do I need upgrade with using EAP-SIM?

2004-03-22 Thread Alex Wang



Hi~

My radius server is running freeradius-0.9.3 right now, and I wish
that it could support EAP-SIM.
What should I do? Use the snapshot version in place of 0.9.3, or
just add a new module?

In addition, when the authentication mechanism is EAP-SIM, is there
any difference between being a home server and being a radius
proxy server in config, modules, or something else?

thanks a lot

alex


How to pass password via password of radiusd.conf

2004-03-22 Thread cbhoh



I want to connect the Radius server to Active Directory for
authentication, but I encountered a problem passing the password to
the Active Directory server.

The following is part of the radiusd.conf file:

ldap {
        server = "192.168.250.25"
        identity = "CN=cbhoh,CN=Users,DC=example,DC=com"
        password="%{User-Password}"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "CN=cbhoh,CN=Users,DC=example,DC=com"
        #filter = "(CN=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(CN=%{Stripped-User-Name:-%{User-Name}})"

Running the command ./radtest cbhoh cbhoh123 127.0.0.1:8000 10 testing123,
authentication fails, and the following is the log from radiusd:

modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "cbhoh" with password "cbhoh123"
radius_xlat: '(CN=cbhoh)'
radius_xlat: 'CN=cbhoh,CN=Users,DC=example,DC=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.250.25:389, authentication 0
rlm_ldap: bind as CN=cbhoh,CN=Users,DC=example,DC=com/%{User-Password} to 192.168.250.25:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
modcall[authenticate]: module "ldap" returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.

As the log shows, %{User-Password} is not substituted with the password
passed by radtest.

Any idea? Maybe I missed something.

regards,
- HOH


MySQL accounting and Cisco-AVPair

2004-03-22 Thread Pugnaloni Federico
Hi,
I'm using FreeRADIUS Version 0.9.3 on FreeBSD 4.9
with a Cisco PIX for AAA on internet access.
It works fine, but I need to store the Cisco-AVPair info in the radacct SQL
table.

As I can see in the detail accounting file, freeradius stores the Cisco-AVPair info:

-snip-
Cisco-AVPair = ip:source-ip=192.168.0.127
Cisco-AVPair = ip:source-port=4051
Cisco-AVPair = ip:destination-ip=10.10.10.1
Cisco-AVPair = ip:destination-port=23
-snip

but I cannot store this info in SQL.
I've tried to modify sql.conf like this:

accounting_stop_query_alt = INSERT into ${acct_table2} (RadAcctId,
AcctSessionId... AcctStopDelay) values('', '%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}'... '%{Cisco-AVPair}',
'%{Cisco-AVPair}'..}')

but it returns only the first instance of Cisco-AVPair
(ip:source-ip=192.168.0.127).

How can I store all the values?

--
Federico Pugnaloni

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

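The detail file Federico quotes carries one line per Cisco-AVPair value, while `%{Cisco-AVPair}` expands only the first one. As an added example that is not part of the post or of FreeRADIUS, here is a small Python parser for the detail-file layout that keeps every instance of a repeated attribute and stores the joined values with a parameterised SQL insert. The record it parses is constructed, and the radacct column names, the `;` separator and the `ip:key=value` split are assumptions for this example.

```python
"""Parse FreeRADIUS 'detail' accounting records, keeping every value of a
repeated attribute such as Cisco-AVPair (added example; not FreeRADIUS code)."""
import sqlite3

# Constructed sample record in detail-file layout: a timestamp line, one
# tab-indented "Attribute = value" line per attribute, and a blank line.
SAMPLE_DETAIL = """\
Mon Mar 22 10:15:02 2004
\tAcct-Session-Id = "0000A1B2"
\tUser-Name = "federico"
\tNAS-IP-Address = 192.168.0.1
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 37
\tCisco-AVPair = "ip:source-ip=192.168.0.127"
\tCisco-AVPair = "ip:source-port=4051"
\tCisco-AVPair = "ip:destination-ip=10.10.10.1"
\tCisco-AVPair = "ip:destination-port=23"

"""


def parse_detail(text):
    """Return a list of records; each maps attribute name -> list of values,
    so a repeated attribute keeps all of its instances in order."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current is not None:
                records.append(current)
                current = None
        elif not line[0].isspace():          # unindented line: timestamp
            current = {"_timestamp": [line.strip()]}
        elif current is not None:
            name, _, value = line.strip().partition(" = ")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # drop the quoting of string attrs
            current.setdefault(name, []).append(value)
    if current is not None:
        records.append(current)
    return records


def avpairs(record):
    """Split each 'ip:key=value' Cisco-AVPair into (key, value) tuples."""
    pairs = []
    for raw in record.get("Cisco-AVPair", []):
        body = raw.split(":", 1)[1] if ":" in raw else raw
        key, _, val = body.partition("=")
        pairs.append((key, val))
    return pairs


def first(record, name):
    """First value of an attribute, or '' when it is absent."""
    return record.get(name, [""])[0]


def store_stop(record, conn=None):
    """Insert an Acct-Stop row (assumed table layout) with all AVPairs joined
    by ';', using bound parameters so attribute values never reach the query
    text unescaped. Returns the CiscoAVPair column as stored."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS radacct (AcctSessionId TEXT, UserName TEXT,"
        " NASIPAddress TEXT, AcctSessionTime INTEGER, CiscoAVPair TEXT)"
    )
    conn.execute(
        "INSERT INTO radacct VALUES (?, ?, ?, ?, ?)",
        (
            first(record, "Acct-Session-Id"),
            first(record, "User-Name"),
            first(record, "NAS-IP-Address"),
            int(first(record, "Acct-Session-Time") or 0),
            ";".join(record.get("Cisco-AVPair", [])),
        ),
    )
    row = conn.execute(
        "SELECT CiscoAVPair FROM radacct WHERE AcctSessionId = ?",
        (first(record, "Acct-Session-Id"),),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    rec = parse_detail(SAMPLE_DETAIL)[0]
    print(avpairs(rec))
    print(store_stop(rec))
```

Whether one joined column or a separate table with one row per AVPair is the better schema depends on what the rows are later queried for; the parser is the same in both cases.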

Re: sqlcounter: count=0 ?????

2004-03-22 Thread Juan Pablo Fava
That was the problem; I solved it last night reading an old post. I really
appreciate your help.

But this is not documented in the module's doc file. What is sqlacc3???

Thank you all!!!

apellido dijo:
 To to change the following :

 Try to change the following in your sqlcounter dailycounter and
 montlycounter.

 sqlmod-inst = sqlcca3  sqlmod-inst = sql



 - Original Message -
 From: Juan Pablo Fava [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Saturday, March 20, 2004 10:18 PM
 Subject: Re: sqlcounter: count=0 ?


 Here it is.

 Thanks!

 apellido dijo:
  can we take a look at your sqlcounter.conf?
 
 
  - Original Message -
  From: Juan Pablo Fava [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Saturday, March 20, 2004 10:12 AM
  Subject: sqlcounter: count=0 ?
 
 
  Hi, the problem is that my installation of sqlcounter doesn't work, I
  think because the counter returns ZERO!!
  and I don't know why, because if I execute the SQL code by hand, I
  don't get zero:
 
  radcheck is ok:
 
  mysql> select * from radcheck where username='troll';
  +----+----------+---------------------+----+-------+
  | id | UserName | Attribute           | op | Value |
  +----+----------+---------------------+----+-------+
  |  3 | troll    | User-Password       | == | troll |
  |  5 | troll    | Max-Monthly-Session | := | 3600  |
  +----+----------+---------------------+----+-------+
  2 rows in set (0.11 sec)
 
 
  mysql> SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811';
  +------------------------------------------------------------------------------+
  | SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) |
  +------------------------------------------------------------------------------+
  |                                                                       376200 |
  +------------------------------------------------------------------------------+
  1 row in set (0.00 sec)
 
  Now, lets see radiusd output:
 
 
  rlm_sqlcounter: Entering module authorize code

  sqlcounter_expand:  'SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{User-Name}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''

  radius_xlat:  'SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811''

  sqlcounter_expand:  '%{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}'

  WARNING: Attempt to use unknown xlat function or attribute in string %{sqlcca3:SELECT SUM(AcctSessionTime - GREATEST((107811 - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='troll' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '107811'}

  radius_xlat:  ''
  rlm_sqlcounter: (Check item - counter) is greater than zero
  rlm_sqlcounter: Authorized user troll, check_item=3600, counter=0
  <= HERE !!
  rlm_sqlcounter: Sent Reply-Item for user troll, Type=Session-Timeout, value=3600
  modcall[authorize]: module monthlycounter returns ok for request 5
  <<< NO, IT`S NOT OK USER CAN`T LOGIN!! :P
 
 
  Does someone have an idea about what's going on here?
  I don't understand the Warning above...


  Thanks in advance, and excuse my English.
 
  --
  Juan Pablo Fava
 
 
 
 

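The query Juan ran by hand is the standard rlm_sqlcounter query: it sums AcctSessionTime per user but, through GREATEST(), counts only the part of each session that lies after the reset time (%b), and the WHERE clause drops sessions that ended before the reset. As an added example that is not part of the thread or of FreeRADIUS, the Python below runs the same arithmetic on an in-memory SQLite table of constructed sessions and mirrors the module's decision: reject once the counter reaches the check item, otherwise reply with the remaining seconds as Session-Timeout. SQLite's two-argument MAX() stands in for MySQL's GREATEST(), AcctStartTime is stored as an integer epoch so UNIX_TIMESTAMP() is not needed, and the reset time and sessions are constructed values.

```python
"""rlm_sqlcounter's usage arithmetic on a constructed radacct table
(added example; not FreeRADIUS code)."""
import sqlite3

RESET_TIME = 1_078_099_200   # constructed: start of the current counting period (epoch seconds)
MAX_MONTHLY_SESSION = 3600   # the check item from Juan's radcheck table

# Constructed sessions: (UserName, AcctStartTime as epoch seconds, AcctSessionTime)
SESSIONS = [
    ("troll", RESET_TIME - 1000, 1500),  # straddles the reset: only 500 s count
    ("troll", RESET_TIME + 100, 900),    # fully inside the period: 900 s count
    ("troll", RESET_TIME - 5000, 2000),  # ended before the reset: excluded
    ("other", RESET_TIME + 10, 4000),    # another user, already over the limit
]

# Same shape as the sqlcounter query: MAX(a, 0) replaces GREATEST(a, 0), and
# the reset time is bound as a parameter where the module substitutes %b.
COUNTER_SQL = """
SELECT COALESCE(SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)), 0)
FROM radacct
WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?
"""


def build_db(sessions=SESSIONS):
    """In-memory radacct table holding the constructed sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", sessions)
    return conn


def used_seconds(conn, user, reset=RESET_TIME):
    """Seconds of session time the user has consumed since the reset."""
    return conn.execute(COUNTER_SQL, (reset, user, reset)).fetchone()[0]


def authorize(conn, user, limit=MAX_MONTHLY_SESSION, reset=RESET_TIME):
    """Mirror the module's decision: reject once the counter reaches the
    check item, otherwise grant the remainder as Session-Timeout."""
    used = used_seconds(conn, user, reset)
    if used >= limit:
        return ("reject", 0)
    return ("ok", limit - used)


if __name__ == "__main__":
    db = build_db()
    for name in ("troll", "other", "nobody"):
        print(name, used_seconds(db, name), authorize(db, name))
```

A counter of 0 for a user who plainly has accounting rows, as in Juan's debug output, is the signature of the inner query never having been run: comparing the module's counter against the same query executed by hand is the quickest way to tell a real zero from a failed expansion.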

radius backup authentication

2004-03-22 Thread Ahmad Cheikh Moussa
Hi!

I have a general question. Is it possible to have
more than one authentication method? I know that freeradius
has multiple ways to authenticate, but is it possible to have
one as backup? For example:
There is one freeradius server which has two authentication methods:
 Primary: Mysql
 Secondary: users file
If the primary authentication fails, because the mysql server is down, then
it should use the second authentication. The users file would be
dynamically generated every time the mysql user information has changed.
Is this possible ???

Regards,
 Ahmad


benchmarks, comparative, claim to be high-performance

2004-03-22 Thread Tariq Rashid

I wonder if there are existing benchmarks of freeradius performance compared
with other radius servers. 

Or even non-comparative benchmarks.

Also, I'm having trouble finding information about what is unique to
freeradius in terms of performance. The website suggests that freeradius is
high performance... but doesn't elaborate. Where does this
unique-to-freeradius performance come from?

 is it from its use of threads?
 is it from its use of C as opposed to perl (radiator)?
 does it compile using OS specific accelerations (kqueue, for example)?

tariq




Re: EAP-TLS: Authorization based on certificate?

2004-03-22 Thread Gunter Burchardt
Am Sonntag, 21. März 2004 13:53 schrieb Peter Stamfest:
Hello, 
 The problem is that there is no connection between the certificate and the 
 id / User-Name:
 
 * The User-Name can be freely chosen by the supplicant. This username is 
   then used for authorization (NOT authentication)
 
 * The certificate gets used for authentication (NOT authorization)
 
 Trouble is: There is no connection between the two. Assume the following 
 situation:
 

I wrote a patch and submitted it to the mailing list. It compares the identity in
the radius packet (User-Name) with the identity in the certificate. If they differ the user
will be rejected!

regards
Gunter



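Gunter's point is that EAP-TLS authenticates the certificate while authorization keys off a User-Name the supplicant chooses freely, so the two identities have to be tied together. As an added example that is not Gunter's patch or FreeRADIUS code, the Python below shows the comparison such a check has to make: the User-Name is accepted only if it names the certificate holder, either as the subject CN or as an rfc822Name SAN, and an `@realm` suffix is stripped only when the realm is one the server serves. The DN parser is deliberately simple (escaped commas are not handled), and the certificate subjects, SANs and realms are constructed.

```python
"""Tie the RADIUS User-Name to the identity in the authenticated client
certificate (added example; not the patch discussed in the thread)."""


def parse_dn(dn):
    """Split an RFC 4514-style DN such as 'CN=alice,OU=Staff,DC=example,DC=com'
    into {attribute: [values]}. Simplified: escaped commas are not handled."""
    parts = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep:
            parts.setdefault(key.strip().upper(), []).append(value.strip())
    return parts


def certificate_identities(subject_dn, san_emails=()):
    """Names a certificate may be matched against: every subject CN plus any
    rfc822Name SAN entries, normalised to lower case."""
    ids = {v.lower() for v in parse_dn(subject_dn).get("CN", [])}
    ids.update(e.lower() for e in san_emails)
    return ids


def identity_matches(user_name, subject_dn, san_emails=(), served_realms=()):
    """True only if User-Name names the certificate holder.

    A full match (e.g. against an rfc822Name SAN) is accepted directly.
    Otherwise an '@realm' suffix is removed only when the realm is one this
    server serves, so 'alice@other.example' cannot ride on a CN of 'alice'."""
    ids = certificate_identities(subject_dn, san_emails)
    name = user_name.strip().lower()
    if not name or not ids:
        return False
    if name in ids:
        return True
    local, sep, realm = name.partition("@")
    if sep and realm not in {r.lower() for r in served_realms}:
        return False
    return local in ids


def authorize_tls(user_name, subject_dn, san_emails=(), served_realms=()):
    """Module-style outcome: 'ok' to continue, 'reject' on a mismatch."""
    ok = identity_matches(user_name, subject_dn, san_emails, served_realms)
    return "ok" if ok else "reject"


if __name__ == "__main__":
    cert = "CN=alice,OU=Staff,DC=example,DC=com"   # constructed subject
    print(authorize_tls("alice", cert))
    print(authorize_tls("bob", cert))
    print(authorize_tls("alice@example.com", cert, served_realms=["example.com"]))
    print(authorize_tls("alice@other.example", cert, served_realms=["example.com"]))
```

In a real deployment the subject and SAN values come from the certificate the TLS layer has already verified against the trusted CA; the check only has value once that verification has succeeded.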

Re: sqlcounter: count=0 ?????

2004-03-22 Thread apellido
Hello Juan, I don't know why, and I already asked that on the mailing list. And
if you read the old question you've got the answer. rlm_sqlcounter is not yet
stable (experimental). If you want to set up prepaid internet then use
rlm_counter.

question
- Original Message - 
From: Juan Pablo Fava [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 8:20 PM
Subject: Re: sqlcounter: count=0 ?


 That was the problem, I solved last night reading an old post. I really
 apreciate your help.

 But this is not documented in module`s doc file. What is sqlacc3???

 Thankyou all!!!



PEAP with MS-Chapv2 Problem

2004-03-22 Thread xaeon
Hi Folks,

I have the following problem with my Freeradius:

The Network:

# Laptop   
Windows 2000
IP: 192.168.10.23
|
|
# Access Point (W-Lan)
It's a Fujitsu Siemens Connect2Air 2000RDS
IP: 192.168.10.100
|
|
# Freeradius-Server
IP: 192.168.10.1
Version 1.0.0-pre0 (Cause of the PEAP-Support)

Now, my task is to authenticate the laptop over PEAP-MSCHAPv2 with the
Freeradius server.
I use the built-in 802.1X support from Windows 2k.

I uploaded the log of the Radius server ('radius -X > log') and the needed
config files for you.
(And of course: stripped the comments out)

Debugging log (with 'radiusd -X'):
http://leenox.net/dateien/ML-errorlog.txt
EAP-Config File:  http://leenox.net/dateien/ML-eap.conf
Radius.conf File: http://leenox.net/dateien/ML-radiusd.conf


In the log I found these errors:

 - At the SSL-Handshake:
TLS_accept: SSLv3 flush data 
TLS_accept:error in SSLv3 read client certificate A 

Comment: I imported the client certificate on my laptop - nothing
happened.
But the log also shows that the SSL tunnel connects successfully.(!?)

 - And at the Login
modcall: group authenticate returns reject for request 8
auth: Failed to validate the user.
Login incorrect: [alex/no User-Password attribute] (from client
Wlan-AP port 0 cli 00-02-72-02-86-73)

Comment: I have no idea why the Freeradius get no Password .. :/
  
Hope, someone can help me.

Thanks in advance

Alex Dornhoefer
(from Germany)



Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems

2004-03-22 Thread Artur Hecker
no, that's wrong. DON'T force the Auth-Type. do it as i said before.

ciao
artur
Mihai RUSU wrote:

Hi again

Sorry for the SPAM, I solved my problem after a while, the solution was to 
have a line like this in users:

dizzy Auth-Type := EAP, User-Password = parola

On Mon, 22 Mar 2004, Mihai RUSU wrote:


Hi

I have installed xsupplicant version 0.8b and freeradius 0.9.3 on gentoo
linux (from portage). I am trying to make my Linux system auth to a Cisco
3550 switch.

1. radius configuration
- I have removed any trace of the unix module (it didn't work, probably
something to do with radius running as radiusd/radiusd)
- I have the eap module as in the default radiusd.conf file
- I have configured in clients.conf the authenticator with test123
secret, nastype cisco
- in users I have this entry before any DEFAULT ones:
dizzy Auth-Type += Local, User-Password = parola

2. authenticator configuration:
- #sh dot1x
Sysauthcontrol= Enabled
Dot1x Protocol Version= 1
Dot1x Oper Controlled Directions  = Both
Dot1x Admin Controlled Directions = Both
- #sh running-config interface fastEthernet 0/10
Building configuration...
Current configuration : 110 bytes
!
interface FastEthernet0/10
switchport access vlan 2
switchport mode access
dot1x port-control auto
end
- I have configured radius-server with test123 key

3. client configuration
- eth1 is directly linked to interface 0/10 of the cisco switch
I run xsupplicant like:
# xsupplicant -i eth1 -u dizzy -p parola -d 255 -m MD5
And I get:
(EAPMD5) Initalized
(EAPMS-CHAP) Initalized
Done with init.
Sending EAPOL-Start #1
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
Connection Established, authenticating...
ACQUIRED
## eap_decode_packet ##: Got an EAP failure
Failed to Authenticate
CONNECTING
RADIUS log says:
rad_recv: Access-Request packet from host ip-cisco-removed:1812, id=24, 
length=100
   NAS-IP-Address = ip-cisco-removed
   NAS-Port-Type = Async
   User-Name = dizzy
   Service-Type = Framed-User
   Framed-MTU = 1500
   Calling-Station-Id = 00-50-8d-f9-2a-e8
   EAP-Message = 0x020a0164697a7a79
   Message-Authenticator = 0x605f11bd6926fbbe39dd75d41070183e
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 rlm_eap: EAP packet type notification id 0 length 10
 rlm_eap: EAP Start not found
 modcall[authorize]: module eap returns updated for request 0
   rlm_realm: No '@' in User-Name = dizzy, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
   users: Matched dizzy at 148
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type EAP
 rad_check_password:  Found Auth-Type Local
Warning:  Found 2 auth-types on request for user 'dizzy'
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 24 to ip-cisco-removed:1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 24 with timestamp 405ee145
Nothing to do.  Sleeping until we see a request.

Any idea why it doesn't work? Please tell me if you need any more
information, thanks!

--
Mihai RUSUEmail: [EMAIL PROTECTED]
GPG : http://dizzy.roedu.net/dizzy-gpg.txtWWW: http://dizzy.roedu.net
  Linux is obsolete -- AST


unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)

2004-03-22 Thread Mihai RUSU
On Mon, 22 Mar 2004, Artur Hecker wrote:

 hi
 
  something to do with radius running as radiusd/radiusd)
 
 (it's not related but yes, it can't read the shadow file as user 
 'radiusd'. deactivate the caching if wou want it back.)

But caching is disabled (as in the default config, cache = no) and still 
unix module fails to load on server startup or check config (the last 
lines):
Module: Loaded Pam 
 pam: pam_auth = radiusd
Module: Instantiated pam (pam) 
radiusd.conf[545] Failed to link to module 'rlm_unix': file not found 

Interesting is that it does find the file (from a strace output) but it
fails on something else; I thought it fails on accessing shadow being run
as a non-privileged user.

Here are the relevant part of the strace output:
[pid  8849] access(/usr/lib/rlm_unix.so, R_OK) = 0
[pid  8849] open(/usr/lib/rlm_unix.so, O_RDONLY) = 3
[pid  8849] read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000..., 
512) = 512
[pid  8849] fstat64(3, {st_mode=S_IFREG|0755, st_size=53892, ...}) = 0
[pid  8849] mmap2(NULL, 107232, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40243000
[pid  8849] mmap2(0x4024f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 
0xb) = 0x4024f000
[pid  8849] mmap2(0x40251000, 49888, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40251000
[pid  8849] close(3)= 0
[pid  8849] mprotect(0x40243000, 49152, PROT_READ|PROT_WRITE) = 0
[pid  8849] munmap(0x40243000, 107232)  = 0
[pid  8849] time(NULL)  = 1079964365
[pid  8849] write(1, radiusd.conf[545] Failed to link..., 71) = 71

Pretty strange huh ? :)

-- 
Mihai RUSUEmail: [EMAIL PROTECTED]
GPG : http://dizzy.roedu.net/dizzy-gpg.txtWWW: http://dizzy.roedu.net
   Linux is obsolete -- AST



Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems

2004-03-22 Thread Mihai RUSU
On Mon, 22 Mar 2004, Artur Hecker wrote:

 no, that's wrong. DON'T force the Auth-Type. do it as i said before.

Thanks! I did as you said and it works fine.

 ciao
 artur

-- 
Mihai RUSUEmail: [EMAIL PROTECTED]
GPG : http://dizzy.roedu.net/dizzy-gpg.txtWWW: http://dizzy.roedu.net
   Linux is obsolete -- AST



Re: unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)

2004-03-22 Thread Artur Hecker
hi

> But caching is disabled (as in the default config, cache = no) and still
> unix module fails to load on server startup or check config (the last
> lines):
> Module: Loaded Pam
>  pam: pam_auth = radiusd
> Module: Instantiated pam (pam)
> radiusd.conf[545] Failed to link to module 'rlm_unix': file not found

ok, that's on another level, it can't even link the module.

> Interesting is that it does find the file (from a strace output) but it
> fails on something else, I thought it fails on accessing shadow being run
> as a non-privileged user.

i'd suppose that it'd complain later in that case but i'm not sure.
anyway, if you want to test it, run as root 'radiusd -s -X'. in that
case, the server will execute with root rights. so, it should be able to
read everything. compare the outputs if it works. if it does not, the
problem is obviously on the system level.

> Here are the relevant part of the strace output:
> [pid  8849] access(/usr/lib/rlm_unix.so, R_OK) = 0
> [pid  8849] open(/usr/lib/rlm_unix.so, O_RDONLY) = 3
> [pid  8849] read(3, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20?\0\000..., 512) = 512
> [pid  8849] fstat64(3, {st_mode=S_IFREG|0755, st_size=53892, ...}) = 0
> [pid  8849] mmap2(NULL, 107232, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40243000
> [pid  8849] mmap2(0x4024f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xb) = 0x4024f000
> [pid  8849] mmap2(0x40251000, 49888, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40251000
> [pid  8849] close(3)= 0
> [pid  8849] mprotect(0x40243000, 49152, PROT_READ|PROT_WRITE) = 0
> [pid  8849] munmap(0x40243000, 107232)  = 0
> [pid  8849] time(NULL)  = 1079964365
> [pid  8849] write(1, radiusd.conf[545] Failed to link..., 71) = 71
> Pretty strange huh ? :)

hmm, try 'ldd rlm_unix.so' and see if it finds everything linked within
the module itself.

ciao
artur






Re: unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)

2004-03-22 Thread Artur Hecker
hi

> According to strace -s is not enough to execute with root rights, I had to
> comment the user/group entries from radiusd.conf. Anyway, even running as
> root it fails the same way :-/

hmm? if you execute it in debug mode as root, it runs as root. it reads
but should ignore the rights you set in the config file.

but the essential part is that it also fails, that's what i thought.

> Seems ok
> # ldd /usr/lib/rlm_unix.so
> linux-gate.so.1 =>  (0xe000)
> libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x40059000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x4006e000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x40081000)
> libc.so.6 => /lib/libc.so.6 (0x400d2000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

yes, seems ok to me too. strange.

> I have noticed one message about this on gentoo-users list but no reply.
> Either the complainer found the solution or he dropped it. I presume too
> to be something related to the system (gentoo linux distro) but I would
> very much appreciate someone with more freeradius experience to guide me
> where to look for problems, in the end if there really is a problem we get
> happy people on both sides (gentoo users which will use freeradius ;)).

first of all (lame backpedalling :-) ): 1. there is no obligation to use
the unix module. 2. in your case, you can't use it even if it worked
(EAP/MD5 can't use crypt passwords). 3. there is no EAP method except
TTLS/PAP which can use it, and ttls/pap has a Man-in-the-middle
problem... all that to say that you hardly need the rlm_unix module anyway.

second: the problem is now that radiusd can't link the unix module.
thus, it seems to be a compilation/installation/system and not a
configuration problem, so perhaps we should wait till Alan wakes up and
see what he says :-) should be against 16h00 CET :-)

Alan? :)

now, in the meantime: 1. i would suggest to recompile all and to try
again. 2. also try the newest snapshot.

ciao
artur




Re: do I need upgrade with using EAP-SIM?

2004-03-22 Thread Alan DeKok
Alex Wang [EMAIL PROTECTED] wrote:
 My radius server is running freeradius-0.9.3 right now, and I wish that
 could support the EAP-SIM.
 What should I do? Using the snapshot version to take place the 0.9.3? or
 just only need to add a new module?

  Upgrade to the CVS snapshot.  A lot more than that module has changed.

 In addition, when the authencation mechanism is EAP-SIM, is there any
 difference between to be a home server and to be a radius proxy server in
 config, modules, or something else?

  The only difference is that one proxies requests, and the other doesn't.

  Alan DeKok.



Re: sqlcounter: count=0 ?????

2004-03-22 Thread Alan DeKok
Juan Pablo Fava [EMAIL PROTECTED] wrote:
 But this is not documented in module`s doc file. What is sqlacc3???

  Nothing.  It's fixed in the latest CVS snapshot.

  Alan DeKok.



Re: benchmarks, comparative, claim to be high-performance

2004-03-22 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 I wonder if there are existing benchmarks of freeradius performance compared
 with other radius servers. 

  Only messages posted to the list.  Search the archives for details.

 Also, I'm having trouble finding information about what is unique to
 freeradius in terms of performance. The website suggests that freeradiius is
 high performance... but doesn't elaborate. Where does this
 unqiue-to-freeradius performance come from?

  It's not claimed that high performance is unique to FreeRADIUS.
It's claimed that FreeRADIUS *is* a high-performance server, and that
it's often faster than other servers.  There may be another server as
high-performance as FreeRADIUS.

  is it from its use of threads?

  That's one.

  it it from its use C as opposed to perl (radiator)?

  That makes a big difference.

  does it compile using OS specific accelerations (kqueue, for example)

  No.

  The general reasons why it's high performance are that it's designed
properly.  Since it's a Free Software project, it's designed and
written to be independent of any corporate/management/marketing fads.
Features go in because they make engineering sense, not because they
add another check-box on a marketing slide.

  Alan DeKok.



problems with

2004-03-22 Thread Thomas Reith
Dear List,

I'm trying to use mod_auth_radius-2.0.c
http://www.freeradius.org/mod_auth_radius/mod_auth_radius-2.0.c with
apache httpd-2.0.4.
The problem is that the module doesn't set any cookies.

Is there anybody out there who has a working installation of both apps
above? With apache_1.3.29 everything works without problems.
Unfortunately I need httpd-2.0.4.
regards

Thomas

--
-
[EMAIL PROTECTED] EDAG Engineering + Design AG
Phone: +49 661 6000 597  Reesbergstr. 1
Fax:   +49 661 6000 592  36039 Fulda




Re: accounting question

2004-03-22 Thread Guy Fraser
Please Note: Radius does NOT disconnect users, only the NAS can
disconnect the user.

You will need to figure out how to send a command to your NAS to
disconnect the user, and run that program in order to trigger a user
disconnect.

Graeme Hinchliffe wrote:

> On Tue, 16 Mar 2004 16:17:03 +0100
> Tim Bots [EMAIL PROTECTED] wrote:
>
>> Hi everyone,
>>
>> I have freeradius working correctly at this moment and now my
>> question is how can I enable accounting? I mean: how can I give users
>> more or less time / more or less session bytes with freeradius? I use
>> freeradius version 0.9.3 running on a p1 with 64 mb memory (I guess)
>> with linux slackware. This works perfectly. I hope someone can help me,
>
> The only way it's possible that I can think of is by doing some crazy
> hackery.  Assuming you get interim accounting updates and monitor these,
> when they hit a certain level (which you have defined as your cut off)
> you can trigger a user disconnect, and flag them as unallowed, so they
> cannot auth again.
> But this will require hackery on your part, and a dependence on decent
> accounting updates

--
Guy Fraser






SMC 2804WBR PEAP not working

2004-03-22 Thread Ionut Nistor



Hello,

I am trying to configure a SMC 2804WBR (european 
V2) AP and an internal WiFi NIC on my laptop for WPA/PEAP network 
access.
No matter what I tried, the login would fail. After 
dumping some network packets, it seems that, after the identity is sent 
Freeradius (in an access-request radius packet), it replies with the challenge 
but nothing happens afterwards.

Also, dumping packets on the wireless side, it 
seems that the challenge does not reach the NIC on the laptop. The login fails 
after ~10 seconds of inactivity.

Looking through the posts, I found some other people reporting a problem
with SMC APs when using PEAP. Pavol Zibrita mentioned this issue in the
'TLS Setup' post a couple of days ago.

Is there any solution? (aside from using EAP/TLS 
which Pavol says works with SMC)

I did not provide network/debug dumps to keep this 
post small.

Thank you,
Ionut


Re: unix module (was Re: xsupplicant EAP/MD5 and freeradius 0.9.3 problems)

2004-03-22 Thread Alan DeKok
Artur Hecker [EMAIL PROTECTED] wrote:
 second: the problem is now that radiusd can't link the unix module. 
 thus, it seems to be a compilation/installation/system and not a 
 configuration problem, so perhaps we should wait till Alan wakes up and 
 see what he says :-) should be against 16h00 CET :-)

  Read the make and make install process to see if the Unix module
was built.

  Alan DeKok.





Re: Mysql Error Message and Postgresql Question

2004-03-22 Thread Guy Fraser


Ugur GUNCER wrote:

Hi 

My radius server gives a "Mysql check_error : 1054 received" message after
the user authorization process.
What does it mean?

My usergroup table is empty !!!

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
radius_xlat:  'dark'
rlm_sql (sql): sql_set_user escaped user --> 'dark'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'dark' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dark' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql_getvpdata: database query error
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'dark' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'dark' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql_getvpdata: database query error
rlm_sql (sql): Released sql socket id: 4


And my second question is:

I'm exporting detail to MySQL, but I want to export detail to PostgreSQL
at the same time as MySQL.

I edited my Radius.conf like this:
# Include another file that has the SQL-related configuration.
   # This is another file solely because it tends to be big.
   #
   #  The following configuration file is for use with MySQL.
   #
   # For Postgresql, use:  ${confdir}/postgresql.conf
   # For MS-SQL, use:  ${confdir}/mssql.conf
   #
   $INCLUDE  ${confdir}/sql.conf
The line above should be commented out or removed.

   $INCLUDE  /usr/local/radiusd/etc/raddb/postgresql.conf
   # Write a 'utmp' style log file, of which users are currently
   # logged in, and where they've logged in from.
   #
And postgresql.conf looks like this:

# Connect info
   server = localhost
   login = puser
   password = ppass
   # Database table configuration
   radius_db = pdata_db
But in Postgres the radacct table is empty.


 

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787
There is a fine line between genius and lunacy, fear not, walk the
line with pride. Not all things will end up as you wanted, but you
will certainly discover things the meek and timid will miss out on.






Re: SMC 2804WBR PEAP not working

2004-03-22 Thread Ionut Nistor
Hi Alan,

I assumed Freeradius is expecting an answer from the supplicant.
Unfortunately, there's no option (or I do not know about it) to increase
the verbosity and no error message whatsoever is logged.

I really do not know what to do - the strange thing is that - apparently -
EAP/TLS does work and - afaik - the AP does not understand anything below
the EAP message so it doesn't even know whether it's PEAP or TLS.

Weird.

Thanks for the quick response,
Ionut

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 6:55 PM
Subject: Re: SMC 2804WBR PEAP not working


 Ionut Nistor [EMAIL PROTECTED] wrote:
  I am trying to configure a SMC 2804WBR (european V2) AP and an internal
  WiFi NIC on my laptop for WPA/PEAP network access.
  No matter what I tried, the login would fail. After dumping some network
  packets, it seems that, after the identity is sent Freeradius (in an
  access-request radius packet), it replies with the challenge but nothing
  happens afterwards.

   FreeRADIUS is waiting for the client to respond to the challenge.

  Also, dumping packets on the wireless side, it seems that the challenge
  does not reach the NIC on the laptop. The login fails after ~10 seconds
  of inactivity.

   So the SMC box is tossing the challenge.  If it's not logging any
 message as to why, there's little you can do to debug the problem.

   The SMC box doesn't like something in the challenge packet.  But
 without logs, you can't figure out what it doesn't like.

   Alan DeKok.







Re: Problem on users file

2004-03-22 Thread Alan DeKok
Reinaldo Silva [EMAIL PROTECTED] wrote:
 radiusd: FreeRADIUS Version 0.8.1, for host i386-redhat-linux-gnu, built

  Upgrade to 0.9.3.

 My users file:
...
 ricbasto  Auth-Type := Local, User-Password == vex12ab
 benjamim  Auth-Type := Local, User-Password == aeco9eek
...
 /etc/raddb/users[24]: Parse error (reply) for entry amarantep: No token
 read where we expected an attribute name

  Put a blank line between the entries, just like the ones in the
sample users file.

  Or, upgrade to 0.9.3.

  Alan DeKok.



No User-Password msg although User-Password is defined in users file

2004-03-22 Thread Nuno Morgadinho

I'm using freeradius from CVS (as of Mar 15) and I'm getting:

users: Matched teste at 90 // It finds the user 'teste'.. Ok

modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password:  Found Auth-Type Local
auth: type Local // Auth-Type .. Ok

auth: No User-Password or CHAP-Password attribute in the request

No User-Password.. Not Ok! The User-Password is specified in
raddb/users, line 90, but it doesn't find it.

auth: Failed to validate the user.

Thank you for your help,

-- 
Nuno Morgadinho

// How is it possible that Honolulu has network connectivity?
// - IP over airplane (their ping times are horrible though)



Re: lower_pass = after problems

2004-03-22 Thread Alan DeKok
Federico Giannici [EMAIL PROTECTED] wrote:
 I have noticed that the lower_pass = after configuration command is 
 implemented simply executing a second time the entire sequence of 
 authorization/authentication operations.

  Yes.  The feature is a hack, and should be removed from the server.

  Similarly, the lower_user feature should also be deleted.

  Alan DeKok.



null port name?

2004-03-22 Thread Costin Manda
I am trying to use freeradius as a proxy between a Cisco gateway and a
billing software. Everything worked fine, but then I couldn't dial anything.

 The billing software returns the error Null portname error.

  Any insight? Thanks!




Re: No User-Password msg although User-Password is defined in users file

2004-03-22 Thread Alan DeKok
Nuno Morgadinho [EMAIL PROTECTED] wrote:
 I'm using freeradius from CVS (as of Mar 15) and I'm getting:
 
 users: Matched teste at 90 // It finds the user 'teste'.. Ok
 
 modcall[authorize]: module files returns ok for request 1
 modcall: group authorize returns updated for request 1
 rad_check_password:  Found Auth-Type Local
 auth: type Local // Auth-Type .. Ok
 
 auth: No User-Password or CHAP-Password attribute in the request

  Don't set Auth-Type = Local.

  And read the ENTIRE debug output.  The last few lines are
interesting, but there will be information elsewhere which is also
useful.

 No User-Password.. Not Ok! The User-Password is specified in
 raddb/users, line 90, but it doesn't find it.

  The password sent by the user (if any) is very different than the
password the server uses as a known good password.

  Alan DeKok.



Monitor script.

2004-03-22 Thread Ken Gage
Hi,
Does anybody out there have a quick radius monitor script they'd be willing
to share?

I have radius/AAA servers behind a CSS.  I would like to monitor AAA
services and conditionally-act on a failure.

I am using radclient to successfully test the service.

Thanks a bunch,
Ken.



==
Ken Gage,  Qualcomm Inc.   858.651.2737
Happiness is that state of consciousness which proceeds from the
achievement of one's values  Ayn Rand


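As an added example, and not a script anyone on the list posted: a small POSIX sh monitor built on radclient (the tool Ken is already using) that sends one Access-Request with a dedicated probe account, classifies the reply, and returns distinct exit codes that a cron job or a load-balancer keepalive script can act on. The variable names, the probe account and the FAIL_HOOK command are assumptions for illustration; the shared secret has to match the clients.conf entry for the monitoring host.

```shell
#!/bin/sh
# Added example (not from the thread): probe a RADIUS server with radclient and
# report accept / reject / timeout as distinct exit codes for cron or a keepalive.
# Variable names, the probe account and FAIL_HOOK are assumptions for illustration.

RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_PORT="${RADIUS_PORT:-1812}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"   # must match this host's clients.conf entry
PROBE_USER="${PROBE_USER:-radprobe}"           # dedicated account with no real service attributes
PROBE_PASS="${PROBE_PASS:-change-me}"
RADCLIENT="${RADCLIENT:-radclient}"
FAIL_HOOK="${FAIL_HOOK:-}"                     # optional: run as "$FAIL_HOOK host verdict" on failure

# Map radclient's output to a verdict. Matches both the 0.9-era wording
# ("rad_recv: Access-Accept packet from host ...") and the newer form
# ("Received Access-Accept Id ...").
classify_radclient_output() {
    case "$1" in
        *Access-Accept*) echo accept ;;
        *Access-Reject*) echo reject ;;
        *)               echo timeout ;;   # no reply at all, or host/port unreachable
    esac
}

# Verdict -> exit code. A reject means the daemon answered but the probe
# account is broken; a timeout means the service or the path to it is down.
verdict_to_status() {
    case "$1" in
        accept)  echo 0 ;;
        reject)  echo 1 ;;
        *)       echo 2 ;;
    esac
}

# One Access-Request on stdin. -r 1 -t 3: a single try with a 3-second wait;
# -x: print the decoded reply so the packet name appears in every radclient version.
probe_radius() {
    out=$(printf 'User-Name = "%s"\nUser-Password = "%s"\n' "$PROBE_USER" "$PROBE_PASS" \
        | "$RADCLIENT" -r 1 -t 3 -x "$RADIUS_HOST:$RADIUS_PORT" auth "$RADIUS_SECRET" 2>&1) || true
    classify_radclient_output "$out"
}

run_monitor() {
    verdict=$(probe_radius)
    status=$(verdict_to_status "$verdict")
    msg="radius-monitor: $RADIUS_HOST:$RADIUS_PORT user=$PROBE_USER verdict=$verdict"
    if [ "$status" -eq 0 ]; then
        logger -t radius-monitor -p daemon.info "$msg" 2>/dev/null || echo "$msg"
    else
        logger -t radius-monitor -p daemon.err "$msg" 2>/dev/null || echo "$msg" >&2
        if [ -n "$FAIL_HOOK" ]; then
            $FAIL_HOOK "$RADIUS_HOST" "$verdict"
        fi
    fi
    return "$status"
}

# Probe only when invoked as "radius-monitor.sh --run", so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    run_monitor
fi
```

Run it from cron with the environment variables set for each server behind the balancer, and let the exit code drive the conditional action; keeping reject and timeout separate matters, because a reject after a password rotation should page the RADIUS admins, not pull the server out of the pool.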


SQLCOUNTER Problems

2004-03-22 Thread sagar.patil

Hi All,

I want to use RLM_SQLCOUNTER with Freeradius.

After compiling RLM_SQLCOUNTER with FreeRadius .. I still can't see radius trying to update usage statistics in MYSQL tables.

I read doc/rlm_sqlcounter and thought whenever a user uses any minutes out of allocated values RLM_COUNTER will change statistics by calculating: (Allocated time - Used time) = Remaining time.

Am I right here? Any help will be appreciated.





Sqlcounter.conf :

sqlcounter dailycounter {
        driver = rlm_sqlcounter
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = daily
        query = SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'
}

sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = monthly
        query = SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'
}



# Query:
# SELECT *
# FROM `radcheck`
#
'id','UserName','Attribute','op','Value'
'[NULL]','infinite','Password','==','infinite'
'[NULL]','infinite','Max-Daily-Session',':=','100'
'[NULL]','infinite','Max-Monthly-Session',':=','1000'



Radiusd -Xp 1645 returns..

--- Walking the entire request list ---
Cleaning up request 1 ID 67 with timestamp 405f32ea
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 132.146.197.111:1646, id=68, length=36
        User-Name = infinite
        Acct-Status-Type = Stop
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 2
  modcall[preacct]: module preprocess returns noop for request 2
    rlm_realm: No '@' in User-Name = infinite, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 2
  modcall[preacct]: module files returns noop for request 2
modcall: group preacct returns noop for request 2
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 132.146.197.111,NAS-IP-Address = 132.146.197.111,,User-Name = infinite'
rlm_acct_unique: Acct-Unique-Session-ID = e017b662ef57e3ce.
  modcall[accounting]: module acct_unique returns ok for request 2
radius_xlat:  '/usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322
  modcall[accounting]: module detail returns ok for request 2
  modcall[accounting]: module unix returns noop for request 2
radius_xlat:  '/usr/local/var/log/radius/radutmp'
radius_xlat:  'infinite'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module radutmp returns noop for request 2
radius_xlat:  'infinite'
rlm_sql (sql): sql_set_user escaped user --> 'infinite'
radius_xlat:  'UPDATE radacct SET AcctStopTime = '2004-03-22 18:39:55', AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '', AcctTerminateCause = '', AcctStopDelay = '', ConnectInfo_stop = '' WHERE AcctSessionId = '' AND UserName = 'infinite' AND NASIPAddress = '132.146.197.111''
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module sql returns ok for request 2
modcall: group accounting returns ok for request 2
Sending Accounting-Response of id 68 to 132.146.197.111:1646
Finished request 2
Going to the next request
--- Walking the entire request list ---
Cleaning up request 2 ID 68 with timestamp 405f32fb
Nothing to do.  Sleeping until we see a request.

Regards,

Sagar

RE: Using freeradius to authenticate users to a Windows 2000 AD

2004-03-22 Thread Steve OBrien

OK Tarun, everything looks OK from LDP.exe, at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain". So to back up a bit, the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the m$ certificate server when you select the Retrieve the CA certificate or CRL radio button?


Tarun Bhushan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Looks like the LDAPS connection from non-Windows-native clients is not
working properly. From a Windows workstation (not on the AD machine) first
try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with SSL flag
set to get to your AD LDAP server and see if this works. This shows if
LDAPS is working from a Windows Native point-of-view. Next, try LDAP Browser/Editor
(http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS - (on Windows
you will need Sun Java), import your AD root CA cert (use the same PEM
file as used before - see the documentation below). If you can connect
now, this will provide an indication that connection from non-Windows-native
clients works with LDAPS.

Once that works, you can then go on from there.

Regards
Tarun

= Doc - is a sample session 

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: date until: date)
Certificate fingerprints:
 MD5: something
 SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore C:\Tools\ldapbrowser\lbecacerts
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

1049851423488, 9/04/2003, trustedCertEntry,
Certificate fingerprint (MD5): 71:C5:05:89:08:BC:78:96:20:45:E2:0E:FD:89:E8:72
1042686583627, 16/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): D9:11:9E:1A:CE:C5:C4:29:2F:E6:DE:EB:C0:E8:12:0D
1047532540747, 13/03/2003, trustedCertEntry,
Certificate fingerprint (MD5): 90:81:E7:42:CA:D8:90:A7:59:A5:0E:D3:0E:20:1E:B0
1042609942072, 15/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): F0:C3:1D:07:F7:20:7E:95:97:73:53:76:12:9B:D4:14
1046156863186, 25/02/2003, trustedCertEntry,
Certificate 

RE: Using freeradius to authenticate users to a Windows 2000 AD

2004-03-22 Thread Steve OBrien

Would it also matter if my certificate was self-signed, as we do not have a need for a third party signed certificate at this time?

Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393


Tarun Bhushan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Looks like the LDAPS connection from non-Windows-native clients is not
working properly. From a Windows workstation (not on the AD machine) first
try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with SSL flag
set to get to your AD LDAP server and see if this works. This shows if
LDAPS is working from a Windows Native point-of-view. Next, try LDAP Browser/Editor
(http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS - (on Windows
you will need Sun Java), import your AD root CA cert (use the same PEM
file as used before - see the documentation below). If you can connect
now, this will provide an indication that connection from non-Windows-native
clients works with LDAPS.

Once that works, you can then go on from there.

Regards
Tarun

= Doc - is a sample session 

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: date until: date)
Certificate fingerprints:
 MD5: something
 SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore C:\Tools\ldapbrowser\lbecacerts
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

1049851423488, 9/04/2003, trustedCertEntry,
Certificate fingerprint (MD5): 71:C5:05:89:08:BC:78:96:20:45:E2:0E:FD:89:E8:72
1042686583627, 16/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): D9:11:9E:1A:CE:C5:C4:29:2F:E6:DE:EB:C0:E8:12:0D
1047532540747, 13/03/2003, trustedCertEntry,
Certificate fingerprint (MD5): 90:81:E7:42:CA:D8:90:A7:59:A5:0E:D3:0E:20:1E:B0
1042609942072, 15/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): F0:C3:1D:07:F7:20:7E:95:97:73:53:76:12:9B:D4:14
1046156863186, 25/02/2003, trustedCertEntry,
Certificate fingerprint (MD5): F3:04:1F:F2:73:4F:C3:0D:C1:FA:5C:4C:D3:C6:13:1A
1042179593031, 10/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): 

Re: SQLCOUNTER Problems

2004-03-22 Thread Juan Pablo Fava
First of all, replace in sqlcounter.conf this line:
 sqlmod-inst = sqlcca3
with this one:
 sqlmod-inst = sql

The usage statistics are updated by rlm_sql. To do this you must have sql in
the accounting section of your radiusd.conf.

Juan Pablo

[EMAIL PROTECTED] dijo:
 Hi All,

 I want to use RLM_SQLCOUNTER with Freeradius.
 After compiling RLM_SQLCOUNTER with FreeRadius .. I still can't see
 radius trying to update usage statistics in MYSQL tables.
 I read doc/rlm_sqlcounter and thought whenever user uses any minutes out
 of allocated values RLM_COUNTER will change statistics by calculating :
 (Allocated time - Used time)= Remaining time.
 Am I right here?  Any help will be appreciated


 Sqlcounter.conf :
 sqlcounter dailycounter {
 driver = rlm_sqlcounter
 counter-name = Daily-Session-Time
 check-name = Max-Daily-Session
 sqlmod-inst = sqlcca3
 key = User-Name
 reset = daily
 query = SELECT SUM(AcctSessionTime - GREATEST((%b -
 UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
 AND   UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'
 }
 sqlcounter monthlycounter {
 counter-name = Monthly-Session-Time
 check-name = Max-Monthly-Session
 sqlmod-inst = sqlcca3
 key = User-Name
 reset = monthly
 query = SELECT SUM(AcctSessionTime - GREATEST((%b -
 UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}'
 AND   UNIX_TIMESTAMP(AcctStartTime) +
 AcctSessionTime > '%b'
 }

 # Query:
 # SELECT *
 # FROM `radcheck`
 #
 'id','UserName','Attribute','op','Value'
 '[NULL]','infinite','Password','==','infinite'
 '[NULL]','infinite','Max-Daily-Session',':=','100'
 '[NULL]','infinite','Max-Monthly-Session',':=','1000'

 Radiusd -Xp 1645  returns
 --- Walking the entire request list ---
 Cleaning up request 1 ID 67 with timestamp 405f32ea
 Nothing to do.  Sleeping until we see a request.
 rad_recv: Accounting-Request packet from host 132.146.197.111:1646,
 id=68, length=36
 User-Name = infinite
 Acct-Status-Type = Stop
   Processing the preacct section of radiusd.conf
 modcall: entering group preacct for request 2
   modcall[preacct]: module preprocess returns noop for request 2
 rlm_realm: No '@' in User-Name = infinite, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[preacct]: module suffix returns noop for request 2
   modcall[preacct]: module files returns noop for request 2
 modcall: group preacct returns noop for request 2
   Processing the accounting section of radiusd.conf
 modcall: entering group accounting for request 2
 rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request,
 unique ID MAY be inconsistent
 rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in
 request, unique ID MAY be inconsistent
 rlm_acct_unique: Hashing ',Client-IP-Address =
 132.146.197.111,NAS-IP-Address = 132.146.197.111,,User-Name = infinite'
 rlm_acct_unique: Acct-Unique-Session-ID = e017b662ef57e3ce.
   modcall[accounting]: module acct_unique returns ok for request 2
 radius_xlat:
 '/usr/local/var/log/radius/radacct/132.146.197.111/detail-20040322'
 rlm_detail:
 /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 expands to /usr/local/var/log/
 radius/radacct/132.146.197.111/detail-20040322
   modcall[accounting]: module detail returns ok for request 2
   modcall[accounting]: module unix returns noop for request 2
 radius_xlat:  '/usr/local/var/log/radius/radutmp'
 radius_xlat:  'infinite'
   rlm_radutmp: No NAS-Port seen.  Cannot do anything.
   rlm_radumtp: WARNING: checkrad will probably not work!
   modcall[accounting]: module radutmp returns noop for request 2
 radius_xlat:  'infinite'
 rlm_sql (sql): sql_set_user escaped user -- 'infinite'
 radius_xlat:  'UPDATE radacct SET AcctStopTime = '2004-03-22 18:39:55',
 AcctSessionTime = '', AcctInputOctets = '', AcctOutputOctets = '',
 AcctTerminateCause = '', AcctStopDelay = '',
 ConnectInfo_stop = '' WHERE AcctSessionId = '' AND UserName = 'infinite' AND NASIPAddress = '132.146.197.111''
 rlm_sql (sql): Reserving sql socket id: 4
 rlm_sql (sql): Released sql socket id: 4
   modcall[accounting]: module sql returns ok for request 2
 modcall: group accounting returns ok for request 2
 Sending Accounting-Response of id 68 to 132.146.197.111:1646
 Finished request 2
 Going to the next request
 --- Walking the entire request list ---
 Cleaning up request 2 ID 68 with timestamp 405f32fb
 Nothing to do.  Sleeping until we see a request.




 Regards,
 Sagar





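An added example that is not part of Sagar's mail, Juan Pablo's reply, or FreeRADIUS itself: it replays the dailycounter query quoted above over a constructed in-memory radacct table, to show what rlm_sqlcounter actually computes. The module writes nothing; at authorization time it substitutes %b (start of the current reset period) and %k (User-Name) into the query, sums the seconds used inside the current period from the rows rlm_sql wrote during accounting, and compares the sum with the check attribute. The MySQL functions GREATEST and UNIX_TIMESTAMP are emulated with SQLite's scalar MAX and strftime, the sessions and limits are constructed sample data, and a second function reproduces the UPDATE from the pasted debug output to show why a Stop packet that carries no Acct-Session-Id (as in that output) changes no rows.

```python
"""Added example (not from the thread, not FreeRADIUS code): replay the page's
rlm_sqlcounter 'dailycounter' query and the rlm_sql stop-record UPDATE over a
constructed in-memory radacct table."""
import sqlite3
from datetime import datetime, timezone

# Time of the Accounting-Request in the pasted debug output (treated as UTC here).
PAGE_STOP_TIME = datetime(2004, 3, 22, 18, 39, 55, tzinfo=timezone.utc)
NAS_IP = "132.146.197.111"  # NAS address from the pasted debug output

# Constructed sessions: (AcctSessionId, UserName, AcctStartTime, AcctSessionTime in seconds)
SAMPLE_SESSIONS = [
    ("0001", "infinite", "2004-03-21 22:00:00", 10800),  # spans midnight: only 1 h counts today
    ("0002", "infinite", "2004-03-22 09:00:00", 1800),   # entirely inside today
    ("0003", "infinite", "2004-03-21 10:00:00", 600),    # ended yesterday: excluded
    ("0004", "dark",     "2004-03-22 08:00:00", 7200),   # other user: excluded by %k
]

# The page's MySQL query with SQLite equivalents:
# GREATEST(a, b) -> scalar MAX(a, b); UNIX_TIMESTAMP(col) -> CAST(strftime('%s', col) AS INTEGER).
# :b is %b (period start, epoch seconds) and :k is %k (the User-Name key).
DAILY_QUERY = """
SELECT COALESCE(SUM(AcctSessionTime
                    - MAX(:b - CAST(strftime('%s', AcctStartTime) AS INTEGER), 0)), 0)
FROM radacct
WHERE UserName = :k
  AND CAST(strftime('%s', AcctStartTime) AS INTEGER) + AcctSessionTime > :b
"""


def build_fixture():
    """In-memory radacct holding only the columns the two statements touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (AcctSessionId TEXT, UserName TEXT, NASIPAddress TEXT,"
        " AcctStartTime TEXT, AcctStopTime TEXT, AcctSessionTime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?, ?, NULL, ?)",
        [(sid, user, NAS_IP, start, secs) for sid, user, start, secs in SAMPLE_SESSIONS],
    )
    conn.commit()
    return conn


def period_start(now):
    """%b for reset = daily: midnight of the day containing `now`, as epoch seconds."""
    return int(now.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def daily_used(conn, user, now):
    """Seconds `user` has used since %b, counted exactly as the dailycounter query does."""
    (used,) = conn.execute(DAILY_QUERY, {"b": period_start(now), "k": user}).fetchone()
    return int(used)


def check_daily(conn, user, now, max_daily):
    """rlm_sqlcounter's decision for one Access-Request: used >= limit rejects,
    otherwise the difference is what goes back as Session-Timeout."""
    used = daily_used(conn, user, now)
    remaining = max_daily - used
    return {"used": used, "remaining": max(remaining, 0), "allowed": remaining > 0}


def apply_stop_record(conn, acct_session_id, user, stop_time, session_time):
    """The accounting UPDATE from the debug output, reduced to the columns that matter.
    Returns the number of rows changed: 0 when the Stop packet carried no
    Acct-Session-Id, so the WHERE clause matches nothing."""
    cur = conn.execute(
        "UPDATE radacct SET AcctStopTime = ?, AcctSessionTime = ?"
        " WHERE AcctSessionId = ? AND UserName = ? AND NASIPAddress = ?",
        (stop_time.strftime("%Y-%m-%d %H:%M:%S"), session_time, acct_session_id, user, NAS_IP),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_fixture()
    # Max-Daily-Session := 100 is the value from the page's radcheck rows (seconds)
    print("infinite:", check_daily(db, "infinite", PAGE_STOP_TIME, 100))
    print("dark:", check_daily(db, "dark", PAGE_STOP_TIME, 36000))
    print("rows hit by a Stop with empty Acct-Session-Id:",
          apply_stop_record(db, "", "infinite", PAGE_STOP_TIME, 0))
    print("rows hit by a Stop with Acct-Session-Id 0002:",
          apply_stop_record(db, "0002", "infinite", PAGE_STOP_TIME, 1800))
```

With the radcheck rows from the page, user infinite has used 5400 s of a 100 s daily allowance by 18:39 and would be rejected; the session that straddled midnight contributes only the hour that falls inside the current day, which is what the GREATEST term is for. The counter only sees what the accounting Stop records put into radacct, so a NAS that omits Acct-Session-Id or Acct-Session-Time leaves the usage at zero no matter how the sqlcounter module is configured.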


RE: Multiple IP Pools with Ascend APX's

2004-03-22 Thread Troy Settle




Anson,

You need to look at how pool chaining works with the APX. You might also look into the virtual routers.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
540.994.4254 ~ 866.477.5638


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anson Rinesmith
Sent: Wednesday, March 17, 2004 6:04 PM
To: [EMAIL PROTECTED]
Subject: Multiple IP Pools with Ascend APX's

I'm using freeRadius with MySQL.
In radgroupreply, GroupName, Attribute, op, Value, prio

I have multiple ISPs logging into one RAS. First ISP needs two class Cs, pools 1 and 2. Second ISP needs 3 Class Cs, pools 3, 4 & 5. etc..
Therefore I cannot use isp1, X-Ascend-Assign-IP-Pool, :=, 0
Would I have
isp1, X-Ascend-Assign-IP-Pool, :=, 1
isp1, X-Ascend-Assign-IP-Pool, +=, 2
isp2, X-Ascend-Assign-IP-Pool, :=, 3
isp2, X-Ascend-Assign-IP-Pool, +=, 4
isp2, X-Ascend-Assign-IP-Pool, +=, 5
etc.



Precedence of Realms and Groups in raddb/users

2004-03-22 Thread Bernie Dolan



have been running FreeRadius at our installation for some time to authenticate user access to routers. We recently introduced a number of Radius servers for various parts of the network and started using Realms. Also introduced a raddb/users group called "readonly" which gets read only service attributes passed back to NAS which limits the users functionality.

We now find that if a username is sent with a suffixed Realm then the users group ("readonly") is bypassed and the DEFAULT group is used. Is there a reference to how I can have a suffix realm observed that still uses the "readonly" DEFAULT entry in the raddb/users file?

Attached is a logon with the same user without and with a suffixed realm.

raddb/users entries are:

DEFAULT Group == "readonly", Auth-Type := System
        Login-Service = Telnet,
        Cisco-AVPair = "shell:priv-lvl=1",
        ERX-Cli-Initial-Access-Level = "5",

DEFAULT Auth-Type := System
        Login-Service = Telnet,
        Cisco-AVPair = "shell:priv-lvl=15",
        Service-Type = 6

raddb/realms entries are:

# Realm         Remote server[:port]    Options
# -----         --------------------    -------
rdn             LOCAL

rad_recv: Access-Request packet from host 144.133.144.100:5, id=59, length=83
        User-Password = "..."
        User-Name = "bhd3"
        Acct-Session-Id = "erx :0002097211"
        Service-Type = Administrative-User
        NAS-IP-Address = 144.133.144.100
        NAS-Identifier = "P_Router"
modcall: entering group authorize
  modcall[authorize]: module "suffix" returns ok
HASH: user bhd3 found in hashtable bucket 93085
HASH: matched user bhd3 in group readonly
    users: Matched DEFAULT at 7
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user bhd3 found in hashtable bucket 93085
  modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 59 to 144.133.144.100:5
        Login-Service = Telnet
        Cisco-AVPair = "shell:priv-lvl=1"
        ERX-Cli-Initial-Access-Level = "5"
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 59 with timestamp 405d3194
Nothing to do.  Sleeping until we see a request.

Second use with @realm:

rad_recv: Access-Request packet from host 144.133.144.100:5, id=60, length=87
        User-Password = ""
        User-Name = "[EMAIL PROTECTED]"
        Acct-Session-Id = "erx :0002097212"
        Service-Type = Administrative-User
        NAS-IP-Address = 144.133.144.100
        NAS-Identifier = "P_Router"
modcall: entering group authorize
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 65
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user bhd3 found in hashtable bucket 93085
  modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 60 to 144.133.144.100:5
        Login-Service = Telnet
        Cisco-AVPair = "shell:priv-lvl=15"
        Service-Type = Administrative-User
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 7 ID 60 with timestamp 405d31a8
Nothing to do.  Sleeping until we see a request.


RE: Using freeradius to authenticate users to a Windows 2000 AD

2004-03-22 Thread Tarun Bhushan
Steve

What you need is the Windows root CA cert that you placed on to the
FreeRadius box. Use the same PEM file as input on the box you are
executing the LDAP/Browser/Editor (LBE) from - this is the
c:\temp\somedc.ca.pem file I refer to in the documentation below. I used
LBE from a Windows box with the Sun Java run time installed - works just
fine.

Tarun

-Original Message-
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 6:36 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD



OK Tarun, everything looks OK from LDP.exe, at least I am able to
connect and browse.  But with ldapbrowser I am getting "CA certificate is
not in server certificate chain".  So to back up a bit, the certificate
that I need on the freeradius box is the one you can retrieve via the
web interface on the m$ certificate server when you select the "Retrieve
the CA certificate or CRL" radio button?


Tarun Bhushan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Looks like the LDAPS connection from non-Windows-native clients is not
working properly. From a Windows workstation (not on the AD machine)
first try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with SSL
flag set to get to your AD LDAP server and see if this works. This shows
if LDAPS is working from a Windows Native point-of-view. Next, try LDAP
Browser/Editor (http://www.iit.edu/~gawojar/ldap/) to access the AD with
LDAPS - (on Windows you will need Sun Java), import your AD root CA cert
(use the same PEM file as used before - see the documentation below). If
you can connect now, this will provide an indication that connection
from non-Windows-native clients works with LDAPS.

Once that works, you can then go on from there.

Regards
Tarun

= Doc - is a sample session


C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5):
1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5):
90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5):
E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5):
CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5):
78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5):
C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5):
3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5):
1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5):
AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5):
51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5):
74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5):
06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5):
C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5):
7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5):
EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts
Enter keystore password:  changeit
Owner: CN=somedc.somecompany.com, OU=etc...,
[EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc...,
[EMAIL PROTECTED]
Serial number: something
Valid from: date until: date
Certificate fingerprints:
MD5:  something
SHA1: something
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore C:\Tools\ldapbrowser\lbecacerts
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 

Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin

2004-03-22 Thread Frank Seesink
Alan,

Thanks very much.  I'll pull down the files from CVS first chance I get 
and let you know how things go.

Alan DeKok wrote:

...
  The latest CVS snapshot has had all references to inet_pton() and
inet_ntop() removed.  Until the server supports IPv6 completely,
they're not needed.
...

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to pass password via password of radiusd.conf

2004-03-22 Thread cbhoh

- Original Message -
From: Alexei Vasilyev [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 22, 2004 6:34 PM
Subject: Re: How to pass password via password of radiusd.conf

Hey

c>
c> password=%{User-Password}
c>

Here must be cleartext password for AD. E.g.
password=cbhoh123

Is there a way to pass a dynamic password from different users? The problem is
that each user account in AD has a different password.

Thank!
--
Best regards,
 Alexei Vasilyev  mailto:[EMAIL PROTECTED]
OJSC Mobile TeleSystems
Kirov, Russia
Technical Specialist









IPPOOL

2004-03-22 Thread Rogelio Alvarado Anchisi

Hello, I've been having problems with the ippool; FreeRADIUS seems to authorize the dialer client but my NAS doesn't.

What could be wrong?

Rogelio Alvarado Anchisi
Ing. de Sistemas
Galaxy Communications Corp.
Tel. +507-2000128
Cel. +507-6744093

RE: Using freeradius to authenticate users to a Windows 2000 AD

2004-03-22 Thread Steve OBrien

OK, I got it going here too, just some login syntax issues with the
ldapbrowser. Now I can login with SSL there but am still getting errors
with freeradius radtest. On a side note, radtest is now working with an
identical radiusd.conf without SSL. To roll this out I need SSL to work.
Here's the debug output. Thanks again for all your help!!

rad_recv: Access-Request packet from host 127.0.0.1:49066, id=128, length=56
User-Name = test
User-Password = test
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module eap returns noop for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by test with password test
radius_xlat: '(SamAccountName=test)'
radius_xlat: 'dc=ci,dc=bend,dc=or,dc=us'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:636, authentication 0
rlm_ldap: setting TLS mode to 1
ldap_err2string
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: bind as cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us/freerad1us to cityhalldc1.ci.bend.or.us:636
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP cityhalldc1.ci.bend.or.us:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 192.168.19.40:636
ldap_connect_timeout: fd: 7 tm: 5 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 10 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: cityhalldc1.ci.bend.or.us port: 636 (default)
  refcnt: 2 status: Connected
  last used: Mon Mar 22 15:55:54 2004

** Outstanding Requests:
* msgid 1, origid 1, status InProgress
  outstanding referrals 0, parent count 0
** Response Queue:
  Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next failed.
rlm_ldap: ldap_result()
ldap_err2string
rlm_ldap: cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us bind to cityhalldc1.ci.bend.or.us:636 failed: Can't contact LDAP server
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
rlm_ldap: (re)connection attempt failed
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module ldap returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 128 to 127.0.0.1:49066
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 128 with timestamp 405f7d0a
Nothing to do. Sleeping until we see a request.

Here's ldap.conf:

[snip]
# Active Directory SSL options
ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer no

# CA certificates for server certificate verification
TLS_CACERT /usr/local/ssl/certs/cacertder.pem

[snip]

here's radiusd.conf:

[snip]
ldap {
  server = cityhalldc1.ci.bend.or.us
  port = 636
  identity = cn=freeradius,cn=users,dc=ci,dc=bend,dc=or,dc=us
  password = freerad1us
  basedn = dc=ci,dc=bend,dc=or,dc=us
  #filter = (cn=%u)
  #filter = (sAMAccountName=%u)
  filter = (SamAccountName=%{Stripped-User-Name:-%{User-Name}})
  #filter = (&(SamAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=RemoteUser,cn=Users,dc=ci,dc=bend,dc=or,dc=us))
  # set this to 'yes' to use TLS encrypted connections
  # to the LDAP database.
  start_tls = no
  #tls_mode = no

  # Mapping of RADIUS dictionary attributes to LDAP
  # directory attributes.
  dictionary_mapping = ${raddbdir}/ldap.attrmap

  # ldap_cache_timeout = 120
  # ldap_cache_size = 0
  ldap_connections_number = 10
  #groupname_attribute = cn
  #groupmembership_filter = (&(objectClass=Group)(member=%{Ldap-UserDn}))
  timeout = 

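A small parser for debug output of the kind quoted in this thread, added here as an example (it is not code from the posts or from FreeRADIUS): it summarises each request by packet id, records module results and the rlm_ldap failure reason, and redacts the cleartext passwords that radiusd -X prints on the User-Password, "login attempt" and "bind as" lines. The sample log, its DN and host are constructed.

```python
# Added example (not from the posts or from FreeRADIUS): summarise
# 'radiusd -X' debug output per request and redact the secrets it prints.
import re

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
RE_ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = (.*)$")
RE_MOD = re.compile(r'^\s*modcall\[(\w+)\]: module "?([\w-]+)"? returns (\w+)')
RE_AUTHTYPE = re.compile(r"^\s*rad_check_password: Found Auth-Type (\S+)")
RE_SEND = re.compile(r"^Sending (Access-\w+) of id (\d+) to \S+")
RE_LDAPFAIL = re.compile(r"^rlm_ldap: .* bind to \S+ failed: (.+)$")

# Debug output prints credentials in the clear on these lines (see the
# 'login attempt by ... with password ...' and 'bind as DN/password' lines).
SECRET_PATTERNS = [
    (re.compile(r"^([ \t]*User-Password = ).*$", re.M), r"\1<redacted>"),
    (re.compile(r"^(rlm_ldap: login attempt by \S+ with password ).*$", re.M), r"\1<redacted>"),
    (re.compile(r"^(rlm_ldap: bind as [^/]+)/\S+( to .*)$", re.M), r"\1/<redacted>\2"),
]

def parse_debug(text):
    """Return one dict per Access-Request: client, id, attrs, modules,
    auth_type, ldap_error and the final outcome (Access-Accept/Reject)."""
    reqs, cur = [], None
    for line in text.splitlines():
        if m := RE_RECV.match(line):
            cur = {"client": m[1], "id": int(m[2]), "attrs": {}, "modules": [],
                   "auth_type": "", "ldap_error": "", "outcome": ""}
            reqs.append(cur)
        elif m := RE_SEND.match(line):
            # Replies are tied to requests by packet id, not by order: the
            # Access-Reject is sent after the delay and the 'Walking' lines.
            for r in reqs:
                if r["id"] == int(m[2]) and not r["outcome"]:
                    r["outcome"] = m[1]
                    break
        elif cur is None:
            continue
        elif m := RE_MOD.match(line):
            cur["modules"].append((m[1], m[2], m[3]))
        elif m := RE_AUTHTYPE.match(line):
            cur["auth_type"] = m[1]
        elif m := RE_LDAPFAIL.match(line):
            cur["ldap_error"] = m[1].strip()
        elif (m := RE_ATTR.match(line)) and not cur["modules"]:
            # Request attributes are listed between rad_recv and the first modcall.
            cur["attrs"][m[1]] = m[2].strip('"')
    return reqs

def redact(text):
    """Replace cleartext passwords so the debug output can be shared safely."""
    for pat, repl in SECRET_PATTERNS:
        text = pat.sub(repl, text)
    return text

# Constructed sample in the format of the debug output quoted in this thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:49066, id=128, length=56
User-Name = "test"
User-Password = "test"
  modcall[authorize]: module "files" returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
rlm_ldap: login attempt by "test" with password "test"
rlm_ldap: bind as cn=svc,dc=example,dc=com/s3cret to dc1.example.com:636
rlm_ldap: cn=svc,dc=example,dc=com bind to dc1.example.com:636 failed: Can't contact LDAP server
  modcall[authenticate]: module "ldap" returns fail for request 0
Sending Access-Reject of id 128 to 127.0.0.1:49066
"""
```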
Re: does the 0.9.3 support EAP-SIM proxy?

2004-03-22 Thread Alan DeKok
Alex Wang [EMAIL PROTECTED] wrote:
 my radius server is running 0.9.3 now, and I wish that can support EAP-SIM
 proxy.

  If you mean proxying EAP-SIM to another RADIUS server, sure.  But to
do that, it means you probably won't be able to use EAP at all.

  The latest CVS snapshot allows a little finer grained control.

  Alan DeKok.



Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin

2004-03-22 Thread Alan DeKok
Frank Seesink [EMAIL PROTECTED] wrote:
 I have downloaded the CVS files and tried building FreeRADIUS under 
 Cygwin, and I'm all the way down to the build step where it attempts to 
 make radiusd.exe (the daemon itself).  Unfortunately, it blows up on 
 something quite simple:  undefined _crypt reference.

  Edit src/main/Makefile.  Look for the line building radiusd.
There's a $(LCRYPT) there.   It's not enough.  Add a *second*
$(LCRYPT) as the last entry on the build line, after the
$(MODULE_LIBS).

  Alan DeKok.



Re: Juniper Attributes and OpenLDAP

2004-03-22 Thread Robert Banniza
On Fri, Mar 19, 2004 at 06:35:17PM +0200, Kostas Kalevras wrote:
 On Fri, 19 Mar 2004, Robert Banniza wrote:
 
  In looking at the dictionary.juniper file, I notice there are 5
  attributes in this file:
 
  ATTRIBUTE   Juniper-Local-User-Name     1   string  Juniper
  ATTRIBUTE   Juniper-Allow-Commands      2   string  Juniper
  ATTRIBUTE   Juniper-Deny-Commands       3   string  Juniper
  ATTRIBUTE   Juniper-Allow-Configuration 4   string  Juniper
  ATTRIBUTE   Juniper-Deny-Configuration  5   string  Juniper
 
  With that said, I'm using OpenLDAP to authenticate and would also like
  to use LDAP to control who has access to which commands within JUNOS.
  Therefore, can I place these attributes in my OpenLDAP ldif and have
  radius read them? In doing this, don't these attributes need to be
  defined within the RADIUS-LDAPv3.schema or some other schema? Is anyone
  doing this currently to show me where I need to go next? I have searched
  the web and there is little info on Juniper/Freeradius.
 
 You can either define a few new ldap attributes for the corresponding Juniper
 RADIUS attributes and add them to your ldap schema.
 Or you can use the generic attributes provided in the current schema:
 
 radiusReplyItem: Juniper-Local-User-Name := username
 
 and so on

I'm not sure I'm following you...Let's say I want to add the
Juniper-Allow-Commands and Juniper-Deny-Commands to my user's profile
within OpenLDAP. Wouldn't I have to define these attributes within some
LDAP schema whether it be in the RADIUS-LDAPv3.schema or some other
schema in order for OpenLDAP to know how to interpret the attribute? I
guess the knowledge gap I'm having is to determine how/where to make
Freeradius understand these attributes within OpenLDAP the same way
Freeradius knows about these attributes through the dictionary.juniper
file. Along those same lines, in which file do I put radiusReplyItem:
Juniper-Local-User-Name := username?

Thanks
Robert

 
 
  Thanks
 
  Robert
 
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 
 



Re: Juniper Attributes and OpenLDAP

2004-03-22 Thread Sean O'Malley


On Mon, 22 Mar 2004, Robert Banniza wrote:

 I'm not sure I'm following you...Let's say I want to add the
 Juniper-Allow-Commands and Juniper-Deny-Commands to my user's profile
 within OpenLDAP. Wouldn't I have to define these attributes within some
 LDAP schema whether it be in the RADIUS-LDAPv3.schema or some other
 schema in order for OpenLDAP to know how to interpret the attribute?

I can't talk about how freeradius interprets the juniper values, but
openldap will need to have attribute and objectclass definitions to match what
juniper has most likely. I am not that familiar with much about Juniper or
FreeRadius but I have been working with ldap some.

http://www.juniper.net/techpubs/software/management/sdx/sdx400/sw-sdx-install/html/sw-sdx-installTOC.html
Search down to openldap; they have instructions on how to load the
openldap server. I assume that installs the schema too, which is what
defines all the juniper attributes for you, and you should be off to the
races with the correct attributes and objectclasses.

The rest of this is crap I wrote for if you have to do it the hard way, which
it doesn't look like you do, but I am including it so _I_ don't forget what
I am doing.

Another way to get these is to set up the Juniper LDAP server and
perform an ldapsearch on their database equivalent to a dump of the
database into LDIF format. I don't know how well Juniper's LDAP server will
respond to that. Sun's responded fairly well. You might poke around and
find a schema or an ldif file in the Juniper install media too.

Basically you need a lot of the attributes like on:
http://www.juniper.net/techpubs/software/management/sdx/sdx310/sdx310-sw-developer/html/ldap-object-mapping6.html

You need to figure out what they are looking for, for the attribute syntax,
since you need the long number representation of it,
but you can cross reference from http://www.faqs.org/rfcs/rfc2252.html;
section 4.3.2 lists them.

The rest of it is fairly straightforward if you look at another schema.
The object identifier (OID) number _technically_ just has to be unique,
but they supply one for you; I would use it only for the fact you won't
have to worry about getting stuff mixed up if you try to do something else
with the server (technically the Juniper ones should be registered and
unique). You will find examples of the syntax of the matching rules in
the openldap schema.

It isn't particularly hard, just tedious as all hell.

Sean




Re[2]: How to pass password via password of radiusd.conf

2004-03-22 Thread Alexei Vasilyev
c>
c> password=%{User-Password}
c>

c> Here must be cleartext password for AD. E.g.
c> password=cbhoh123

c> Is there a way to pass dynamic password from different users? The problem is
c> that the user a/c in AD is having a different password.

c> Thank!

This password is for the user (DN) which your RADIUS server uses to bind
to AD in order to perform searches, etc. E.g. for such a DN:

identity = cn=freeradius,ou=admins,ou=radius,dc=kirov,dc=mts,dc=ru
password = secret

There is another parameter for authenticating users from AD. If in your AD
the passwords are in the attribute userPassword, then you have to use this
config line for the ldap module in radiusd.conf:

password_attribute = userPassword

-- 
Best regards,
 Alexei Vasilyev  mailto:[EMAIL PROTECTED]
OJSC Mobile TeleSystems
Kirov, Russia
Technical Specialist




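A linter for the ldap {} section, added here as an example (it is not code from the posts or from FreeRADIUS): it parses the section as posted in this thread and flags a bind password set to an xlat string like %{User-Password} (which the log in this thread shows being sent literally), a missing bind identity, and StartTLS enabled on the LDAPS port. The two sample sections are constructed; their DNs and the placeholder password are assumptions.

```python
# Added example (not from the posts or from FreeRADIUS): parse the ldap {}
# section of radiusd.conf and flag the bind-credential mistakes in this thread.
import re

KV_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def parse_ldap_section(conf):
    """Return {key: value} for the first 'ldap { ... }' block in conf.
    Comment lines are skipped and surrounding quotes are removed."""
    inside, settings = False, {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not inside:
            inside = re.match(r"^ldap\s*\{", stripped) is not None
            continue
        if stripped.startswith("}"):
            break
        if not stripped or stripped.startswith("#"):
            continue
        if m := KV_RE.match(line):
            settings[m[1]] = m[2]
    return settings


def lint_ldap_section(settings):
    """Return a list of (severity, message) findings for one ldap {} section."""
    findings = []
    pw = settings.get("password", "")
    if "%{" in pw:
        # The log in this thread shows the server binding with the literal
        # string '%{User-Password}': this field is a fixed credential for the
        # server's own search account, not an xlat of the user's password.
        findings.append(("error", "password is not expanded; the server binds "
                         "with the literal string " + pw))
    elif pw:
        findings.append(("info", "bind password is stored in cleartext; "
                         "restrict read access to radiusd.conf"))
    if not settings.get("identity"):
        findings.append(("warn", "no identity: searches use an anonymous bind"))
    if settings.get("port") == "636" and settings.get("start_tls", "no") == "yes":
        # General LDAP rule, not from the thread: StartTLS upgrades a session
        # on the plain port; 636 already speaks LDAPS.
        findings.append(("error", "start_tls = yes on port 636 (LDAPS)"))
    return findings


# Constructed samples modelled on the configurations posted in this thread;
# the DNs and the placeholder password are assumptions.
WEAK_CONF = """
ldap {
    server = "192.168.250.25"
    identity = "CN=cbhoh,CN=Users,DC=example,DC=com"
    password = "%{User-Password}"        # the mistake discussed above
    basedn = "CN=Users,DC=example,DC=com"
    filter = "(CN=%{Stripped-User-Name:-%{User-Name}})"
}
"""

FIXED_CONF = """
ldap {
    server = "192.168.250.25"
    # dedicated search account: identity/password are the server's own
    # credential; the user's password is never configured here
    identity = "CN=freeradius,CN=Users,DC=example,DC=com"
    password = "svc-account-password"    # placeholder
    basedn = "CN=Users,DC=example,DC=com"
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
}
"""
```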

Re: FOR FREERADIUS DEVELOPERS: Building FreeRADIUS under Cygwin

2004-03-22 Thread Frank Seesink
Alan,

I have downloaded the CVS files and tried building FreeRADIUS under 
Cygwin, and I'm all the way down to the build step where it attempts to 
make radiusd.exe (the daemon itself).  Unfortunately, it blows up on 
something quite simple:  undefined _crypt reference.  Now, there's a 
-crypt flag in the gcc line, libcrypt.a exists in /lib and /usr/lib 
(they're the same in Cygwin), and all I can guess is that the autoconf 
generated files are a bit out of date/sync.

I've tried modifying Make.inc at the root level to include all possibly 
necessary info, but still no go.  I am currently rerunning configure 
after having run autoconf to regenerate it, but I'm afraid my experience 
with automake/autoconf/etc. is limited.  I'm an old dinosaur when it 
comes to Makefiles and my experience is limited to the older, more 
manual approach I'm afraid.  I'm tinkering with code once again, and 
thes scripts look like quite an improvement for those looking to build 
on multiple systems, but I just don't have much experience with them yet.

I'm so close I can smell it, but just not there yet.  If you have any 
advice on how to make sure the build files (configure, Makefiles, etc.) 
are as up-to-date as possible, please advise.  Note that results of

	$ cygcheck -c autoconf automake m4

Cygwin Package Information
Package     Version     Status
autoconf    2.59-1      OK
automake    1.7.9-1     OK
m4          1.4-1       OK

This is as up-to-date as it gets in the Cygwin world, so hopefully we're 
not too far behind.

Frank Seesink wrote:

Alan,

Thanks very much.  I'll pull down the files from CVS first chance I get 
and let you know how things go.

Alan DeKok wrote:

...

  The latest CVS snapshot has had all references to inet_pton() and
inet_ntop() removed.  Until the server supports IPv6 completely,
they're not needed.
...



