Re: rlm_eap_leap: No User-Password or NT-Password configured for this user
Hi,

Any ideas on this error. Waiting anxiously for some pointer to the right direction.

rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP

Thanks
Joseph

Joseph Silvin wrote (26/05/2004 04:47 PM):

> Hi,
>
> Thanks. I have rectified the password_header and now the Password header is gone. But still the EAP is not taking the LDAP password (rlm_eap_leap: Stage 4).
>
> My config:
>
> radiusd.conf
> ---
> default_eap_type = md5
>
> users
> ---
> DEFAULT Auth-Type = LDAP
>         Fall-Through = 1
>
> Instead of this, if I put (as below) manually, the card associated with the AP. (LDAPPassword is the actual password)
>
> DEFAULT Auth-Type = LDAP, User-Password = LDAPPassword
>         Fall-Through = 1
>
> Waiting for your comments.
>
> Joseph
>
> Revised Log below.
>
> rad_recv: Access-Request packet from host 192.168.1.7:21646, id=16, length=125
>         User-Name = FAnthony
>         Framed-MTU = 1400
>         Called-Station-Id = 000e.d7b1.008b
>         Calling-Station-Id = 000f.2478.85cf
>         Message-Authenticator = 0xe8f0eb5a20be270bdf42e04b15641dd6
>         EAP-Message = 0x0202000d0146416e74686f6e79
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 495
>         Service-Type = Framed-User
>         NAS-IP-Address = 192.168.1.7
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module chap returns noop for request 0
> rlm_eap: EAP packet type notification id 2 length 13
> rlm_eap: EAP Start not found
> modcall[authorize]: module eap returns updated for request 0
> rlm_realm: No '@' in User-Name = FAnthony, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'o=MyOrg'
> radius_xlat: '(uid=FAnthony)'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 192.168.1.41:389, authentication 0
> rlm_ldap: bind as cn=Admin,o=MyOrg/deleted to 192.168.1.41:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
> ldap_release_conn: Release Id: 0
> radius_xlat: '((uid=FAnthony)(objectclass=top))'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in OU=MyLoc,O=MyOrg, with filter ((uid=FAnthony)(objectclass=top))
> rlm_ldap::ldap_groupcmp: User found in group OU=MyLoc,O=MyOrg
> ldap_release_conn: Release Id: 0
> users: Matched DEFAULT at 156
> users: Matched DEFAULT at 175
> modcall[authorize]: module files returns ok for request 0
> modcall[authorize]: module mschap returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for FAnthony
> radius_xlat: '(uid=FAnthony)'
> radius_xlat: 'o=MyOrg'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=MyOrg, with filter (uid=FAnthony)
> rlm_ldap: checking if remote access for FAnthony is allowed by proposedaltorgunit
> rlm_ldap: Added password (91CA074DSFSD4453936C9A32AF) in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user FAnthony authorized to use remote access
Re: Challenge Response
Barry,

Looks like I too am looking at the same problem, but could not find a solution. Can you please help me out on this. I am attaching my mail as a text file. Looking forward to your comments.

Joseph

(See attached file: details.txt)

Barry Stewart wrote (27/05/2004 01:03 AM):

> In case anyone is interested I finally got this working. I downloaded the latest snapshot from CVS. I edited 3 files:
>
> In radius.conf I configured the LDAP settings (ie server name, binddn, etc), and uncommented ldap in the Authorize section.
> In eap.conf I uncommented the peap section and most of the tls section.
> In clients.conf I simply allowed the class c I am using.
>
> Of course I will need to make this more secure by creating my own certs and such. This was also tested with a plain text password in LDAP so I will try using NT passwords (md4 I guess).
>
> Barry Stewart wrote:
>
>> I'm still trying to get PEAP working with LDAP. I'm wondering if the problem is with the client at this point. From the debugging output and ethereal it looks like the radius server keeps sending access challenges but the client just keeps sending requests in return instead of a response. If someone could confirm this or let me know I'm wrong I would appreciate it. I have pasted the output below.
>>
>> TIA
>> -Barry
>>
>> Starting - reading configuration files ...
>> reread_config: reading radiusd.conf
>> Config: including file: /usr/local/etc/raddb/proxy.conf
>> Config: including file: /usr/local/etc/raddb/clients.conf
>> Config: including file: /usr/local/etc/raddb/snmp.conf
>> Config: including file: /usr/local/etc/raddb/eap.conf
>> Config: including file: /usr/local/etc/raddb/sql.conf
>>  main: prefix = /usr/local
>>  main: localstatedir = /usr/local/var
>>  main: logdir = /usr/local/var/log/radius
>>  main: libdir = /usr/local/lib
>>  main: radacctdir = /usr/local/var/log/radius/radacct
>>  main: hostname_lookups = no
>>  main: max_request_time = 30
>>  main: cleanup_delay = 5
>>  main: max_requests = 1024
>>  main: delete_blocked_requests = 0
>>  main: port = 0
>>  main: allow_core_dumps = no
>>  main: log_stripped_names = no
>>  main: log_file = /usr/local/var/log/radius/radius.log
>>  main: log_auth = no
>>  main: log_auth_badpass = no
>>  main: log_auth_goodpass = no
>>  main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
>>  main: user = (null)
>>  main: group = (null)
>>  main: usercollide = no
>>  main: lower_user = no
>>  main: lower_pass = no
>>  main: nospace_user = no
>>  main: nospace_pass = no
>>  main: checkrad = /usr/local/sbin/checkrad
>>  main: proxy_requests = no
>>  proxy: retry_delay = 5
>>  proxy: retry_count = 3
>>  proxy: synchronous = no
>>  proxy: default_fallback = yes
>>  proxy: dead_time = 120
>>  proxy: post_proxy_authorize = yes
>>  proxy: wake_all_if_all_dead = no
>>  security: max_attributes = 200
>>  security: reject_delay = 1
>>  security: status_server = no
>>  main: debug_level = 0
>> read_config_files: reading dictionary
>> read_config_files: reading naslist
>> Using deprecated naslist file. Support for this will go away soon.
>> read_config_files: reading clients
>> read_config_files: reading realms
>> radiusd: entering modules setup
>> Module: Library search path is /usr/local/lib
>> Module: Loaded exec
>>  exec: wait = yes
VoIP Implementation
Hi people,

First of all I want to thank Allan to assist ourselves in any kind of question.

I proposed to myself and to my company if the VoIP service can be served with RADIUS. If so, I want to know how it will be possible and the steps to follow.

Thanks,
Santiago

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
authentication against freeradius using wireless VYYO modems
hi there. anyone here had experience on setting up VYYO broadband wireless modem to authenticate its MAC address against freeradius ? i cannot find any docs and source from www.vyyo.com that it can authenticate to Linux OS via freeradius...anyone? //milver
PEAP,TTLS + crypt UNIX password
Hello,

I want to know how it's possible to authenticate user with a unix like crypt password (in a file or in ldap) through a peap or ttls authentication?

--
Wilfried QUET
Université de Technologie de Compiègne
Service Informatique
tél. : 03 44 23 49 90
port.: 06 22 20 59 83
fax : 03 44 23 46 77
mail : [EMAIL PROTECTED]
Re: VoIP Implementation
> I proposed to myself and to my company if the VoIP service can be served with RADIUS. If so, I want to know how it will be possible and the steps to follow.

Yes it is bloody possible. My suggestion would be to gather data with regards to your VOIP box, the attributes and the like so it will be easy for you when you work around with your users file or database. I guess, start building up your freeradius + database first, troubles and challenges will come along the way. Good luck!

//milver
Access Reject
Hi all

I am trying the freeradius server version 0.9.3. Everything from compiling to installation went fine. When I give

radtest localhost testing123 127.0.0.1 10 testing123

it gives an Access reject error.

Regards
Thanks
Mahesh S Kudva
Only first Cisco-AVPair entry posted to cisco
I set multi Cisco-AVPair in users file, but only first is posted to Cisco router. Why?
Freeradius - Enterasys E1 802.1x Authentication HOWTO
Hi

I'm a student in computer sciences. In our network security class we are trying to get the 802.1x (dot1x) features of an Enterasys E1 Switch running with a freeradius server.

Unfortunately Enterasys is not very talkative about this on their webpage. Does anyone know of a HOWTO or tutorial about this issue?

Any help is kindly appreciated.

Thanks
Manuel Stadelmann
FreeRadius and Lucent MAX TNT for IVR setup
Ladies/Gents,

Second message reference this subject, first one seems to have lost its way!!

Has anyone implemented an IVR application using FreeRadius and Lucent MAX TNT gateways WITHOUT using Lucent's MVAM gatekeeper/controller software? We successfully have those gateways registering to GnuGK and FreeRadius for wholesale voice without any problems. Has anyone been able to achieve a calling card platform utilising a similar setup?

Thanks

Ahmad Ibrahim
Director
ABC (Europe) LTD
web: www.abc-europe.com

[EMAIL PROTECTED] wrote:

> Today's Topics:
>
> 1. Re: RH9 and Freeradius make error (Alan DeKok)
> 2. Re: FW: Need Assistance please (Alan DeKok)
> 3. Re: MS-CHAP/PEAP (Alan DeKok)
> 4. Help - a very different network config (Christopher M Bailey)
> 5. Freeradius + Mysql Issues! (Alexander Khoo)
> 6. RE: Freeradius + Mysql Issues! (Manjunath M Prabhu)
>
> Message: 1
> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: RH9 and Freeradius make error
> Date: Wed, 26 May 2004 21:25:58 -0400
>
> amar [EMAIL PROTECTED] wrote:
>> I installed RH9 issue of mysql (not dev.)
>
> Install the MySQL development RPM. Nothing else will solve the problem.
>
> Alan DeKok.
>
> Message: 2
> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: FW: Need Assistance please
> Date: Wed, 26 May 2004 21:27:37 -0400
>
> Rivera, Denis [EMAIL PROTECTED] wrote:
>> Alan, I'd first would like to extend my gratitude for answering my email.
>
> No need to be nice... I don't bruise easily.
>
>> Alan, the User Change Password Administrator etc., are already part of the LDAP schema (under the attribute securityRole) e.g.
>>
>> Uid=testuser
>> Attribute      Value
>> securityRole   Users
>
> The value should have the operator in it. e.g. +=Users
>
>> I've modified the file ldap.attrmap as follow (this is the only change I've made)
>>
>> replyItem Login-LAT-Group securityRole
>
> That should work.
>
>> I thought by modifying this line to match the LDAP attribute would return all values for the user (testuser) in the LDAP schema.
>
> No. The operators are still important.
>
> Alan DeKok.
>
> Message: 3
> From: Alan DeKok [EMAIL PROTECTED]
> Subject: Re: MS-CHAP/PEAP
> Date: Wed, 26 May 2004 21:29:24 -0400
>
> Damjan [EMAIL PROTECTED] wrote:
>> What are the differences between PEAP and EAP-TTLS?
>
> From a user perspective, both are similar. From a protocol design, PEAP is terrible, and EAP-TTLS is sane. But XP comes with PEAP, so what are you going to do?
>
>> Which one is more secure?
>
> Both are pretty much the same.
>
>> Which one has broader support in supplicants?
>
> XP comes with PEAP. Other than that, most supplicants support both.
>
>> Can I use both eap-ttls and peap?
>
> Yes.
>
> Alan DeKok.
>
> Message: 4
> Subject: Help - a very different network config
> From: Christopher M Bailey [EMAIL PROTECTED]
> Date: Thu, 27 May 2004 12:40:43 +1000
>
> Hi all
>
> Looking for some help. What I need to find out is how to config a radius to auth all my Wireless traffic before issuing an IP via DHCP, then letting it auth on a Windows, Novell or Apple LAN. The other catch is that I need to authenticate to a LDAP server upstream, while allowing all my hardwired PC's to obtain an IP via DHCP but bypassing the radius server.
>
> I believe I can do this with FreeRADIUS. I don't want much do I?
>
> Thanks,
> Chris Bailey
>
> Message: 5
> Date: Wed, 26 May 2004 20:47:28 -0700 (PDT)
> From: Alexander Khoo [EMAIL PROTECTED]
> Subject: Freeradius + Mysql Issues!
>
> Hi all,
>
> My goal is to use Freeradius with the sql module for authenticating users. I'm using version 0.9.3 (installed from rpms I created with the specfile that came with the tarball). I've been working off of this tutorial: http://www.frontios.com/freeradius.html
>
> I got but then I proceeded to follow the instructions for sql and have run in to some trouble. I followed all of the required steps and am unable to authenticate. I'm using the following command to test the server:
>
> radtest alexander jujai localhost 17 password
>
> and I get the following result:
>
> [EMAIL PROTECTED] root]# radtest alexander jujai localhost 17 password
> Sending Access-Request of id 240 to 127.0.0.1:1812
Re: PEAP,TTLS + crypt UNIX password
On Thu, 27 May 2004, Wilfried QUET wrote:

> Hello,
>
> I want to know how it's possible to authenticate user with a unix like crypt password (in a file or in ldap) through a peap or ttls authentication?

Through peap no, clear text passwords are required as far as i know. With ttls yes.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Multilink PPP
On Thu, 27 May 2004, Lee Norvall wrote:

> Hi
>
> I am currently looking into using MLPPP. I have added Simultaneous-Use := 2 but I cannot get this to work with the Cisco nas (setup in naspasswd and naslist and SNMP is working). Is there a different/better way to do this, just to allow multi-users?

You don't need to set simultaneous-use=2, rather port-limit=2

> Rgds

--
Kostas Kalevras
Re: rlm_eap_leap: No User-Password or NT-Password configured for this user
On Thu, 27 May 2004, Joseph Silvin wrote:

> Hi,
>
> Any ideas on this error. Waiting anxiously for some pointer to the right direction.
>
> rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
>
> Thanks
>
> rlm_ldap: Added password (91CA074DSFSD4453936C9A32AF) in check items

Are you *sure* that the () are needed?

> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

--
Kostas Kalevras
Re: Only first Cisco-AVPair entry posted to cisco
sy sy wrote:

> I set multi Cisco-AVPair in users file, but only first is posted to Cisco router. Why?

How did you assign the additional entries? Can you post your radius entries? The second and following entries should have the +=-assignment ...

-gg
Re: Freeradius - Enterasys E1 802.1x Authentication HOWTO
> Hi
>
> I'm a student in computer sciences. In our network security class we are trying to get the 802.1x (dot1x) features of an Enterasys E1 Switch running with a freeradius server.

Hi,

I'm using 802.1x on Enterasys switch, it works, then look: http://www.enterasys.com/support/manuals/hardware/3755_12.pdf, and go to chapter Security Configuration.

BE CAREFUL when enabling 802.1x/EAPOL, it activates by default and without confirmation on ALL SWITCH PORTS. Before enabling 802.1x, you have to set up all ports with FORCED AUTHORIZED MODE, and just set AUTO mode on the port you need once you are sure that you can connect to manage your switch.

By default, it activates RADIUS authentication on the serial port too but it works not well, and I don't find yet how to use or change that, my switch is in production I can't do what I want. Then if you can't connect on serial port, you have to stop your Freeradius server, or cut connection between. Then there's a timeout which allows classical password authentication.

I don't want troll but I think 802.1x on Enterasys is not well designed, it's very easy to do very big mistake.

In hope that can help you, I will be interested by return about your work, thx.

Fred

> Unfortunately Enterasys is not very talkative about this on their webpage. Does anyone know of an HOWTO or tutorial about this issue?
>
> Any help is kindly appreciated.
>
> Thanks
> Manuel Stadelmann
Re: dialup_admin web pages' buttons problem.
Hi Kostas,

On Mon, 24 May 2004, you wrote in reply to my posted message below. You wrote (in reply):

> Try asking for the corresponding pages directly, like:
> http://your-machine-name/dialupadmin-dir/accounting.php3

I did the above and I still get a blank page as before.

You also wrote (in reply):

> What do you mean by not loading?

Sorry for the mislead. I meant that the pages weren't showing what they were supposed to show and were showing blank pages or just a blank green screen. That is, after clicking on the buttons like "Accounting", "Statistics", "Online", "Users", "New User", "Edit Group", and "New Group".

In my httpd.conf I have also included:

AddType application/x-httpd-php .php3
AddType application/x-httpd-php .php4

I have also made sure that the general_base_dir path inside admin.conf is correct.

The other buttons like "Home", "User Statistics", "Bad Users", "Failed Logins", "Find User", "Show Groups", "Check Server", "Help" and "About" show properly when clicked on.

Is there anything else I'm missing?

Cheers,
Shannon

On Sun, 23 May 2004, Shannon Sariman wrote:

>> Hi All,
>>
>> I'm nearly there with dialup_admin being fully operational on my RH 8.0 machine, but some of the buttons like "Accounting", "Statistics", "Online Users", "New User", "Edit Group", and "New Group", aren't loading when I click on them, on my web browser. I have thoroughly (???), gone through each button's relevant php file and has seen no problem in the file (and so I think). My "include" statements in each respective php file look correct, but the buttons won't load their php files. Am I missing anything here?
>
> Try asking for the corresponding pages directly, like:
> http://your-machine-name/dialupadmin-dir/accounting.php3
>
> What do you mean by not loading?
>
>> Any help is much appreciated. Thanx in advance.
>>
>> Shannon
>
> --
> Kostas Kalevras
Re: rlm_eap_leap: No User-Password or NT-Password configured for this user
Hi,

I am not putting the brackets. It is coming automatically.

Also, just check this link and tell me does it have any bearing on what we are trying to achieve.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprofCommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.ee735fc

Thanks.
Joseph

Kostas Kalevras wrote (27/05/2004 05:09 PM):

> On Thu, 27 May 2004, Joseph Silvin wrote:
>
>> Hi,
>>
>> Any ideas on this error. Waiting anxiously for some pointer to the right direction.
>>
>> rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
>>
>> Thanks
>>
>> rlm_ldap: Added password (91CA074DSFSD4453936C9A32AF) in check items
>
> Are you *sure* that the () are needed?
>
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>
> --
> Kostas Kalevras
Server crash
Hi everybody,

I'm a new member. I have some problems using freeradius 0.9.3. First of all, I'll give you an overview of my authentication network:

Linux redhat workstation: the radius server is installed here.

NAS Servers:
1) Cisco router 3000 series (I named it 3000A)
2) Cisco router 3000 series (another one, I called it 3000C)
3) Cisco router 2500 series
4) Cisco router 4000 series
5) Cisco router 3000 series (I named it 3000B)

When I want to enter the router, I have to authenticate against radius server before. When I installed (and configured) the radius server for the first time, everything was ok: the server was able to process every authentication and I was able to enter and configure the routers.

Next, a strange problem has occurred on Cisco 2500 router: at the User Access Verification screen (where you have to type user and pass), if I type a username and/or a password which is defined into users file (and huntgroup too) everything is still ok, but if I type a user/pass which is NOT defined into user file, or whether it doesn't exist on the system (the authentication type is System), the server goes in Segmentation Fault and crashes.

Here are the output messages (that I get with radiusd X option):

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.255.255.10:1645, id=6, length=73
        NAS-IP-Address = 192.168.14.10
        NAS-Port = 2
        User-Name = fdsfdsf
        Calling-Station-Id = 192.168.1.25
        User-Password = dsfdsf
modcall: entering group authorize for request 0
Segmentation fault
[EMAIL PROTECTED] raddb]#

Note that user and pass actually don't exist, and at the User Access Verification screen, I get this:

User Access Verification
Username: fdsfdsf
Password:
% Backup authentication

Previously, this problem didn't occur against any other router, but now this occurs on 3000B and 4000 too (after I re-installed Linux OS and freeradius), while everything is still ok on 3000A router (it replies with %Authentication Failed message at User access verification screen instead of %Backup Authentication message).

Does anyone know the problem? In which way can I solve it? Please, I'm becoming crazy.

Bye,
Gianluca

Ps: Sorry for my bad English
Re: FreeRADIUS and mschapv2 problems
On Wed, May 26, 2004 at 11:14:51PM +0200, Dinko Korunic wrote:

> I've read this list archives thoroughly, and I've tried most of the stuff people were reporting. Is there anything else I could check? Should I try with NT-hashed passwords? Should I try with auth_ntlm to debug chap responses?

I'm posting the additional info on MSCHAPv2 problems with latest FreeRADIUS CVS.. in hope someone (Mr. DeKok?) would help me.

Using the radauth (Java-based demo RADIUS client available from http://www.axlradius.com), I've been able to narrow problem the already described problem:

* auth types of PAP, CHAP, EAPMD5, MSCHAP (v1) work fine,
* auth type of MSCHAPv2 doesn't work.

I'm positive I'm not sending any domain name, as following logs show (I've changed real IP's and DNS labels):

First, I'll try sending MSCHAPv1 request:

c:\Program Files\ntradping\theorem\radius3\examples\radauth>C:\Program Files\Java\j2re1.4.1_02\\bin\java.exe -classpath ..\..\radclient3.jar com.theorem.radius3.radutil.radauth test test123 MSCHAP testhost 1 musaka
Radtest running
RADIUS client version 3.28 Non-Random Demonstration Version
Authentication
---
Authenticating: test test123
Sending to server testhost:1812
Sending Attributes:
NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E
NAS-Port (5), Length: 6, Data: [# 1], 0x0001

--- Request Packet ---
Address: 127.0.0.1:1812
Packet Length: 112
Type: Access-Request(1)
Attributes:
NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E
NAS-Port (5), Length: 6, Data: [# 1], 0x0001
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-Challenge (11), Length: 10, Data: 0x6263000102030405
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-Response (1), Length: 52, Data: 0x1501C426DC63E3B2CA1F074891B1B9F30B3C14A322BBA8E315B35F88EAE179072BB4B02C5C3D195454360D6495B800043CEB
User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374

--- Response Packet ---
Address: 127.0.0.1:1812
Packet Length: 84
Type: Access-Accept(2)
Attributes:
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-MPPE-Keys (12), Length: 34, Data: 0xA5374830DF9E11F716212AB1B0FFEC7FBE298EE0A74E61D83A29CDFB2A366D08
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Policy (7), Length: 6, Data: [# 1 (PPP)], 0x0001
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Types (8), Length: 6, Data: [# 6], 0x0006

Authenticated
Attributes returned from server:
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-CHAP-MPPE-Keys (12), Length: 34, Data: 0xA5374830DF9E11F716212AB1B0FFEC7FBE298EE0A74E61D83A29CDFB2A366D08
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Policy (7), Length: 6, Data: [# 1 (PPP)], 0x0001
Vendor-Specific ID: Microsoft (311), VSA Count: 1
MS-MPPE-Encryption-Types (8), Length: 6, Data: [# 6], 0x0006

FreeRADIUS logs show us the success:

modcall: group authorize returns ok for request 6
rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: Told to do MS-CHAPv1 with NT-Password
modcall[authenticate]: module mschap returns ok for request 6
modcall: group Auth-Type returns ok for request 6
Login OK: [test] (from client testgate port 1)
Sending Access-Accept of id 91 to 127.0.0.2:3507

Let us now send an MSCHAPv2 request:

c:\Program Files\ntradping\theorem\radius3\examples\radauth>C:\Program Files\Java\j2re1.4.1_02\\bin\java.exe -classpath ..\..\radclient3.jar com.theorem.radius3.radutil.radauth test test123 MSCHAP2 testhost 1 musaka
Radtest running
RADIUS client version 3.28 Non-Random Demonstration Version
Re: PEAP,TTLS + crypt UNIX password
Hello,

What the inner protocol that permit to use unix crypt password in ttls?

Thanks for your response.

Kostas Kalevras wrote:

> On Thu, 27 May 2004, Wilfried QUET wrote:
>
>> Hello,
>>
>> I want to know how it's possible to authenticate user with a unix like crypt password (in a file or in ldap) through a peap or ttls authentication?
>
> Through peap no, clear text passwords are required as far as i know. With ttls yes.
>
> --
> Kostas Kalevras

--
Wilfried QUET
Université de Technologie de Compiègne
Re: PEAP,TTLS + crypt UNIX password
On Thu, 27 May 2004, Wilfried QUET wrote:

> Hello,
>
> What the inner protocol that permit to use unix crypt password in ttls?

PAP

> Thanks for your response.
>
> Kostas Kalevras wrote:
>
>> On Thu, 27 May 2004, Wilfried QUET wrote:
>>
>>> Hello,
>>>
>>> I want to know how it's possible to authenticate user with a unix like crypt password (in a file or in ldap) through a peap or ttls authentication?
>>
>> Through peap no, clear text passwords are required as far as i know. With ttls yes.

--
Kostas Kalevras
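Why the answer in this thread is PAP, as an added example (not code from the thread or from FreeRADIUS): with PAP inside the TTLS tunnel the server receives the password itself and can hash it against the stored value, while a challenge-response method (CHAP from RFC 1994 is used here as the simplest case) needs the cleartext on the server to compute the expected response. PBKDF2-SHA256 stands in for crypt(3), and the password, salt and challenge are constructed sample values.

```python
import hashlib
import hmac


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3) (assumption of this example): salted and one-way."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_pap(received_password: bytes, entry: dict) -> bool:
    """PAP: the password arrives in the clear (protected only by the TLS
    tunnel), so the server hashes it with the stored salt and compares."""
    candidate = one_way_hash(received_password, entry["salt"])
    return hmac.compare_digest(candidate, entry["hash"])


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes, entry: dict):
    """CHAP: the server must recompute the response from the cleartext secret.
    Returns None when the entry holds only a one-way hash, because the
    expected response cannot be computed at all."""
    cleartext = entry.get("cleartext")
    if cleartext is None:
        return None
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample data, not taken from the thread.
PASSWORD = b"constructed-password"
SALT = b"c0nstruc"
HASHED_ENTRY = {"salt": SALT, "hash": one_way_hash(PASSWORD, SALT)}
CLEARTEXT_ENTRY = {"cleartext": PASSWORD}
CHALLENGE = bytes(range(16))
IDENT = 7


def demo() -> dict:
    """Run both methods against both kinds of stored credential."""
    client_response = chap_response(IDENT, PASSWORD, CHALLENGE)
    # Using the stored hash as if it were the CHAP secret does not help:
    # the client computed its response from the real password.
    hash_as_secret = chap_response(IDENT, HASHED_ENTRY["hash"], CHALLENGE)
    return {
        "pap_vs_hash": verify_pap(PASSWORD, HASHED_ENTRY),
        "pap_wrong_password": verify_pap(b"guess", HASHED_ENTRY),
        "chap_vs_hash": verify_chap(IDENT, CHALLENGE, client_response, HASHED_ENTRY),
        "chap_vs_cleartext": verify_chap(IDENT, CHALLENGE, client_response, CLEARTEXT_ENTRY),
        "hash_used_as_secret_matches": hmac.compare_digest(hash_as_secret, client_response),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
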
Re: Freeradius - Enterasys E1 802.1x Authentication HOWTO
Hi Fred

Thank you for your response. The PDF will surely be very helpful.

Frédéric EVRARD wrote:

> In hope that can help you, I will be interested by return about your work, thx.

Well, I'll point you to our documentation when it's done. I hope you understand German, because that's what it will be written in.

Greetings
Manuel
Re: Freeradius + Mysql Issues!
Alexander Khoo [EMAIL PROTECTED] wrote:

> auth: type System
> modcall: entering group authenticate for request 0
> modcall[authenticate]: module unix returns notfound for request 0

What part of that message is unclear? The user wasn't found in /etc/passwd.

Alan DeKok.
Re: VoIP Implementation
[EMAIL PROTECTED] wrote:

> I proposed to myself and to my company if the VoIP service can be served with RADIUS. If so, I want to know how it will be possible and the steps to follow.

In the latest CVS, see src/billing

Alan DeKok.
Re: Server crash
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> if I type an user/pass which is NOT defined into user file, or whether it doesn't exist on the system (the authentication type is System), the server goes in Segmentation Fault and crashes.

See doc/bugs

Alan DeKok.
Re: FreeRADIUS and mschapv2 problems
Dinko Korunic [EMAIL PROTECTED] wrote:

> Using the radauth (Java-based demo RADIUS client available from http://www.axlradius.com), I've been able to narrow down the already described problem:
> * auth types of PAP, CHAP, EAPMD5, MSCHAP (v1) work fine,
> * auth type of MSCHAPv2 doesn't work.

Others are using MSCHAPv2 with the latest CVS snapshots. Are you sure that the client is OK?

> I'm especially confused with following data, extracted from RADIUS response:
>
> User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374
>
> How that *invalid* IP happened to be there?

Look at it more closely. Whatever packet sniffer you're using is crappy. It's printing out the username test as though it was an IP address. Note that the first and last numbers are the same, and map to the ASCII value for 't'.

Alan DeKok.
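The decoding mistake described above, as an added example that is not part of the original thread: a small RADIUS attribute parser that renders each value by its dictionary type, next to a helper that shows how the same four bytes read under every type. The attribute bytes are constructed from the values quoted in the post; the function names and the three-entry dictionary are assumptions for illustration.

```python
import socket
import struct

# Constructed sample: the attribute quoted in the post
# (type 1 = User-Name, length 6, value "test").
SAMPLE_ATTR = bytes([1, 6]) + b"test"

# Minimal dictionary: attribute number -> (name, data type), using the type
# names found in FreeRADIUS dictionary files.
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
}


def parse_attributes(buf: bytes):
    """Split a RADIUS attribute list into (type, raw value) pairs.

    Each attribute is type (1 byte), length (1 byte, counts the 2-byte
    header), then length - 2 bytes of value.
    """
    attrs = []
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[offset], buf[offset + 1]
        if length < 2 or offset + length > len(buf):
            raise ValueError("attribute length %d does not fit the buffer" % length)
        attrs.append((attr_type, buf[offset + 2:offset + length]))
        offset += length
    return attrs


def render(value: bytes, data_type: str):
    """Render a raw value according to its dictionary data type."""
    if data_type == "string":
        return value.decode("utf-8", errors="replace")
    if data_type in ("ipaddr", "integer"):
        if len(value) != 4:
            raise ValueError("%s needs exactly 4 bytes" % data_type)
        if data_type == "ipaddr":
            return socket.inet_ntoa(value)
        return struct.unpack("!I", value)[0]
    return "0x" + value.hex()  # unknown type: show raw octets


def decode(buf: bytes):
    """Decode attributes the way a dictionary-aware tool should."""
    decoded = []
    for attr_type, value in parse_attributes(buf):
        name, data_type = DICTIONARY.get(attr_type, ("Attr-%d" % attr_type, "octets"))
        decoded.append((name, render(value, data_type)))
    return decoded


def render_as_all_types(value: bytes) -> dict:
    """What a type-blind dump prints: every interpretation of the same bytes."""
    return {t: render(value, t) for t in ("string", "ipaddr", "integer", "octets")}


if __name__ == "__main__":
    print(decode(SAMPLE_ATTR))
    print(render_as_all_types(b"test"))
```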
Re: [Q]: Assigning VLANs and restricting logins?
Htin Hlaing [EMAIL PROTECTED] wrote:

> Would it be right to say that a RADIUS server in 802.1X authentication allows a client to be authenticated but can not unauthenticate an authenticated client and let the AP (NAS) know about this unauthentication.

Yes. This is in the FAQ. The RADIUS server does not, and can not, kick users offline.

> So, if I log on with my XP laptop through 802.1X successfully and then a few minutes later, the system admin logged off all users (including me) with the intent to force reauthentications. But, my laptop thinks it's still authenticated and logged in. Is there a way from the RADIUS server to notify the client so, the client detects it's unauthenticated and tries to start 802.1X session again.

No. See your AP documentation for possible ways to kick users offline. If there are no methods listed, it's impossible.

Alan DeKok.
EAP/TLS win2000
Hi all,

I'm using 802.1x/EAP-TLS on FreeRADIUS. It works fine with the Linux Xsupplicant but not with the Win2000 supplicant: when the supplicant receives the EAP request Identity packet, it doesn't answer anything and nothing happens... There are no logs, or I don't know how to find them. I've read several HOWTOs but nothing helped me. If someone has the solution.

THX.

Fred
FreeRadius+MySQL+PHP
Hello Folks,

Today I'm using FreeRadius getting login information from system user accounts. I wanna migrate the accounts to MySQL, and use FreeRadius+MySQL. I made some tests and today everything is working fine with this solution, FreeRadius+MySQL.

What I wanna know is if there exists a PHP admin interface or something like it to work with FreeRadius+MySQL.

Best Regards,

--
Felipe Neuwald [EMAIL PROTECTED] +55 61 3038-5038 +55 61 8135-8918
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x8AE508F3
user with more than one NAS Server
Hi!

I have several Cisco Dialin Servers (NAS). Some users should be able to dial in wherever they want, some users should only be able to dial in on two or three Dialin Servers and some only to one. Enabling users to dial in wherever they want is really simple, restricting users to dial in only to one NAS Server is simple too, but how can I let users dial in only to two NAS Servers?

Until now I solved this problem by inserting the user twice in the users file with two different NAS Servers (NAS-IP-Address). My question is, is there a better method to do so? Can I give a user more than one NAS-IP-Address option? For example:

    user Auth-Type:= Local, User-Password == **, NAS-IP-Address == 1.1.1.1 , NAS-IP-Address == 1.1.1.2

Regards, Ahmad

--
Ahmad Cheikh-Moussa NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499
Service: [EMAIL PROTECTED] -- http://NetUSE.DE/
Minimal, focused FreeRADIUS Server
Greetings fellow FreeRADIUS spelunkers!

I would like to create a minimal Fedora Core 2 machine to run FreeRADIUS with the ntlm_auth/winbind authentication to Active Directory. If I use the Fedora Core 2 minimal install, what additional libraries do I need to bring down with up2date in order to be able to successfully build the current CVS snapshot?

Thanks!

Kerry
RE: FreeRadius+MySQL+PHP
Hi Felipe,

check out dialup_admin that came with the package.

-----Original Message-----
From: Felipe Neuwald [mailto:[EMAIL PROTECTED]
Sent: Thursday 27 May 2004 15:49
To: [EMAIL PROTECTED]
Subject: FreeRadius+MySQL+PHP

> Hello Folks,
>
> Today I'm using FreeRadius getting login information from system user accounts. I wanna migrate the accounts to MySQL, and use FreeRadius+MySQL. I made some tests and today everything is working fine with this solution, FreeRadius+MySQL.
>
> What I wanna know is if there exists a PHP admin interface or something like it to work with FreeRadius+MySQL.
>
> Best Regards,
Re: MySql and freeRadius
Use mysql 4.0, not 4.1alpha or 5.0alpha. They have a bug in authentication of mysql which might get you into trouble.

On 24.03.2004, at 23:30, Kirti S. Bajwa wrote:

> Hello List:
>
> I want to make sure I am installing freeRADIUS & MySQL correctly. I installed (test installation) freeRADIUS (0.9.3) and MySQL 5.0.0 (?) from binaries on a RH9 machine. It tested fine. In the next couple of days, I am going to do a final installation of freeRADIUS & MySQL (with InnoDB).
>
> Questions:
>
> (1) With the above setup, what version of MySQL (binaries or rpm) should I use?
> (2) Do I still need a development package of MySQL to work with freeRADIUS? If YES, what version of MySQL?
>
> I am new to MySQL!!
>
> Kirti
>
> -----Original Message-----
> From: Keith Yoder [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 24, 2004 2:36 PM
> To: [EMAIL PROTECTED]
> Subject: Re: MySql and freeRadius
>
> John Que wrote:
>
>> As I understand, I must install the sources of MySql if I want to use rlm_sql in freeRadius (and not install the rpm for mySql Server and client).
>
> Actually, you can install the -devel rpms and that will allow you to compile the rlm_sql_mysql module. This will make sure all the libraries and header files get to the right places.

Andreas Fink
Global Networks Switzerland AG
--
Tel: +41-61-330 Fax: +41-61-334 Mobile: +41-79-2457333
Global Networks, Inc. Clarastrasse 3, 4058 Basel, Switzerland
Web: http://www.global-networks.ch/ [EMAIL PROTECTED]
--
PGP Fingerprint: B982 00B7 FFB5 0B33 BFF8 0F77 1E23 F3CA B4A3 D0B8
Re: FreeRADIUS and mschapv2 problems
On Thu, May 27, 2004 at 09:44:35AM -0400, Alan DeKok wrote:

> Others are using MSCHAPv2 with the latest CVS snapshots. Are you sure that the client is OK?

Unfortunately, I can confirm that I've been unsuccessful with 4 different Windows boxes using MSCHAPv2 which have been using Java RADIUS client as well as XP supplicant (as well as SecureW2 supplicant). Yet, they're all working fine with MD5/CHAP/MSCHAPv1/PAP. It could be my mistake, but I'm slightly running out of ideas what to do. I'll try to add some debug into rlm_mschap and see what is exactly happening.

> Look at it more closely. Whatever packet sniffer you're using is crappy. It's printing out the username test as though it was an IP address. Note that the first and last numbers are the same, and map to the ASCII value for 't'.

Yeps, you're absolutely right - seems like a bug in that Java client. Though, it is just an end-point packet dump.

--
Dinko 'kreator' Korunic
http://www.srce.hr/~kreator/ | http://kre.deviantart.com
PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo
Re: FreeRadius+MySQL+PHP
On Thu, May 27, 2004 at 10:48:57AM -0300, Felipe Neuwald wrote:

> What I wanna know, is if exist one PHP admin interface or something like it to work with FreeRadius+MySQL.

I've been using PHPMyadmin for Web-based PHP/MySQL interface. Though, it is a pure SQL client and you'll have to know things stated in FreeRADIUS documentation.
Re: Minimal, focused FreeRADIUS Server
If you're gonna be using winbind then obviously you'll need Samba. :-)

You'll need to make sure you've got gcc and related toolchains. For that, I recommend not doing a minimal install, but instead during the installation select samba and select the group of packages for getting gcc (I think they call it application development or something like that).

Aside from that, you should look for any errors when you do ./configure. If you see any errors about missing headers or libraries you can use "yum provides filename" to find out what RPM provides that file. Then just use "yum install packagename" to install it. Really, what could be easier?

On May 27, 2004, at 7:43 AM, Hughes, Kerry (KD) wrote:

> Greetings fellow FreeRADIUS spelunkers!
>
> I would like to create a minimal Fedora Core 2 machine to run FreeRADIUS with the ntlm_auth/winbind authentication to Active Directory. If I use the Fedora Core 2 minimal install, what additional libraries do I need to bring down with up2date in order to be able to successfully build the current CVS snapshot?
>
> Thanks!
>
> Kerry
Re: Server crash
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I've read it. I also have read the old messages in the mail archive, but my error is: Segmentation fault and not Segmentation fault (core dumped). Can u explain me better what I have to do?

Read doc/bugs. It explains what to do if you don't get a core dump.

Alan DeKok.
Re: FreeRadius+MySQL+PHP
Hello Dinko,

This isn't the best solution because it's not only me that will have access to the information. I think a GUI better than PHPMyAdmin would be good for this.

Regards,

On Thu, 2004-05-27 at 11:13, Dinko Korunic wrote:

> On Thu, May 27, 2004 at 10:48:57AM -0300, Felipe Neuwald wrote:
>
>> What I wanna know, is if exist one PHP admin interface or something like it to work with FreeRadius+MySQL.
>
> I've been using PHPMyadmin for Web-based PHP/MySQL interface. Though, it is a pure SQL client and you'll have to know things stated in FreeRADIUS documentation.
RE: FreeRadius+MySQL+PHP
Thanks Bart,

I'll check it. Once done, I'll give my opinion to the list.

Regards,

On Thu, 2004-05-27 at 10:59, Bart Van Daal wrote:

> Hi Felipe,
>
> check out dialup_admin that came with the package.
Re: Help - a very different network config
Christopher M Bailey [EMAIL PROTECTED] wrote:

> Looking for some help. What I need to find out is how to config a radius to auth all my Wireless traffic before issuing an IP via DHCP, then letting it auth on a Windows, Novell or Apple LAN.

Those three steps are completely independent, and can be configured separately. Only the first requires FreeRADIUS. The others have nothing to do with RADIUS.

> the other catch is that I need to authenticate to a LDAP server upstream,

FreeRADIUS can do that.

> while allowing all my hardwired PC's to obtain an IP via DHCP but bypassing the radius server.

They do this already. You don't have to configure FreeRADIUS for this.

> I believe I can do this with FreeRADIUS. I don't want much do I?

No. What you want is wireless authentication, probably with FreeRADIUS using an LDAP server to get passwords. Configure EAP, EAP-TLS, and PEAP in the server. See the docs and radiusd.conf for more details.

Alan DeKok.
Re: Freeradius + Mysql Issues!
Alexander Khoo wrote:

> Hi all,
>
> My goal is to use Freeradius with the sql module for authenticating users. I'm using version 0.9.3 (installed from rpms I created with the specfile that came with the tarball). I've been working off of this tutorial: http://www.frontios.com/freeradius.html I got but then I proceeded to follow the instructions for sql and have run in to some trouble. I followed all of the required steps and am unable to authenticate. I'm using the following command to test the server:
>
> ...snip...
>
> radius_xlat: 'alexander'
> rlm_sql (sql): sql_set_user escaped user -- 'alexander'
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'alexander' ORDER BY id'

Checked for alexander in radcheck.

> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

Checked for alexander in radgroupcheck and usergroup.

> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'alexander' ORDER BY id'

Checked for alexander in radreply.

> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

Checked for alexander in radgroupreply and usergroup.

> rlm_sql (sql): No matching entry in the database for request from user [alexander]

Did not find sufficient information in db.

> ...snip...
>
> And here's the only entry in my radcheck table:
>
> +----+-----------+-----------+----+----------+
> | id | UserName  | Attribute | op | Value    |
> +----+-----------+-----------+----+----------+
> | 1  | alexander | Password  | == | password |
> +----+-----------+-----------+----+----------+

I think you need an entry in usergroup.

This is the sample data I use for testing:

NOTE: The delete lines will EMPTY your tables.
NOTE: The encrypted password for troll is skunk in MD5.

---8 cuthere 8---
delete from usergroup ;
insert into usergroup (username,groupname) values('fredf','ppp-unlimited');
insert into usergroup (username,groupname) values('barneyr','ppp-static');
insert into usergroup (username,groupname) values('troll','ppp-unlimited');
insert into usergroup (username,groupname) values('frog','nas-prompt');

delete from radcheck ;
insert into radcheck (username,attribute,op,value) values('fredf','User-Password','==','wilma');
insert into radcheck (username,attribute,op,value) values('barneyr','User-Password','==','betty');
insert into radcheck (username,attribute,op,value) values('troll','Crypt-Password','==','$1$A8BotTi4$UTg2XL.fSStI2RFENUfnR.');
insert into radcheck (username,attribute,op,value) values('frog','User-Password','==','kermit');

delete from radreply ;
insert into radreply (username,attribute,op,value) values('barneyr','Framed-IP-Address',':=','10.19.65.38');
insert into radreply (username,attribute,op,value) values('barneyr','Framed-IP-Netmask',':=','255.255.255.252');

delete from radgroupcheck ;

delete from radgroupreply ;
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-unlimited','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-Protocol',':=','PPP');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values('ppp-static','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Framed-MTU',':=','1500');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Framed-Compression',':=','Van-Jacobson-TCP-IP');
insert into radgroupreply (groupname,attribute,op,value) values('nas-prompt','Service-Type',':=','NAS-Prompt');
---8 cuthere 8---

Hope this helps.
FreeRADIUS + MySQL +EAP-TLS
Hi,

I'm trying to install a system with FreeRADIUS and MySQL and EAP-TLS as authentication protocol. Everything works, but I have a problem (I think it's a problem of configuration): if I have a client with a valid certificate, even though the sql module doesn't recognize the client (user-name doesn't exist in check list), the eap module always accepts that client, so the authorize section always returns Access-Accept!!

Here's part of the debug:

rad_recv: Access-Request packet from host 134.214.78.43:6001, id=134, length=1256
    User-Name = LEPILLEUR Benjamin
    NAS-IP-Address = 134.214.78.43
    Called-Station-Id = 00-08-02-76-8d-32
    Calling-Station-Id = 00-04-23-71-13-4c
    NAS-Identifier = PTSGSF3
    State = 0xc89112eb62ee9f6f95ca9d43f018c9378ff6b54098811a92e7909de796d82c6ebc2dc2c1
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Message-Authenticator = 0xbd5a866d0c2167835c811f8122ff9ada
modcall: entering group authorize for request 3
radius_xlat: 'LEPILLEUR Benjamin'
rlm_sql (sql): sql_set_user escaped user -- 'LEPILLEUR Benjamin'
radius_xlat: 'SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id
rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck
radius_xlat: ''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module sql returns ok for request 3
radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20040527'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20040527
modcall[authorize]: module auth_log returns ok for request 3
rlm_eap: EAP packet type notification id 5 length 1085
rlm_eap: EAP Start not found
modcall[authorize]: module eap returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 3
rlm_eap: EAP packet type notification id 5 length 1085
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Length Included
rlm_eap_tls: TLS 1.0 Handshake [length 02f7], Certificate
chain-depth=1, error=0
-- User-Name = LEPILLEUR Benjamin
-- BUF-Name = IDX-PKI Operational CA
-- subject = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI Operational CA
-- issuer = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI
Re: user with more than one NAS Server
> My question is, is there a better method to do so ? Can I give a user more than one NAS-IP-Address option ? For example:
>
>     user Auth-Type:= Local, User-Password == **, NAS-IP-Address == 1.1.1.1 , NAS-IP-Address == 1.1.1.2

Maybe you can use one regexp (=~) instead of multiple plain compares (==).

--
Gerald
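What a single-regexp check for the two addresses in the question has to get right, as an added example that is not part of the original thread: the dots must be escaped and the pattern anchored, otherwise addresses other than the two intended ones also pass. Python's `re` is used as a stand-in for the server's regex engine (an assumption), the candidate addresses are constructed, and the quoting rules of the users file are not shown.

```python
import re

# The two NAS addresses from the question.
ALLOWED_NAS = ["1.1.1.1", "1.1.1.2"]

# Constructed candidates: the two allowed addresses plus near misses.
CANDIDATES = [
    "1.1.1.1",
    "1.1.1.2",
    "1.1.1.3",
    "1.1.1.10",   # allowed address followed by an extra digit
    "11.1.1.1",   # allowed address preceded by an extra digit
    "1a1b1c2",    # not an address at all; passes when '.' means "any character"
]


def strict_pattern(addresses):
    """Build one anchored pattern that matches exactly the listed addresses."""
    alternatives = "|".join(re.escape(addr) for addr in addresses)
    return "^(?:%s)$" % alternatives


def naive_pattern(addresses):
    """The tempting shortcut: join the addresses as-is, no escaping, no anchors."""
    return "|".join(addresses)


def accepted(pattern, candidates):
    """Return the candidates a regex *search* with this pattern lets through."""
    compiled = re.compile(pattern)
    return [c for c in candidates if compiled.search(c)]


if __name__ == "__main__":
    for label, pattern in (("naive", naive_pattern(ALLOWED_NAS)),
                           ("strict", strict_pattern(ALLOWED_NAS))):
        print("%-6s %-32s -> %s" % (label, pattern, accepted(pattern, CANDIDATES)))
```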
Re: Access Reject
Set the port number 1812...

D

----- Original Message -----
From: Mahesh S Kudva
To: [EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 10:52 AM
Subject: Access Reject

> Hi all
>
> I am trying the freeradius server version 0.9.3. Everything from compiling to installation went fine. When I give
>
>     radtest localhost testing123 127.0.0.1 10 testing123
>
> it gives an Access reject error.
>
> Regards, Thanks
> Mahesh S Kudva
Re: Freeradius + Mysql Issues!
You need to have jujai in your table.

--- Alexander Khoo [EMAIL PROTECTED] wrote:

> Hi all,
>
> My goal is to use Freeradius with the sql module for authenticating users. I'm using version 0.9.3 (installed from rpms I created with the specfile that came with the tarball). I've been working off of this tutorial: http://www.frontios.com/freeradius.html I got but then I proceeded to follow the instructions for sql and have run in to some trouble. I followed all of the required steps and am unable to authenticate. I'm using the following command to test the server:
>
> radtest alexander jujai localhost 17 password
>
> and I get the following result:
>
> [EMAIL PROTECTED] root]# radtest alexander jujai localhost 17 password
> Sending Access-Request of id 240 to 127.0.0.1:1812
>     User-Name = alexander
>     User-Password = jujai
>     NAS-IP-Address = gk.orbit2000.net
>     NAS-Port = 17
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240, length=20
>
> Here is a snippet of the output produced when I run in debug mode:
>
> rad_recv: Access-Request packet from host 127.0.0.1:32769, id=240, length=61
>     User-Name = alexander
>     User-Password = jujai
>     NAS-IP-Address = 255.255.255.255
>     NAS-Port = 17
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module chap returns noop for request 0
> modcall[authorize]: module eap returns noop for request 0
> rlm_realm: No '@' in User-Name = alexander, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> radius_xlat: 'alexander'
> rlm_sql (sql): sql_set_user escaped user -- 'alexander'
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'alexander' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'alexander' ORDER BY id'
> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'alexander' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): No matching entry in the database for request from user [alexander]
> rlm_sql (sql): Released sql socket id: 4
> modcall[authorize]: module sql returns notfound for request 0
> users: Matched DEFAULT at 152
> modcall[authorize]: module files returns ok for request 0
> modcall[authorize]: module mschap returns noop for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type System
> auth: type System
> modcall: entering group authenticate for request 0
> modcall[authenticate]: module unix returns notfound for request 0
> modcall: group authenticate returns notfound for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 240 to 127.0.0.1:32769
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 240 with timestamp 40b49ae9
> Nothing to do. Sleeping until we see a request.
>
> And here's the only entry in my radcheck table:
>
> +----+-----------+-----------+----+----------+
> | id | UserName  | Attribute | op | Value    |
> +----+-----------+-----------+----+----------+
> | 1  | alexander | Password  | == | password |
> +----+-----------+-----------+----+----------+
>
> Any suggestions would be greatly appreciated. I've been working on this for several days now and haven't made much progress. I hope I've done enough footwork on my own to keep away the flames :)
>
> Thanks in advance,
Re: FreeRADIUS and mschapv2 problems
On Thu, May 27, 2004 at 10:36:49AM -0400, Alan DeKok wrote:

> I've tested with the latest CVS snapshot, using a copy of an MS-CHAPv2 session I've had sitting around for months, and which was taken from a non-FreeRADIUS client. It works for me. Are you sure you're running the latest CVS snapshot?

Yeps, taken from CVS these days:

static const char rcsid[] = "$Id: rlm_mschap.c,v 1.58 2004/05/25 19:08:48 aland Exp $";

Here's some debug info from code I've added in mschap module. Please, tell me if it does help you:

rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
rlm_mschap: peer challenge 43, our challenge 53, username test, chapv1 challenge 6
rlm_mschap: password c5, response a6, calculated c1
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Source is here:

diff -u -r1.58 rlm_mschap.c --- rlm_mschap.c25 May 2004 19:08:48 - 1.58 +++ rlm_mschap.c27 May 2004 15:27:11 - @@ -709,6 +709,7 @@ } lrad_mschap(password-strvalue, challenge, calculated); + DEBUG2( rlm_mschap: password %x, response %x, calculated %x, *(password-strvalue), *response, *calculated); if (memcmp(response, calculated, 24) != 0) { return -1; } @@ -1190,6 +1191,7 @@ DEBUG2( rlm_mschap: Told to do MS-CHAPv2 for %s with NT-Password, username_string); + DEBUG2( rlm_mschap: peer challenge %x, our challenge %x, username %s, chapv1 challenge %x, *(response-strvalue + 2), *(challenge-strvalue), username_string, *mschapv1_challenge); if (do_mschap(inst, request, nt_password, mschapv1_challenge, response-strvalue + 26, nthashhash) 0) {
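Review bot: in the first hunk, the DEBUG2 added after the lrad_mschap call prints `*response` and `*calculated` with %x, which is one byte of each, while the memcmp on the next line compares 24 bytes, so the output cannot show where the two values diverge; loop over all 24 bytes of response and calculated and print them as hex. The same line also writes the first byte of the password value to the debug log, which should be dropped before anything like this is committed.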
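Review bot: in the second hunk, the DEBUG2 added before the do_mschap call has the same single-byte limitation: the peer challenge, the server challenge and `*mschapv1_challenge` are each dereferenced once and printed with %x. Since mschapv1_challenge is the buffer handed to do_mschap, print it in full (and the two challenges beside it) so the log can be compared with a client-side trace; a matching first byte proves nothing about the rest.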
Help with Counter module
rlm_counter: Authorized user user, check_item=120, counter=0
rlm_counter: Sent Reply-Item for user user, Type=Session-Timeout, value=120
modcall[authorize]: module daily returns ok for request 1
modcall: group authorize returns ok for request 1
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 89 to 172.16.1.2:1059
    Service-Type = Login-User
    Session-Timeout = 120
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 172.16.1.2:1060, id=90, length=130
    User-Name = user
    NAS-IP-Address = 172.16.1.2
    NAS-Identifier = 00e081526836
    Acct-Status-Type = Start
    Calling-Station-Id = 00-0c-f1-13-7a-43
    Called-Station-Id = 00-e0-81-52-68-36
    Acct-Session-Id = 1-000cf1137a43-1085667568-413-3KviFEgY
modcall: entering group preacct for request 2
modcall[preacct]: module preprocess returns noop for request 2
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module suffix returns noop for request 2
modcall[preacct]: module files returns noop for request 2
modcall: group preacct returns noop for request 2
modcall: entering group accounting for request 2
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.16.1.2,NAS-IP-Address = 172.16.1.2,Acct-Session-Id = 1-000cf1137a43-1085667568-413-3KviFEgY,User-Name = user'
rlm_acct_unique: Acct-Unique-Session-ID = 0d62303b8e51c196.
modcall[accounting]: module acct_unique returns ok for request 2
radius_xlat: '/var/log/radius/radacct/172.16.1.2/detail-20040527'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.16.1.2/detail-20040527
modcall[accounting]: module detail returns ok for request 2
rlm_counter: We only run on Accounting-Stop packets.
modcall[accounting]: module daily returns noop for request 2
modcall[accounting]: module unix returns noop for request 2
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'user'
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
modcall[accounting]: module radutmp returns noop for request 2
modcall: group accounting returns ok for request 2
Sending Accounting-Response of id 90 to 172.16.1.2:1060
Finished request 2
Going to the next request
Cleaning up request 2 ID 90 with timestamp 40b5faea
rl_next: returning NULL
Waking up in 6 seconds...

Here is the debug of radiusd -X for the logging out:

rad_recv: Accounting-Request packet from host 172.16.1.2:1061, id=71, length=136
    User-Name = user
    NAS-IP-Address = 172.16.1.2
    NAS-Identifier = 00e081526836
    Acct-Status-Type = Stop
    Calling-Station-Id = 00-0c-f1-13-7a-43
    Called-Station-Id = 00-e0-81-52-68-36
    Acct-Session-Id = 1-000cf1137a43-1085667568-413-3KviFEgY
    Acct-Session-Time = 126
modcall: entering group preacct for request 3
modcall[preacct]: module preprocess returns noop for request 3
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
modcall[preacct]: module suffix returns noop for request 3
modcall[preacct]: module files returns noop for request 3
modcall: group preacct returns noop for request 3
modcall: entering group accounting for request 3
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.16.1.2,NAS-IP-Address = 172.16.1.2,Acct-Session-Id = 1-000cf1137a43-1085667568-413-3KviFEgY,User-Name = user'
rlm_acct_unique: Acct-Unique-Session-ID = 0d62303b8e51c196.
modcall[accounting]: module acct_unique returns ok for request 3
radius_xlat: '/var/log/radius/radacct/172.16.1.2/detail-20040527'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.16.1.2/detail-20040527
modcall[accounting]: module detail returns ok for request 3
rlm_counter: Packet Unique ID = '0d62303b8e51c196'
rlm_counter: Could not find Service-Type attribute in the request. Returning NOOP.
modcall[accounting]: module daily returns noop for request 3
modcall[accounting]: module unix returns noop for request 3
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'user'
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
modcall[accounting]: module radutmp returns noop for request 3
modcall: group accounting returns ok for request 3
Sending Accounting-Response of id 71 to 172.16.1.2:1061
Finished request 3
Going to the next request
clients.conf
Hi, How should I configure clients.conf if I would like every NAS that wants to connect to my RADIUS server to be able to do so? Because they have dynamic IP addresses, I can't set this in clients.conf. client 0.0.0.0{ secret= mysecret } Any other attributes? Thanks, David
RE: Multilink PPP
Hi I have added port-limit=2, but the user is still getting error 52, duplicate name exists on network. I tried this in both group-check and group-reply. Rgds Lee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kostas Kalevras Sent: 27 May 2004 12:38 To: [EMAIL PROTECTED] Subject: Re: Multilink PPP On Thu, 27 May 2004, Lee Norvall wrote: Hi I am currently looking into using MLPPP. I have added Simultaneous-Use := 2 but I cannot get this to work with the Cisco nas (setup in naspasswd and naslist and SNMP is working). Is there a different/better way to do this, just to allow multi-users? You don't need to set simultaneous-use=2, rather port-limit=2 Rgds -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fail-Over
Hello, I have read configurable_failover three times but I cannot get FreeRADIUS failover working with ippool. I have two pools that I want to use for all my users. I need FreeRADIUS to start assigning IPs from the second pool when the first is full. I do not know what I must read to do it. Can somebody help me? Thank you.
Re[2]: FreeRADIUS and mschapv2 problems
Dear Alan DeKok, there is a bug in MS-CHAPv2 if do_ntlm_auth is configured: /* * Update the NT hash hash, from the NT key. */ if (hex2bin(buffer + 8, nthashhash, 16) != 16) { Buffer hash nthash, additional md4() is required to get nthashhash from nthash. I don't understand why the nthashhash computation is moved to do_mschap, because it's only required in MS-CHAPv2. I have no chance to test, so I will not risk applying a patch myself. This bug has nothing to do with the problems discussed. --Thursday, May 27, 2004, 6:36:49 PM, you wrote to [EMAIL PROTECTED]: AD Dinko Korunic [EMAIL PROTECTED] wrote: Unfortunately, I can confirm that I've been unsuccessful with 4 different Windows boxes using MSCHAPv2 which have been using Java RADIUS client as well as XP supplicant (as well as SecureW2 supplicant). Yet, they're all working fine with MD5/CHAP/MSCHAPv1/PAP.. It could be my mistake, but I'm slightly running out of ideas what to do. AD I've tested with the latest CVS snapshot, using a copy of an MS-CHAPv2 session I've had sitting around for months, and which was taken from a non-FreeRADIUS client. It works for me. AD Are you sure you're running the latest CVS snapshot? AD Alan DeKok. -- ~/ZARAZA
Re[2]: FreeRADIUS and mschapv2 problems
Dear Dinko Korunic, --Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]: DK User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374 Look at Length carefully. It must be 4 bytes, not 6, it's probably a bug in your client. Unlike MS-CHAPv1, MS-CHAPv2 uses username in response calculation. Your client adds some noise (probably nulls) to username, and probably uses additional bytes in response calculation (Java uses no NULLs in strings) while FreeRADIUS ignores trailing NULLs. -- ~/ZARAZA
Re[2]: FreeRADIUS and mschapv2 problems
Dear Dinko Korunic, --Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]: DK NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E DK User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374 DK How that *invalid* IP happened to be there? Isn't that a bug? From all the info, seems that latest rlm_chap isn't working properly with MSCHAPv2. Is there anything I can do? It's the same problem. NAS-IP-Address has a length of 6 bytes, but it must be 4. Ask the client software developers to correct this. -- ~/ZARAZA
Re[3]: FreeRADIUS and mschapv2 problems
Dear 3APA3A, --Thursday, May 27, 2004, 8:29:05 PM, you wrote to [EMAIL PROTECTED]: 3 Buffer hash nthash, additional md4() is required to get nthashhash from nthash. Typo. I mean buffer _has_ (contains) nthash, to convert nthash to nthashhash additional MD4 is required. -- ~/ZARAZA
Re: [Q]: Assigning VLANs and restricting logins?
hi strictly speaking, server-to-client communication is not defined within the RADIUS protocol, which follows the client-server comm. model. this possibility does exist in DIAMETER (if you find an NAS which understands it, please shout!) practically, cisco does something like that in RADIUS (but it's of course proprietary to the cisco equipment) and you can disconnect by using scripts etc., i.e. basically by leaving the radius context. ciao artur Damjan wrote: Admin can/would log off the logged in clients on the domain that the RADIUS server resides. That's not a problem. But how does one tell NAS equipment about it? In my case, What would be the protocol to ask NAS equipment to disassociate certain clients? Obviously that depends from NAS to NAS, for ex. I can telnet into my dial-up access server and kick a user by his ID. btw, if you don't tell the NAS equipment that a user should be logged-off you've done nothing by Admin can/would log off the logged in clients on the domain that the RADIUS server resides. What would that accomplish (I don't even understand how do you think that will work?!?)
Re: EAP/TLS win2000
i think the problem is that you are trying to use WEP within your access point but no WEP is configured within the 802.11 client on the terminal (which is NOT included in Win2k). use the external 802.11 client of your wireless network adapter and activate WEP (whichever form of it). that will permit the Win2K built-in 802.1X client to communicate. ciao artur Frédéric EVRARD wrote: Hi all, I'm using 802.1x/EAP-TLS on FreeRADIUS, it works fine with linux Xsupplicant but not with Win2000 supplicant, when supplicant receives EAP request Identity packet, it doesn't answer anything and nothing happens... There are no logs or I don't know how to find them. I've read several HOWTOs but nothing helped me. If someone has the solution. THX. Fred
Re: FreeRADIUS + MySQL +EAP-TLS
yes, that's normal since the authentication works for ALL validly certified clients. you have to explicitly REJECT the users NOT in your data base. ciao artur NGUYEN Tuan Anh wrote: Hi, I'm trying to install a system with FreeRADIUS and MySQL and EAP-TLS as authentication protocol. Everything works, but I have a problem (I think it's a problem of configuration) : If I have a client with a valid certificate, even though the sql module doesn't regcognize the client (user-name doesn't existe in check list, the eap module always accept that client so the authorize section always return Acess-Accept!! Here 's part of the debug : rad_recv: Access-Request packet from host 134.214.78.43:6001, id=134, length=1256 User-Name = LEPILLEUR Benjamin NAS-IP-Address = 134.214.78.43 Called-Station-Id = 00-08-02-76-8d-32 Calling-Station-Id = 00-04-23-71-13-4c NAS-Identifier = PTSGSF3 State = 0xc89112eb62ee9f6f95ca9d43f018c9378ff6b54098811a92e7909de796d82c6ebc2dc2c1 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205043d0d80043316030104030b0002f30002f2ed308202e930820252a00302010202020805300d06092a864886f70d01010505003045310b300906035504061302465231153013060355040a130c54454c45434f4d2d4c444150311f301d060355040313164944582d504b49204f7065726174696f6e616c204341301e170d3034303332323135343634345a170d3035303332323135343634345a3051310b3009060355040613024652310d300b060355040a1304494e534131163014060355040b130d54656c65636f6d202d20475346311b3019060355040313124c4550494c4c422042656e6a616d696e30819f300d06092a8648 EAP-Message = 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 EAP-Message = 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 EAP-Message = 
0xde8fb4f97b3bb969e68e4ab80c73bc10820080111d7cb9d30649cac83e726c7c0d3f2513824e554db91feb1cc0c6d9188c625dab13d21750a259d6e53f6375f1687e529d55ae80079b007e163bcff10a6eaac9832d3ec16341eecc335044436e40d9ae4c5011cb6b3fd6730283be164eb76e9c71d5776947acaebda2efef9f5f5712fb222bef84f2fa392505ab50523c04f40b0f820080904cb7af1212010b2d9377082c19aed35a83cdc9cc4a0f8d630c88d7996a86ec897f499caa6cb077b2d31d717211544d9c5e8e813c8b152d2d23f1de6b390873d62b33d2088eb3161acc5ed71c2d7df759c99d231f4af4e92671b30fbd545ebdde10 EAP-Message = 0x8121e1559fea1e3bffa3f781d173bc9147524762908effca4d1e6cb7d83914030100010116030100202e9086427690428d6a55f8e7e92f92a81884b32d074bb23725aca664aedbde6e Message-Authenticator = 0xbd5a866d0c2167835c811f8122ff9ada modcall: entering group authorize for request 3 radius_xlat: 'LEPILLEUR Benjamin' rlm_sql (sql): sql_set_user escaped user -- 'LEPILLEUR Benjamin' radius_xlat: 'SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck radius_xlat: '' radius_xlat: '' rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module sql returns ok for request 3 radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20040527' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20040527 modcall[authorize]: module auth_log returns ok for request 3 rlm_eap: EAP packet type notification id 5 length 1085 rlm_eap: EAP Start not found modcall[authorize]: module eap returns updated for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type EAP modcall: entering group authenticate for request 3 rlm_eap: EAP packet type notification id 5 length 1085 
rlm_eap: EAP Start not found rlm_eap: Request found, released from the list rlm_eap: EAP_TYPE - tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: Length Included rlm_eap_tls: TLS 1.0 Handshake [length 02f7], Certificate chain
Question regarding shared secret ..!!
Hi All, I would like to ask a general question about RADIUS Server.
Case 1: N1 = NAS Client, R1 = RADIUS Server. N1 shared secret = 1, R1 shared secret = 2. Then should there be a silent discard at R1 for a request, or should R1 respond to N1, and N1 should check the authenticator and on the mismatch drop the packet on its return?
Case 2: N1 = NAS Client, P1 = Proxy RADIUS Server, R1 = RADIUS Server. N1 shared secret = 1, P1 shared secret = 1, R1 shared secret = 2. Then in this case should the packet be dropped at R1, or should it be returned from R1 to P1 and then dropped?
What should be the answer for case 1 and 2 and WHY. Your answers are valuable for me. Regards, Asif Mekrani
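The mechanics behind Case 1, as an added example that is not part of the original post: under RFC 2865 a plain Access-Request carries no integrity check, so a server holding the wrong secret can only mis-decrypt User-Password and reply, and the NAS then discards the reply because the Response Authenticator does not verify; when the request carries a Message-Authenticator (RFC 2869/3579), the server itself discards it silently. The secrets "1" and "2" come from the question; the user name, password, packet id and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}


def attr(attr_type, value):
    # RADIUS attribute: type, length (covers the 2 header octets too), value.
    return bytes([attr_type, len(value) + 2]) + value


def crypt_password(data, secret, req_auth, decrypt=False):
    # RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous
    # ciphertext block), starting from the Request Authenticator.
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out.rstrip(b"\x00") if decrypt else out


def build_request(secret, ident, user, password, sign):
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user)
    attrs += attr(USER_PASSWORD, crypt_password(password, secret, req_auth))
    if sign:  # placeholder of 16 zero octets, filled in below
        attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet += req_auth + attrs
    if sign:  # HMAC-MD5 over the whole packet, keyed with the shared secret
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = (pos + 2, packet[pos + 2:pos + length])
        pos += length
    return attrs


def server_handle(packet, secret, users):
    """Return the reply packet, or None when the request is silently discarded."""
    ident, req_auth = packet[1], packet[4:20]
    attrs = parse_attrs(packet)
    if MESSAGE_AUTHENTICATOR in attrs:
        offset, mac = attrs[MESSAGE_AUTHENTICATOR]
        zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(mac, expected):
            return None
    user = attrs[USER_NAME][1]
    password = crypt_password(attrs[USER_PASSWORD][1], secret, req_auth, True)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)
    return head + hashlib.md5(head + req_auth + secret).digest()


def nas_accepts(reply, req_auth, secret):
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def exchange(nas_secret, server_secret, sign):
    users = {b"user": b"pass"}  # constructed account on R1
    request = build_request(nas_secret, 7, b"user", b"pass", sign)
    reply = server_handle(request, server_secret, users)
    if reply is None:
        return "server silently discards request"
    name = CODE_NAMES[reply[0]]
    if not nas_accepts(reply, request[4:20], nas_secret):
        return "server sent %s, NAS discards reply" % name
    return "NAS receives %s" % name


if __name__ == "__main__":
    for label, args in [("matching secrets", (b"1", b"1", False)),
                        ("Case 1, unsigned request", (b"1", b"2", False)),
                        ("Case 1, signed request", (b"1", b"2", True))]:
        print(label + ":", exchange(*args))
```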
Re: Access Reject
congratulations, your server works as it should. Access Reject is NOT an error, it's what the server is supposed to do for the unknown users. ciao artur ps [EMAIL PROTECTED]:~$ radtest --help Usage: radtest user passwd radius-server[:port] nas-port-number secret i don't think you have a user named localhost with passwd testing123. Mahesh S Kudva wrote: Hi all I am trying the freeradius server version 0.9.3. Everything from compiling to installation went fine. When I give radtest localhost testing123 127.0.0.1 10 testing123 it gives an Access reject error. Regards Thanks Mahesh S Kudva
Re: Challenge Response
I'm no expert with freeradius as a matter of fact I'm a newbie. I was able to get it working with PEAP and LDAP after a few days of banging my head against the wall. I got help from several people on this mailing list. The last thing I did (I was almost ready to give up) was download the latest snapshot from CVS. I had played around with the conf files enough to know this part by heart. For the most part it's just the way I described it. What is your setup? Are you trying to authenticate Windows XP clients? If so, mschap/peap is built into it so you're stuck using it. I didn't see peap in your output but I did see leap. If you trying to authenticate XP clients this is wrong (at least I think it is). Joseph Silvin wrote: Barry, Looks like i too am looking at the same problem, but could not find a solution. Can you please help me out on this. I am attaching my mail as a text file. Looking forward to your comments. Joseph (See attached file: details.txt) Barry Stewart [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent by:cc: [EMAIL PROTECTED]Subject: Re: Challenge Response eradius.org 27/05/2004 01:03 AM Please respond to freeradius-users In case anyone is interested I finally got this working. I downloaded the latest snapshot from CVS. I edited 3 files: In radius.conf I configured the LDAP settings (ie server name, binddn,etc), and uncommented ldap in the Authorize section. In eap.conf I uncommented the peap section and most of the tls section. In clients.conf I simply allowed the class c I am using. Of course I will need to make this more secure by creating my own certs and such. This was also tested with a plain text password in LDAP so I will try using NT passwords (md4 I guess). Barry Stewart wrote: I'm still trying to get PEAP working with LDAP. I'm wondering if the problem is with the client at this point. 
From the debugging out put and ethereal it looks like the radius server keeps sending access challenges but the client just keeps sending requests in return instead of a response. If someone could confirm this or let me know I'm wrong I would appreciate it. I have pasted the output below. TIA -Barry Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = /usr/local main: localstatedir = /usr/local/var main: logdir = /usr/local/var/log/radius main: libdir = /usr/local/lib main: radacctdir = /usr/local/var/log/radius/radacct main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = /usr/local/var/log/radius/radius.log main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = /usr/local/var/run/radiusd/radiusd.pid main: user = (null) main: group = (null) main: usercollide = no main: lower_user = no main: lower_pass = no main: nospace_user = no main: nospace_pass = no main: checkrad = /usr/local/sbin/checkrad main:
Re: FreeRADIUS and mschapv2 problems
Dinko Korunic [EMAIL PROTECTED] wrote: Are you sure you're running the latest CVS snapshot? Yeps, taken from CVS these days: Hmmm.. try: User-Name = aland MS-CHAP-Challenge = 0x06bc3119daab4d9bb26be8d3ae4d958b616c616e64 MS-CHAP2-Response = 0x54002726aa4c6f5935925a8c659c4c476e5fe0630fa5b3284eb1c9e06b824c50c20fd23eb9305b1c1d38 The clear-text password is aland. If that doesn't work, then I think there's something wrong with your local install. Try it on another machine, and see if it's any better. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FW: Need Assistance please
Alan, the User Change Password Administrator etc., are already part of the LDAP schema (under the attribute securityRole) e.g. Uid=testuser Attribute Value securityRoleUsers Alan DeKok wrote: The value should have the operator in it. e.g. +=Users is the value you've mentioned in the LDAP schema (LDAP config file)? Or in radiusd.conf? or ldap.attrmap? I've modified the file ldap.attrmap as follow (this is the only change I've made) replyItemLogin-LAT-Group securityRole That should work. I thought by modifying this line to match the LDAP attribute would return all values for the user (testuser) in the LDAP schema. Alan DeKok wrote: No. The operators are still important. Alan DeKok. Alright... so this maybe a misconfiguration in LDAP? -denis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS and mschapv2 problems
Hello Dinko, Wednesday, May 26, 2004, 11:14:51 PM, you wrote: DK Hi. I've been using FreeRadius recent CVS version to authenticate wireless Windows XP/2k users via EAP and Cisco AP1000 series. I've so far succeeded in EAP/TLS and EAP/TTLS, as well as with non-EAP modules (PAP and CHAP) just to test if it is all properly set up. DK However, I'm failing with EAP/PEAP. Certificates are fine (as stated above), however MS-CHAPv2 (rlm_mschap) seems to be causing problems: DK rlm_eap: Request found, released from the list DK rlm_eap: EAP/mschapv2 DK rlm_eap: processing type mschapv2 DK Processing the authenticate section of radiusd.conf DK modcall: entering group Auth-Type for request 6 Hi. Don't use md5 or any other hashing protocol when creating mysql passwords. You will not be able to authenticate incoming MS-CHAPv2 connections (already encrypted). DK rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password DK rlm_mschap: FAILED: MS-CHAP2-Response is incorrect DK Passwords are stored in MySQL, but they're proven to be read correctly (and I've tried with users file too). DK I've read this list's archives thoroughly, and I've tried most of the stuff people were reporting. Is there anything else I could check? Should I try with NT-hashed passwords? Should I try with auth_ntlm to debug chap responses? DK TIA. -- Best regards, M.Jessa mailto:[EMAIL PROTECTED]
RE: Multilink PPP
On 27 May 2004 at 17:12, Lee Norvall wrote: Hi I have added port-limit=2, but the user is still getting error 52, duplicate name exists on network. I tried this in both group-check group-reply. Rgds Lee Try something like this... Multilink PPP user statement example, Fast_Users + PAP + Crypt_Password: begin User AA Statement USER Auth-Type := PAP,Crypt-Password ==_J9..0L9TUumS50RW8vo, Simultaneous-Use := 2 Port-Limit = 2, Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-MTU = 1500, Idle-Timeout = 28800, Framed-Compression = Van-Jacobson-TCP-IP, end User AA statement Be sure not to fall through to any DEFAULT Simultaneous-Use = 1 or DEFAULT Port-Limit = 1 statements. -- Bernie / [EMAIL PROTECTED] Chief Technology Architect / Chief Security Officer Euclidean Systems, Inc. *** // There is no expedient to which a man will not go //to avoid the pure labor of honest thinking. // Honest thought, the real business capital. // Observe Think Plan Think Do Think *** - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS and mschapv2 problems
On Thu, May 27, 2004 at 01:55:52PM -0400, Alan DeKok wrote: If that doesn't work, then I think there's something wrong with your local install. Try it on another machine, and see if it's any better. I have, in fact. You're not going to like the answer - it seems that current rlm_mschap isn't endian-clean. I've emptied all of the conf to have only PAP/CHAP/MSCHAP authorization and a cleartext user/password pair in the users file. I've tried again on that machine (Compaq Alpha DS10 with Linux 2.4.26) with no luck. I've copied that *exact* configuration to two other x86-based machines with the same 0.9.3 Debian packages - and all works there. I've copied that configuration again to another Alpha-based server (an older DEC Alphastation 2/2100) and *surprise* it isn't working there. Since I've tried both CVS and 0.9.3 versions with no luck, it seems that's either something to do with the kernel (which I doubt, since I've turned off all protection for freeradius, just in case) or the code or SSL functions you're using (SHA1 encryption, if I'm correct). -- Dinko 'kreator' Korunic #include stddisclaimer.h http://www.srce.hr/~kreator/ | http://kre.deviantart.com PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo
Re: FreeRADIUS and mschapv2 problems
Dinko Korunic [EMAIL PROTECTED] wrote: I have, in fact. You're not going to like the answer - it seems that current rlm_mschap isn't endian-clean. That's at least an explanation as to why it doesn't work. Now that we know that, it's possible to track down the problem. You can use the test attributes I posted earlier, and hack rlm_mschap so that it prints out a bunch of numbers it's calculated. e.g. MSCHAP: Step 1 879 MSCHAP: Step 2 58721674267 ... You can then run it on two machines, use 'grep' to pull out the MSCHAP lines from the debug log, and then use 'diff' to see where they differ. This will let you track down where the problem occurs. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
quintum VSA
I have seen that the latest CVS snapshot accepts cisco VSA hacks to aid in VoIP billing. Is there any plan to embed quintum as well? regards, Apu
Re: FreeRADIUS + MySQL +EAP-TLS
What do you mean explicitly REJECT? How can I do it? Thanks a lot! Ciao Tuan anh Artur Hecker wrote: yes, that's normal since the authentication works for ALL validly certified clients. you have to explicitly REJECT the users NOT in your data base. ciao artur NGUYEN Tuan Anh wrote: Hi, I'm trying to install a system with FreeRADIUS and MySQL and EAP-TLS as authentication protocol. Everything works, but I have a problem (I think it's a problem of configuration) : If I have a client with a valid certificate, even though the sql module doesn't regcognize the client (user-name doesn't existe in check list, the eap module always accept that client so the authorize section always return Acess-Accept!! Here 's part of the debug : rad_recv: Access-Request packet from host 134.214.78.43:6001, id=134, length=1256 User-Name = LEPILLEUR Benjamin NAS-IP-Address = 134.214.78.43 Called-Station-Id = 00-08-02-76-8d-32 Calling-Station-Id = 00-04-23-71-13-4c NAS-Identifier = PTSGSF3 State = 0xc89112eb62ee9f6f95ca9d43f018c9378ff6b54098811a92e7909de796d82c6ebc2dc2c1 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205043d0d80043316030104030b0002f30002f2ed308202e930820252a00302010202020805300d06092a864886f70d01010505003045310b300906035504061302465231153013060355040a130c54454c45434f4d2d4c444150311f301d060355040313164944582d504b49204f7065726174696f6e616c204341301e170d3034303332323135343634345a170d3035303332323135343634345a3051310b3009060355040613024652310d300b060355040a1304494e534131163014060355040b130d54656c65636f6d202d20475346311b3019060355040313124c4550494c4c422042656e6a616d696e30819f300d06092a8648 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x8121e1559fea1e3bffa3f781d173bc9147524762908effca4d1e6cb7d83914030100010116030100202e9086427690428d6a55f8e7e92f92a81884b32d074bb23725aca664aedbde6e 
Message-Authenticator = 0xbd5a866d0c2167835c811f8122ff9ada modcall: entering group authorize for request 3 radius_xlat: 'LEPILLEUR Benjamin' rlm_sql (sql): sql_set_user escaped user -- 'LEPILLEUR Benjamin' radius_xlat: 'SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck radius_xlat: '' radius_xlat: '' rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module sql returns ok for request 3 radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20040527' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20040527 modcall[authorize]: module auth_log returns ok for request 3 rlm_eap: EAP packet type notification id 5 length 1085 rlm_eap: EAP Start not found modcall[authorize]: module eap returns updated for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type EAP modcall: entering group authenticate for request 3 rlm_eap: EAP packet type notification id 5 length 1085 rlm_eap: EAP Start not found rlm_eap: Request found, released from the list rlm_eap: EAP_TYPE - tls rlm_eap: processing type tls rlm_eap_tls
Need Assistance please
Alan, the User Change Password Administrator etc., are already part of the LDAP schema (under the attribute securityRole) e.g. Uid=testuser Attribute Value securityRoleUsers Alan DeKok wrote: The value should have the operator in it. e.g. +=Users Is the value you've mentioned in the LDAP schema (LDAP config file)? Or in radiusd.conf? or ldap.attrmap? Where do I make the change? Thank you, -denis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: quintum VSA
Apu islam [EMAIL PROTECTED] wrote: I have seen that the latest CVS snapshot accepts cisco VSA hacks to aid in voIP billing. Is there any plan to embed quintum as well ? Send a patch. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius+PAM+LDAP
Hello everyone, I've been working on having radius authenticate through PAM, which is getting its authentication info from LDAP. This is so I can use pam_tally to monitor failed logins. I actually have the system working, but with one show-stopping problem. I am able to authenticate through PAM, but certain attributes such as FilterId, SessionTimeout, and IdleTimeout are not being passed from PAM to radius. Setting Freeradius to authenticate directly to LDAP will pass these attributes with no trouble, so the problem must be with PAM. I am using Debian Stable, so the packages are not the most recent, and some I had to build: PAM 0.72 LDAP 3.0 Freeradius 0.9.1 Any ideas? -BillT
Re: FreeRADIUS and mschapv2 problems
On Thu, May 27, 2004 at 05:03:26PM -0400, Alan DeKok wrote: Dinko Korunic [EMAIL PROTECTED] wrote: You can then run it on two machines, use 'grep' to pull out the MSCHAP lines from the debug log, and then use 'diff' to see where they differ. This will let you track down where the problem occurs.
More or less I've done what you've told me to. I've hacked around rlm_mschap (code is at the end of mail) to verbosely print hex values of important values, and used FreeRADIUS radclient for sending proven correct attributes (sorry, I've used mine which succeeded in authorisation just to be sure).
Attributes:
User-Name=aland
MS-CHAP-Challenge=0x303132333435363738393A3B3C3D3E3F
MS-CHAP2-Response=0x3C00202122232425262728292A2B2C2D2E2F6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
Unsuccessful log:
CHAPDBG: challenge length 16
rlm_mschap: doing MS-CHAPv2 with NT-Password
CHAPDBG: peer challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG: auth challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG: username aland
CHAPDBG: nt password B8CB804B59CAB90FA682D579C7FD9009
CHAPDBG: challenge 6C7C02695D6C6D7F
CHAPDBG: calculated 445D54B8A44023A305D59E18DCD6F78CCAA9E79046FB7601
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Successful log:
CHAPDBG: challenge length 16
rlm_mschap: doing MS-CHAPv2 with NT-Password
CHAPDBG: peer challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG: auth challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG: username aland
CHAPDBG: nt password B8CB804B59CAB90FA682D579C7FD9009
CHAPDBG: challenge CC8E988B421E3260
CHAPDBG: calculated 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
As we can see, initial challenge calculation has gone wrong somewhere.. which is happening in challenge_hash(), a function which is strictly using OpenSSL SHA1 functions. Doh. I thought at least OpenSSL should be endian-clean..
=== patch follows === --- rlm_mschap.c-orig 2004-05-28 02:23:53.0 +0200 +++ rlm_mschap.c2004-05-28 02:26:42.0 +0200 @@ -94,6 +94,17 @@ } } +char * bin2hex2 (const unsigned char *szBin, int len) +{ + int i; + static char szHex2[1024]; + for (i = 0; i len; i++) { + szHex2[i1] = letters[szBin[i] 4]; + szHex2[(i1) + 1] = letters[szBin[i] 0x0F]; + } + szHex2[(i1)] = 0; + return szHex2; +} /* Allowable account control bits */ #define ACB_DISABLED 0x0001 /* 1 = User account disabled */ @@ -233,11 +244,20 @@ char *response) { char challenge[8]; - + + DEBUG2(CHAPDBG: peer challenge %s, bin2hex2(peer_challenge, 16)); + DEBUG2(CHAPDBG: auth challenge %s, bin2hex2(auth_challenge, 16)); + DEBUG2(CHAPDBG: username %s, user_name); + DEBUG2(CHAPDBG: nt password %s, bin2hex2(nt_password, 16)); + challenge_hash(peer_challenge, auth_challenge, user_name, challenge); + DEBUG2(CHAPDBG: challenge %s, bin2hex2(challenge, 8)); + lrad_mschap(nt_password, challenge, response); + + DEBUG2(CHAPDBG: calculated %s, bin2hex2(response, 24)); } /* @@ -819,6 +839,7 @@ /* * MS-CHAPv2 challenges are 16 octets. */ + DEBUG2(CHAPDBG: challenge length %d, challenge-length); if (challenge-length 16) { radlog(L_AUTH, rlm_mschap: MS-CHAP-Challenge has the wrong format.); return RLM_MODULE_INVALID; @@ -853,6 +874,7 @@ mschap2(response-strvalue + 2, challenge-strvalue, request-username-strvalue, nt_password-strvalue, calculated); + DEBUG2(CHAPDBG: response %s, bin2hex2(response-strvalue + 26, 24)); if (memcmp(response-strvalue + 26, calculated, 24) != 0) { DEBUG2( rlm_mschap: FAILED: MS-CHAP2-Response is incorrect); add_reply(request-reply-vps, *response-strvalue, -- | |--..-. Dinko 'kreator' Korunic #include stddisclaimer.h || _| -__| http://www.srce.hr/~kreator/ | http://kre.deviantart.com |__|__|__| |_| PGP:0xEA160D0B | IRC:kre | ICQ:16965294 | AIM:kreatorMoo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
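Review bot: bin2hex2() in the first hunk writes into `static char szHex2[1024]` without checking `len`, so any caller that passes more than 511 bytes overruns the buffer, and because the buffer is static every call overwrites the previous result, which makes the helper unsafe if two threads log at once or if two conversions are ever passed to a single DEBUG2 call. Take the destination buffer and its size as parameters and refuse or truncate when 2*len+1 does not fit.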
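Review bot: the mschap2() hunk logs the NT hash with `DEBUG2(CHAPDBG: nt password %s, bin2hex2(nt_password, 16));`, and for MS-CHAP that hash is password-equivalent, so every debug log produced by this build contains a usable credential. Drop that line or keep it behind a compile-time switch that is off by default; the peer challenge, auth challenge, derived challenge and calculated response that the other DEBUG2 lines print are enough to localise the mismatch, and any account whose hash has been posted in a log should get a new password.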
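Alan DeKok's grep-and-diff procedure applied to the two CHAPDBG logs in the message above, plus an independent check of the derived challenge against the RFC 2759 ChallengeHash (first 8 octets of SHA1 over peer challenge, authenticator challenge and user name). This is an added example, not code from the thread or from FreeRADIUS; the function names are made up here and the log text is excerpted from the message with the NT hash line left out.

```python
import hashlib

# CHAPDBG output excerpted from the message above (Alpha host, then x86 host).
FAILING_HOST_LOG = """\
CHAPDBG: challenge length 16
rlm_mschap: doing MS-CHAPv2 with NT-Password
CHAPDBG: peer challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG: auth challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG: username aland
CHAPDBG: challenge 6C7C02695D6C6D7F
CHAPDBG: calculated 445D54B8A44023A305D59E18DCD6F78CCAA9E79046FB7601
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

WORKING_HOST_LOG = """\
CHAPDBG: challenge length 16
rlm_mschap: doing MS-CHAPv2 with NT-Password
CHAPDBG: peer challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG: auth challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG: username aland
CHAPDBG: challenge CC8E988B421E3260
CHAPDBG: calculated 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
"""


def parse_chapdbg(log):
    """The 'grep' step: keep CHAPDBG lines as ordered (step, value) pairs."""
    steps = []
    for line in log.splitlines():
        if not line.startswith("CHAPDBG"):
            continue
        body = line.split(": ", 1)[1]       # drop the "CHAPDBG...: " prefix
        name, value = body.rsplit(" ", 1)   # value is the last token
        steps.append((name, value))
    return steps


def first_divergence(log_a, log_b):
    """The 'diff' step: name of the first step whose value differs, or None."""
    other = dict(parse_chapdbg(log_b))
    for name, value in parse_chapdbg(log_a):
        if other.get(name) != value:
            return name
    return None


def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash, computed with Python's own SHA-1."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + username).digest()
    return digest[:8]


def audit(log):
    """Compare one host's logged values with the independent reference."""
    steps = dict(parse_chapdbg(log))
    reference = challenge_hash(
        bytes.fromhex(steps["peer challenge"]),
        bytes.fromhex(steps["auth challenge"]),
        steps["username"].encode("ascii"),
    ).hex().upper()
    return {
        "reference_challenge": reference,
        "logged_challenge": steps["challenge"],
        "challenge_ok": reference == steps["challenge"],
        "response_ok": steps["calculated"] == steps["response"],
    }


if __name__ == "__main__":
    print("first diverging step:", first_divergence(FAILING_HOST_LOG, WORKING_HOST_LOG))
    for label, log in (("failing host", FAILING_HOST_LOG), ("working host", WORKING_HOST_LOG)):
        print(label, audit(log))
```

A host whose `challenge_ok` is false has the fault in the hashing step itself, before any DES or NT-hash handling is involved.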
Re: Only first Cisco-AVPair entry posted to cisco
Thank you for the reply, I know how to do it now.

Garry Glendown [EMAIL PROTECTED] wrote:
> sy sy wrote:
> > I set multi Cisco-AVPair in users file, but only first is posted to Cisco router. Why?
>
> How did you assign the additional entries? Can you post your radius entries? The second and following entries should have the "+="-assignment ...
>
> -gg-
Re: FreeRADIUS and mschapv2 problems
On Fri, May 28, 2004 at 02:34:48AM +0200, Dinko Korunic wrote:
> As we can see, initial challenge calculation has gone wrong somewhere.. which is happening in challenge_hash(), function which is strictly using OpenSSL SHA1 functions. Doh. I thought at least OpenSSL should be endian-clean..

To prove my wording, here is some more of debug info. Already first SHA1 hash is different. However, I'm not sure if challenge-grabbing (20 octets) from end SHA1-hash is wrong, or SHA1 is wrong.. Could anyone help?

Unsuccessful:
CHAPDBG, challenge_hash: username aland
CHAPDBG, challenge_hash: peer_challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG, challenge_hash: auth_challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG, challenge_hash: sha1-1 41D03A478398AF4E7B18306592E77B8C8F99E76B
CHAPDBG, challenge_hash: sha1-2 88E8358965B10060C8BEEC85FA03A49E75CC0AAD
CHAPDBG, challenge_hash: sha1-3 E234830DFF297968936E5BA5A6022D31B32B2AE2
CHAPDBG, challenge_hash: end hash 389A5773F16E40A37FFB45A5DAEC13829A709102
CHAPDBG: challenge 389A5773F16E40A3
CHAPDBG: calculated 0CCC41AB13690C2C83BA7D143C12D758D34762A2194D663F
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

Successful:
CHAPDBG, challenge_hash: username aland
CHAPDBG, challenge_hash: peer_challenge 202122232425262728292A2B2C2D2E2F
CHAPDBG, challenge_hash: auth_challenge 303132333435363738393A3B3C3D3E3F
CHAPDBG, challenge_hash: sha1-1 5C3F75DDA77EB61EF6D04B5045BDF661F4FA608C
CHAPDBG, challenge_hash: sha1-2 9502711A5B6468A0400D095480515D9610F327AC
CHAPDBG, challenge_hash: sha1-3 CC8E988B421E3260801E39F23C3CAA402C02F2B8
CHAPDBG, challenge_hash: end hash CC8E988B421E3260801E39F23C3CAA402C02F2B8
CHAPDBG: challenge CC8E988B421E3260
CHAPDBG: calculated 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
CHAPDBG: response 6649E30199C56F7B1413EBA10A19D963D03165C1AEA0EBBF
rlm_mschap: adding MS-CHAPv2 MPPE keys

--
Dinko 'kreator' Korunic
http://www.srce.hr/~kreator/ | http://kre.deviantart.com
Re: FreeRADIUS and mschapv2 problems
The SHA1 functions are implemented in src/lib/sha1.c

--Mike

On Thu, 2004-05-27 at 20:31, Dinko Korunic wrote:
> On Fri, May 28, 2004 at 02:34:48AM +0200, Dinko Korunic wrote:
> > As we can see, initial challenge calculation has gone wrong somewhere.. which is happening in challenge_hash(), function which is strictly using OpenSSL SHA1 functions. Doh. I thought at least OpenSSL should be endian-clean..
>
> To prove my wording, here is some more of debug info. Already first SHA1 hash is different. However, I'm not sure if challenge-grabbing (20 octets) from end SHA1-hash is wrong, or SHA1 is wrong.. Could anyone help?
Re: FreeRADIUS and mschapv2 problems
Looks like this might be an updated version of this file that handles endian issues:

http://gtk-gnutella.sourceforge.net/tools/sha1/sha1.c

--Mike

On Thu, 2004-05-27 at 20:58, Michael Griego wrote:
> The SHA1 functions are implemented in src/lib/sha1.c
>
> --Mike
>
> On Thu, 2004-05-27 at 20:31, Dinko Korunic wrote:
> > On Fri, May 28, 2004 at 02:34:48AM +0200, Dinko Korunic wrote:
> > > As we can see, initial challenge calculation has gone wrong somewhere.. which is happening in challenge_hash(), function which is strictly using OpenSSL SHA1 functions. Doh. I thought at least OpenSSL should be endian-clean..
> >
> > To prove my wording, here is some more of debug info. Already first SHA1 hash is different. However, I'm not sure if challenge-grabbing (20 octets) from end SHA1-hash is wrong, or SHA1 is wrong.. Could anyone help?
Re: FreeRADIUS and mschapv2 problems
Try the attached patch to the sha1.c file and see if that takes care of the problem.

--Mike

On Thu, 2004-05-27 at 20:31, Dinko Korunic wrote:
> On Fri, May 28, 2004 at 02:34:48AM +0200, Dinko Korunic wrote:
> > As we can see, initial challenge calculation has gone wrong somewhere.. which is happening in challenge_hash(), function which is strictly using OpenSSL SHA1 functions. Doh. I thought at least OpenSSL should be endian-clean..
>
> To prove my wording, here is some more of debug info. Already first SHA1 hash is different. However, I'm not sure if challenge-grabbing (20 octets) from end SHA1-hash is wrong, or SHA1 is wrong.. Could anyone help?

--- sha1.c.save 2004-05-27 21:26:12.0 -0500 +++ sha1.c 2004-05-27 21:34:01.0 -0500 @@ -9,6 +9,7 @@ #include autoconf.h #include string.h +#include endian.h #ifdef HAVE_SYS_TYPES_H #include sys/types.h @@ -24,14 +25,19 @@ #include sha1.h -#define blk0(i) (block-l[i] = htonl(block-l[i])) #define rol(value, bits) (((value) (bits)) | ((value) (32 - (bits /* blk0() and blk() perform the initial expand. */ /* I got the idea of expanding during the round function from SSLeay */ -#define blk0(i) (block-l[i] = htonl(block-l[i])) +# if __BYTE_ORDER == __BIG_ENDIAN +# define blk0(i) (block-l[i] = (rol(block-l[i],24)0xFF00FF00) \ + |(rol(block-l[i],8)0x00FF00FF)) +# else /* __BYTE_ORDER == __LITTLE_ENDIAN */ +# define blk0(i) block-l[i] +# endif + #define blk(i) (block-l[i15] = rol(block-l[(i+13)15]^block-l[(i+8)15] \ ^block-l[(i+2)15]^block-l[i15],1))
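Review bot: in the second hunk the byte-order test looks inverted. SHA-1 reads each 32-bit message word big-endian, so the rol()-based swap belongs in the little-endian branch and the plain blk0(i) in the big-endian one; the removed htonl() form already behaved that way for 32-bit words, swapping on little-endian hosts and doing nothing on big-endian ones. The new include of endian.h and the __BYTE_ORDER macros are also not available on every platform, and if neither macro is defined the #if compares 0 == 0 and silently picks the swap branch. Since the file already includes autoconf.h, a configure-time check such as WORDS_BIGENDIAN would be a more portable switch.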
Re: Access Reject
Hi

I am trying the freeradius server version 0.9.3. Everything from compiling to installation went fine. When I give

radtest localhost testing123 127.0.0.1 10 testing123

it gives an Access reject error. The port is set to 1812.

Here is a sample output with the default configuration after the fresh installation.

[EMAIL PROTECTED] raddb]# radtest localhost testing123 127.0.0.1 1812 testing123
Sending Access-Request of id 207 to 127.0.0.1:1812
User-Name = localhost
User-Password = testing123
NAS-IP-Address = redhat.tester.com
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=207, length=20

Regards Thanks
Mahesh S Kudva