzy   Auth-Type += Local, User-Password = parola
>>
>> 2. authenticator configuration:
>>
>>   #sh dot1x
>>   Sysauthcontrol                    = Enabled
>>   Dot1x Protocol Version            = 1
>>   Dot1x Oper Controlled Directions  = Both
>>   Dot1x Admin Controlled Directions = Both
>>
>>   #sh running-config interface fastEthernet 0/10
>>   Building configuration...
>>
>>   Current configuration : 110 bytes
>>   !
>>   interface FastEthernet0/10
>>    switchport access vlan 2
>>    switchport mode access
>>    dot1x port-control auto
>>   end
>>
>> - I have configured radius-server with the test123 key
>>
>> 3. client configuration
>> - eth1 is directly linked to interface 0/10 of the cisco switch
>>
>> I run xsupplicant like:
>>
>>   # xsupplicant -i eth1 -u dizzy -p parola -d 255 -m MD5
>>
>> And I get:
>>
>>   (EAPMD5) Initalized
>>   (EAPMS-CHAP) Initalized
>>   Done with init.
>>   Sending EAPOL-Start #1
>>   ## eap_decode_packet ##: Got an EAP request
>>   ## eap_decode_packet ##: Type is Identity
>>   Connection Established, authenticating...
>>   ACQUIRED
>>   ## eap_decode_packet ##: Got an EAP failure
>>   Failed to Authenticate
>>   CONNECTING
>>
>> RADIUS log says:
>>
>>   rad_recv: Access-Request packet from host ip-cisco-removed:1812, id=24, length=100
>>           NAS-IP-Address = ip-cisco-removed
>>           NAS-Port-Type = Async
>>           User-Name = dizzy
>>           Service-Type = Framed-User
>>           Framed-MTU = 1500
>>           Calling-Station-Id = 00-50-8d-f9-2a-e8
>>           EAP-Message = 0x020a0164697a7a79
>>           Message-Authenticator = 0x605f11bd6926fbbe39dd75d41070183e
>>   modcall: entering group authorize for request 0
>>     modcall[authorize]: module preprocess returns ok for request 0
>>     rlm_eap: EAP packet type notification id 0 length 10
>>     rlm_eap: EAP Start not found
>>     modcall[authorize]: module eap returns updated for request 0
>>       rlm_realm: No '@' in User-Name = dizzy, looking up realm NULL
>>       rlm_realm: No such realm NULL
>>     modcall[authorize]: module suffix returns noop for request 0
>>       users: Matched dizzy at 148
>>     modcall[authorize]: module files returns ok for request 0
>>   modcall: group authorize returns updated for request 0
>>     rad_check_password: Found Auth-Type EAP
>>     rad_check_password: Found Auth-Type Local
>>   Warning: Found 2 auth-types on request for user 'dizzy'
>>   auth: type Local
>>   auth: No User-Password or CHAP-Password attribute in the request
>>   auth: Failed to validate the user.
>>   Delaying request 0 for 1 seconds
>>   Finished request 0
>>   Going to the next request
>>   --- Walking the entire request list ---
>>   Waking up in 1 seconds...
>>   --- Walking the entire request list ---
>>   Waking up in 1 seconds...
>>   --- Walking the entire request list ---
>>   Sending Access-Reject of id 24 to ip-cisco-removed:1812
>>   Waking up in 4 seconds...
>>   --- Walking the entire request list ---
>>   Cleaning up request 0 ID 24 with timestamp 405ee145
>>   Nothing to do.  Sleeping until we see a request.
>>
>> Any idea why it doesn't work? Please tell me if you need any more information, thanks!
>>
>> --
>> Mihai RUSU                    Email: [EMAIL PROTECTED]
>> GPG : http://dizzy.roedu.net/dizzy-gpg.txt   WWW: http://dizzy.roedu.net
>> Linux is obsolete -- AST
unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)
On Mon, 22 Mar 2004, Artur Hecker wrote:

> hi
>
>> something to do with radius running as radiusd/radiusd)
>
> (it's not related but yes, it can't read the shadow file as user 'radiusd'. deactivate the caching if you want it back.)

But caching is disabled (as in the default config, cache = no) and still the unix module fails to load on server startup or check config (the last lines):

  Module: Loaded Pam
   pam: pam_auth = radiusd
  Module: Instantiated pam (pam)
  radiusd.conf[545] Failed to link to module 'rlm_unix': file not found

Interesting is that it does find the file (from a strace output) but it fails on something else; I thought it failed on accessing shadow while being run as a non-privileged user. Here is the relevant part of the strace output:

  [pid  8849] access("/usr/lib/rlm_unix.so", R_OK) = 0
  [pid  8849] open("/usr/lib/rlm_unix.so", O_RDONLY) = 3
  [pid  8849] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000"..., 512) = 512
  [pid  8849] fstat64(3, {st_mode=S_IFREG|0755, st_size=53892, ...}) = 0
  [pid  8849] mmap2(NULL, 107232, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40243000
  [pid  8849] mmap2(0x4024f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xb) = 0x4024f000
  [pid  8849] mmap2(0x40251000, 49888, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40251000
  [pid  8849] close(3) = 0
  [pid  8849] mprotect(0x40243000, 49152, PROT_READ|PROT_WRITE) = 0
  [pid  8849] munmap(0x40243000, 107232) = 0
  [pid  8849] time(NULL) = 1079964365
  [pid  8849] write(1, "radiusd.conf[545] Failed to link"..., 71) = 71

Pretty strange huh ? :)

--
Mihai RUSU                    Email: [EMAIL PROTECTED]
GPG : http://dizzy.roedu.net/dizzy-gpg.txt   WWW: http://dizzy.roedu.net
Linux is obsolete -- AST
Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems
On Mon, 22 Mar 2004, Artur Hecker wrote:

> no, that's wrong. DON'T force the Auth-Type. do it as i said before.

Thanks! I did as you said and it works fine.

> ciao
> artur

--
Mihai RUSU                    Email: [EMAIL PROTECTED]
GPG : http://dizzy.roedu.net/dizzy-gpg.txt   WWW: http://dizzy.roedu.net
Linux is obsolete -- AST
Re: unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)
hi

> But caching is disabled (as in the default config, cache = no) and still the unix module fails to load on server startup or check config (the last lines):
>
>   Module: Loaded Pam
>    pam: pam_auth = radiusd
>   Module: Instantiated pam (pam)
>   radiusd.conf[545] Failed to link to module 'rlm_unix': file not found

ok, that's on another level, it can't even link the module.

> Interesting is that it does find the file (from a strace output) but it fails on something else; I thought it failed on accessing shadow while being run as a non-privileged user.

i'd suppose that it'd complain later in that case but i'm not sure. anyway, if you want to test it, run as root 'radiusd -s -X'. in that case, the server will execute with root rights. so, it should be able to read everything. compare the outputs if it works. if it does not, the problem is obviously on the system level.

> Here is the relevant part of the strace output:
>
>   [pid  8849] access("/usr/lib/rlm_unix.so", R_OK) = 0
>   [pid  8849] open("/usr/lib/rlm_unix.so", O_RDONLY) = 3
>   [pid  8849] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000"..., 512) = 512
>   [pid  8849] fstat64(3, {st_mode=S_IFREG|0755, st_size=53892, ...}) = 0
>   [pid  8849] mmap2(NULL, 107232, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40243000
>   [pid  8849] mmap2(0x4024f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xb) = 0x4024f000
>   [pid  8849] mmap2(0x40251000, 49888, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40251000
>   [pid  8849] close(3) = 0
>   [pid  8849] mprotect(0x40243000, 49152, PROT_READ|PROT_WRITE) = 0
>   [pid  8849] munmap(0x40243000, 107232) = 0
>   [pid  8849] time(NULL) = 1079964365
>   [pid  8849] write(1, "radiusd.conf[545] Failed to link"..., 71) = 71
>
> Pretty strange huh ? :)

hmm, try 'ldd rlm_unix.so' and see if it finds everything linked within the module itself.

ciao
artur
Re: unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)
hi

> According to strace -s is not enough to execute with root rights, I had to comment out the user/group entries from radiusd.conf. Anyway, even running as root it fails the same way :-/

hmm? if you execute it in debug mode as root, it runs as root. it reads but should ignore the rights you set in the config file. but the essential part is that it also fails, that's what i thought.

> Seems ok
>
>   # ldd /usr/lib/rlm_unix.so
>           linux-gate.so.1 => (0xe000)
>           libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
>           libnsl.so.1 => /lib/libnsl.so.1 (0x40059000)
>           libresolv.so.2 => /lib/libresolv.so.2 (0x4006e000)
>           libpthread.so.0 => /lib/libpthread.so.0 (0x40081000)
>           libc.so.6 => /lib/libc.so.6 (0x400d2000)
>           /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

yes, seems ok to me too. strange.

> I have noticed one message about this on the gentoo-users list but no reply. Either the complainer found the solution or he dropped it. I too presume it to be something related to the system (gentoo linux distro) but I would very much appreciate someone with more freeradius experience guiding me where to look for problems; in the end, if there really is a problem, we get happy people on both sides (gentoo users which will use freeradius ;)).

first of all (lame backpedalling :-) ):
1. there is no obligation to use the unix module.
2. in your case, you can't use it even if it worked (EAP/MD5 can't use crypt passwords).
3. there is no EAP method except TTLS/PAP which can use it, and ttls/pap has a Man-in-the-middle problem...

all that to say that you hardly need the rlm_unix module anyway.

second: the problem is now that radiusd can't link the unix module. thus, it seems to be a compilation/installation/system and not a configuration problem, so perhaps we should wait till Alan wakes up and see what he says :-) should be against 16h00 CET :-) Alan? :)

now, in the meantime:
1. i would suggest to recompile all and to try again.
2. also try the newest snapshot.

ciao
artur
Re: do I need upgrade with using EAP-SIM?
Alex Wang [EMAIL PROTECTED] wrote:
> My radius server is running freeradius-0.9.3 right now, and I wish it could support EAP-SIM. What should I do? Use the snapshot version in place of 0.9.3, or only add a new module?

  Upgrade to the CVS snapshot. A lot more than that module has changed.

> In addition, when the authentication mechanism is EAP-SIM, is there any difference between being a home server and being a radius proxy server in config, modules, or something else?

  The only difference is that one proxies requests, and the other doesn't.

  Alan DeKok.
Re: sqlcounter: count=0 ?????
Juan Pablo Fava [EMAIL PROTECTED] wrote:
> But this is not documented in the module's doc file. What is sqlacc3???

  Nothing. It's fixed in the latest CVS snapshot.

  Alan DeKok.
Re: benchmarks, comparative, claim to be high-performance
Tariq Rashid [EMAIL PROTECTED] wrote:
> I wonder if there are existing benchmarks of freeradius performance compared with other radius servers.

  Only messages posted to the list. Search the archives for details.

> Also, I'm having trouble finding information about what is unique to freeradius in terms of performance. The website suggests that freeradius is high performance... but doesn't elaborate. Where does this unique-to-freeradius performance come from?

  It's not claimed that high performance is unique to FreeRADIUS. It's claimed that FreeRADIUS *is* a high-performance server, and that it's often faster than other servers. There may be another server as high-performance as FreeRADIUS.

> is it from its use of threads?

  That's one.

> is it from its use of C as opposed to perl (radiator)?

  That makes a big difference.

> does it compile using OS specific accelerations (kqueue, for example)

  No.

  The general reasons why it's high performance are that it's designed properly. Since it's a Free Software project, it's designed and written to be independent of any corporate/management/marketing fads. Features go in because they make engineering sense, not because they add another check-box on a marketing slide.

  Alan DeKok.
problems with
Dear List,

I'm trying to use mod_auth_radius-2.0.c (http://www.freeradius.org/mod_auth_radius/mod_auth_radius-2.0.c) with apache httpd-2.0.4. The problem is that the module doesn't set any cookies. Is there anybody out there who has a working installation of both apps above? With apache_1.3.29 everything works without problems; unfortunately I need httpd-2.0.4.

regards
Thomas

--
[EMAIL PROTECTED]
EDAG Engineering + Design AG
Reesbergstr. 1                 Phone: +49 661 6000 597
36039 Fulda                    Fax:   +49 661 6000 592
Re: accounting question
Please Note: Radius does NOT disconnect users, only the NAS can disconnect the user. You will need to figure out how to send a command to your NAS to disconnect the user, and run that program in order to trigger a user disconnect.

Graeme Hinchliffe wrote:
> On Tue, 16 Mar 2004 16:17:03 +0100 Tim Bots [EMAIL PROTECTED] wrote:
>
>> Hi everyone,
>>
>> I have freeradius working correctly at this moment and now my question is: how can I enable accounting? I mean: how can I give users more or less time / more or less session bytes with freeradius? I use freeradius version 0.9.3 running on a p1 with 64 mb memory (I guess) with linux slackware. This works perfectly. I hope someone can help me,
>
> The only way it's possible that I can think of is by doing some crazy hackery. Assuming you get interim accounting updates and monitor these, when they hit a certain level (which you have defined as your cut off) you can trigger a user disconnect, and flag them as unallowed, so they cannot auth again. But this will require hackery on your part, and a dependence on decent accounting updates.

--
Guy Fraser
SMC 2804WBR PEAP not working
Hello,

I am trying to configure a SMC 2804WBR (european V2) AP and an internal WiFi NIC on my laptop for WPA/PEAP network access. No matter what I tried, the login would fail. After dumping some network packets, it seems that, after the identity is sent to Freeradius (in an access-request radius packet), it replies with the challenge but nothing happens afterwards. Also, dumping packets on the wireless side, it seems that the challenge does not reach the NIC on the laptop. The login fails after ~10 seconds of inactivity.

Looking through the posts, I found some other people reporting a problem with SMC APs when using PEAP. Pavol Zibrita mentioned this issue in the 'TLS Setup' post a couple of days ago. Is there any solution? (aside from using EAP/TLS, which Pavol says works with SMC) I did not provide network/debug dumps to keep this post small.

Thank you,
Ionut
Re: unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)
Artur Hecker [EMAIL PROTECTED] wrote:
> second: the problem is now that radiusd can't link the unix module. thus, it seems to be a compilation/installation/system and not a configuration problem, so perhaps we should wait till Alan wakes up and see what he says :-) should be against 16h00 CET :-)

  Read the make and make install output to see if the Unix module was built.

  Alan DeKok.
Re: Mysql Error Message and Postgresql Question
Ugur GUNCER wrote:
> Hi
>
> My radius server gives a "Mysql check_error : 1054 received" message after the user authorization process. What does it mean? My usergroup table is empty !!!
>
>   modcall: entering group authorize
>     modcall[authorize]: module preprocess returns ok
>   radius_xlat: 'dark'
>   rlm_sql (sql): sql_set_user escaped user --> 'dark'
>   radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'dark' ORDER BY id'
>   rlm_sql (sql): Reserving sql socket id: 4
>   radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dark' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
>   rlm_sql_mysql: MYSQL check_error: 1054 received
>   rlm_sql_getvpdata: database query error
>   radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'dark' ORDER BY id'
>   radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dark' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
>   rlm_sql_mysql: MYSQL check_error: 1054 received
>   rlm_sql_getvpdata: database query error
>   rlm_sql (sql): Released sql socket id: 4
>
> And my second question: I'm exporting detail to mysql, but I want to export detail to postgresql at the same time as mysql. I edited my radiusd.conf like this:
>
>   # Include another file that has the SQL-related configuration.
>   # This is another file solely because it tends to be big.
>   #
>   # The following configuration file is for use with MySQL.
>   #
>   # For Postgresql, use:   ${confdir}/postgresql.conf
>   # For MS-SQL, use:       ${confdir}/mssql.conf
>   #
>   $INCLUDE ${confdir}/sql.conf

The line above should be commented out or removed.

>   $INCLUDE /usr/local/radiusd/etc/raddb/postgresql.conf
>
>   # Write a 'utmp' style log file, of which users are currently
>   # logged in, and where they've logged in from.
>
> And postgresql.conf like this:
>
>   # Connect info
>   server = localhost
>   login = puser
>   password = ppass
>
>   # Database table configuration
>   radius_db = pdata_db
>
> But in postgres the radacct table is empty

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787

There is a fine line between genius and lunacy, fear not, walk the line with pride. Not all things will end up as you wanted, but you will certainly discover things the meek and timid will miss out on.
Re: SMC 2804WBR PEAP not working
Hi Alan,

I assumed Freeradius is expecting an answer from the supplicant. Unfortunately, there's no option (or I do not know about it) to increase the verbosity and no error message whatsoever is logged. I really do not know what to do - the strange thing is that - apparently - EAP/TLS does work and - afaik - the AP does not understand anything below the EAP message, so it doesn't even know whether it's PEAP or TLS. Weird.

Thanks for the quick response,
Ionut

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 6:55 PM
Subject: Re: SMC 2804WBR PEAP not working

> Ionut Nistor [EMAIL PROTECTED] wrote:
> > I am trying to configure a SMC 2804WBR (european V2) AP and an internal WiFi NIC on my laptop for WPA/PEAP network access. No matter what I tried, the login would fail. After dumping some network packets, it seems that, after the identity is sent to Freeradius (in an access-request radius packet), it replies with the challenge but nothing happens afterwards.
>
> FreeRADIUS is waiting for the client to respond to the challenge.
>
> > Also, dumping packets on the wireless side, it seems that the challenge does not reach the NIC on the laptop. The login fails after ~10 seconds of inactivity.
>
> So the SMC box is tossing the challenge. If it's not logging any message as to why, there's little you can do to debug the problem.
>
> The SMC box doesn't like something in the challenge packet. But without logs, you can't figure out what it doesn't like.
>
> Alan DeKok.
Re: Problem on users file
Reinaldo Silva [EMAIL PROTECTED] wrote:
> radiusd: FreeRADIUS Version 0.8.1, for host i386-redhat-linux-gnu, built

Upgrade to 0.9.3.

> My users file:
> ...
> ricbasto Auth-Type := Local, User-Password == vex12ab
> benjamim Auth-Type := Local, User-Password == aeco9eek
> ...
> /etc/raddb/users[24]: Parse error (reply) for entry amarantep: No token read where we expected an attribute name

Put a blank line between the entries, just like the ones in the sample users file.

Or, upgrade to 0.9.3.

Alan DeKok.
No User-Password msg although User-Password is defined in users file
I'm using freeradius from CVS (as of Mar 15) and I'm getting:

users: Matched teste at 90                                 // It finds the user 'teste'.. Ok
modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type Local
auth: type Local                                           // Auth-Type .. Ok
auth: No User-Password or CHAP-Password attribute in the request

No User-Password.. Not Ok! The User-Password is specified in raddb/users, line 90, but it doesn't find it.

auth: Failed to validate the user.

Thank you for your help,
--
Nuno Morgadinho
// How is it possible that Honolulu has network connectivity?
// - IP over airplane (their ping times are horrible though)
Re: lower_pass = after problems
Federico Giannici [EMAIL PROTECTED] wrote:
> I have noticed that the lower_pass = after configuration command is implemented simply by executing a second time the entire sequence of authorization/authentication operations.

Yes. The feature is a hack, and should be removed from the server. Similarly, the lower_user feature should also be deleted.

Alan DeKok.
null port name?
I am trying to use freeradius as a proxy between a Cisco gateway and a billing software. Everything worked fine, but then I couldn't dial anything. The billing software returns the error "Null portname error". Any insight? Thanks!
Re: No User-Password msg although User-Password is defined in users file
Nuno Morgadinho [EMAIL PROTECTED] wrote:
> I'm using freeradius from CVS (as of Mar 15) and I'm getting:
>
> users: Matched teste at 90                                 // It finds the user 'teste'.. Ok
> modcall[authorize]: module files returns ok for request 1
> modcall: group authorize returns updated for request 1
> rad_check_password: Found Auth-Type Local
> auth: type Local                                           // Auth-Type .. Ok
> auth: No User-Password or CHAP-Password attribute in the request

Don't set Auth-Type = Local.

And read the ENTIRE debug output. The last few lines are interesting, but there will be information elsewhere which is also useful.

> No User-Password.. Not Ok! The User-Password is specified in raddb/users, line 90, but it doesn't find it.

The password sent by the user (if any) is very different than the password the server uses as a known good password.

Alan DeKok.
Monitor script.
Hi,

Does anybody out there have a quick radius monitor script they'd be willing to share? I have radius/AAA servers behind a CSS. I would like to monitor AAA services and conditionally act on a failure. I am using radclient to successfully test the service.

Thanks a bunch,
Ken.
==
Ken Gage, Qualcomm Inc.
858.651.2737
"Happiness is that state of consciousness which proceeds from the achievement of one's values" - Ayn Rand
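One way to build the kind of monitor asked for above, as an added example that is not part of the thread or of FreeRADIUS: it wraps radclient, classifies the reply, and exits non-zero so a cron job or keepalive wrapper can act on the result. It assumes radclient is on PATH and names the reply type ("Access-Accept" / "Access-Reject") in its output; the server, shared secret and test account are placeholders.

```python
#!/usr/bin/env python3
"""Added example (not from the list thread): a minimal radclient-based
RADIUS health check whose exit status can drive a failover action.

Assumptions: FreeRADIUS's radclient is on PATH and names the reply type
("Access-Accept" / "Access-Reject") in its output; SERVER, SECRET and the
test account below are placeholders for your own values.
"""
import subprocess
import sys

SERVER = "radius.example.net:1812"   # placeholder: the VIP or one real server
SECRET = "testing123"                # placeholder shared secret
TEST_USER = "monitor"                # placeholder account used only for probing
TEST_PASS = "monitor-password"       # placeholder
TIMEOUT = 3                          # seconds radclient waits per try (-t)
RETRIES = 2                          # radclient retransmits before giving up (-r)


def classify_reply(output: str) -> str:
    """Map radclient's output to 'accept', 'reject' or 'down'.

    An Access-Reject still proves the daemon is up and its backend answered,
    so it is reported separately from getting no reply at all (a timeout, an
    unknown client or a wrong shared secret all look like 'down')."""
    if "Access-Accept" in output:
        return "accept"
    if "Access-Reject" in output:
        return "reject"
    return "down"


def probe(server: str = SERVER, secret: str = SECRET,
          user: str = TEST_USER, password: str = TEST_PASS) -> str:
    """Send one Access-Request with radclient and classify the result."""
    request = f'User-Name = "{user}"\nUser-Password = "{password}"\n'
    cmd = ["radclient", "-t", str(TIMEOUT), "-r", str(RETRIES),
           server, "auth", secret]
    try:
        proc = subprocess.run(cmd, input=request, capture_output=True,
                              text=True, timeout=TIMEOUT * (RETRIES + 1) + 2)
    except FileNotFoundError:          # radclient is not installed here
        return "down"
    except subprocess.TimeoutExpired:  # radclient itself hung
        return "down"
    return classify_reply(proc.stdout + proc.stderr)


def exit_code(state: str, reject_is_failure: bool = True) -> int:
    """0 = healthy, 1 = unhealthy; usable from cron, a CSS keepalive script
    or any wrapper that acts on a non-zero exit."""
    if state == "accept":
        return 0
    if state == "reject" and not reject_is_failure:
        return 0
    return 1


if __name__ == "__main__":
    state = probe()
    print(f"radius probe against {SERVER}: {state}")
    sys.exit(exit_code(state))
```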
SQLCOUNTER Problems
Hi All,

I want to use RLM_SQLCOUNTER with Freeradius. After compiling RLM_SQLCOUNTER with FreeRadius, I still can't see radius trying to update usage statistics in MYSQL tables. I read doc/rlm_sqlcounter and thought that whenever a user uses any minutes out of the allocated values, RLM_COUNTER will change the statistics by calculating: (Allocated time - Used time) = Remaining time. Am I right here? Any help will be appreciated.

Sqlcounter.conf:

    sqlcounter dailycounter {
        driver = rlm_sqlcounter
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

    sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
    }

    # Query:
    # SELECT *
    # FROM `radcheck`
    #
    'id','UserName','Attribute','op','Value'
    '[NULL]','infinite','Password','==','infinite'
    '[NULL]','infinite','Max-Daily-Session',':=','100'
    '[NULL]','infinite','Max-Monthly-Session',':=','1000'

radiusd -Xp 1645 returns:

    --- Walking the entire request list ---
    Cleaning up request 1 ID 67 with timestamp 405f32ea
    Nothing to do. Sleeping until we see a request.
    rad_recv: Accounting-Request packet from host 132.146.197.111:1646, id=68, length=36
            User-Name = infinite
            Acct-Status-Type = Stop
    Processing the preacct section of radiusd.conf
    modcall: entering group preacct for request 2
    modcall[preacct]: module preprocess returns noop for request 2
    rlm_realm: No '@' in User-Name = infinite, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[preacct]: module suffix returns noop for request 2
    modcall[preacct]: module files returns noop for request 2
    modcall: group preacct returns noop for request 2
    Processing the accounting section of radiusd.conf
    modcall: entering group accounting for request 2
    rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
    rlm_acct_unique: Hashing ',Client-IP-Address = 132.146.197.111,NAS-IP-Address = 132.146.197.111,,User-Name = infinite'
    rlm_acct_unique: Acct-Unique-Session-ID = e017b662ef57e3ce.
    modcall[accounting]: module acct_unique returns ok for request 2
    radius_xlat: '/usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322'
    rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322
    modcall[accounting]: module detail returns ok for request 2
    modcall[accounting]: module unix returns noop for request 2
    radius_xlat: '/usr/local/var/log/radius/radutmp'
    radius_xlat: 'infinite'
    rlm_radutmp: No NAS-Port seen. Cannot do anything.
    rlm_radumtp: WARNING: checkrad will probably not work!
    modcall[accounting]: module radutmp returns noop for request 2
    radius_xlat: 'infinite'
    rlm_sql (sql): sql_set_user escaped user -- 'infinite'
    radius_xlat: 'UPDATE radacct SET AcctStopTime = '2004-03-22 18:39:55', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '', ConnectInfo_stop = '' WHERE AcctSessionId = '' AND UserName = 'infinite' AND NASIPAddress = '132.146.197.111''
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Released sql socket id: 4
    modcall[accounting]: module sql returns ok for request 2
    modcall: group accounting returns ok for request 2
    Sending Accounting-Response of id 68 to 132.146.197.111:1646
    Finished request 2
    Going to the next request
    --- Walking the entire request list ---
    Cleaning up request 2 ID 68 with timestamp 405f32fb
    Nothing to do. Sleeping until we see a request.

Regards,
Sagar
RE: Using freeradius to authenticate users to a Windows 2000 AD
OK Tarun, everything looks OK from LDP.exe, at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain". So, to back up a bit: the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the M$ certificate server when you select the "Retrieve the CA certificate or CRL" radio button?

Tarun Bhushan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

> Steve
>
> Looks like the LDAPS connection from non-Windows-native clients is not working properly. From a Windows workstation (not on the AD machine) first try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with the SSL flag set to get to your AD LDAP server and see if this works. This shows if LDAPS is working from a Windows-native point of view.
>
> Next, try LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS (on Windows you will need Sun Java), import your AD root CA cert (use the same PEM file as used before - see the documentation below). If you can connect now, this will provide an indication that connection from non-Windows-native clients works with LDAPS. Once that works, you can then go on from there.
> Regards
> Tarun
>
> = Doc - a sample session =
>
> C:\Program Files\Java\j2re1.4.1_03\bin\keytool -list -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
> Enter keystore password: changeit
> Keystore type: jks
> Keystore provider: SUN
> Your keystore contains 15 entries
>
> C:\Program Files\Java\j2re1.4.1_03\bin\keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
> Enter keystore password: changeit
> Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
> Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
> Serial number: something
> Valid from: date until: date
> Certificate fingerprints:
>   MD5: something
>   SHA1: something
> Trust this certificate? [no]: yes
> Certificate was added to keystore
> [Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]
>
> C:\Program Files\Java\j2re1.4.1_03\bin\keytool -list -keystore C:\Tools\ldapbrowser\lbecacerts
> Enter keystore password: changeit
> Keystore type: jks
> Keystore provider: SUN
> Your keystore contains 6 entries
RE: Using freeradius to authenticate users to a Windows 2000 AD
Would it also matter if my certificate was self-signed, as we do not have a need for a third-party signed certificate at this time?

Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393

Tarun Bhushan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Re: SQLCOUNTER Problems
First of all, replace in sqlcounter.conf this line:

    sqlmod-inst = sqlcca3}

with this one:

    sqlmod-inst = sql

The usage statistics are updated by rlm_sql. To do this you must have sql in the accounting section of your radiusd.conf.

Juan Pablo [EMAIL PROTECTED] wrote:
> Hi All,
>
> I want to use RLM_SQLCOUNTER with Freeradius. After compiling RLM_SQLCOUNTER with FreeRadius, I still can't see radius trying to update usage statistics in MYSQL tables. I read doc/rlm_sqlcounter and thought that whenever a user uses any minutes out of the allocated values, RLM_COUNTER will change the statistics by calculating: (Allocated time - Used time) = Remaining time. Am I right here? Any help will be appreciated.
>
> Sqlcounter.conf:
>
>     sqlcounter dailycounter {
>         driver = rlm_sqlcounter
>         counter-name = Daily-Session-Time
>         check-name = Max-Daily-Session
>         sqlmod-inst = sqlcca3
>         key = User-Name
>         reset = daily
>         query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
>     }
>
>     sqlcounter monthlycounter {
>         counter-name = Monthly-Session-Time
>         check-name = Max-Monthly-Session
>         sqlmod-inst = sqlcca3
>         key = User-Name
>         reset = monthly
>         query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
>     }
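To show what the counter query in this thread actually sums (the question of whether "allocated minus used" is what gets computed), here is an added example that is not part of the thread or of FreeRADIUS: the same arithmetic as the sqlcounter query, re-done in Python over a few constructed radacct rows, for both the daily and the monthly reset. It assumes the reset period (%b) starts at midnight / the first of the month in UTC, and the reject/Session-Timeout decision in check_limit is my reading of how rlm_sqlcounter uses the sum, stated as an assumption.

```python
"""Added example (not from the list thread or from FreeRADIUS): the
sqlcounter query from the thread,

  SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0))
  FROM radacct WHERE UserName='%{%k}'
  AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'

evaluated in plain Python over constructed accounting rows, so the daily
and monthly sums can be checked without a MySQL server. %b is the start of
the current reset period and %k the User-Name. Assumption: periods are
computed in UTC here (the module uses the server's local time).
"""
import datetime as dt
from dataclasses import dataclass

UTC = dt.timezone.utc


@dataclass
class AcctRow:
    """One radacct row, reduced to the columns the query touches."""
    username: str
    start: int          # UNIX_TIMESTAMP(AcctStartTime)
    session_time: int   # AcctSessionTime, in seconds


def ts(*ymdhms) -> int:
    """Unix timestamp of a UTC date/time given as (Y, M, D[, h, m, s])."""
    return int(dt.datetime(*ymdhms, tzinfo=UTC).timestamp())


def daily_reset(now: dt.datetime) -> int:
    """%b for reset = daily: first second of the current day."""
    return int(now.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def monthly_reset(now: dt.datetime) -> int:
    """%b for reset = monthly: first second of the current month."""
    return int(now.replace(day=1, hour=0, minute=0, second=0,
                           microsecond=0).timestamp())


def counter_value(rows, username: str, period_start: int) -> int:
    """Seconds `username` has used since `period_start`, exactly as the
    query counts them: sessions that ended before the period are skipped
    by the WHERE clause, and a session that began before the period only
    contributes the part after the boundary (the GREATEST(...) term)."""
    total = 0
    for r in rows:
        if r.username != username:
            continue
        if r.start + r.session_time <= period_start:   # ended before %b
            continue
        total += r.session_time - max(period_start - r.start, 0)
    return total


def check_limit(rows, username: str, period_start: int, limit: int):
    """Assumed module behaviour (my reading of rlm_sqlcounter, stated as an
    assumption): reject once the sum reaches the check-name limit, else
    accept and hand back the remainder as the Session-Timeout to send."""
    used = counter_value(rows, username, period_start)
    if used >= limit:
        return ("reject", 0)
    return ("accept", limit - used)


# Constructed sample data; NOW matches the AcctStopTime in the thread's log.
NOW = dt.datetime(2004, 3, 22, 18, 39, 55, tzinfo=UTC)
SAMPLE_ROWS = [
    AcctRow("infinite", ts(2004, 3, 21, 23, 59, 20), 60),  # spans midnight: 20 s count today
    AcctRow("infinite", ts(2004, 3, 22, 10, 0, 0), 30),    # entirely inside today
    AcctRow("infinite", ts(2004, 3, 20, 12, 0, 0), 500),   # two days ago: monthly only
    AcctRow("other", ts(2004, 3, 22, 11, 0, 0), 900),      # another user: never counted
]

if __name__ == "__main__":
    # Limits are the radcheck values from the thread: 100 s daily, 1000 s monthly.
    for name, start, limit in (("Max-Daily-Session", daily_reset(NOW), 100),
                               ("Max-Monthly-Session", monthly_reset(NOW), 1000)):
        print(name, check_limit(SAMPLE_ROWS, "infinite", start, limit))
```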
RE: Multiple IP Pools with Ascend APX's
Anson,

You need to look at how pool chaining works with the APX. You might also look into the virtual routers.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
540.994.4254 ~ 866.477.5638

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anson Rinesmith
Sent: Wednesday, March 17, 2004 6:04 PM
To: [EMAIL PROTECTED]
Subject: Multiple IP Pools with Ascend APX's

> I'm using freeRadius with MySQL. In radgroupreply (GroupName, Attribute, op, Value, prio) I have multiple ISPs logging into one RAS. The first ISP needs two class Cs, pools 1 and 2. The second ISP needs 3 class Cs, pools 3, 4, 5. etc.
>
> Therefore I cannot use:
>     isp1, X-Ascend-Assign-IP-Pool, :=, 0
>
> Would I have:
>     isp1, X-Ascend-Assign-IP-Pool, :=, 1
>     isp1, X-Ascend-Assign-IP-Pool, +=, 2
>     isp2, X-Ascend-Assign-IP-Pool, :=, 3
>     isp2, X-Ascend-Assign-IP-Pool, +=, 4
>     isp2, X-Ascend-Assign-IP-Pool, +=, 5
>     etc.
Precedence of Realms and Groups in raddb/users
We have been running FreeRadius at our installation for some time to authenticate user access to routers. We recently introduced a number of Radius servers for various parts of the network and started using Realms. We also introduced a raddb/users group called "readonly" which gets read-only service attributes passed back to the NAS, which limits the user's functionality.

We now find that if a username is sent with a suffixed Realm then the users group ("readonly") is bypassed and the DEFAULT group is used. Is there a reference to how I can have a suffix realm observed that still uses the "readonly" DEFAULT entry in the raddb/users file?

Attached is a logon with the same user without and with a suffixed realm.

The raddb/users entries are:

    DEFAULT Group == "readonly", Auth-Type := System
            Login-Service = Telnet,
            Cisco-AVPair = "shell:priv-lvl=1",
            ERX-Cli-Initial-Access-Level = "5",

    DEFAULT Auth-Type := System
            Login-Service = Telnet,
            Cisco-AVPair = "shell:priv-lvl=15",
            Service-Type = 6

The raddb/realms entry is:

    # Realm   Remote server [:port]   Options
    # -----   ---------------------   -------
    rdn       LOCAL

First use, without realm:

    rad_recv: Access-Request packet from host 144.133.144.100:5, id=59, length=83
            User-Password = "..."
            User-Name = "bhd3"
            Acct-Session-Id = "erx :0002097211"
            Service-Type = Administrative-User
            NAS-IP-Address = 144.133.144.100
            NAS-Identifier = "P_Router"
    modcall: entering group authorize
    modcall[authorize]: module "suffix" returns ok
    HASH: user bhd3 found in hashtable bucket 93085
    HASH: matched user bhd3 in group readonly
    users: Matched DEFAULT at 7
    modcall[authorize]: module "files" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type System
    auth: type "System"
    modcall: entering group authenticate
    HASH: user bhd3 found in hashtable bucket 93085
    modcall[authenticate]: module "unix" returns ok
    modcall: group authenticate returns ok
    Sending Access-Accept of id 59 to 144.133.144.100:5
            Login-Service = Telnet
            Cisco-AVPair = "shell:priv-lvl=1"
            ERX-Cli-Initial-Access-Level = "5"
    Finished request 6
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 6 ID 59 with timestamp 405d3194
    Nothing to do. Sleeping until we see a request.

Second use, with @realm:

    rad_recv: Access-Request packet from host 144.133.144.100:5, id=60, length=87
            User-Password = ""
            User-Name = "[EMAIL PROTECTED]"
            Acct-Session-Id = "erx :0002097212"
            Service-Type = Administrative-User
            NAS-IP-Address = 144.133.144.100
            NAS-Identifier = "P_Router"
    modcall: entering group authorize
    modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 65
    modcall[authorize]: module "files" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type System
    auth: type "System"
    modcall: entering group authenticate
    HASH: user bhd3 found in hashtable bucket 93085
    modcall[authenticate]: module "unix" returns ok
    modcall: group authenticate returns ok
    Sending Access-Accept of id 60 to 144.133.144.100:5
            Login-Service = Telnet
            Cisco-AVPair = "shell:priv-lvl=15"
            Service-Type = Administrative-User
    Finished request 7
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 7 ID 60 with timestamp 405d31a8
    Nothing to do. Sleeping until we see a request.
RE: Using freeradius to authenticate users to a Windows 2000 AD
Steve

What you need is the Windows root CA cert that you placed on to the FreeRadius box. Use the same PEM file as input on the box you are executing the LDAP Browser/Editor (LBE) from - this is the c:\temp\somedc.ca.pem file I refer to in the documentation below. I used LBE from a Windows box with the Sun Java run time installed - works just fine.

Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 6:36 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

> OK Tarun, everything looks OK from LDP.exe, at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain". So, to back up a bit: the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the M$ certificate server when you select the "Retrieve the CA certificate or CRL" radio button?
Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin
Alan,

Thanks very much. I'll pull down the files from CVS first chance I get and let you know how things go.

Alan DeKok wrote:
> ...
> The latest CVS snapshot has had all references to inet_pton() and inet_ntop() removed. Until the server supports IPv6 completely, they're not needed.
> ...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to pass password via password of radiusd.conf
----- Original Message -----
From: Alexei Vasilyev [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 6:34 PM
Subject: Re: How to pass password via password of radiusd.conf

> Hey
> > password=%{User-Password}
> Here must be cleartext password for AD. E.g.
> password=cbhoh123

Is there a way to pass a dynamic password for different users? The problem is that the user accounts in AD each have a different password.

Thanks!

> --
> Best regards,
> Alexei Vasilyev  mailto:[EMAIL PROTECTED]
> OJSC Mobile TeleSystems, Kirov, Russia
> Technical Specialist
IPPOOL
Hello,

I've been having problems with the ippool: freeradius seems to authorize the dialer client, but my NAS doesn't. What could be wrong?

Rogelio Alvarado Anchisi
Systems Engineer
Galaxy Communications Corp.
Tel. +507-2000128
Cel. +507-6744093
RE: Using freeradius to authenticate users to a Windows 2000 AD
OK, I got it going here too, just some login syntax issues with the ldapbrowser. Now I can log in with SSL there, but am still getting errors with freeradius radtest. On a side note, radtest is now working with an identical radiusd.conf without SSL. To roll this out I need SSL to work. Here's the debug output. Thanks again for all your help!!

rad_recv: Access-Request packet from host 127.0.0.1:49066, id=128, length=56
        User-Name = test
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module eap returns noop for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by test with password test
radius_xlat: '(SamAccountName=test)'
radius_xlat: 'dc=ci,dc=bend,dc=or,dc=us'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:636, authentication 0
rlm_ldap: setting TLS mode to 1
ldap_err2string
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us/freerad1us to cityhalldc1.ci.bend.or.us:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP cityhalldc1.ci.bend.or.us:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 192.168.19.40:636
ldap_connect_timeout: fd: 7 tm: 5 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 10 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: cityhalldc1.ci.bend.or.us  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Mar 22 15:55:54 2004
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next failed.
rlm_ldap: ldap_result()
ldap_err2string
rlm_ldap: cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us bind to cityhalldc1.ci.bend.or.us:636 failed: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module ldap returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 128 to 127.0.0.1:49066
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 128 with timestamp 405f7d0a
Nothing to do.  Sleeping until we see a request.

Here's ldap.conf:

[snip]
# Active Directory SSL options
ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer no
# CA certificates for server certificate verification
TLS_CACERT /usr/local/ssl/certs/cacertder.pem
[snip]

Here's radiusd.conf:

[snip]
ldap {
        server = cityhalldc1.ci.bend.or.us
        port = 636
        identity = cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us
        password = freerad1us
        basedn = dc=ci,dc=bend,dc=or,dc=us
        #filter = (cn=%u)
        #filter = (sAMAccountName=%u)
        filter = (SamAccountName=%{Stripped-User-Name:-%{User-Name}})
        #filter = (&(SamAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=RemoteUser,cn=Users,dc=ci,dc=bend,dc=or,dc=us))

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database.
        start_tls = no
        #tls_mode = no

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 10
        #groupname_attribute = cn
        #groupmembership_filter = (&(objectClass=Group)(member=%{Ldap-UserDn}))
        timeout =
Re: does the 0.9.3 support EAP-SIM proxy?
Alex Wang [EMAIL PROTECTED] wrote:
> my radius server is running 0.9.3 now, and I wish that can support EAP-SIM proxy.

If you mean proxying EAP-SIM to another RADIUS server, sure. But to do that, it means you probably won't be able to use EAP at all. The latest CVS snapshot allows a little finer-grained control.

Alan DeKok.
Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin
Frank Seesink [EMAIL PROTECTED] wrote:
> I have downloaded the CVS files and tried building FreeRADIUS under Cygwin, and I'm all the way down to the build step where it attempts to make radiusd.exe (the daemon itself). Unfortunately, it blows up on something quite simple: undefined _crypt reference.

Edit src/main/Makefile. Look for the line building radiusd. There's a $(LCRYPT) there. It's not enough. Add a *second* $(LCRYPT) as the last entry on the build line, after the $(MODULE_LIBS).

Alan DeKok.
Re: Juniper Attributes and OpenLDAP
On Fri, Mar 19, 2004 at 06:35:17PM +0200, Kostas Kalevras wrote:
> On Fri, 19 Mar 2004, Robert Banniza wrote:
> > In looking at the dictionary.juniper file, I notice there are 5 attributes in this file:
> >
> > ATTRIBUTE Juniper-Local-User-Name     1 string Juniper
> > ATTRIBUTE Juniper-Allow-Commands      2 string Juniper
> > ATTRIBUTE Juniper-Deny-Commands       3 string Juniper
> > ATTRIBUTE Juniper-Allow-Configuration 4 string Juniper
> > ATTRIBUTE Juniper-Deny-Configuration  5 string Juniper
> >
> > With that said, I'm using OpenLDAP to authenticate and would also like to use LDAP to control who has access to which commands within JUNOS. Therefore, can I place these attributes in my OpenLDAP ldif and have radius read them? In doing this, don't these attributes need to be defined within the RADIUS-LDAPv3.schema or some other schema? Is anyone doing this currently to show me where I need to go next? I have searched the web and there is little info on Juniper/Freeradius.
>
> You can either define a few new ldap attributes for the corresponding Juniper RADIUS attributes and add them to your ldap schema. Or you can use the generic attributes provided in the current schema:
>
> radiusReplyItem: Juniper-Local-User-Name := username
>
> and so on

I'm not sure I'm following you... Let's say I want to add the Juniper-Allow-Commands and Juniper-Deny-Commands to my user's profile within OpenLDAP. Wouldn't I have to define these attributes within some LDAP schema, whether it be in the RADIUS-LDAPv3.schema or some other schema, in order for OpenLDAP to know how to interpret the attribute? I guess the knowledge gap I'm having is to determine how/where to make Freeradius understand these attributes within OpenLDAP the same way Freeradius knows about these attributes through the dictionary.juniper file. Along those same lines, in which file do I put radiusReplyItem: Juniper-Local-User-Name := username?

Thanks
Robert

> > Thanks
> > Robert
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf
Re: Juniper Attributes and OpenLDAP
On Mon, 22 Mar 2004, Robert Banniza wrote:
> I'm not sure I'm following you... Let's say I want to add the Juniper-Allow-Commands and Juniper-Deny-Commands to my user's profile within OpenLDAP. Wouldn't I have to define these attributes within some LDAP schema, whether it be in the RADIUS-LDAPv3.schema or some other schema, in order for OpenLDAP to know how to interpret the attribute?

I can't talk about how freeradius interprets the juniper values, but openldap will need to have attribute and objectclass definitions to match what juniper has, most likely. I am not that familiar with much about Juniper or FreeRadius, but I have been working with ldap some.

http://www.juniper.net/techpubs/software/management/sdx/sdx400/sw-sdx-install/html/sw-sdx-installTOC.html

Search down to openldap; they have instructions on how to load the openldap server. I assume that installs the schema too, which is what defines all the juniper attributes for you, and you should be off to the races with the correct attributes and objectclasses.

The rest of this is crap I wrote if you have to do it the hard way, which it doesn't look like you do, but I am including it so _I_ don't forget what I am doing.

Another way to get these is to set up the Juniper LDAP server and perform an ldapsearch on their database, equivalent to a dump of the database into LDIF format. I don't know how well Juniper's ldap server will respond to that. Sun's responded fairly well. You might poke around and find a schema or an ldif file in the Juniper install media too.

Basically you need a lot of the attributes like on:
http://www.juniper.net/techpubs/software/management/sdx/sdx310/sdx310-sw-developer/html/ldap-object-mapping6.html

You need to figure out what they are looking for for the attribute syntax, since you need the long number representation of it, but you can cross-reference from http://www.faqs.org/rfcs/rfc2252.html; section 4.3.2 lists them. The rest of it is fairly straightforward if you look at another schema.

The object identifier (OID) number _technically_ just has to be unique, but they supply one for you; I would use it only for the fact you won't have to worry about getting stuff mixed up if you try to do something else with the server. (Technically the Juniper ones should be registered and unique.) You will find examples of the syntax of the matching rules in the openldap schema. It isn't particularly hard, just tedious as all hell.

Sean
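As an added example (not code from the thread, from Juniper or from FreeRADIUS), a Python helper that does the tedious part Sean describes: it turns the ATTRIBUTE lines Robert quoted from dictionary.juniper into OpenLDAP attributetype/objectclass definitions, taking the syntax OIDs from RFC 2252 section 4.3.2, and emits the matching ldap.attrmap lines so rlm_ldap returns the values as reply items. The OID arc 1.3.6.1.4.1.99999.1, the radiusJuniper* attribute names and the type-to-syntax table are my choices for this example, not Juniper's registered OIDs.

```python
import re

# Constructed sample in FreeRADIUS dictionary syntax: the five ATTRIBUTE lines are the ones
# quoted from dictionary.juniper in this thread; the comment and VENDOR line exercise the parser.
SAMPLE_DICT = """\
# -*- text -*-
VENDOR\t\tJuniper\t\t\t2636
ATTRIBUTE\tJuniper-Local-User-Name\t\t1\tstring\tJuniper
ATTRIBUTE\tJuniper-Allow-Commands\t\t2\tstring\tJuniper
ATTRIBUTE\tJuniper-Deny-Commands\t\t3\tstring\tJuniper
ATTRIBUTE\tJuniper-Allow-Configuration\t4\tstring\tJuniper
ATTRIBUTE\tJuniper-Deny-Configuration\t5\tstring\tJuniper
"""

# Placeholder OID arc invented for this example: substitute an arc your organisation owns.
OID_BASE = "1.3.6.1.4.1.99999.1"

# FreeRADIUS attribute type -> (LDAP syntax OID from RFC 2252 section 4.3.2, equality matching rule)
SYNTAX = {
    "string":  ("1.3.6.1.4.1.1466.115.121.1.15", "caseIgnoreMatch"),     # Directory String
    "integer": ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch"),        # INTEGER
    "ipaddr":  ("1.3.6.1.4.1.1466.115.121.1.26", "caseIgnoreIA5Match"),  # IA5 String
    "octets":  ("1.3.6.1.4.1.1466.115.121.1.40", "octetStringMatch"),    # Octet String
}

# ATTRIBUTE name number type [vendor]; the trailing vendor column is the old-style dictionary format.
ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\w+)(?:\s+(\S+))?$")

def parse_dictionary(text):
    """Return [(radius_name, number, type)] from ATTRIBUTE lines; comments and other keywords are skipped."""
    attrs = []
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            if m.group(3) not in SYNTAX:
                raise ValueError(f"no LDAP syntax mapping for type {m.group(3)!r} ({m.group(1)})")
            attrs.append((m.group(1), int(m.group(2)), m.group(3)))
    return attrs

def ldap_name(radius_name):
    """Juniper-Allow-Commands -> radiusJuniperAllowCommands (naming convention chosen for this example)."""
    return "radius" + "".join(part.capitalize() for part in radius_name.split("-"))

def generate_schema(text, objectclass="radiusJuniperProfile"):
    """OpenLDAP schema text: one attributetype per ATTRIBUTE plus an AUXILIARY objectclass holding them."""
    attrs = parse_dictionary(text)
    out = []
    for name, number, rtype in attrs:
        syntax, rule = SYNTAX[rtype]
        out.append(f"attributetype ( {OID_BASE}.1.{number} NAME '{ldap_name(name)}'\n"
                   f"\tDESC 'RADIUS {name}' EQUALITY {rule} SYNTAX {syntax} )")
    may = " $ ".join(ldap_name(n) for n, _, _ in attrs)
    out.append(f"objectclass ( {OID_BASE}.2.1 NAME '{objectclass}' SUP top AUXILIARY\n\tMAY ( {may} ) )")
    return "\n".join(out)

def generate_attrmap(text):
    """ldap.attrmap lines (item type, RADIUS attribute, LDAP attribute) so rlm_ldap copies each into the reply."""
    return "\n".join(f"replyItem\t{name}\t{ldap_name(name)}" for name, _, _ in parse_dictionary(text))

if __name__ == "__main__":
    print(generate_schema(SAMPLE_DICT))
    print(generate_attrmap(SAMPLE_DICT))
```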
Re[2]: How to pass password via password of radiusd.conf
> > > password=%{User-Password}
> > Here must be cleartext password for AD. E.g.
> > password=cbhoh123
> Is there a way to pass dynamic password from different users? The problem is
> that the user a/c in AD is having a different password.
> Thank!

This password is for the user (dn) which your radius server uses for binding to AD to perform searches, etc. E.g. for such a dn:

identity = cn=freeradius,ou=admins,ou=radius,dc=kirov,dc=mts,dc=ru
password = secret

There is another parameter for the users from AD to authenticate. If in your AD the passwords are in the attribute userPassword, you have to use this config line for the ldap module in radiusd.conf:

password_attribute = userPassword

--
Best regards,
Alexei Vasilyev  mailto:[EMAIL PROTECTED]
OJSC Mobile TeleSystems, Kirov, Russia
Technical Specialist
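As an added example (not code from this thread or from FreeRADIUS), a Python triage helper for the rlm_ldap debug output that both this thread and the Windows 2000 AD thread above paste in full: it tells a bind the server answered and rejected (the bind DN's identity/password that Alexei describes, or an unexpanded %{User-Password} in that field) apart from a connection that never answered ("Can't contact LDAP server"), and it redacts the bind DN's password and the user's password, which radiusd -X prints in cleartext, before the output is shared on a list. The host name, DN and passwords in the sample are constructed.

```python
import re

# Constructed sample of radiusd -X output, modelled on the rlm_ldap lines posted in this thread
# (host name, DN and passwords are made up).
SAMPLE_LOG = """\
rlm_ldap: login attempt by alice with password Wrong-Pw-1
rlm_ldap: (re)connect to ldap.example.com:636, authentication 0
rlm_ldap: bind as cn=freeradius,cn=users,dc=example,dc=com/S3cret-Bind-Pw to ldap.example.com:636
rlm_ldap: waiting for bind result ...
ber_get_next failed.
rlm_ldap: cn=freeradius,cn=users,dc=example,dc=com bind to ldap.example.com:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
"""

# Debug lines that carry secrets: the bind DN's password and the user's password.
BIND_RE = re.compile(r"^(rlm_ldap: bind as )(?P<dn>.+?)/(?P<pw>.+?)( to \S+)$")
LOGIN_RE = re.compile(r"^(rlm_ldap: login attempt by )(\S+)( with password )(.+)$")

# Symptom -> explanation, for the failure modes discussed in these threads.
FINDINGS = [
    ("unexpanded_xlat", r"bind as .*/%\{",
     "bind password is a literal %{...}: 'password' is the bind DN's own cleartext secret; "
     "users are checked via password_attribute or a user bind, not here"),
    ("bind_rejected", r"LDAP login failed: check login, password settings",
     "the server answered the bind and rejected it: identity/password of the bind DN are wrong"),
    ("tls_option_warning", r"could not set LDAP_OPT_X_TLS option",
     "libldap refused the TLS option: check the TLS settings before suspecting credentials"),
    ("connection_failed", r"Can't contact LDAP server",
     "no LDAP answer at all: network, port or TLS handshake problem, not a credential problem"),
]

def redact(line):
    """Mask the bind password and the user's password so the line can be shared safely."""
    line = BIND_RE.sub(lambda m: f"{m.group(1)}{m.group('dn')}/<redacted>{m.group(4)}", line)
    line = LOGIN_RE.sub(r"\1\2\3<redacted>", line)
    return line

def triage(log_text):
    """Return ([(finding, explanation), ...], redacted_lines) for a block of debug output."""
    findings, seen, redacted = [], set(), []
    for line in log_text.splitlines():
        for name, pattern, explanation in FINDINGS:
            if name not in seen and re.search(pattern, line):
                seen.add(name)
                findings.append((name, explanation))
        redacted.append(redact(line))
    return findings, redacted

if __name__ == "__main__":
    found, lines = triage(SAMPLE_LOG)
    for name, why in found:
        print(f"{name}: {why}")
    print("\n".join(lines))
```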
Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin
Alan,

I have downloaded the CVS files and tried building FreeRADIUS under Cygwin, and I'm all the way down to the build step where it attempts to make radiusd.exe (the daemon itself). Unfortunately, it blows up on something quite simple: undefined _crypt reference.

Now, there's a -crypt flag in the gcc line, libcrypt.a exists in /lib and /usr/lib (they're the same in Cygwin), and all I can guess is that the autoconf-generated files are a bit out of date/sync. I've tried modifying Make.inc at the root level to include all possibly necessary info, but still no go. I am currently rerunning configure after having run autoconf to regenerate it, but I'm afraid my experience with automake/autoconf/etc. is limited. I'm an old dinosaur when it comes to Makefiles, and my experience is limited to the older, more manual approach, I'm afraid. I'm tinkering with code once again, and these scripts look like quite an improvement for those looking to build on multiple systems, but I just don't have much experience with them yet.

I'm so close I can smell it, but just not there yet. If you have any advice on how to make sure the build files (configure, Makefiles, etc.) are as up-to-date as possible, please advise. Note the results of:

$ cygcheck -c autoconf automake m4
Cygwin Package Information
Package              Version        Status
autoconf             2.59-1         OK
automake             1.7.9-1        OK
m4                   1.4-1          OK

This is as up-to-date as it gets in the Cygwin world, so hopefully we're not too far behind.

Frank Seesink wrote:
> Alan,
>
> Thanks very much. I'll pull down the files from CVS first chance I get and let you know how things go.
>
> Alan DeKok wrote:
> > ...
> > The latest CVS snapshot has had all references to inet_pton() and inet_ntop() removed. Until the server supports IPv6 completely, they're not needed.
> > ...