Re: Problem faced in integrating Domino LDAP Server for authentication with FreeRadius Server

2004-04-21 Thread Joseph Silvin

Hi Kostas,

Please allow me to explain. I have installed FreeRadius on RedHat Advanced
Server 2.1. The Domino Server which has LDAP service running is on another
machine. I am able to authenticate this LDAP using tools like LDAP Browser,
Outlook Express, Lotus Notes etc. Besides, if you look at the log file...

> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for MyUserName
> radius_xlat:  '(uid=MyUserName)'
> radius_xlat:  'ou=MyDept,ou=SBULocation,o=MyOrg'
> ldap_get_conn: Got Id: 0


We can see that it has returned the radius_xlat lines correctly, indicating
that the correct username has been verified. I have only put the username as
"MyUserName".

Can you please clarify what I am missing?

JS



Kostas Kalevras <[EMAIL PROTECTED]> wrote on 21/04/2004 05:56 PM:


On Wed, 21 Apr 2004, Joseph Silvin wrote:

> Hi,
>
> I am trying to use FreeRadius ACS Server for authentication against IBM
> Domino LDAP Server. The following is the error message that I get. I have
> reproduced both radiusd.conf and log files. Looking forward to someone who
> can help on this front.
>
> Thanks.
>
> JS
> =
> Log file of FreeRadius
> 
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 127.0.0.1:1026, id=86, length=60
> User-Name = "MyUserName"
> User-Password = "MyLDAPPassword"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
> modcall: entering group authorize for request 10
>   modcall[authorize]: module "preprocess" returns ok for request 10
>   modcall[authorize]: module "chap" returns noop for request 10
>   modcall[authorize]: module "eap" returns noop for request 10
> rlm_realm: No '@' in User-Name = "MyUserName", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 10
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 10
>   modcall[authorize]: module "mschap" returns noop for request 10
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for MyUserName
> radius_xlat:  '(uid=MyUserName)'
> radius_xlat:  'ou=MyDept,ou=SBULocation,o=MyOrg'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.192.41:389, authentication 0
> rlm_ldap: bind as / to 192.168.192.41:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check login, password settings in ldap section
> of radiusd.conf
^^



If that does not help, nothing will...


> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns fail for request 10
> modcall: group authorize returns fail for request 10
> Finished request 10
> Going to the next request
> --- Walking the entire request list ---
> Nothing to do.  Sleeping until we see a request.
> =
>
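The line Kostas points at is the bind line: `bind as / to 192.168.192.41:389` shows an empty identity, so the server attempted an anonymous bind and the directory refused it before any search could run. The following is an added example, not code from the thread or from FreeRADIUS, that triages an rlm_ldap debug excerpt and reports how the bind was attempted. FAILED_BIND_LOG is the excerpt Joseph posted; OK_BIND_LOG is constructed, its `Bind was successful` line is assumed to be this rlm_ldap version's success message, and the `<identity>/<password>` layout of the bind line is my reading of that debug format (treat it as an assumption). One caveat that reading implies: a debug log with a configured bind password pasted to a public list would contain that password, so redact the bind line before sharing.

```python
"""Added example, not code from the thread or from FreeRADIUS: triage the
rlm_ldap debug lines to see how the server tried to bind before searching.
FAILED_BIND_LOG is the excerpt Joseph posted; OK_BIND_LOG is constructed,
and the 'Bind was successful' line is assumed to be this rlm_ldap
version's success message."""

import re

FAILED_BIND_LOG = """\
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MyUserName
radius_xlat:  '(uid=MyUserName)'
radius_xlat:  'ou=MyDept,ou=SBULocation,o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.192.41:389, authentication 0
rlm_ldap: bind as / to 192.168.192.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
"""

# Constructed: what the same section looks like once the ldap section
# carries an identity and password (password shown masked here).
OK_BIND_LOG = """\
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MyUserName
rlm_ldap: (re)connect to 192.168.192.41:389, authentication 0
rlm_ldap: bind as cn=radius,o=MyOrg/******* to 192.168.192.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
"""

# Assumed layout: 'bind as <identity>/<password> to <server>'. An empty
# identity means an anonymous bind, which the directory here rejected.
_BIND_LINE = re.compile(
    r"^rlm_ldap: bind as (?P<identity>[^/\n]*)/(?P<password>[^\n]*?) to (?P<server>\S+)$",
    re.MULTILINE,
)


def triage_bind(log):
    """Summarise the bind attempt found in an rlm_ldap debug excerpt."""
    m = _BIND_LINE.search(log)
    if m is None:
        return {"bound": None, "reason": "no bind attempt in this excerpt"}
    identity = m.group("identity")
    failed = "LDAP login failed" in log
    succeeded = "Bind was successful" in log
    result = {
        "server": m.group("server"),
        "identity": identity,
        "anonymous": identity == "",
        # true when a bind password was written into the debug output
        "password_in_log": m.group("password") != "",
        "bound": succeeded and not failed,
    }
    if failed and not identity:
        result["reason"] = ("anonymous bind rejected: set identity and "
                            "password in the ldap section of radiusd.conf")
    elif failed:
        result["reason"] = "bind rejected: check the identity DN and password"
    elif succeeded:
        result["reason"] = "bind succeeded; the search can proceed"
    else:
        result["reason"] = "bind result not present in this excerpt"
    return result


if __name__ == "__main__":
    for name, log in (("posted log", FAILED_BIND_LOG), ("constructed log", OK_BIND_LOG)):
        print(name, triage_bind(log))
```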

How freeRADIUS handles vendor specific

2004-04-21 Thread Shah, Nishant B
Hi everyone,
Can someone tell me how the RADIUS server handles vendor-specific
attributes? I am sending a packet using radclient with a vendor-specific
attribute and it's working. I found that the attribute is not in the dictionary. I
want to know where in the code it checks for the vendor-specific attribute.
What file and function? I couldn't figure it out myself. I want to add that
attribute to the dictionary.

Thanks,

-- 
Nishant Shah
U4 Computer Engineering
979-268-0866 (M)281-222-3176




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: testing values for LDAP attributes

2004-04-21 Thread Hans Fiedler
On Wed, Apr 21, 2004 at 10:13:23PM -0400, Alan DeKok wrote:
> Hans Fiedler <[EMAIL PROTECTED]> wrote:
> > I can't get the attribute value checking to work.  I've tried mapping the
> > attribute in the ldap.attrmap file,
> > 
> > checkItem   WirelessStatus  WirelessStatus
> > 
> > and checking the value in the users file.  I'm not getting that to work.
> 
>   The ldap.attrmap file maps entries in an LDAP database to RADIUS
> attributes.  If you haven't defined "WirelessStatus" in the
> dictionaries, the LDAP entry won't map to anything.
> 
>   Alan DeKok.

Sorry, I left that off the message. I do have this in the dictionary,
after the include line for the vendor dictionaries:

ATTRIBUTE   WirelessStatus  299 string

I don't have control over the LDAP data, but the attribute there is a
string: ACT, HLD, SUS, or DIS. I only really care whether it has ACT
or not; any others are disabled for various reasons.


-- 
Hans K. Fiedler Information Technology
Network Analyst Communications Services
[EMAIL PROTECTED]  University of Louisville
Louisville, Ky. 40292



Re: Does anyone know whether freeradius work with Linksys WRT54G?

2004-04-21 Thread loader
On Wed, Apr 21, 2004 at 10:14:16PM -0400, Alan DeKok wrote:
> loader <[EMAIL PROTECTED]> wrote:
> > Or where can I get a list of APs supported by freeradius?
> 
>   The only AP's I've heard of which have problems are Intel.  They seem
> to think that following the RFC's is unimportant.
> 
>   Alan DeKok.
> 

Okay, Thank you.

Regards,
loader



Re: Does anyone know whether freeradius work with Linksys WRT54G?

2004-04-21 Thread Alan DeKok
loader <[EMAIL PROTECTED]> wrote:
> Or where can I get a list of APs supported by freeradius?

  The only AP's I've heard of which have problems are Intel.  They seem
to think that following the RFC's is unimportant.

  Alan DeKok.



Re: testing values for LDAP attributes

2004-04-21 Thread Alan DeKok
Hans Fiedler <[EMAIL PROTECTED]> wrote:
> I can't get the attribute value checking to work.  I've tried mapping the
> attribute in the ldap.attrmap file,
> 
> checkItem   WirelessStatus  WirelessStatus
> 
> and checking the value in the users file.  I'm not getting that to work.

  The ldap.attrmap file maps entries in an LDAP database to RADIUS
attributes.  If you haven't defined "WirelessStatus" in the
dictionaries, the LDAP entry won't map to anything.

  Alan DeKok.



Re: Authentication Help

2004-04-21 Thread Bob Ross
Believe me when I tell you I do understand what you're saying. The problem was
that I was tossed into this after all our fees were paid to the wholesale
dialup provider when he told us they do PAP, and on the day we were ready to
start it didn't work. So I was between a rock and a hard place and was
recommended to use mySQL and freeradius, both of which I had never used or
looked at before a week ago.

It has been authenticating fine so far, no problems noticeable, but I still
have to leave the two auth-type in the users file or it quits. It works now
and I think I'll leave it and hope it doesn't break.

Thanks for all your help.
Bob Ross

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 2:20 PM
Subject: Re: Authentication Help


> "Bob Ross" <[EMAIL PROTECTED]> wrote:
> > Meaning, PAP with /passwd/shadow files and CHAP with the mySQL files?
>
>   I don't recall the details in 0.9.3, but in the latest CVS snapshot
> this should work with minimal changes.  Once you add the SQL
> configuration, the server should do this automatically.
>
>   Remember, it's *designed* to do the right thing in the common
> cases.  You're working very hard to get it to do "something", but
> you're not clear as to how the server works, or how to configure it to
> do that something.  Rather than fighting with the configuration, your
> time would be better spent learning more about how the server works,
> so you don't have to fight with the configuration.
>
>   Alan DeKok.
>




Does anyone know whether freeradius work with Linksys WRT54G?

2004-04-21 Thread loader

Or where can I get a list of APs supported by freeradius?


Regards,
loader



testing values for LDAP attributes

2004-04-21 Thread Hans Fiedler
I need to allow users from a wireless access point by MAC address (it comes
as a userid) and then if the MAC address is not defined in the users file to
check their userid/password against a LDAP database.  I now had an
additional requirement put on that I need to check the values of an
attribute in the LDAP database.

I have it working fine checking the MAC address, then if it's not defined
in the local users file, rejecting access if the userid is the form of
a MAC address (12 hex digits), then if it's not a MAC address checking
the userid/password against LDAP.

I can't get the attribute value checking to work.  I've tried mapping the
attribute in the ldap.attrmap file,

checkItem   WirelessStatus  WirelessStatus

and checking the value in the users file.  I'm not getting that to work.

I also tried adding the attribute to the LDAP filter in radiusd.conf (as a
long shot); then nothing in LDAP works:

filter = "(&(cn=%{User-Name})(WirelessStatus=ACTV))"

with

filter = "(cn=%{User-Name})"

being the working line just doing userid/password checking.

I was hoping someone might have some suggestions. Is the users file
the place to do this, and I just need to get my syntax working, or, since
the users file is checked and then falls through to LDAP, is it out of the
picture at that point?

-- 
Hans K. Fiedler Information Technology
Network Analyst Communications Services
[EMAIL PROTECTED]  University of Louisville
Louisville, Ky. 40292

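The `filter` line is where an attribute test lands in a single LDAP search: with an AND filter, a user whose WirelessStatus does not match gets no entry back, and rlm_ldap then reports the user as not found, which is how the filter denies access. Note that the posted filter tests for the value ACTV, while the values listed in the follow-up message are ACT, HLD, SUS and DIS. The following is an added example, not code from the thread or from FreeRADIUS: a small evaluator for that filter syntax (RFC 4515 equality, AND, OR and NOT) over a constructed in-memory directory. The directory contents, the `ldap_search` helper and the `%{User-Name}` expansion are assumptions made for the illustration; the expansion escapes the substituted value, which is what keeps request data from changing the filter's structure.

```python
"""Added example, not code from the thread or from FreeRADIUS: evaluate
the LDAP search filters rlm_ldap builds from its `filter` setting against
a constructed in-memory directory."""

import re

# Constructed directory: the WirelessStatus values are the ones named in
# the thread (ACT, HLD, SUS, DIS); the names and DNs are made up.
DIRECTORY = [
    {"dn": "cn=alice,ou=people,o=example", "cn": "alice", "WirelessStatus": "ACT"},
    {"dn": "cn=bob,ou=people,o=example",   "cn": "bob",   "WirelessStatus": "HLD"},
    {"dn": "cn=carol,ou=people,o=example", "cn": "carol", "WirelessStatus": "SUS"},
]

_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def escape_value(value):
    """RFC 4515 escaping of filter metacharacters in an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def xlat(template, request):
    """Expand %{Attr} references from the request, escaping the value so
    request data cannot alter the filter's structure (assumed behaviour)."""
    return _XLAT.sub(lambda m: escape_value(request.get(m.group(1), "")), template)


def parse_filter(text):
    """Parse the (attr=value), (&...), (|...) and (!...) subset of RFC 4515
    into a nested tuple tree."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality matches are supported")
        pos = end + 1
        return ("=", attr, unescape_value(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        # attribute names are case-insensitive in LDAP; values are compared
        # here as caseIgnore strings
        for name, stored in entry.items():
            if name.lower() == attr.lower():
                return stored.lower() == value.lower()
        return False
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)


def ldap_search(filter_template, request, directory=DIRECTORY):
    """DNs of entries matching the expanded filter. An empty result is what
    makes rlm_ldap report the user as not found."""
    tree = parse_filter(xlat(filter_template, request))
    return [e["dn"] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, ldap_search("(&(cn=%{User-Name})(WirelessStatus=ACT))", {"User-Name": user}))
```

Run as a script, the block shows alice (ACT) returning an entry and bob (HLD) returning none under the same filter; the same call with `WirelessStatus=ACTV` returns nothing for either.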


Re: OS for FreeRADIUS

2004-04-21 Thread Paul Hampson
On Wed, Apr 21, 2004 at 03:03:26PM -0600, Guy Fraser wrote:
> Paul Hampson wrote:
> ...snip...

> >_I_ haven't tested against the latest release of FreeBSD. I'd welcome
> >any improvements to the thread-safety of FreeRADIUS, so if you want to
> >test it out and suggest changes that don't break any other versions of
> >FreeBSD, any other BSD flavours, and (if possible) Tru64 and OS/X...
> >
> >However, given that we're ramping up to a release, I'd rather not
> >duplicate the 0.9 series's tendency to need autoconf fixes for
> >gethostby* immediately after _each_ release. If we have something safe-
> >looking before we start the pre release cycle, and it gets _tested_ by
> >various FreeBSD and other bodies, then maybe. :-)
> >
> ...snip...

> I rebuilt from CVS on 2004Apr20 08:56 MDT, with the usual warnings about  
> *_r possibly not being thread safe, but no errors were generated on 
> FreeBSD 5.2.1-RELEASE-p1. I did not apply any patches to CVS before I 
> compiled.

gethostbyaddr{,_r} is overridden to be BSD-style if we detect FreeBSD...
Try deleting lines 8519 to 8528 inclusive from configure (Pasted below
for comparison) and see if it still builds/runs.

case "$host" in
*-freebsd*)
cat >> confdefs.h <<\EOF
#define GETHOSTBYADDRRSTYLE BSDSTYLE
EOF

gethostbyaddrrstyle=BSD
echo "configure: warning: FreeBSD overridden to BSD-style" 1>&2
;;
esac

gethostbyname{,_r} isn't overridden, and sounds like it's still
BSD-style on FreeBSD. I guess the question is, is it now thread-safe?

-- 
Paul "TBBle" Hampson, on an alternate email client.



Re: Authentication Help

2004-04-21 Thread Bob Ross
It tried to send everyone to the mySQL database. Doesn't check the local at
all.

- Original Message - 
From: "Guy Fraser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 3:05 PM
Subject: Re: Authentication Help


> Bob Ross wrote:
>
> >What is funny, with checking the diffs on the files, the only thing
> >different is in the users file and used the proxy.conf this time also.
> >
> >I was trying := System or := Local, or == Local. == System, or local on
> >first,
> >
> >But they were always the same also on the Fall-Through either both yes or 1,
> >this was the only time I tried different, but if it works. I had asked about
> >this once before, and was told it didn't make a difference what they were,
> >but maybe they did.
> >
> >Any ideas if this really could have caused my hang up?
> >
> >DEFAULT Auth-Type = System
> >Fall-Through = yes
> >
> >DEFAULT Auth-Type = Local
> >Fall-Through = 1
> >
> Do NOT use Auth-Type at all, it is not needed for most situations.
>
> If you are trying to authenticate from SQL it most certainly will
> cause you grief if it is used.
>
> There is tons of information in the archives on this subject, and it
> usually boils down to: Do NOT use Auth-Type.




Re: Authentication Help

2004-04-21 Thread Bob Ross
I did. It doesn't work.

I commented out both lines on each one.

- Original Message - 
From: "Guy Fraser" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 3:05 PM
Subject: Re: Authentication Help


> Bob Ross wrote:
>
> >What is funny, with checking the diffs on the files, the only thing
> >different is in the users file and used the proxy.conf this time also.
> >
> >I was trying := System or := Local, or == Local. == System, or local on
> >first,
> >
> >But they were always the same also on the Fall-Through either both yes or 1,
> >this was the only time I tried different, but if it works. I had asked about
> >this once before, and was told it didn't make a difference what they were,
> >but maybe they did.
> >
> >Any ideas if this really could have caused my hang up?
> >
> >DEFAULT Auth-Type = System
> >Fall-Through = yes
> >
> >DEFAULT Auth-Type = Local
> >Fall-Through = 1
> >
> Do NOT use Auth-Type at all, it is not needed for most situations.
>
> If you are trying to authenticate from SQL it most certainly will
> cause you grief if it is used.
>
> There is tons of information in the archives on this subject, and it
> usually boils down to: Do NOT use Auth-Type.




Re: Authentication Help

2004-04-21 Thread Guy Fraser
Bob Ross wrote:

> What is funny, with checking the diffs on the files, the only thing
> different is in the users file and used the proxy.conf this time also.
> I was trying := System or := Local, or == Local. == System, or local on
> first,
> But they were always the same also on the Fall-Through either both yes or 1,
> this was the only time I tried different, but if it works. I had asked about
> this once before, and was told it didn't make a difference what they were,
> but maybe they did.
> Any ideas if this really could have caused my hang up?
>
> DEFAULT Auth-Type = System
> Fall-Through = yes
> DEFAULT Auth-Type = Local
> Fall-Through = 1

Do NOT use Auth-Type at all, it is not needed for most situations.

If you are trying to authenticate from SQL it most certainly will
cause you grief if it is used.
There is tons of information in the archives on this subject, and it
usually boils down to: Do NOT use Auth-Type.




Re: Authentication Help

2004-04-21 Thread Bob Ross
There is a question also.

It logs the detail files with the IP address. I really have looked but can't
seem to find it. Is there a way I can tell it to use the RAS name I assigned
to each IP? I found the config link, but it didn't give what to call
the --- to do this.

ras1, ras2, usa1,usa2, etc...

Thanks


- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 2:20 PM
Subject: Re: Authentication Help


> "Bob Ross" <[EMAIL PROTECTED]> wrote:
> > Meaning, PAP with /passwd/shadow files and CHAP with the mySQL files?
>
>   I don't recall the details in 0.9.3, but in the latest CVS snapshot
> this should work with minimal changes.  Once you add the SQL
> configuration, the server should do this automatically.
>
>   Remember, it's *designed* to do the right thing in the common
> cases.  You're working very hard to get it to do "something", but
> you're not clear as to how the server works, or how to configure it to
> do that something.  Rather than fighting with the configuration, your
> time would be better spent learning more about how the server works,
> so you don't have to fight with the configuration.
>
>   Alan DeKok.
>




Re: Authentication Help

2004-04-21 Thread Bob Ross
What is funny, with checking the diffs on the files, the only thing
different is in the users file and used the proxy.conf this time also.

I was trying := System or := Local, or == Local. == System, or local on
first,

But they were always the same also on the Fall-Through either both yes or 1,
this was the only time I tried different, but if it works. I had asked about
this once before, and was told it didn't make a difference what they were,
but maybe they did.

Any ideas if this really could have caused my hang up?

DEFAULT Auth-Type = System
Fall-Through = yes

DEFAULT Auth-Type = Local
Fall-Through = 1


- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 2:20 PM
Subject: Re: Authentication Help


> "Bob Ross" <[EMAIL PROTECTED]> wrote:
> > Meaning, PAP with /passwd/shadow files and CHAP with the mySQL files?
>
>   I don't recall the details in 0.9.3, but in the latest CVS snapshot
> this should work with minimal changes.  Once you add the SQL
> configuration, the server should do this automatically.
>
>   Remember, it's *designed* to do the right thing in the common
> cases.  You're working very hard to get it to do "something", but
> you're not clear as to how the server works, or how to configure it to
> do that something.  Rather than fighting with the configuration, your
> time would be better spent learning more about how the server works,
> so you don't have to fight with the configuration.
>
>   Alan DeKok.
>




Re: Authentication Help

2004-04-21 Thread Alan DeKok
"Bob Ross" <[EMAIL PROTECTED]> wrote:
> Meaning, PAP with /passwd/shadow files and CHAP with the mySQL files?

  I don't recall the details in 0.9.3, but in the latest CVS snapshot
this should work with minimal changes.  Once you add the SQL
configuration, the server should do this automatically.

  Remember, it's *designed* to do the right thing in the common
cases.  You're working very hard to get it to do "something", but
you're not clear as to how the server works, or how to configure it to
do that something.  Rather than fighting with the configuration, your
time would be better spent learning more about how the server works,
so you don't have to fight with the configuration.

  Alan DeKok.



Re: OS for FreeRADIUS

2004-04-21 Thread Guy Fraser
Paul Hampson wrote:
> ...snip...
> _I_ haven't tested against the latest release of FreeBSD. I'd welcome
> any improvements to the thread-safety of FreeRADIUS, so if you want to
> test it out and suggest changes that don't break any other versions of
> FreeBSD, any other BSD flavours, and (if possible) Tru64 and OS/X...
>
> However, given that we're ramping up to a release, I'd rather not
> duplicate the 0.9 series's tendency to need autoconf fixes for
> gethostby* immediately after _each_ release. If we have something safe-
> looking before we start the pre release cycle, and it gets _tested_ by
> various FreeBSD and other bodies, then maybe. :-)
> ...snip...

I rebuilt from CVS on 2004Apr20 08:56 MDT, with the usual warnings about
*_r possibly not being thread safe, but no errors were generated on
FreeBSD 5.2.1-RELEASE-p1. I did not apply any patches to CVS before I
compiled.

This is what I used to configure:

--localstatedir=/var --with-logdir=/var/log/radiusd \
--with-radacctdir=/var/log/radiusd/acct --quiet

I made a couple of config changes to enable PostgreSQL auth and acct, then
started it, and tested SQL users with encrypted and clear-text test
passwords, and they both worked. Just to make sure, I used some wrong
passwords and they were rejected. The postauth table did have entries
inserted, but I have not yet tested from a real NAS to get accounting
records. Accounting did work a month ago, but since then I don't have a
NAS set aside for testing, and I don't want to mess with a production
NAS right now.

Hope that helps.

I will reconfig for MySQL next and make sure all is well with it too.

Have a nice day.







Re: Authentication Help

2004-04-21 Thread Bob Ross
Well, actually I did, in the beginning.

But so far it looks as if I managed somehow to get it going after deleting
everything and starting over.

*** First Post
I'm told I should be able to do PAP - CHAP on the same server, but have been
having one hard time doing so.

Anyone have any examples or instruction to get this done. Right now we can
only get it to do either one, not both.

Meaning, PAP with /passwd/shadow files and CHAP with the mySQL files?

Any examples of raddb files to help me with?
*
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 1:55 PM
Subject: Re: Authentication Help


> "Bob Ross" <[EMAIL PROTECTED]> wrote:
> > I deleted everything to start over again so it's a clean install. It's
about
> > the third time.
>
>   That's part of your problem.  There's no need to delete &
> re-install.  It's not Windows.
>
> > Is there any docs or example raddb files that show what I'm trying to
do?
>
>   You haven't explained what it is you're trying to do, so the answer
> is "No".
>
>   Alan DeKok.
>




Re: Authentication Help

2004-04-21 Thread Alan DeKok
"Bob Ross" <[EMAIL PROTECTED]> wrote:
> I deleted everything to start over again so it's a clean install. It's about
> the third time.

  That's part of your problem.  There's no need to delete &
re-install.  It's not Windows.

> Is there any docs or example raddb files that show what I'm trying to do?

  You haven't explained what it is you're trying to do, so the answer
is "No".

  Alan DeKok.



Re: Freeradius + PostgreSQL not working

2004-04-21 Thread Guy Fraser
This is what I am using {I am not using 0.9.3, but 1.0-pre0 from CVS} 
for radiusd.conf :

...snip...
modules {
...snip...
   $INCLUDE  ${confdir}/postgresql.conf
...snip...
}
...snip...
authorize {
   preprocess
   chap
   mschap
   suffix
   eap
# 'files' can be uncommented if you do NOT have a
# default 'Auth-Type' in the 'users' file.
#files
   sql
   daily
}
...snip...
accounting {
   acct_unique
   detail
   unix
   radutmp
   sql
}
session {
   radutmp
   sql
}
post-auth {
   sql
}
...snip...
The test data I use is listed below; the password for troll is skunk,
but it is 'MD5' encrypted, so Linux must be configured to authenticate
with MD5.

Here is the test data I use :
... %< cut here ...
COPY radcheck (id, username, attribute, op, value) FROM stdin;
1   fredf   User-Password   ==  wilma
2   barneyr User-Password   ==  betty
3   troll   Crypt-Password  ==  $1$ODa8qvTP$DWfshR5SI4uSIp68a3DfD1
4   frog    User-Password   ==  kermit
\.
COPY radgroupcheck (id, groupname, attribute, op, value) FROM stdin;
\.

COPY radgroupreply (id, groupname, attribute, op, value) FROM stdin;
1   ppp-unlimited   Framed-Compression  :=  Van-Jacobson-TCP-IP
2   ppp-unlimited   Framed-Protocol :=  PPP
3   ppp-unlimited   Service-Type:=  Framed-User
4   ppp-unlimited   Framed-MTU  :=  1500
5   ppp-static  Framed-Compression  :=  Van-Jacobson-TCP-IP
6   ppp-static  Framed-Protocol :=  PPP
7   ppp-static  Service-Type:=  Framed-User
8   ppp-static  Framed-MTU  :=  1500
9   nas-prompt  Framed-MTU  :=  1500
10  nas-prompt  Framed-Compression  :=  Van-Jacobson-TCP-IP
11  nas-prompt  Service-Type:=  NAS-Prompt
\.
COPY radreply (id, username, attribute, op, value) FROM stdin;
1   barneyr Framed-IP-Address   :=  10.19.65.38
2   barneyr Framed-IP-Netmask   :=  255.255.255.252
\.
COPY usergroup (id, username, groupname) FROM stdin;
1   fredf   ppp-unlimited
2   barneyr ppp-static
3   troll   ppp-unlimited
4   frog    nas-prompt
\.
... %< cut here ...
Note: spaces are supposed to be TABs.
VoipOne NOC wrote:

> Hi
>
> I have freeradius 0.9.3, compiled on a Debian Unstable system for PostgreSQL
> support.
> Once I installed everything, it seems to work right. Following is the final
> output from "freeradius -xxyz -l stdout" :
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
> 1814/udp.
> Ready to process requests.
> And when I try to send the radius packets for accounting from my Cisco
> router, it just doesn't work
> I have the following lines changed in my radiusd.conf:
> with_cisco_vsa_hack = yes
> $INCLUDE ${confdir}/postgresql.conf
> #unix (wtmp file) * commented out
> #radutmp		* commented out
> Added sql instead of the unix accounting method.
>
> If anyone has experience with this, please let me know what I can do.
>
> Regards.



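The four tables in Guy's test data are combined per user: radcheck rows decide whether the password matches, usergroup links the user to groups, and radgroupreply plus radreply supply the reply attributes. The following is an added example, not code from the post or from rlm_sql: a small model of that combination, with rows constructed to mirror the post (the troll row is left out because this model only compares clear-text User-Password rows). Operators follow the users-file rules: `==` compares a check item, `:=` sets or overrides a reply item, `=` adds only if absent, `+=` appends. The merge order (group reply rows first, then the user's own radreply rows, so a per-user `:=` overrides a group default) and the function names are modelling assumptions, not rlm_sql's exact algorithm.

```python
"""Added example, not code from the post or from rlm_sql: model how
radcheck / radreply / usergroup / radgroupreply rows become an
authorization decision plus reply attributes. Rows are constructed to
mirror the post's test data (troll's Crypt-Password row omitted)."""

import hmac

RADCHECK = [  # (id, username, attribute, op, value)
    (1, "fredf",   "User-Password", "==", "wilma"),
    (2, "barneyr", "User-Password", "==", "betty"),
    (4, "frog",    "User-Password", "==", "kermit"),
]
RADREPLY = [  # (id, username, attribute, op, value)
    (1, "barneyr", "Framed-IP-Address", ":=", "10.19.65.38"),
    (2, "barneyr", "Framed-IP-Netmask", ":=", "255.255.255.252"),
]
USERGROUP = [  # (id, username, groupname)
    (1, "fredf",   "ppp-unlimited"),
    (2, "barneyr", "ppp-static"),
    (4, "frog",    "nas-prompt"),
]
RADGROUPREPLY = [  # (id, groupname, attribute, op, value)
    (1, "ppp-unlimited", "Framed-Compression", ":=", "Van-Jacobson-TCP-IP"),
    (2, "ppp-unlimited", "Framed-Protocol",    ":=", "PPP"),
    (3, "ppp-unlimited", "Service-Type",       ":=", "Framed-User"),
    (4, "ppp-unlimited", "Framed-MTU",         ":=", "1500"),
    (5, "ppp-static",    "Framed-Compression", ":=", "Van-Jacobson-TCP-IP"),
    (6, "ppp-static",    "Framed-Protocol",    ":=", "PPP"),
    (7, "ppp-static",    "Service-Type",       ":=", "Framed-User"),
    (8, "ppp-static",    "Framed-MTU",         ":=", "1500"),
    (9, "nas-prompt",    "Framed-MTU",         ":=", "1500"),
    (10, "nas-prompt",   "Framed-Compression", ":=", "Van-Jacobson-TCP-IP"),
    (11, "nas-prompt",   "Service-Type",       ":=", "NAS-Prompt"),
]


def _rows(table, key_index, key):
    """Rows of `table` whose column `key_index` equals `key`, in id order."""
    return sorted((r for r in table if r[key_index] == key), key=lambda r: r[0])


def apply_reply_op(reply, attr, op, value):
    """Merge one reply row into `reply` (a list of (attr, value) pairs)
    using users-file operator semantics."""
    present = [i for i, (a, _) in enumerate(reply) if a == attr]
    if op == ":=":          # set, replacing any existing value
        for i in reversed(present):
            del reply[i]
        reply.append((attr, value))
    elif op == "=":         # add only if the attribute is not there yet
        if not present:
            reply.append((attr, value))
    elif op == "+=":        # always append another instance
        reply.append((attr, value))
    else:
        raise ValueError("unsupported reply operator %r" % op)


def check_password(check_rows, password):
    """True only if a User-Password == row exists and matches, compared in
    constant time so timing does not reveal how much of it was right."""
    pw_rows = [r for r in check_rows if r[2] == "User-Password"]
    if not pw_rows:
        return False
    for _, _, _, op, value in pw_rows:
        if op != "==":
            raise ValueError("unsupported check operator %r" % op)
        if not hmac.compare_digest(value.encode(), password.encode()):
            return False
    return True


def authorize(username, password):
    """Return ('notfound', {}), ('reject', {}) or ('accept', reply_dict)."""
    check_rows = _rows(RADCHECK, 1, username)
    if not check_rows:
        return ("notfound", {})
    if not check_password(check_rows, password):
        return ("reject", {})
    reply = []
    # assumed order: group defaults first, then the user's own rows
    for _, _, group in _rows(USERGROUP, 1, username):
        for _, _, attr, op, value in _rows(RADGROUPREPLY, 1, group):
            apply_reply_op(reply, attr, op, value)
    for _, _, attr, op, value in _rows(RADREPLY, 1, username):
        apply_reply_op(reply, attr, op, value)
    return ("accept", dict(reply))


if __name__ == "__main__":
    for user, pw in (("fredf", "wilma"), ("barneyr", "betty"), ("frog", "wrong"), ("nobody", "x")):
        print(user, authorize(user, pw))
```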


Re: Authentication Help

2004-04-21 Thread Bob Ross
As I said I deleted everything, I mean everything related to free radius was
deleted. All directories it created.

When I go to start over I start over from scratch. If one way doesn't work,
I don't want the problems of one config conflicting with another.

I'm back to the way it was when I first extracted it to start.

I can only hope someone else has done it the way I'm trying to.

If not I'll just have to run to different radius's on the server until I get
around to
putting them on two different ones.

I'm told I should be able to do PAP - CHAP on the same server, but have been
having one hard time doing so.

Anyone have any examples or instruction to get this done. Right now we can
only get it to do either one, not both.

Meaning, PAP with /passwd/shadow files and CHAP with the mySQL files?

Any examples of raddb files to help me with?

Thanks
Bob Ross


- Original Message - 
From: "Milver S. Nisay" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 9:31 AM
Subject: Re: Authentication Help


> > Since I have only started working with FreeRadius, and have not touched
a
> > radius file for 7 years, I have to say No, because I have no idea what
> your
> > asking.
>
>
> google helps both technical and non-technical on planet earth a REALLY
lot.
> you might want to share us your radiusd.conf and sql.conf to light a new
way
> for you.
> how about a book? (just kidding) :) share it to me offlist and let me see
> what i can do for you.
>
>
>
>
>




Re: Authentication Help

2004-04-21 Thread Bob Ross
I'm not experienced in this area. I only started using FreeRadius a week
ago, and have not touched radius for 7 years other than upgrades to Cistron.
Other than that I have not needed to know any more about it except that it
was working, and no it's

So you have me lost.

I deleted everything to start over again so it's a clean install. It's about
the third time.

One of these times it will start to work. Just need guidance to do so.

Is there any docs or example raddb files that show what I'm trying to do?

Thanks
Bob


- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 10:47 AM
Subject: Re: Authentication Help


> "Bob Ross" <[EMAIL PROTECTED]> wrote:
> > I'm told I should be able to do PAP - CHAP on the same server, but have
been
> > having one hard time doing so.
>
>   The server does this out of the box.
>
>   The larger problem is I don't think you're clear on WHY some
> requests do PAP, and others do CHAP.  If you can tell the two apart,
> it should be trivial to configure the server to handle them
> differently.
>
>   Alan DeKok.
>




RE: OS for FreeRADIUS

2004-04-21 Thread Holger Steppke
Hi,

Well, I don't know how well it runs on the others. I run it on Solaris 2.6 and
2.8 and it works well.


Bye
Holger


[EMAIL PROTECTED] wrote:

> Is there a recommended OS for freeradius?
> Is there really a difference (performance or otherwise) between running
> freeradius on FreeBSD compared to a distrobution of Linux (RedHat,
> Gentoo, etc...)?
>
> Evan Stenmark
>




unsubscribe

2004-04-21 Thread Eric
unsubscribe





Re: Authentication Help

2004-04-21 Thread Alan DeKok
"Bob Ross" <[EMAIL PROTECTED]> wrote:
> I'm told I should be able to do PAP - CHAP on the same server, but have been
> having one hard time doing so.

  The server does this out of the box.

  The larger problem is I don't think you're clear on WHY some
requests do PAP, and others do CHAP.  If you can tell the two apart,
it should be trivial to configure the server to handle them
differently.

  Alan DeKok.



Re: Appending a user name.

2004-04-21 Thread Alan DeKok
"J Thomas Hancock" <[EMAIL PROTECTED]> wrote:
> We are running freeradius-0.9.3 on a Linux box. Due to a specific need of
> one of our clients, we need to be able to authenticate a user based on their
> Called-Station-ID and their username/password without specifying a domain.
> The usernames are stored in our MySQL database as [EMAIL PROTECTED]  I
> am having problems configuring the users file to append @domainname.com to
> the username based on their Called-Station-Id.  Does anyone have any
> experience doing this sort of thing?  

  It shouldn't be necessary.  You can use rlm_passwd to map
Called-Station-Id to a domain, and then edit the SQL queries.  Where
they say:

%{User-Name}

  Replace it with:

[EMAIL PROTECTED]

  Alan DeKok.



Re: Authentication Help

2004-04-21 Thread Milver S. Nisay
> Since I have only started working with FreeRadius, and have not touched a
> radius file for 7 years, I have to say No, because I have no idea what you're
> asking.


google helps both technical and non-technical people on planet earth REALLY a lot.
you might want to share your radiusd.conf and sql.conf with us to light a new way
for you.
how about a book? (just kidding) :) send it to me off-list and let me see
what I can do for you.







Re: Authentication Help

2004-04-21 Thread Bob Ross
Since I have only started working with FreeRadius, and have not touched a
radius file for 7 years, I have to say No, because I have no idea what you're
asking.

I did do what it said to about getting rid of the old files no longer used
and enabling the /etc/passwd - /etc/shadow - /etc/group files.

I followed the directions inside those the best I thought they were telling
me, and what I found on the net.

I already deleted the freeradius tree to start over from scratch so it's a
clean system. It's not that big of a deal, I have already done this 3 times.
Helps with the learning curve sometimes, but this one is definitely
different.

I have been installing it in a test directory to not interfere with the
current running radius. When I have something to test, I turn one off and this
one on or just have them running on different ports until I'm ready to test with
actual log ins from both sides.

>
> have you tried combining or enabling both configuration with the
> radiusd.conf?
> what is the freeradius debug message?
>
>
>
>




Re: OS for FreeRADIUS

2004-04-21 Thread Paul Hampson
On Wed, Apr 21, 2004 at 08:49:47AM -0400, Gary McKinney wrote:
> I realize this is not a direct FreeRadius issue but possibly could be indirectly
> related if the actual problem still exists with thread locking...

> I checked the FreeBSD site for any PR listings for what you have described... did
> not find anything - have you checked against the latest release of FreeBSD for
> the problem???

http://lists.cistron.nl/archives/freeradius-users/2003/09/frm00212.html
* http://lists.cistron.nl/archives/freeradius-users/2003/09/msg00212.html
http://lists.cistron.nl/archives/freeradius-users/2003/09/frm00434.html
http://lists.cistron.nl/archives/freeradius-devel/2003/09/frm00093.html

_I_ haven't tested against the latest release of FreeBSD. I'd welcome
any improvements to the thread-safety of FreeRADIUS, so if you want to
test it out and suggest changes that don't break any other versions of
FreeBSD, any other BSD flavours, and (if possible) Tru64 and OS/X...

However, given that we're ramping up to a release, I'd rather not
duplicate the 0.9 series's tendency to need autoconf fixes for
gethostby* immediately after _each_ release. If we have something
safe-looking before we start the pre-release cycle, and it gets _tested_ by
various FreeBSD and other bodies, then maybe. :-)

Whoops. While trawling the list archives from September I found someone
who asked me a question, and I never answered. :-( I hope he found
enlightenment eventually, and didn't leave us for Radiator.

-- 
Paul "TBBle" Hampson, on an alternate email client.



Re: Authentication Help

2004-04-21 Thread Milver S. Nisay
> I'm told I should be able to do PAP - CHAP on the same server, but have
> been having one hard time doing so.
>
> Anyone have any examples or instruction to get this done. Right now we can
> only get it to do either one, not both.

have you tried combining or enabling both configuration with the
radiusd.conf?
what is the freeradius debug message?






Authentication Help

2004-04-21 Thread Bob Ross
I'm told I should be able to do PAP - CHAP on the same server, but have been
having one hard time doing so.

Anyone have any examples or instruction to get this done. Right now we can
only get it to do either one, not both.

Meaning, PAP with /passwd/shadow files and CHAP with the mySQL files?

Any examples of raddb files to help me with?

Thanks
Bob Ross




Re: Appending a user name.

2004-04-21 Thread Milver S. Nisay

> We are running freeradius-0.9.3 on a Linux box. Due to a specific need of
> one of our clients, we need to be able to authenticate a user based on
> their Called-Station-ID and their username/password without specifying a domain.
> The usernames are stored in our MySQL database as [EMAIL PROTECTED]
> I am having problems configuring the users file to append @domainname.com to
> the username based on their Called-Station-Id.  Does anyone have any
> experience doing this sort of thing?

your username attribute from MySQL is an exact matching login name that will
be searched by freeradius based on
your realms configuration coming from the MySQL database. freeradius assumes
that the requests coming in have @domains.com appended
to their usernames at the time of the request and after the radiusd.conf
was loaded. i think, though i have not done it, that your
MySQL structure conflicts with the username request (from clients) coming
in. that setup will not pass the authentication process.
give a ring to google.






Appending a user name.

2004-04-21 Thread J Thomas Hancock
We are running freeradius-0.9.3 on a Linux box. Due to a specific need of
one of our clients, we need to be able to authenticate a user based on their
Called-Station-ID and their username/password without specifying a domain.
The usernames are stored in our MySQL database as [EMAIL PROTECTED]  I
am having problems configuring the users file to append @domainname.com to
the username based on their Called-Station-Id.  Does anyone have any
experience doing this sort of thing?  

Any help with the matter would be much appreciated.

Thank you,
Tom






Re: PAP/CHAP

2004-04-21 Thread Bob Ross
Sorry to bother you.

When you said this we thought you were on the development team. No, he hasn't left
us. He's just as stumped.

**
no realm or with realm, freeradius does not care, it will do what we design
its radiusd.conf to be.

**


- Original Message - 
From: "Milver S. Nisay" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 20, 2004 12:34 PM
Subject: Re: PAP/CHAP


> > I was told that FreeRadius can answer PAP/CHAP at the same
> > time that it didn't care.
>
> Yes, freeradius does not care what authentication request are coming in,
> whether PAP/CHAP or system authenticated
> accounts. If freeradius was configured properly, it will reply as it was
> tasked to do.
>
> > The problem I'm having is if a user logs in with no realm (PAP) and
> > their user name is in the system files, it doesn't work. If I use a
> > different user and log in to our wholesale(CHAP) side the user name in
> > the mysql database does fine.
>
> no realm or with realm, freeradius does not care, it will do what we
> design its radiusd.conf to be.
> there's a work around, PAP accounts can be configured to be authenticated
> based on account names, password and
> expiration attributes and others inside the MySQL database too, without
> of course using /etc/passwd and /etc/shadow files.
>
> > How do I tell FreeRadius to look in the system file first and then the
> > Local (mySQL) second if not found in the System files?
>
> it does and that is why you don't need to..
>
> > I did not really want to run two radius on the same machine on different
> > ports if at all possible.
>
> if you like it that way, it can be worked out without considering pros and
> cons.
> >
> > Other than this little snag, I have all my tools to work everything from
> > the command prompt. Add, Disable, Enable, Remove, etc..
>
> hope this helps.
>
> //milver
>
>
>




2 benchmarking tools attached for you to use / comment on/ improve

2004-04-21 Thread Tariq Rashid
2 benchmarking tools (code and output are readable and self-evident) attached for you
to use / comment on / improve.

The Python one uses the pyrad module; the C one uses libradius from the standard BSD
install (a static version exists for Linux).

comments appreciated.


thread_test_linear.py
Description: thread_test_linear.py


thread_test.c
Description: thread_test.c


Re: Re[3]: how to create check attribute dynamically?

2004-04-21 Thread Milver S. Nisay

> AL>  Well, it doesn't matter how it will work. Then I need to split
> AL>  users in two groups - one with some traffic left and another
> AL>  with zero or negative traffic value and then give them different
> AL>  addresses from different pools according to the group names.

the users file and grouping, be it as a flat file or based on MySQL
groupings, should work if properly configured.
and ip pooling can be configured from freeradius or by a cisco box (if you are
using one), be it static or dynamic,
or even by individual special user case using MySQL or the flat users file.
freeradius is care free whichever case.

> AL>  how can I do it dynamically? I mean, the value of traffic is
> AL>  calculated when the user logs in, so if he has no octets left, he
> AL>  must have an address from the 192.168.222.0/24 network, and if he has
> AL>  some octets left, he must have an address from the 192.168.111.0/24
> AL>  network. So, the main question is - where and what should I write
> AL>  to make this scheme work?

nobody from the list has done this yet, as far as I know. this must call
for a script that will handle and catch the case and
the scenario you want, but with the current freeradius modules, this will
not work, unless the special script case is made.
i have not done this before. hope this helps.
//milver





Re[3]: how to create check attribute dynamically?

2004-04-21 Thread Alexander Lunyov
Hello Alexander,

Monday, April 19, 2004, 1:49:22 PM, you wrote:

AL> Hello Milver,

AL> Monday, April 19, 2004, 1:30:05 PM, you wrote:

>>>   I need to create a check attribute depending on how many seconds or
>>>   octets a user has. Ideally, I would like to equate a reply attribute to a
>>>   newly created check attribute or to turn a reply into a check attribute. I
>>>   need this to differentiate users by their limits and give them
>>>   IP addresses from different networks, so I can manage their
>>>   connections with a firewall. I already posted this question here
>>>   (subject "different pools for user with and without traffic"), but
>>>   have no answers. All I need is that I could write in the 'users' file
>>>   something like this:
>>>
>>> DEFAULT Check-Traffic-Limit <= 0, Pool-Name := "illegal_pool"
>>>
MSN>> you might want to use groupings with your database. so replies
MSN>> sent depends on the user groups an account belongs to.
MSN>> if an account belongs to subnet1, you could sent them the group attributes
MSN>> such as
MSN>> specific IP for them, traffic limit, framed-mtu, protocol, expiration,
MSN>> compression and more...


AL>  Well, it doesn't matter how it will work. Then I need to split
AL>  users in two groups - one with some traffic left and another
AL>  with zero or negative traffic value and then give them different
AL>  addresses from different pools according to the group names. But
AL>  how can I do it dynamically? I mean, the value of traffic is
AL>  calculated when the user logs in, so if he has no octets left, he
AL>  must have an address from the 192.168.222.0/24 network, and if he has
AL>  some octets left, he must have an address from the 192.168.111.0/24
AL>  network. So, the main question is - where and what should I write
AL>  to make this scheme work?


 Nobody knows how to do that? Is it possible at all to assign a
 value to a check attribute? Maybe rlm_perl (which I have never
 used and have not found any docs for)?

 Please, help me or say it is not possible.


-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




Tagged Attributes and attribute filter does not work correctly

2004-04-21 Thread Holger Steppke
Hi,

I'd like to bother you again about Tagged Attributes. (0.9.3)
It's not that I'm complaining. I worked around it differently for myself,
but hopefully someone is interested in seeing this.

If I add some more of those Attributes in the users file like

Tunnel-Endpoint:1 += 1.2.3.4
Tunnel-Endpoint:2 += 1.2.3.5

and then use in attr_filter
Tunnel-Endpoint =* ANY

we end up with
Tunnel-Endpoint:0 += 1.2.3.4
Tunnel-Endpoint:0 += 1.2.3.5
                ^
+ now we have a 0 here, at least the reply log is telling
that.




Bye
Holger




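To make the expected behaviour in Holger's report concrete, here is an added example of my own (not FreeRADIUS code and not the attr_filter module): a parser for `Name[:tag] op value` lines as they appear in the users file and in attr_filter rules, and a filter that applies `=* ANY` and `==` rules while leaving the tag on each pair untouched. The tag is what ties a Tunnel-Endpoint to the other attributes of the same tunnel (RFC 2868), so collapsing it to 0 as the reply log above shows merges endpoints that belong to different tunnels. The attribute lines used as input are the ones from the report plus constructed extras.

```python
import re

# One users-file or attr_filter line: Name[:tag] op value (whitespace around op).
_PAIR = re.compile(r"^\s*([A-Za-z0-9-]+)(?::(\d+))?\s+(\+=|:=|=\*|==|=)\s+(\S+)\s*$")


def parse_pair(line: str) -> tuple:
    """Return (name, tag, op, value); tag is None for an untagged attribute.
    RFC 2868 tags are 1..31; 0 is how the server displays 'no tag'."""
    m = _PAIR.match(line)
    if not m:
        raise ValueError(f"not an attribute pair: {line!r}")
    name, tag, op, value = m.groups()
    if tag is not None and not 0 <= int(tag) <= 31:
        raise ValueError(f"tag out of range in {line!r}")
    return name, (int(tag) if tag is not None else None), op, value


def format_pair(pair: tuple) -> str:
    """Render a pair back in the users-file syntax, tag included."""
    name, tag, op, value = pair
    return f"{name}:{tag} {op} {value}" if tag is not None else f"{name} {op} {value}"


def apply_filter(reply: list, rules: list) -> list:
    """Keep the reply pairs a rule set permits.
    '=* ANY' keeps every instance of the attribute; '==' keeps only a matching
    value. The pair object is passed through unchanged, so its tag survives."""
    kept = []
    for pair in reply:
        name, _tag, _op, value = pair
        for rname, _rtag, rop, rvalue in rules:
            if rname != name:
                continue
            if (rop == "=*" and rvalue == "ANY") or (rop == "==" and rvalue == value):
                kept.append(pair)
                break
    return kept


def filter_reply_lines(reply_lines: list, rule_lines: list) -> list:
    """Convenience wrapper: text in, text out."""
    reply = [parse_pair(l) for l in reply_lines]
    rules = [parse_pair(l) for l in rule_lines]
    return [format_pair(p) for p in apply_filter(reply, rules)]
```

Run over the two Tunnel-Endpoint lines from the report with the `Tunnel-Endpoint =* ANY` rule, the output keeps `:1` and `:2`, which is what a tag-aware filter should produce.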


Re: RV: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.

2004-04-21 Thread 3APA3A
Dear Alejandro Martínez Marcos,

In order to use rlm_mschap with LDAP you must store either cleartext or
NT or LM password in LDAP schema. See ldap.attrmap, doc/ldap_howto.txt
and doc/rlm_ldap.

--Wednesday, April 21, 2004, 3:16:40 PM, you wrote to [EMAIL PROTECTED]:


AMM> Hi again,

AMM>I keep on trying to solve this problem. I have realized that the problem
AMM> only occurs when I use LDAP to authorize. It seems that freeradius is unable
AMM> to retrieve the attribute "User-Password" from LDAP.
AMM>When I use the users file, in that case it goes ok. I just added the users
AMM> to the users file like this, as I have seen in a previous e-mail from Alan
AMM> DeKok. For example:
AMM>tunnel-user  User-Password = "password"

AMM>Unfortunately, I MUST use LDAP...Please help!!

AMM> Best regards,

AMM>Alejandro



AMM> -Original Message-
AMM> From: [EMAIL PROTECTED]
AMM> [mailto:[EMAIL PROTECTED] on behalf of
AMM> Alejandro Martínez Marcos
AMM> Sent: Wednesday, 21 April 2004 10:05
AMM> To: Lista Freeradius
AMM> Subject: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.


AMM> Hello,

AMM>I am trying to authenticate using  PEAP against a LDAP server. I am getting
AMM> the following errors:

AMM>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
AMM>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.

AMM>Could anyone tell me what these passwords are? I don't know whether I have
AMM> a problem with the client configuration or if I have missing fields in LDAP
AMM> (but I do have a "userPassword" one).

AMM> thanks in advance,

AMM>Alejandro




-- 
~/ZARAZA
So, I will be brief. (Twain)




Re: OS for FreeRADIUS

2004-04-21 Thread Gary McKinney
Hi Paul,

I realize this is not a direct FreeRadius issue but possibly could be indirectly
related if the actual problem still exists with thread locking...

I checked the FreeBSD site for any PR listings for what you have described... did not
find anything - have you checked against the latest release of FreeBSD for the problem???
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: [EMAIL PROTECTED] (Paul Hampson)
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 21 Apr 2004 20:28:20 +1000

>On Tue, Apr 20, 2004 at 09:39:14PM -0600, stenmark  wrote:
>
>> Is there a recommended OS for freeradius?
>
>> Is there really a difference (performance or otherwise) between
>> running freeradius on FreeBSD compared to a distribution of Linux
>> (RedHat, Gentoo, etc...)?
>
>FreeBSD has locking issues with threads, in the DNS resolver libraries.
>
>If you want to see the discussion, dig around the list archives for the
>time of the 0.9.1 release.
>
>-- 
>Paul "TBBle" Hampson, who was reading those archives the other day.
>


(no subject)

2004-04-21 Thread radius radius
I'm trying to use mschap through peap.  I think I'm having trouble getting tls
to run.  I have no idea how to set up certificates.  Can anyone give me some
advice?



Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "(null)"
tls: certificate_file = "(null)"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "(null)"
tls: dh_file = "(null)"
tls: random_file = "(null)"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
2873:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:632:Expecting: CERTIFICATE
2873:error:0200100E:system library:fopen:Bad 
address:bss_file.c:259:fopen('','r')
2873:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
2873:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system 
lib:ssl_rsa.c:513:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.



Re: OS for FreeRADIUS

2004-04-21 Thread Igor Karpov
Gary McKinney wrote:
> Hi Paul,
>
> I realize this is not a direct FreeRadius issue but possibly could be indirectly
> related if the actual problem still exists with thread locking...
> I checked the FreeBSD site for any PR listings for what you have described... did not find
> anything - have you checked against the latest release of FreeBSD for the problem???

I'm running FreeRadius under FreeBSD 4.x for about two years and have never met
such a problem.



Re: Problem faced in integrating Domino LDAP Server for authentication with FreeRadius Server

2004-04-21 Thread Kostas Kalevras
On Wed, 21 Apr 2004, Joseph Silvin wrote:

> Hi,
>
> I am trying to use FreeRadius ACS Server for authentication against IBM
> Domino LDAP Server. The following is the error message that I get. I have
> reproduced both radiusd.conf and log files. Looking forward to someone who
> can help on this front.
>
> Thanks.
>
> JS
> =
> Log file of FreeRadius
> 
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 127.0.0.1:1026, id=86, length=60
> User-Name = "MyUserName"
> User-Password = "MyLDAPPassword"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 1
> modcall: entering group authorize for request 10
>   modcall[authorize]: module "preprocess" returns ok for request 10
>   modcall[authorize]: module "chap" returns noop for request 10
>   modcall[authorize]: module "eap" returns noop for request 10
> rlm_realm: No '@' in User-Name = "MyUserName", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 10
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 10
>   modcall[authorize]: module "mschap" returns noop for request 10
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for MyUserName
> radius_xlat:  '(uid=MyUserName)'
> radius_xlat:  'ou=MyDept,ou=SBULocation,o=MyOrg'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.192.41:389, authentication 0
> rlm_ldap: bind as / to 192.168.192.41:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check login, password settings in ldap section
> of radiusd.conf
^^


If that does not help, nothing will...


> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns fail for request 10
> modcall: group authorize returns fail for request 10
> Finished request 10
> Going to the next request
> --- Walking the entire request list ---
> Nothing to do.  Sleeping until we see a request.
> =
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

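Kostas points at the bind failure; as an added example of my own (not FreeRADIUS code), the checker below makes the diagnosis mechanical. It parses the `ldap {}` section as Joseph posted it (copied into the block, trimmed, as constructed input), ignores commented-out lines the way the server does, and cross-checks the debug output: the empty field before `/ to` in `rlm_ldap: bind as / to 192.168.192.41:389` is an empty identity, i.e. an anonymous simple bind, which a Domino directory can refuse for searches. It also flags the setting that matters once the credentials are filled in: with `start_tls = no` and a plain `ldap://` server the bind password crosses the network in the clear. The finding texts are my own wording.

```python
import re

# The ldap section from the original post (trimmed), used as constructed sample input.
RADIUSD_CONF_LDAP = """\
ldap {
server = 192.168.192.41
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "ou=MyDept,ou=SBULocation,o=MyOrg"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
access_attr = "dialupAccess"
}
"""

# Debug lines from the same post.
DEBUG_LOG = """\
rlm_ldap: (re)connect to 192.168.192.41:389, authentication 0
rlm_ldap: bind as / to 192.168.192.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check login, password settings in ldap section
"""

_KV = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
_BIND = re.compile(r"rlm_ldap: bind as (.*?) to (\S+)")


def parse_ldap_section(text: str) -> dict:
    """Active key/value pairs inside ldap { ... }; '#' starts a comment, as in radiusd.conf.
    (Values containing '#' are not handled; none of the settings here need that.)"""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("ldap") and line.endswith("{"):
            inside = True
            continue
        if line == "}":
            inside = False
            continue
        m = _KV.match(line) if inside else None
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def lint(settings: dict, debug_log: str = "") -> list:
    """Findings about how rlm_ldap will bind with these settings."""
    findings = []
    identity, password = settings.get("identity", ""), settings.get("password", "")
    server, start_tls = settings.get("server", ""), settings.get("start_tls", "no").lower()
    if not identity:
        findings.append("anonymous bind: no active identity in the ldap section, "
                        "so the server binds with an empty DN before searching")
    elif not password:
        findings.append("identity without password: an unauthenticated simple bind")
    if password and start_tls != "yes" and not server.startswith("ldaps://"):
        findings.append("bind password sent in cleartext: start_tls = no and a plain ldap:// server")
    for line in debug_log.splitlines():
        m = _BIND.search(line)
        if m and m.group(1).strip() == "/":
            findings.append(f"debug confirms an empty bind DN against {m.group(2)}")
        elif "LDAP login failed" in line:
            findings.append("directory rejected the bind (see the identity/password findings)")
    return findings
```

Uncommenting `identity` and `password` removes the anonymous-bind finding; the cleartext finding then stays until `start_tls = yes` (or an `ldaps://` server) is configured, and the file holding that password should be readable by the radiusd user only.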


Problem faced in integrating Domino LDAP Server for authentication with FreeRadius Server

2004-04-21 Thread Joseph Silvin
Hi,

I am trying to use FreeRadius ACS Server for authentication against IBM
Domino LDAP Server. The following is the error message that I get. I have
reproduced both radiusd.conf and log files. Looking forward to someone who
can help on this front.

Thanks.

JS



Contents of radiusd.conf

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication (Auth-Type := LDAP)
#
#  See doc/rlm_ldap for description of configuration options
#  and sample authorize{} and authenticate{} blocks
ldap {
server = 192.168.192.41
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "ou=MyDept,ou=SBULocation,o=MyOrg"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"

start_tls = no

access_attr = "dialupAccess"

dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5


timeout = 4
timelimit = 3
net_timeout = 1
  }


=
Log file of FreeRadius

Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=86, length=60
User-Name = "MyUserName"
User-Password = "MyLDAPPassword"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1
modcall: entering group authorize for request 10
  modcall[authorize]: module "preprocess" returns ok for request 10
  modcall[authorize]: module "chap" returns noop for request 10
  modcall[authorize]: module "eap" returns noop for request 10
rlm_realm: No '@' in User-Name = "MyUserName", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 10
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 10
  modcall[authorize]: module "mschap" returns noop for request 10
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MyUserName
radius_xlat:  '(uid=MyUserName)'
radius_xlat:  'ou=MyDept,ou=SBULocation,o=MyOrg'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.192.41:389, authentication 0
rlm_ldap: bind as / to 192.168.192.41:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check login, password settings in ldap section
of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 10
modcall: group authorize returns fail for request 10
Finished request 10
Going to the next request
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
=

DISCLAIMER*  This  message  and  any
attachments (hereinafter referred to as the 'mail content')  is  intended
solely  for  the  addressee. The 'mail content' is confidential  and may be
privileged and is also prohibited from disclosure. Access,  use,  copying,
distribution  or  re-use  of the 'mail content' by anyone  except  the
addressee is unauthorized. If you are not the intended addressee,  please
destroy  all  copies  of  the  'mail  content'  in your possession and also
delete the same from your computer. Any views expressed in  the  'mail
content' are those of the individual sender except where the sender,  with
due  authority of Jyoti Structures Ltd., specifically states them  to  be
the  views  of Jyoti Structures Ltd. Nothing contained in the 'mail
content'  is  capable  or  intended  to  create  any legally binding
obligations  on  the  sender,  Jyoti  Structures  Ltd.  The  sender,  Jyoti
Structures  Ltd., accepts no responsibility, whatsoever, for loss or damage
from the use of the 'Said Information' including damage from viruses.






RV: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.

2004-04-21 Thread Alejandro Martínez Marcos

Hi again,

I keep on trying to solve this problem. I have realized that the problem
only occurs when I use LDAP to authorize. It seems that freeradius is unable
to retrieve the attribute "User-Password" from LDAP.
When I use the users file, in that case it goes ok. I just added the users
to the users file like this, as I have seen in a previous e-mail from Alan
DeKok. For example:
tunnel-user  User-Password = "password"

Unfortunately, I MUST use LDAP...Please help!!

Best regards,

Alejandro



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of
Alejandro Martínez Marcos
Sent: Wednesday, 21 April 2004 10:05
To: Lista Freeradius
Subject: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.


Hello,

I am trying to authenticate using  PEAP against a LDAP server. I am getting
the following errors:

  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.

Could anyone tell me what these passwords are? I don't know whether I have
a problem with the client configuration or if I have missing fields in LDAP
(but I do have a "userPassword" one).

thanks in advance,

Alejandro




Re: OS for FreeRADIUS

2004-04-21 Thread Paul Hampson
On Tue, Apr 20, 2004 at 09:39:14PM -0600, stenmark  wrote:

> Is there a recommended OS for freeradius?

> Is there really a difference (performance or otherwise) between
> running freeradius on FreeBSD compared to a distribution of Linux
> (RedHat, Gentoo, etc...)?

FreeBSD has locking issues with threads, in the DNS resolver libraries.

If you want to see the discussion, dig around the list archives for the
time of the 0.9.1 release.

-- 
Paul "TBBle" Hampson, who was reading those archives the other day.



Re: Freeradius-Users digest, Vol 1 #3127 - 4 msgs

2004-04-21 Thread rdo
Hello folks.

I have installed freeradius and configured it to use mysql accounts, but with no
success.

I'm running debian 3.4 stable. 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002
i686 GNU/Linux

I configured it using this:

./configure --localstatedir=/var --sysconfdir=/etc --enable-ltdl-install
--with-rlm-mysql-lib-dir=/usr/local/lib/mysql
--with-rlm-mysql-include-dir=/usr/local/include/mysql

(thanks to apellido)

Here is the error in debug mode:

ol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
 sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'"
 sql: connect_failure_retry_delay = 60
 sql: simul_count_query = ""
 sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM
radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search
path of your system's ld.
radiusd.conf[14]: sql: Module instantiation failed.
hotspot:/usr/local#


I've searched for my error on Google and I've seen someone saying something about
mysql headers or includes. I tried to search where they are in Debian, but with
no success. In /usr/local/mysql/include I didn't find the mysql includes.

ml url:
http://lists.cistron.nl/pipermail/freeradius-users/2001-June/000954.html

If anyone could help me I would appreciate it.

Thank you
Rui Oliveira
Portugal
http://www.segurmelis.pt 


This message was sent using IMP, the Internet Messaging Program.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS / Windows XP SP1

2004-04-21 Thread Ippoliti Giuliano
Ok: I solved the problem.
I was transferring the files using ASCII mode instead of 
binary mode. Now XP understands them!!!

Thank you,
Giuliano 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS / Windows XP SP1

2004-04-21 Thread Ippoliti Giuliano
Hi list,
I'm trying to set up the eap-tls authentication method for 
a wireless lan, following some howtos I found on the Net 
(http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm 
and http://www.dslreports.com/forum/remark,9286052).
I've successfully compiled and launched (not without 
experiencing some frustration...) freeradius-0.9.3 with 
openssl-0.9.7d, so the server seems ok.
My problem is that my client Windows XP SP1 doesn't 
understand the certificates root.der and cert-clt.p12 
that I generated using the CA.all script. When I 
double-click on them it says that they are not valid (the 
messages are in French for my settings, so I try to 
translate them: "This file isn't valid as a security 
certificate" for root.der and "This file isn't valid for 
the exchange of personal information" for cert-clt.p12). 
I've tried to modify the root.pem (not root.der!) file, 
leaving only 
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
, renamed it to root.cer and XP let me install it without 
problems (as shown in the guides). However this method 
doesn't work for the client certificate (XP says that it 
has not enough information to verify its validity).
Has anybody experienced this kind of problem?
Thank you sincerely for your help,

Giuliano

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
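The two EAP-TLS messages above (the question about root.der and cert-clt.p12, and the follow-up that the files had been copied in ASCII mode) describe one failure mode: a DER file, whether an X.509 certificate or a PKCS#12 bundle, begins with an ASN.1 SEQUENCE whose header states the exact length of the whole file, so an ASCII-mode transfer that rewrites line endings leaves a file that no longer matches its own header. The check below is an added example, not code from the thread or from any of the howtos it links; the sample DER blobs and the `simulate_ascii_mode_upload` helper are constructed here purely to show the effect.

```python
"""Added example: spot a DER certificate or PKCS#12 file that was damaged by
an ASCII-mode transfer, by comparing the outer SEQUENCE length against the
file size.  Sample data is constructed below; nothing here comes from the
thread's own files."""


def der_encode(tag: int, content: bytes) -> bytes:
    """Build one DER TLV (short or long form length).  Used only to make
    the constructed sample data below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def der_outer_length(data: bytes):
    """Total length the leading SEQUENCE header claims for the file, or None
    when the data does not even start like DER.  X.509 certificates and
    PKCS#12 bundles both start with a SEQUENCE (tag 0x30)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None                       # indefinite or absurd length is not DER
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def diagnose(data: bytes) -> str:
    """Human-readable verdict on a file's contents."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM text, not DER: convert it before handing it to Windows"
    claimed = der_outer_length(data)
    if claimed is None:
        return "not DER: no SEQUENCE header at offset 0"
    if claimed == len(data):
        return "ok"
    if claimed < len(data) and b"\r\n" in data:
        return ("corrupt: header claims %d bytes, file has %d; CRLF pairs "
                "present, consistent with an ASCII-mode transfer" % (claimed, len(data)))
    return "corrupt: header claims %d bytes, file has %d" % (claimed, len(data))


def simulate_ascii_mode_upload(data: bytes) -> bytes:
    """What an ASCII-mode FTP upload from a Unix host does to binary data:
    every LF byte (0x0a) becomes CRLF.  A DER file contains such bytes
    wherever a length or value happens to be 10."""
    return data.replace(b"\n", b"\r\n")


def check_file(path: str) -> str:
    """Convenience wrapper for a real root.der / cert-clt.p12 on disk."""
    with open(path, "rb") as fh:
        return diagnose(fh.read())


# Constructed samples (not real certificates): a short-form SEQUENCE that
# contains 0x0a bytes, and a long-form one to exercise the 0x81 length path.
SAMPLE_DER = der_encode(0x30, der_encode(0x02, b"\x0a") + der_encode(0x04, b"\x0a\x0a"))
LONG_SAMPLE_DER = der_encode(0x30, der_encode(0x04, b"\x00" * 200))

if __name__ == "__main__":
    print("intact :", diagnose(SAMPLE_DER))
    print("damaged:", diagnose(simulate_ascii_mode_upload(SAMPLE_DER)))
```

The length check is deliberately minimal: it does not validate the certificate, only whether the file is still the byte string the CA script wrote. A file that passes but is still rejected by the client points at a content problem (wrong CA, missing chain) rather than at the transfer.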


rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.

2004-04-21 Thread Alejandro Martínez Marcos
Hello,

I am trying to authenticate using  PEAP against a LDAP server. I am getting
the following errors:

  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.

Could anyone tell me what are these passwords? I don't know whether I have
a problem with the client configuration or if I have missing fields in LDAP
(but I do have a "userPassword" one).

thanks in advance,

Alejandro


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
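The two passwords in Alejandro's log are hashes, not extra attributes to fill in by hand. PEAP's inner method is MS-CHAPv2, which never carries the cleartext password; the server checks the client's response against the NT hash (MD4 over the password encoded as UTF-16LE). rlm_mschap computes NT-Password (and the older LanManager LM-Password) itself when a cleartext User-Password is present in the request's control items, and logs exactly these two lines when it is not. An LDAP userPassword only helps if rlm_ldap maps it to User-Password and the stored value is cleartext; a {SSHA}-style digest cannot be turned into an NT hash. The following is an added example, not FreeRADIUS code: it implements MD4 in pure Python (so it runs without OpenSSL's legacy provider), derives the NT hash the way the module does, and mirrors the module's decision with a `resolve_nt_hash` helper whose attribute-dict input is an assumption of this example.

```python
"""Added example (not FreeRADIUS code): derive NT-Password as rlm_mschap
does and show when it cannot.  MD4 is implemented inline; the dict-based
resolve_nt_hash() is this example's stand-in for the server's control list."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_block(state, block: bytes):
    """One 64-byte MD4 compression (RFC 1320)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    # Round 1: F(x,y,z) = (x & y) | (~x & z); message words in order.
    for i in range(16):
        a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: G(x,y,z) = majority; words by column.
    for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):
        a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[k] + 0x5A827999) & _MASK,
                  (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H(x,y,z) = x ^ y ^ z; words in bit-reversed order.
    for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
        a = _rotl((a + (b ^ c ^ d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)      # bit length, little-endian
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_password(cleartext: str) -> str:
    """NT-Password as rlm_mschap builds it from User-Password:
    MD4 over the UTF-16LE encoding, shown here hex encoded."""
    return md4(cleartext.encode("utf-16-le")).hex()


def resolve_nt_hash(control: dict):
    """Mirror rlm_mschap's choice of reference value (attribute names as in the
    thread's log).  A stored NT-Password wins; otherwise one is derived from a
    cleartext User-Password; otherwise there is nothing to check MS-CHAPv2
    against, which is the situation the two log lines report.  The dict input
    is an assumption of this example, not the server's real data structure."""
    if control.get("NT-Password"):
        return control["NT-Password"].lower()
    if control.get("User-Password") is not None:
        return nt_password(control["User-Password"])
    return None      # rlm_mschap: No User-Password configured.  Cannot create NT-Password.


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(resolve_nt_hash({"User-Password": "password"}))
    print(resolve_nt_hash({"NT-Password": "8846F7EAEE8FB117AD06BDD830B7586C"}))
    print(resolve_nt_hash({"userPassword": "{SSHA}not-mapped-and-not-cleartext"}))
```

The third case is the one that matches the thread: an LDAP attribute that was never mapped to User-Password, or whose value is a salted digest, leaves the module with nothing to derive. The fix is on the directory side (store a cleartext password that rlm_ldap maps to User-Password, or an NT hash that is mapped to NT-Password), not on the client.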


Re: expiration attribute

2004-04-21 Thread Santiago Balaguer García
It is easy with my method.

I suppose that you have RADIUS accounts with a specific login. If you want 
an account to expire 30 days after its activation, you only have to get 
the activation date (you know, with NOW() in MySQL) and add 30 days to this 
date in MySQL statements. This calculated date is saved in the radcheck table 
in the field ExpirationDate.

   Santiago

"Milver S. Nisay" <[EMAIL PROTECTED]> wrote:
> The next challenge for a prepaid dialup would be, is there a possibility
> that an account's expiration would be modified, using MsSQL queries inside
> sqlcounter.conf, on the first successful authentication

  I would suggest running an external program to do that.

> For Ex. A prepaid dialup card is to expire within 30 days starting May 1,
> but the user who bought it used the prepaid dialup account on May 29, is
> there an attribute that will modify or prolong the expiration for 29 days
> more since it was used successfully on the 29th day of the month, therefore
> activating the dialup account on the first successful usage.

  That is a *very* specialized requirement, and is not possible with
the default modules.
  You should be able to write a simple shell script to catch that
case, and update the database.
  Alan DeKok.

-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
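Santiago's method and Alan's suggestion fit together: an external program run after the first successful authentication stores activation date + 30 days as an Expiration check item in radcheck, and from then on the server's own expiration check does the rejecting. The script below is an added example, not code from the thread or from FreeRADIUS. It assumes the standard radcheck column layout (UserName, Attribute, op, Value), uses sqlite3 in memory so it runs offline (the MySQL equivalent of the date arithmetic is noted in a comment), and the date format it writes for the Expiration value is an assumption to be checked against the server version in use.

```python
"""Added example: activate a prepaid account on its first successful login by
inserting an Expiration check item, so the 30 days run from first use rather
than from the card's printed start date.  sqlite3 stands in for MySQL."""
import sqlite3
from datetime import datetime, timedelta

# Assumed: the usual FreeRADIUS radcheck layout.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    UserName  TEXT NOT NULL,
    Attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    Value     TEXT NOT NULL
);
"""

# Assumed value format for the Expiration check item; confirm it against the
# documentation of the server version you run before relying on it.
EXPIRATION_FMT = "%b %d %Y %H:%M:%S"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def current_expiration(conn, username: str):
    row = conn.execute(
        "SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = 'Expiration'",
        (username,),
    ).fetchone()
    return row[0] if row else None


def activate_on_first_login(conn, username: str, now: datetime, validity_days: int = 30) -> str:
    """Run once per successful login.  Inserts Expiration := now + validity_days
    only if no Expiration item exists yet, so later logins cannot push the
    date out again.  Returns the value now in force.
    MySQL equivalent of the arithmetic: DATE_ADD(NOW(), INTERVAL 30 DAY)."""
    existing = current_expiration(conn, username)
    if existing is not None:
        return existing
    expires = (now + timedelta(days=validity_days)).strftime(EXPIRATION_FMT)
    conn.execute(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) "
        "VALUES (?, 'Expiration', ':=', ?)",
        (username, expires),
    )
    conn.commit()
    return expires


def is_expired(conn, username: str, now: datetime) -> bool:
    """What the stored item means for a login at `now`: reject once past it.
    An account without the item has not been activated yet, so it is not
    expired (the card's own shelf life is a separate policy)."""
    value = current_expiration(conn, username)
    if value is None:
        return False
    return now > datetime.strptime(value, EXPIRATION_FMT)


if __name__ == "__main__":
    # Constructed scenario from the thread: card sold for May, first used May 29.
    db = open_db()
    first_use = datetime(2004, 5, 29, 10, 0, 0)
    print("activated until:", activate_on_first_login(db, "card0001", first_use))
    print("expired on Jun 29?", is_expired(db, "card0001", datetime(2004, 6, 29)))
```

Because the insert is guarded by a lookup, the script is safe to call on every Access-Accept; only the first call for a user changes anything, which is the "activate on first successful usage" behaviour Milver asked about.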


Re: Compile freeradius in C++

2004-04-21 Thread [EMAIL PROTECTED]
Hello,
Thank you for this good advice, I will follow it!
best regards
At 11:26 20/04/2004, you wrote:
Hi,
I had a similar problem but took a slightly different approach.  I had a 
C++ library that I needed to use from inside an rlm_eap subtype 
module.  Instead of bringing C++ into rlm_eap, I wrote a C wrapper around 
the C++ API, and call the C function from within freeradius.  The wrapper 
function needs to be C++ so it can invoke methods on C++ objects, and the 
wrapper header has to have the "#ifdef __cplusplus" so both freeradius and 
the wrapper body can use it.  In the Makefile, you need to add your C++ 
library and -lstdc++ to RLM_LIBS.

One problem I ran into here is that I have to dynamically link freeradius 
while my C++ library is statically linked.  When I link my rlm, the linker 
gives a warning but it seems to work.  Ideally freeradius will get a fix 
for the problem that prevents static link for modules that have submodules. :)

Dave

Aurélien Magniez wrote:

Hi,

I also wrote a C++ module under FreeRadius. Look at
this page:
http://lists.cistron.nl/archives/freeradius-devel/2004/04/msg1.html
Aurélien Magniez




<[EMAIL PROTECTED]> wrote:

At 11:41 19/04/2004, you wrote:

"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> Does anyone know how I could compile freeradius in C++ using g++
> instead of gcc ?

  Why?  There's no C++ code in FreeRADIUS, so there's no point in
using a C++ compiler.

I am writing a module that needs to use C++ files that I wish I did not 
need to rewrite...

> I am not very familiar with the underlying configure mechanism, all I
> know is to type 'configure' and then 'make' ...

 Then you're definitely not going to want to use a C++ compiler.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html









-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html