Re: copying accounting

2004-06-16 Thread Alexander Serkin
Ok. I can use radrelay. But. I do not understand the reason why the 
replicate-to-realm is being removed from the server.
There are two operators now which we have roaming agreements with.
But what will we do if their amount grows to 10, 20?
We'll have to start up to 20 instances of radrelay.
And monitor their states. Not good, is it?

Alan DeKok wrote:
Alexander Serkin <[EMAIL PROTECTED]> wrote:
radrelay seems to do more than I need.

  So?  Replicate-To-Realm won't work.  If it does, you're using an
older version of the server, and that feature will STOP working when
you upgrade.
  Don't use Replicate-To-Realm.

Actually the task is to copy accounting for specific CLID of roaming
users to their home AAA server.
radrelay works directly with detail file which contains not only
roaming CLIDs.

  So... configure the server to have a variant of the detail module
which is used only to log the roaming users.
  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
SY,
Alexander


Re: Error getting data from database"

2004-06-16 Thread edward
I made a mistake in the "radcheck" table: I set the "attribute" to "Auth-Type" when
actually it should be "Password". I updated the table and everything is fine.
Thanks a lot!
Cheers!

Quoting nsinit <[EMAIL PROTECTED]>:

> 
> >Thu Jun 17 11:23:59 2004 : Debug:   rad_check_password:  Found Auth-Type
> 654321
>   why Auth-Type 654321 ???
> 
> 
> 
> 
> Hello World! 
> 
> [EMAIL PROTECTED]
>   2004-06-17
> 
> 
> 
> 
> 
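An added Python example (not from this thread or the FreeRADIUS project) that audits radcheck rows and radiusd debug output for the mistake discussed here: an attribute spelled with an underscore, then Auth-Type carrying the password where a Password check item belongs. The sample rows, their ops and the set of known Auth-Type values are constructed assumptions.

```python
import re

# Constructed sample rows mirroring the thread: the same user "tom" with the
# radcheck row written three ways. Column order follows the thread's query:
# id, username, attribute, value, op. The ops are assumed; the thread does
# not show them.
ROWS_UNDERSCORE = [(1, "tom", "Auth_Type", "654321", ":=")]   # "unknown attribute Auth_Type"
ROWS_DASH = [(1, "tom", "Auth-Type", "654321", ":=")]         # "Found Auth-Type 654321"
ROWS_FIXED = [(1, "tom", "Password", "654321", "==")]         # what edward ended up with

# Debug lines taken from the thread, embedded so the script runs offline.
DEBUG_SAMPLE = """\
Thu Jun 17 11:23:59 2004 : Debug:   rad_check_password:  Found Auth-Type 654321
Thu Jun 17 11:23:59 2004 : Debug: auth: type "(null)"
Thu Jun 17 11:23:59 2004 : Debug: auth: Failed to validate the user.
"""

# Check items that carry the user's password. "Password" is the spelling the
# thread uses; the other two are also accepted by dictionaries of that era
# (assumption stated here).
PASSWORD_ATTRS = {"Password", "User-Password", "Crypt-Password"}

# Auth-Type values the server can act on: a representative subset (assumption).
# The point is that a password such as "654321" is not one of them.
KNOWN_AUTH_TYPES = {"Local", "System", "Accept", "Reject", "PAP", "CHAP",
                    "MS-CHAP", "LDAP", "EAP"}

# Dictionary attribute names are letters, digits and dashes. An underscore
# is what made rlm_sql report "unknown attribute Auth_Type".
ATTR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# The line rad_check_password prints once the authorize section has run.
FOUND_AUTH_TYPE_RE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")


def audit_radcheck(rows):
    """Return a list of (username, finding) pairs for rows shaped like
    (id, username, attribute, value, op)."""
    by_user = {}
    for _rowid, user, attr, value, _op in rows:
        by_user.setdefault(user, []).append((attr, value))

    findings = []
    for user, items in by_user.items():
        has_password = False
        decided_by_auth_type = False   # Accept/Reject need no password item
        for attr, value in items:
            if not ATTR_NAME_RE.match(attr):
                findings.append((user, f"unknown attribute {attr!r}: dictionary "
                                       "names use dashes, not underscores"))
                continue
            if attr in PASSWORD_ATTRS:
                has_password = True
            elif attr == "Auth-Type":
                if value == "Accept":
                    decided_by_auth_type = True
                    findings.append((user, "Auth-Type Accept: the password is "
                                           "never checked"))
                elif value == "Reject":
                    decided_by_auth_type = True
                elif value not in KNOWN_AUTH_TYPES:
                    findings.append((user, f"Auth-Type {value!r} is not an "
                                           "authentication type; the server logs "
                                           "auth: type \"(null)\" and rejects the login"))
        if not has_password and not decided_by_auth_type:
            findings.append((user, "no password check item: every login is rejected"))
    return findings


def auth_type_from_debug(debug_text):
    """Pull the Auth-Type that rad_check_password found out of radiusd -X
    output and report whether the server can act on it."""
    match = FOUND_AUTH_TYPE_RE.search(debug_text)
    if not match:
        return None, False
    value = match.group(1)
    return value, value in KNOWN_AUTH_TYPES


if __name__ == "__main__":
    for label, rows in (("underscore", ROWS_UNDERSCORE), ("dash", ROWS_DASH),
                        ("fixed", ROWS_FIXED)):
        print(label, audit_radcheck(rows) or "ok")
    print("debug log:", auth_type_from_debug(DEBUG_SAMPLE))
```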








Re: Error getting data from database"

2004-06-16 Thread edward
I found my Freeradius problem. It is:
 "Found Auth-Type 654321"
 Thu Jun 17 11:23:59 2004 : Debug: auth: type "(null)"
I checked my postgresql table and found that the radcheck table has a wrong
attribute; I set it to "Auth-Type" by mistake, it should be "Password". Thanks Mike!
Thanks!

> 
> Thanks Mike,
> 
> I changed it from "Auth_Type" to "Auth-Type", but now the problem is:  auth:
> type "(null)"
> Here is the detail. 
> 
> Please  help me out!
> Thanks a lot!
> 
> ==
> 
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): sql_set_user escaped user
> -->
> 'tom'
> Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT id, username,
> attribute,
> value, op FROM radcheck WHERE username = 'tom' ORDER BY id'
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): Reserving sql socket id: 4
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT id,
> username, attribute, value, op FROM radcheck WHERE username = 'tom' ORDER BY
> id
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status:
> PGRES_TUPLES_OK
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
> Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT radgroupcheck.id,
> radgroupcheck.GroupName, radgroupcheck.Attribute,
> radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE
> usergroup.Username = 'tom' AND usergroup.GroupName = radgroupcheck.GroupName
> ORDER BY radgroupcheck.id'
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT
> radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
> radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE
> usergroup.Username = 'tom' AND usergroup.GroupName = radgroupcheck.GroupName
> ORDER BY radgroupcheck.id
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status:
> PGRES_TUPLES_OK
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
> Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT id, username,
> attribute,
> value, op FROM radreply WHERE username = 'tom'ORDER BY id'
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT id,
> username, attribute, value, op FROM radreply WHERE username = 'tom'ORDER BY
> id
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status:
> PGRES_TUPLES_OK
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
> Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT radgroupreply.id,
> radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value,
> radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username =
> 'tom'
> AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT
> radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute,
> radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE
> usergroup.Username = 'tom' AND usergroup.GroupName = radgroupreply.GroupName
> ORDER BY radgroupreply.id
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status:
> PGRES_TUPLES_OK
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
> Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): Released sql socket id: 4
> Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: returned from sql
> (rlm_sql) for request 0
> Thu Jun 17 11:23:59 2004 : Debug:   modcall[authorize]: module "sql" returns
> ok
> for request 0
> Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: calling files
> (rlm_files) for request
> Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: calling files
> (rlm_files) for request 0
> Thu Jun 17 11:23:59 2004 : Debug: users: Matched DEFAULT at 154
> Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: returned from
> files
> (rlm_files) for request 0
> Thu Jun 17 11:23:59 2004 : Debug:   modcall[authorize]: module "files"
> returns
> ok for request 0
> Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: calling mschap
> (rlm_mschap) for request 0
> Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: returned from
> mschap
> (rlm_mschap) for request 0
> Thu Jun 17 11:23:59 2004 : Debug:   modcall[authorize]: module "mschap"
> returns
> noop for request 0
> Thu Jun 17 11:23:59 2004 : Debug: modcall: group authorize returns ok for
> request 0
> Thu Jun 17 11:23:59 2004 : Debug:   rad_check_password:  Found Auth-Type
> 654321
> Thu Jun 17 11:23:59 2004 : Debug: auth: type "(null)"
> Thu Jun 17 11:23:59 2004 : Debug: auth: Failed to validate the user.
> Thu Jun 17 11:23:59 2004 : Auth: Login incorrect: [tom/654321] (from client
> ed_radius port 0)
> RE
> 
> 
> Please  help me out!
> Thanks a lot!
> 
> 
> Quoting Michael Griego <[EMAIL PROTECTED]>:
> 
> > On Wed, 2004-06-16 at 06:04, [EMAIL PROTECTED] wrote:
> > > rlm_sql: unknown attribute Auth_Type
> > 
> > Here's your problem.  Auth_Type is not a valid attribute.  Change that
> > to Auth-Type (dash, not und

Re: Error getting data from database"

2004-06-16 Thread nsinit

>Thu Jun 17 11:23:59 2004 : Debug:   rad_check_password:  Found Auth-Type 654321
why Auth-Type 654321 ???




Hello World! 

[EMAIL PROTECTED]
2004-06-17






Re: Re: rlm_expr question

2004-06-16 Thread nsinit

Thanks! It does work with freeradius-1.0.0-pre2!

as follows in the radreply table:
`%{expr: %{Call-Refrence}}`




>
>  Then you're probably not using 1.0.0-pre*
>
>  Alan DeKok.
>
>




Hello World! 

[EMAIL PROTECTED]
2004-06-17






rewriting attributes based on NAS

2004-06-16 Thread Michael Markstaller
Hi, 

just thought about some things to fix some attributes but didn't find
the right glue where to start (probably attr_rewrite).

Using latest 1.0 pre-2,
I have some NAS giving me attributes in either the wrong way or not the way
I'd want them ;)
- a Cisco L2TP-LAC saying NAS-Port-Type ISDN (2) instead of something
meaningful like 5 or 16
How can I rewrite packets a specific way only for a specific NAS ?
- again a Cisco, reporting Null with ISDN for Connect-Info (77) (Async
reports fine), so I'm looking for a way to probably copy
X-Ascend-Data-Rate (which it reports) into Connect-Info if Connect-Info
is Null 
- next one would be to append the data from "Cisco-AVPair =
"v92-info=.." to Connect-Info
- do something meaningful to log "Cisco-AVPair = "isakmp-group-id=.."
and "Cisco-AVPair = "isakmp-initator-ip=.."
It's basically all about the same thing.

Another thing I came into was to filter outbound attributes in
Access-Accept based on NAS(IP). 
Filtering by realms is easy with attrs but how to filter based on NAS ?
Background is, I have static Framed-IPs for xDSL users but they're also
dialing in on other NASes where they should get a dynamic Framed-IP from
the NAS' local-pool..

Any idea would be appreciated..

Michael



Error getting data from database"

2004-06-16 Thread edward

Thanks Mike,

I changed it from "Auth_Type" to "Auth-Type", but now the problem is:  auth:
type "(null)"
Here is the detail. 

Please  help me out!
Thanks a lot!

==

Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): sql_set_user escaped user -->
'tom'
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT id, username, attribute,
value, op FROM radcheck WHERE username = 'tom' ORDER BY id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT id,
username, attribute, value, op FROM radcheck WHERE username = 'tom' ORDER BY id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT radgroupcheck.id,
radgroupcheck.GroupName, radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE
usergroup.Username = 'tom' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT
radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE
usergroup.Username = 'tom' AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT id, username, attribute,
value, op FROM radreply WHERE username = 'tom'ORDER BY id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT id,
username, attribute, value, op FROM radreply WHERE username = 'tom'ORDER BY id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
Thu Jun 17 11:23:59 2004 : Debug: radius_xlat:  'SELECT radgroupreply.id,
radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value,
radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'tom'
AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: query: SELECT
radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute,
radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE
usergroup.Username = 'tom' AND usergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: Status: PGRES_TUPLES_OK
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql_postgresql: affected rows = 
Thu Jun 17 11:23:59 2004 : Debug: rlm_sql (sql): Released sql socket id: 4
Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: returned from sql
(rlm_sql) for request 0
Thu Jun 17 11:23:59 2004 : Debug:   modcall[authorize]: module "sql" returns ok
for request 0
Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request
Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 0
Thu Jun 17 11:23:59 2004 : Debug: users: Matched DEFAULT at 154
Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: returned from files
(rlm_files) for request 0
Thu Jun 17 11:23:59 2004 : Debug:   modcall[authorize]: module "files" returns
ok for request 0
Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Thu Jun 17 11:23:59 2004 : Debug:   modsingle[authorize]: returned from mschap
(rlm_mschap) for request 0
Thu Jun 17 11:23:59 2004 : Debug:   modcall[authorize]: module "mschap" returns
noop for request 0
Thu Jun 17 11:23:59 2004 : Debug: modcall: group authorize returns ok for
request 0
Thu Jun 17 11:23:59 2004 : Debug:   rad_check_password:  Found Auth-Type 654321
Thu Jun 17 11:23:59 2004 : Debug: auth: type "(null)"
Thu Jun 17 11:23:59 2004 : Debug: auth: Failed to validate the user.
Thu Jun 17 11:23:59 2004 : Auth: Login incorrect: [tom/654321] (from client
ed_radius port 0)
RE


Please  help me out!
Thanks a lot!


Quoting Michael Griego <[EMAIL PROTECTED]>:

> On Wed, 2004-06-16 at 06:04, [EMAIL PROTECTED] wrote:
> > rlm_sql: unknown attribute Auth_Type
> 
> Here's your problem.  Auth_Type is not a valid attribute.  Change that
> to Auth-Type (dash, not underscore).
> 
> -- 
> 
> --Mike
> 
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
> 
> 
> 
> 








Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread keith
Hi Alan,

> 
>   No.  You're trying to get pppd to send radius requests which contain
> certain attributes.  There is NOTHING you can do to FreeRADIUS which
> will make pppd send those attributes.  Therefore, this list is NOT the
> right place to ask how to configure pppd.
> 

Understood, thanks.

Keith





Re: Rejecting Users when using mysql

2004-06-16 Thread Gary McKinney
Sure,

Just copy the user's record in the radcheck table to a different table (so
you don't lose their login information) then write a bogus password in their
record...

gm...

- Original Message - 
From: "Linda Pagillo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 16, 2004 6:54 AM
Subject: Rejecting Users when using mysql


> Good morning everyone:
>
> I have a quick question. I was reading the FAQ and I saw the instructions
> for rejecting users from authenticating when their account is suspended
> etc.. but from what I see, the instructions in the FAQ are for people using
> the "users" file for authentication. I have set my freeradius to use mysql
> instead of the users file. Does anyone know what I need to do to reject
> users in this case? Thank you.
>





Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread Alan DeKok
"keith" <[EMAIL PROTECTED]> wrote:
> So I believe my current hurdle is getting the information from pppd to
> freeradius and I believe this is the best list for that.

  No.  You're trying to get pppd to send radius requests which contain
certain attributes.  There is NOTHING you can do to FreeRADIUS which
will make pppd send those attributes.  Therefore, this list is NOT the
right place to ask how to configure pppd.

  Alan DeKok.



Re: freeRADIUS+AD help

2004-06-16 Thread Michael Check
On 6/16/04 2:47 PM, Veerabhushan Hatte at <[EMAIL PROTECTED]> wrote:

> Thank you for your detailed mail. It is very useful. I have couple of minor
> questions in LDAP configuration. Here they are,
> ldap {
>  ..
>   server = "192.168.2.5"
>   identity = "cn=ldapuser,cn=users,dc=foo1,dc=com"
>   password = foopass
>   basedn = "cn=users,dc=foo1,dc=com"
>  ...
> }
> I have created a user called wirelessuser under newgroup on the windows server
> running DNS and LDAP whose domain name is testsci.foo.com.
> 
> I am having trouble in configuring identity and basedn parameters. Could you
> help me in filling up these values? Setup is as follows,
> 
>  wirelessuser 192.168.10.201  192.168.10.203
> wireless client  AP  freeRADIUS  Windows AD/LDAP
> 192.168.10.200  192.168.10.202   (testsci.foo.com)
>  
> newgroup
>  
> |
>  
> wireless user
> 
> password field represents whose password? Is it wireless user or windows
> administrator? I am assuming it belongs to user.

You need a user, in AD, that will be used to authenticate the wireless
users.  In my config above, that user is named 'ldapuser'.  The password
'foopass' is the password for the 'ldapuser'.

So yours should read:
>   server = "192.168.10.203"
>   identity = "cn=ldapuser,cn=users,dc=testsci,dc=foo,dc=com"
>   password = foopass
>   basedn = "cn=users,dc=testsci,dc=foo,dc=com"

Add a user to your AD called 'ldapuser', with password 'foopass' and make
sure the Display Name is also 'ldapuser'.

Then make sure your 'wirelessuser' account is in the basedn above: The Users
container of your AD.

'wirelessuser' should autz and auth.  If it still does not, look at the debug
output of radiusd (radiusd -xx) to see where it is failing.  You may have to
move your user accounts in the AD or change the location of the basedn to
make sure it finds them during authorization.

-Michael Check

--
Solo Group, Inc.  #   mcheck (at) sologroup (dot) com
Chicago, Illinois #   http://www.sologroup.com/
--




Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread keith
Hi Alan,

Your advice is both followed and appreciated.

>
>   Of course.  I *did* say don't set Auth-Type, did I not?

I have done this on both servers, my internal test machine and the
production machine
I can no longer log onto my test machine but the issue I believe is
unrelated.

>
> > radtest works. CHAP does not.
>
>   CHAP works.

Fair enough.

>
> > Pruned Log Follows for pppd.
>
>   And not for the server.  Wonderful.

The logs for the server merely show that I am not getting a password into
the authentication request. As you pointed out before, this will
automatically cause a reject.

>
>   I suggest posting your questions on the pppd list, as you don't seem
> to have many questions about FreeRADIUS.
>

pppd itself works. pppd with pptpd works. pppd with pptpd with FreeRadius
(without authentication by setting Auth-Type := Accept) works.

So I believe my current hurdle is getting the information from pppd to
freeradius and I believe this is the best list for that.

Keith Hutchison




Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread Alan DeKok
"keith" <[EMAIL PROTECTED]> wrote:
> Using
> +chap
> -mschap
> -mschap-v2 in the pptpd options file causes a failure with CHAP

  Then you've done something to break the server.

> and changing the Auth-Type to Local.
> causes a failure with CHAP.

  Of course.  I *did* say don't set Auth-Type, did I not?

> radtest works. CHAP does not.

  CHAP works.

> Pruned Log Follows for pppd.

  And not for the server.  Wonderful.

  I suggest posting your questions on the pppd list, as you don't seem
to have many questions about FreeRADIUS.

  Alan DeKok.




tcpserver

2004-06-16 Thread Paul Greenwood
Does anyone use the tcpserver to serve radiusd?



Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread keith
Hi Alan,

> > What Auth Type would I use for the following?
>
>   Generally, you *don't* set Auth-Type.  The server will figure it
> out.

OK.

>
> > rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210,
length=54
> > Service-Type = Framed-User
> > Framed-Protocol = PPP
> > User-Name = "keith_xp"
> > NAS-IP-Address = 192.168.1.150
> > NAS-Port = 0
>
>   There's no password, so there's no way to authenticate the request.
>

I found I can get a password by setting +chap in the pptpd options file.

>   In this case, "Auth-Type = Reject" is the only thing to do.
Agreed.

>
> > Or do I change the users file? (Which I am about to try )
>
>   Don't make changes unless you know what you're changing, and why.

You've hit the problem on the head, my lack of knowledge in relation to
freeradius ...:-)

The interesting part for me is I have had some success with two machines
(mschap-v2 logins and accounting - no encryption of data as yet), and the
third, the one I have to produce the results on, is somehow different and
beyond my current state of knowledge.

Now about to try dropping the Auth-Type from the users file.

Keith Hutchison





Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread keith
> >   Read the *rest* of the debug log, including the part where it prints
> > out the attributes in the Access-Request, and none of them are MS-CHAP.
> >
> What Auth Type would I use for the following?
>
> rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210,
length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "keith_xp"
> NAS-IP-Address = 192.168.1.150
> NAS-Port = 0
>

using
-chap
-mschap
-mschap-v2 in the pptpd options file
and changing the Auth-Type to Accept.
FreeRadius accepts the request and accounting begins
So pptpd, pppd and freeradius work as long as I do not try to authenticate.


Using
+chap
-mschap
-mschap-v2 in the pptpd options file causes a failure with CHAP

and changing the Auth-Type to Local.
causes a failure with CHAP.

radtest works. CHAP does not.

My current guess/test is the radius plugin is failing to get/set the
password.

Any pointers appreciated.

My current assumptions
1. The Kernel for Suse 8.1 will work without modification
(I assumed this for SuSe 9.0 and it is correct for 9.0 )
I do not currently know how to test for this and I really want to avoid
compiling a new kernel, (the target machine is 1000km away)
I am prepared to drop encryption as all I want from the system is the
accounting functions.
2. The source for radiusclient 0.3.2 from Suse will work with Suse pppd
2.4.2
This is the current assumption that I will test by removing the radiusclient
and installing Suse binaries from Suse 8.1.
3. CHAP uses the password from /etc/shadow

Pruned Log Follows for pppd.

Jun 16 17:55:13 kbri-comms pppd[17207]: Plugin radius.so loaded.
Jun 16 17:55:13 kbri-comms pppd[17207]: RADIUS plugin initialized.
Jun 16 17:55:13 kbri-comms pppd[17207]: pppd 2.4.2 started by root, uid 0
Jun 16 17:55:13 kbri-comms pppd[17207]: using channel 100
Jun 16 17:55:13 kbri-comms pppd[17207]: Using interface ppp0

Jun 16 17:55:13 kbri-comms pptpd[17206]: GRE: Bad checksum from pppd.

Jun 16 17:55:16 kbri-comms pppd[17207]: sent [CHAP Challenge id=0x43
, name = "kbri-comms"]

Jun 16 17:55:16 kbri-comms pppd[17207]: rcvd [CHAP Response id=0x43
<4a4198eeb36edfebfeef64f0dbebf0bf579c54ba7392c283fa566306189
e229a735573d1fd1bb0dd00>, name = "keith_xp"]

Jun 16 17:55:16 kbri-comms pppd[17207]: rc_avpair_new: unknown attribute 11
Jun 16 17:55:16 kbri-comms pppd[17207]: rc_avpair_new: unknown attribute 25
Jun 16 17:55:16 kbri-comms pppd[17207]:
Jun 16 17:55:16 kbri-comms pppd[17207]: Peer keith_xp failed CHAP
authentication





Re: ip pool

2004-06-16 Thread Marco Marques
> "Marco Marques" <[EMAIL PROTECTED]> wrote:
>> I want to know if it's possible to use ippools and sql??
>> I mean having a table with the ippools in the sql database
>
>   Why?
>
>   Alan DeKok.
>
>


so I can assign IPs from that pool to my users


Marco



Re: user groups in freeradius

2004-06-16 Thread Alan DeKok
"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> > Because it's not possible for me to use unix group (/etc/group) ! :(
> 
>   Read the "man" page for "rlm_passwd".
>
> The different usernames are stored in LDAP and not exist on the level
> system.

  Perhaps you haven't read my response, or the "man" page for
"rlm_passwd".

  rlm_passwd allows you to define groups *outside* of the normal Unix
/etc/group system.  The "man" page describes how to do it.

  Stop arguing with me, and follow the instructions in the man page.
It will let you create groups, it will not use the Unix group system,
and the users don't have to exist anywhere.

  Alan DeKok.



how to define a "Group"

2004-06-16 Thread Tobias Gablunsky
 Hello!

 I have some attributes I want to add to a group of users.

 I can define a "DEFAULT"-entry in the /etc/raddb/users file
 and there check for a "Group"-Attribute. But how do I set this
 Attribute? A simple "Group = groupname" does not work...

 I'm sorry if this is a stupid question but I can't find the answer,
 neither in the FAQ nor in the mailing list archive!

 I am using beta 2 of Freeradius 1.0.0 on a Fedora Core 2
 machine.

 thanks,

 tobias



Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread Alan DeKok
"keith" <[EMAIL PROTECTED]> wrote:
> What Auth Type would I use for the following?

  Generally, you *don't* set Auth-Type.  The server will figure it
out.

> rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "keith_xp"
> NAS-IP-Address = 192.168.1.150
> NAS-Port = 0

  There's no password, so there's no way to authenticate the request.

  In this case, "Auth-Type = Reject" is the only thing to do.

> Or do I change the users file? (Which I am about to try )

  Don't make changes unless you know what you're changing, and why.

  Alan DeKok.



RE: user groups in freeradius

2004-06-16 Thread Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] on behalf of Alan
DeKok
Sent: Wednesday, 16 June 2004 16:46
To: [EMAIL PROTECTED]
Subject: Re: user groups in freeradius


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> does freeradius server manage the user groups in its config file ?

  No.

Is it on the roadmap ?;)



> Because it's not possible for me to use unix group (/etc/group) ! :(

  Read the "man" page for "rlm_passwd".


The different usernames are stored in LDAP and not exist on the level
system.




Lionel.






Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread keith
Hi Alan

>
>   You set Auth-Type = MS-CHAP.  Don't.

OK.

>
> > Any pointers appreciated.
>
>   Read the *rest* of the debug log, including the part where it prints
> out the attributes in the Access-Request, and none of them are MS-CHAP.
>
What Auth Type would I use for the following?

rad_recv: Access-Request packet from host 127.0.0.1:32771, id=210, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "keith_xp"
NAS-IP-Address = 192.168.1.150
NAS-Port = 0

Or do I change the users file? (Which I am about to try )

Keith Hutchison




No memory on Solaris

2004-06-16 Thread Kenny Stoltz
I have a bug prone setup, but here goes:
Solaris 2.9 with:
Freeradius-1.0.0-pre2 and/or Freeradius-0.9.3
unixODBC 2.2.8
freetds 0.62.3

trying to connect to:
MSSQL 7.0 Database via unixODBC

I can use tsql and isql to query the database with the select
statements I've written and I have the exact same setup working in
production on two debian linux boxes, so I know that it "can" work.

Anyway, the first radtest I do here's what happens:

Wed Jun 16 16:01:26 2004 : Info: Ready to process requests.
Wed Jun 16 16:01:26 2004 : Debug: Thread 1 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 2 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 3 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 4 waiting to be assigned a request
Wed Jun 16 16:01:26 2004 : Debug: Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32995, id=78, length=57
Wed Jun 16 16:01:54 2004 : Debug: --- Walking the entire request list ---
Wed Jun 16 16:01:54 2004 : Debug: Waking up in 31 seconds...
Wed Jun 16 16:01:54 2004 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Jun 16 16:01:54 2004 : Debug: Thread 5 got semaphore
Wed Jun 16 16:01:54 2004 : Debug: Thread 5 handling request 0, (1
handled so far)
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
Wed Jun 16 16:01:54 2004 : Debug:   Processing the authorize section
of radiusd.conf
Wed Jun 16 16:01:54 2004 : Debug: modcall: entering group authorize
for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Wed Jun 16 16:01:54 2004 : Error: Invalid operator for item Suffix:
reverting to '=='
Wed Jun 16 16:01:54 2004 : Error: Invalid operator for item Suffix:
reverting to '=='
Wed Jun 16 16:01:54 2004 : Error: Invalid operator for item Suffix:
reverting to '=='
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: returned
from preprocess (rlm_preprocess) for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modcall[authorize]: module
"preprocess" returns ok for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: returned
from chap (rlm_chap) for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modcall[authorize]: module "chap"
returns noop for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: calling
suffix (rlm_realm) for request 0
Wed Jun 16 16:01:54 2004 : Debug: rlm_realm: No '@' in User-Name =
"steve", looking up realm NULL
Wed Jun 16 16:01:54 2004 : Debug: rlm_realm: No such realm "NULL"
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: returned
from suffix (rlm_realm) for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modcall[authorize]: module
"suffix" returns noop for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: calling
files (rlm_files) for request 0
Wed Jun 16 16:01:54 2004 : Debug: users: Matched steve at 80
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: returned
from files (rlm_files) for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modcall[authorize]: module "files"
returns ok for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: calling
mschap (rlm_mschap) for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: returned
from mschap (rlm_mschap) for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modcall[authorize]: module
"mschap" returns noop for request 0
Wed Jun 16 16:01:54 2004 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 0
Wed Jun 16 16:01:54 2004 : Debug: radius_xlat:  'steve'
Wed Jun 16 16:01:54 2004 : Debug: rlm_sql (sql): sql_set_user escaped
user --> 'steve'
Wed Jun 16 16:01:54 2004 : Debug: radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM freeradAuthCheck WHERE Username =
'steve' ORDER BY id'
Wed Jun 16 16:01:54 2004 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Wed Jun 16 16:01:54 2004 : Debug: query:  SELECT
id,UserName,Attribute,Value,op FROM freeradAuthCheck WHERE Username =
'steve' ORDER BY id
Wed Jun 16 16:02:23 2004 : Error: no memory

between the sql query and the no memory statement it eats up a crap
load of memory and makes the server unresponsive, but due to good
error handling I guess it kills itself gracefully.

Obviously 0.9.3 and 1.0.0-pre2 have the problem, I didn't check past
that. I know it involves my unixodbc/freetds, but using isql doesn't
cause these errors. Can anyone tell me what sort of commands I can run
to bring to light more of what's going on?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Does radius reply to the nas when it can't find a DB handle?

2004-06-16 Thread Matthew Schumacher
Matthew Schumacher wrote:
Or does it drop it altogether causing the nas to resend the packet?
Sorry, I noticed you answered this question just after I sent this post:
For others who missed it and for the archive:
>> Are you sure?  My understanding is that radius replies but finds that
>> it doesn't have a DB connection handle and drops the insert.
>
> The server shouldn't reply if there's a problem storing the
> accounting data.
>
>> If you're right then much of my concerns are not valid.  If radius
>> didn't reply then packets dropped due to lack of DB time would be
>> retransmitted.
>
> In theory, yes.  In practice, you don't want accounting packets to
> be lost, say if your NAS goes down.
> It would be better to *always* log the accounting packets
> *somewhere*.


Does radius reply to the nas when it can't find a DB handle?

2004-06-16 Thread Matthew Schumacher
Or does it drop it altogether causing the nas to resend the packet?


Baystack 350's and 450's

2004-06-16 Thread Patrick Rebert
I'm running freeradius 1.0.0-pre1 and need to support
Baystack 350's and 450's. Can anyone give me any
useful hints, including what nastype to specify in
clients.conf?

TIA,
Pat Rebert







Re: Rate limit radius requests

2004-06-16 Thread Alan DeKok
Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> Kostas Kalevras wrote:
> > 
> > radrelay will send packets as fast as possible but will slow down
> > if it does not get responses.
...
> Are you sure?  My understanding is that radius replies but finds that it 
> doesn't have a DB connection handle and drops the insert.

  The server shouldn't reply if there's a problem storing the
accounting data.

> If you're right then much of my concerns are not valid.  If radius didn't 
> reply then packets dropped due to lack of DB time would be retransmitted.

  In theory, yes.  In practice, you don't want accounting packets to
be lost, say if your NAS goes down.

  It would be better to *always* log the accounting packets
*somewhere*.

  Alan DeKok.



Re: ip pool

2004-06-16 Thread Alan DeKok
"Marco Marques" <[EMAIL PROTECTED]> wrote:
> i what to know if its possible to use ippools and sql??
> i mean having a table with the ippools in the sql database

  Why?

  Alan DeKok.



Re: freeRADIUS+AD help

2004-06-16 Thread Michael Check
On 6/15/04 7:18 PM, Veerabhushan Hatte at <[EMAIL PROTECTED]> wrote:

> I was going through the mail responses and I am facing some problems with the
> same configuration. I have a few questions and your help is greatly appreciated.
> 1. Do I need to enable pam authentication to use LDAP?

I don't think so.  We do not have PAM active on our instance of radiusd.

> 2. If I need to use pam, do I need to install OpenLDAP to run LDAP on
> freeRADIUS?

I think you may need openLDAP installed when you compile radiusd.  We run
radiusd on OSX so we already had LDAP installed.  I think I saw your
original email that you were having trouble starting radiusd and one user
suggested that you needed openLDAP prior to compilation.  If it does in fact
now start, you can use the following edits to adjust your configs.  Ours works
like a charm now.

One pitfall we had is that when the user is looked up in AD, the cn= LDAP
property looks at AD's Display Name.  This means that if Michael Check is
logging in as [EMAIL PROTECTED], the Display Name in AD must also be the same
as the account name (user name).  The default in AD is to set cn as 'Michael
Check'.  You need to change it to 'mcheck'.

The same goes for the account that radiusd uses to look up the information
in the AD.  In our case ldapuser and radiusserver.

We still haven't figured out if there is an LDAP property that maps the
username to AD's account (user) name.  If you or others know of it, I'd like
to know.

> If you could send me the configuration file for LDAP configuration, it would
> be really helpful.

The following setup allows users to be authenticated off two different AD LDAP
servers depending on the domain (realm).  Users without a domain are
authenticated off the first AD LDAP server.

The requests come from a ras and a vpn concentrator on the foo1 network to
radiusd which is also on the foo1 network.

We use the AD property access_attr="msNPAllowDialin" to determine whether
the user can log in.  This is the boolean in AD whether to allow VPN/Dial-in
under the account properties.

clients.conf

#
client 192.168.2.28 {
secret= secretpass
shortname= vpn.foo1.com
nastype= cisco
}

client 192.168.2.29 {
secret= secretpass
shortname= ras.foo1.com
nastype= patton
}
#

proxy.conf

realm foo1.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}

realm foo2.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}


users


#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT	Auth-Type := system
#	Fall-Through = 1

#
# Setup all accounts to be checked against the MAI-LDAP module
# This is for users that do not specify a realm (ie. @foo.com)
#
DEFAULT	Autz-Type := FOO1
	Auth-Type := FOO1,
	Fall-Through = 1

DEFAULT Realm == "NULL", Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT Realm == "foo1.com", Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT	Realm == "foo2.com", Autz-Type := FOO2, Auth-Type := FOO2



radiusd.conf

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication (Auth-Type := LDAP)
#
#  See doc/rlm_ldap for description of configuration options
#  and sample authorize{} and authenticate{} blocks
ldap FOO1 {
server = "192.168.2.5"
identity = "cn=ldapuser,cn=users,dc=foo1,dc=com"
password = foopass
basedn = "cn=users,dc=foo1,dc=com"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
access_attr="msNPAllowDialin"
password_attribute=userPassword

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
start_tls = no
# set this to 'yes' to use TLS encrypted connections to the
# LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
# the ldap library.
tls_mode = no

# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1

ip pool

2004-06-16 Thread Marco Marques



Hi All,

i want to know if its possible to use ippools and sql??
i mean having a table with the ippools in the sql database

best regards

Marco Marques


Re: Rate limit radius requests

2004-06-16 Thread Matthew Schumacher
Alan DeKok wrote:
Kostas Kalevras <[EMAIL PROTECTED]> wrote:
You don't need to do code changes. Just use configurable failover
with the sql and detail modules.

  In 1.0.0, very true.  The only problem then comes in having an
external program read the "detail" file, and add the information to
the database.  This should probably NOT send the requests back through
the server...
  Any suggestions for a script to do this?
  Alan DeKok.
Okay,
I'll start reading up on getting the config together, as far as a script 
to read in the over flow that is trivial to do in perl.  Sounds like the 
code I was looking for is already there.

schu


Re: Rate limit radius requests

2004-06-16 Thread Matthew Schumacher
Kostas Kalevras wrote:
radrelay will send packets as fast as possible but will slow down if it does not
get responses.
The algorithm:
if (r->retrans_num > 20)
r->retrans = now + 70;
else
r->retrans = now + 3 + (3 * r->retrans_num);
so if your db is not fast enough radrelay will slow down according to your
radius server response time.

Are you sure?  My understanding is that radius replies but finds that it 
doesn't have a DB connection handle and drops the insert.

If you're right then much of my concerns are not valid.  If radius didn't 
reply then packets dropped due to lack of DB time would be retransmitted.

schu


Re: Freeradius versus Radiator study

2004-06-16 Thread Alan DeKok
Nuno Morgadinho <[EMAIL PROTECTED]> wrote:
> I'm doing a non-fundamentalist study about Freeradius versus Radiator
> (http://www.open.com.au/radiator/), costs not involved, to see what to
> use at work.
> 
> I'm looking for other studies, experiences, papers, opinions, etc. to
> cross notes on advantages and disadvantages of each.

  There isn't much publicly available.

  It really depends on what you want out of a server.

  FreeRADIUS is *much* faster than RADIATOR, and will scale much
better in high-load situations.  Radiator (being written in Perl) is
probably easier for the average person to customize.

  But FreeRADIUS is designed so that 99% of what people do is in the
default config, and Just Works.

> In terms of functionalities, we want to have PEAP and MS-CHAPv2 support.

  1.0.0 has this, and is interoperable with many clients.

> An administration tool, like dialup_admin, is greatly appreciated since in
> the end, it will be a large system.

  That will administer users, but you'll still have to edit the
server's other configuration files by hand.

  FreeRADIUS is currently being used in many systems with 10^6 or more
users.

  Alan DeKok.



Re: rlm_expr question

2004-06-16 Thread Alan DeKok
"nsinit" <[EMAIL PROTECTED]> wrote:
> >  You have to put the Value in back-quotes: `%{expr: %{Call-Refrence}`
>
>   I have tried it, but it didn't work.

  Then you're probably not using 1.0.0-pre*

  Alan DeKok.



Re: rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread Alan DeKok
"keith" <[EMAIL PROTECTED]> wrote:
>   rad_check_password:  Found Auth-Type MS-CHAP
> auth: type "MS-CHAP"
> modcall: entering group Auth-Type for request 0
>   rlm_mschap: No MS-CHAP-Challenge in the request

  You set Auth-Type = MS-CHAP.  Don't.

> Any pointers appreciated.

  Read the *rest* of the debug log, including the part where it prints
out the attributes in the Access-Request, and none of them are MS-CHAP.

  Alan DeKok.




Re: using free radius with TTLS/PEAP with MD5 hashed passwords

2004-06-16 Thread Alan DeKok
Robert Yeo <[EMAIL PROTECTED]> wrote:
> After reading the documentation, it seems that when TTLS or PEAP is used,
> there needs to be a text file or database with usernames and passwords in
> clear text

  No.  TTLS & PEAP have tunneled authentication methods.  Those
tunneled authentication methods have restrictions on what passwords
they take.

  PAP: clear-text or encrypted passwords
  CHAP: clear-text
  MS-CHAP (and variants): clear-text or NT-Password
  EAP-MD5: clear-text
  EAP-GTC: clear-text

> Currently, what we have is a MSSQL database which has a table of usernames
> and passwords hashed using MD5... 

  Then you can't use many of the authentication methods listed above,
independent of them being in TTLS or PEAP.

> My question is can we use PAP with TTLS or PEAP ... so that the password
> is encrypted over the air, decrypted by freeradius (or the access point
> and forwarded to freeradius ) and then freeradius encrypts the
> cleartext password into MD5 for a comparison with the database?

  TTLS supports tunneled PAP.  But the client has to be configured to
use PAP in the tunnel, and the server CANNOT tell the client to use
PAP.

  Alan DeKok.





Re: user groups in freeradius

2004-06-16 Thread Alan DeKok
"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> does freeradius server manage the user groups in its config file ?

  No.

> Because it's not possible for me to use unix group (/etc/group) ! :(

  Read the "man" page for "rlm_passwd".

  Alan DeKok.



Re: Rate limit radius requests

2004-06-16 Thread Alan DeKok
Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> You don't need to do code changes. Just use configurable failover
> with the sql and detail modules.

  In 1.0.0, very true.  The only problem then comes in having an
external program read the "detail" file, and add the information to
the database.  This should probably NOT send the requests back through
the server...

  Any suggestions for a script to do this?

  Alan DeKok.



Re: Rejecting Users when using mysql

2004-06-16 Thread Alan DeKok
"Linda Pagillo" <[EMAIL PROTECTED]> wrote:
> I have a quick question. I was reading the FAQ and i saw the
> instructions for rejecting users from authenticating when their
> account is suspended etc.. but from what i see, the instructions in
> the FAQ are for people using the "users" file for authentication. I
> have set my freeradius to use mysql instead of the users file. Does
> anyone know what i need to do to reject users in this case?

  You can put similar entries in the SQL database.  It takes username,
operator, and value, just like the "users" file.

  Alan DeKok.




Re: Modify packet proxied to a specific realm [Solved in 2 ways]

2004-06-16 Thread Alan DeKok
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> Since the atrr_rewrite module and the preproxy_users are said to be
> 'experimental' which one would you recommend for use in a production
> environment? Is any of this going to go away in 1.0.0 or the future?

  I would recommend preproxy_users, simply because it's easier to
configure.

  The only reason that both are marked "experimental" is that they
weren't heavily tested.  They're probably OK now (~8 months or more
after they were written.)

  Alan DeKok.




Re: Acct-Interim-Interval

2004-06-16 Thread Alan DeKok
Dale Tan Lee Cheong <[EMAIL PROTECTED]> wrote:
> I set the acct-interim-interval in access-reply as acct-interim-interval
> = 300 
...

  And the NAS doesn't do what you tell it.

  Fix the NAS.  There's nothing you can do to the server that will
make the NAS send accounting packets.

  Alan DeKok.




Re: TTLS + Cisco AP1100

2004-06-16 Thread Alan DeKok
Nuno Miguel Pais Fernandes <[EMAIL PROTECTED]> wrote:
> The problem seems to be here..
...
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user

  That would appear to be informative.

  You didn't tell the server how to authenticate the tunneled session.

  Alan DeKok.



Re: using free radius with TTLS/PEAP with MD5 hashed passwords

2004-06-16 Thread Kostas Kalevras
On Wed, 16 Jun 2004, Robert Yeo wrote:

> After reading the documentation, it seems that when TTLS or PEAP is used,
> there needs to be a text file or database with usernames and passwords in
> clear text

PEAP needs clear text
TTLS depends on the inner authentication mechanism. If you use PAP you don't
need clear text password you can have them encrypted in any form you want.

> ...
>
> Currently, what we have is a MSSQL database which has a table of usernames
> and passwords hashed using MD5... there is also a procedure on the MSSQL
> which can MD5 hash any given string ...
>
> My question is can we use PAP with TTLS or PEAP ... so that the password
> is encrypted over the air, decrypted by freeradius (or the access point
> and forwarded to freeradius ) and then freeradius encrypts the
> cleartext password into MD5 for a comparison with the database?

Why not just always keep the passwords encrypted? This on demand encryption does
not have any real point.

>
> Appreciate any pointers that you may have ... :)
>
> What I would like to have is:
>
> 1.  Passwords are encrypted in the air ... (from WiFi Card to AP,
> preferably with rotating keys)
> 2.  Passwords are decrypted by either AP or freeradius ... so that we can
> do MD5 on the clear text passwords ...
>
> Is this possible?
>
> --
> Robert Yeo
> Victoria Junior College
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

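The two replies above (Alan's table of which methods take which password forms, and Kostas's "TTLS with PAP does not need clear text") come down to one difference that is easy to see in code. The following is an added example, not FreeRADIUS code or anything from the thread: a PAP verifier that works against a store holding only MD5(password), next to a CHAP (RFC 1994) verifier that cannot, because the CHAP response is MD5 over the identifier, the clear secret and the challenge, and the stored digest is not a substitute for the secret. The password, challenge and exchange helper are constructed for the demo.

```python
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    """What the question's MSSQL table stores: MD5 of the password (constructed)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pap_verify(stored_md5_hex: str, password_from_tunnel: str) -> bool:
    """PAP inside TTLS: the server holds the clear password for the duration of
    the check, so it can apply whatever transform the store used (here MD5).
    The tunnel, not RADIUS itself, is what keeps the password off the air."""
    return hmac.compare_digest(md5_hex(password_from_tunnel), stored_md5_hex)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Client side of CHAP (RFC 1994): MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()


def chap_verify(ident: int, challenge: bytes, response: bytes, secret: str) -> bool:
    """Server side of CHAP: recompute the response and compare.  This only works
    when `secret` is the clear-text password.  Feeding MD5(password) in as the
    secret produces a different digest, because the challenge is hashed
    together with the secret itself, not with its digest."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def new_challenge(ident: int, secret: str):
    """Constructed CHAP exchange for the demo: a random 16-byte challenge and
    the response a client holding the clear secret would send back."""
    challenge = os.urandom(16)
    return ident, challenge, chap_response(ident, secret, challenge)
```

The same reasoning covers the rest of Alan's list: EAP-MD5 is CHAP carried in EAP, MS-CHAP needs the NT hash because that is what its response is computed from, and only PAP hands the server the value the store's own transform can be applied to. Because PAP gives the server the clear password, the server is free to check it against any hash the database holds; the unsalted MD5 in the question is what that store happens to contain, not a requirement of the method.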


rlm_mschap: No MS-CHAP-Challenge in the request

2004-06-16 Thread keith
freeradius 0.9.3 .

  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 0
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module "mschap" returns reject for request 0

Any pointers appreciated.

Keith



Re: About "rlm_sql (sql): Error getting data from database"

2004-06-16 Thread Michael Griego
On Wed, 2004-06-16 at 06:04, [EMAIL PROTECTED] wrote:
> rlm_sql: unknown attribute Auth_Type

Here's your problem.  Auth_Type is not a valid attribute.  Change that
to Auth-Type (dash, not underscore).

-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: Rejecting Users when using mysql

2004-06-16 Thread Thor Spruyt

- Original Message - 
From: "Linda Pagillo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 16, 2004 12:54 PM
Subject: Rejecting Users when using mysql


> Good morning everyone:

Good afternoon.

>
> I have a quick question. I was reading the FAQ and i saw the instructions
for rejecting users from authenticating when their account is suspended
etc.. but from what i see, the instructions in the FAQ are for people using
the "users" file for authentication. I have set my freeradius to use mysql
instead of the users file. Does anyone know what i need to do to reject
users in this case? Thank you.

If you just want "suspended", then I would add a column suspended and edit
the sql query in sql.conf
If you need more complex checking that can't be done with sql queries, then
you might look at the exec or perl modules to execute external scripts.

>
>


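Alan's answer (put username/attribute/op/value rows in SQL exactly as in the "users" file) and Thor's ("suspended" is just one more thing the check query returns) describe the same mechanism. Here is an added example, not FreeRADIUS code or the sql module's own logic: an in-memory SQLite radcheck table in the shape the rlm_sql debug output in this digest queries, a `suspend_user()` that adds the `Auth-Type := Reject` row, and an `evaluate()` that applies the check rows the way the users file does, so a suspended account is refused before its password is ever compared. Sample users, passwords and the NAS address are constructed.

```python
import hmac
import sqlite3

# Same query shape as the rlm_sql debug output earlier in this digest, but
# with the user name passed as a bound parameter instead of being spliced in.
CHECK_QUERY = ("SELECT id, UserName, Attribute, Value, Op FROM radcheck "
               "WHERE UserName = ? ORDER BY id")


def build_db():
    """In-memory radcheck table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, "
               "UserName TEXT, Attribute TEXT, Op TEXT, Value TEXT)")
    db.executemany(
        "INSERT INTO radcheck (UserName, Attribute, Op, Value) VALUES (?, ?, ?, ?)",
        [
            ("alice", "User-Password",  "==", "s3cret"),
            ("bob",   "Auth-Type",      ":=", "Reject"),      # bob is suspended
            ("bob",   "User-Password",  "==", "hunter2"),     # kept, but never decides
            ("carol", "User-Password",  "==", "pass"),
            ("carol", "NAS-IP-Address", "==", "192.0.2.10"),  # carol only from this NAS
        ])
    return db


def suspend_user(db, username):
    """Thor's 'suspended' flag, expressed the way Alan describes: one more
    check row.  Row order does not matter; evaluate() looks for it first."""
    db.execute("INSERT INTO radcheck (UserName, Attribute, Op, Value) "
               "VALUES (?, 'Auth-Type', ':=', 'Reject')", (username,))


def fetch_check_items(db, username):
    return [(attr, op, value)
            for _id, _user, attr, value, op in db.execute(CHECK_QUERY, (username,))]


def evaluate(db, request):
    """Return (decision, reason) for a request given as a dict of RADIUS
    attributes; decision is 'reject', 'accept' or 'noop' (no rows for the user,
    which is rlm_sql's notfound: another module may still authorize)."""
    items = fetch_check_items(db, request.get("User-Name", ""))
    if not items:
        return "noop", "no check items"
    # A forced Auth-Type := Reject wins regardless of any other row.
    if ("Auth-Type", ":=", "Reject") in items:
        return "reject", "Auth-Type := Reject"
    for attr, op, value in items:
        if op != "==":
            continue                      # ':=' / '+=' rows set things, they do not test
        got = request.get(attr)
        if got is None:
            return "reject", f"{attr} missing from request"
        same = (hmac.compare_digest(got, value) if attr == "User-Password"
                else got == value)
        if not same:
            return "reject", f"{attr} mismatch"
    return "accept", "all check items matched"
```

The point of checking for the Reject row before anything else is that it makes suspension independent of row ordering and of whether the user's password row is still present; deleting the password row instead would turn a suspended user into an unknown one, which may fall through to another module.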


Re: Rate limit radius requests

2004-06-16 Thread Mark Coccimiglio
Assuming you are running Linux.  You would do rate limiting in the OS.  
Check this out:
http://lartc.org/howto/lartc.qdisc.html

Matthew Schumacher wrote:
List,
Is there a way to rate limit radius requests in the freeradius server? 
Whenever the router guy kicks a router full of DSL connections we get 
a flood of radius accounting messages which overloads the database 
server causing "There are no DB handles to use!" error messages.  
While the DB can handle the current load, it can get overrun in 
certain circumstances.  I figure some form of rate limiting causing 
the radius server to only handle so many requests per second might be 
the solution to this.

Another question I have is what exactly happens when that error 
message is logged? Does radius retry inserting the accounting record 
or does it simply drop it?

Thanks,
schu




using free radius with TTLS/PEAP with MD5 hashed passwords

2004-06-16 Thread Robert Yeo
After reading the documentation, it seems that when TTLS or PEAP is used,
there needs to be a text file or database with usernames and passwords in
clear text
...

Currently, what we have is a MSSQL database which has a table of usernames
and passwords hashed using MD5... there is also a procedure on the MSSQL
which can MD5 hash any given string ...

My question is can we use PAP with TTLS or PEAP ... so that the password
is encrypted over the air, decrypted by freeradius (or the access point
and forwarded to freeradius ) and then freeradius encrypts the
cleartext password into MD5 for a comparison with the database?

Appreciate any pointers that you may have ... :)

What I would like to have is:

1.  Passwords are encrypted in the air ... (from WiFi Card to AP,
preferably with rotating keys)
2.  Passwords are decrypted by either AP or freeradius ... so that we can
do MD5 on the clear text passwords ...

Is this possible?

--
Robert Yeo
Victoria Junior College




Problem with C++

2004-06-16 Thread l . gaillard01

Hi all,

I'm trying to add a rlm_ module in C++ (freeradius 0.9.3). I have no problem with
the compilation and installation but when I try to start Radius using radiusd
-X, I get the message:

radiusd.conf[504] Failed to link to module 'rlm_test': file not found

I don't understand why it doesn't work. The modules are in /usr/local/lib like the
others...
And this module was functional when using C.
Please help me.
Thanks in advance.

Laurent

PS: if you need other information, I will send it afterwards, but not right now.



About "rlm_sql (sql): Error getting data from database"

2004-06-16 Thread edward
Hi, I am a fresh user.
I configured Freeradius 0.93 on my linux box. It can work with the users file
authentication but not with my postgreSQL. What can I do?
Here is the message, Please help me!

=

rad_recv: Access-Request packet from host 10.0.0.9:32769, id=61, length=58
User-Name = "george"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_realm: No '@' in User-Name = "george", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat:  'george'
rlm_sql (sql): sql_set_user escaped user --> 'george'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE
Username = 'george' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = 'george' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName,
radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM
radgroupcheck, usergroup WHERE usergroup.Username = 'george' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName,
radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM
radgroupcheck, usergroup WHERE usergroup.Username = 'george' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows = 
rlm_sql: unknown attribute Auth_Type
rlm_sql (sql): Error getting data from database
=

Here is the FreeRadius startup log:



Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/postgresql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = yes
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
:
 dead_time = 120
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 

user groups in freeradius

2004-06-16 Thread Lionel Gavage

Hi,

does freeradius server manage the user groups in its config file ?
Because it's not possible for me to use unix group (/etc/group) ! :(

So, i tested this:


# Authorise certain logins
DEFAULT Auth-Type := LDAP, NAS-IP-Address == "xxx.xxx.xxx.xxx", User-Name =~
"id1|id2|id3|id4"
  Fall-Through = No

But the problem is that the line is too long (about 50 usernames). And thus I
would like to create a group with all these usernames.

Thks

Lionel.


Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]


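One thing worth knowing about the `User-Name =~ "id1|id2|id3|id4"` check item above, before moving the list into a group as Alan suggests with rlm_passwd: a `=~` comparison is an unanchored regular expression, so it succeeds whenever the pattern matches anywhere in the value, and `id1|id2` therefore also admits names such as `xid1` or `id10`. The following is an added example, not FreeRADIUS code: it shows the unintended matches, builds a properly anchored and escaped alternation from a list of names, and reads the same list from a constructed colon-separated group file (rlm_passwd's field layout is configurable; the format here is an assumption for the demo). All user and group names are constructed.

```python
import re

# Constructed: the four logins from the users entry above.
ALLOWED = ["id1", "id2", "id3", "id4"]


def unanchored_match(pattern, username):
    """How a =~ check item behaves: match anywhere in the attribute value."""
    return re.search(pattern, username) is not None


def anchored_pattern(names):
    """Alternation that only matches a whole user name; re.escape() keeps
    dots and other metacharacters in real names from widening the match."""
    return "^(" + "|".join(re.escape(n) for n in names) + ")$"


# Constructed group file: "group:member,member,...", one group per line.
GROUP_FILE = """\
# dial-in / VPN users allowed on this NAS
vpnusers:id1,id2,id3,id4
admins:id9
"""


def load_groups(text):
    """Parse the group file into {group: set(members)}, skipping comments."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        groups[group.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def allowed_by_group(username, groups, group="vpnusers"):
    """Exact-membership test: no substring surprises, and the users entry
    no longer needs to carry fifty names on one line."""
    return username in groups.get(group, set())
```

Whichever route is taken, an allow-list that gates NAS access should match whole names; with the regex form that means `^(...)$`, with a group lookup it means set membership, as above.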


Re: Rate limit radius requests

2004-06-16 Thread Kostas Kalevras
On Tue, 15 Jun 2004, Matthew Schumacher wrote:

> Alan DeKok wrote:
> > Matthew Schumacher <[EMAIL PROTECTED]> wrote:
> > ...
> >
> > http://lists.freeradius.org/pipermail/freeradius-users/2004-June/032678.html
> >
> >   Alan DeKok.
> >
>
> I never saw that and assumed my message never made it... After fighting
> with the list trying to make it work I subscribed with another account
> and asked again.  Sorry...
>
> Anyway:
>
>
>  > Or, if the rate gets too high, *stop* logging to the database, and
>  > use a "detail" file.  Then, when the rate drops, feed the detail file
>  > back into the server.
>
> I know how to feed the detail file back to the server with the radrelay
> util, but wouldn't that require me to run two radius servers?  One
> configured to accept accounting from the NAS logging to a detail file,
> and another configured to write to the DB?  Also, say I did all that,
> the radrelay tool sends radius accounting messages even faster than the
> nas.  Perhaps I'm missing something, but AFAIK the only way to ensure

radrelay will send packets as fast as possible but will slow down if it does not
get responses.
The algorithm:

if (r->retrans_num > 20)
r->retrans = now + 70;
else
r->retrans = now + 3 + (3 * r->retrans_num);


so if your db is not fast enough radrelay will slow down according to your
radius server response time.

> that the data is put in the database is to have a very fast database
> that can handle the connection rate of radrelay or a fast NAS with a
> zillion clients authenticating at once.  It would be great if the server
> would reject accounting messages if there isn't a DB handle that way
> accounting would fail over to the secondary where the message is queued
> to be forwarded back to the primary when it comes back.  This would make
> having a DB backend much more accurate for accounting.
>
> I suppose sending everything to a server acting as an accounting proxy
> with network rate limiting between it and the server with the DB backend
> could work but that solution seems more complex than it should be.
>
> thanks,
>
> schu
>
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Rate limit radius requests

2004-06-16 Thread Kostas Kalevras
On Tue, 15 Jun 2004, Matthew Schumacher wrote:

> Alan DeKok wrote:
> > "Gary McKinney" <[EMAIL PROTECTED]> wrote:
> >
> >>From following this thread I am wondering how many transactions a
> >>second a DB can successfully perform before the system starts
> >>to lose information???
> >
> >
> >   That depends on the DB.  Oracle is fast, PostGreSQL is fast, MySQL
> > is less fast.
> >
> >
> >>I am wondering for a given platform and OS (such as linux or FreeBSD
> >>running on a 2.0Ghz based system with 1-Gig of RAM and fast SCSI
> >>hard-drive subsystem) how many transactions can the FreeRadius
> >>system handle in a second???
> >
> >
>
> I use postgres and have done a bit of tuning so it's as fast as it's
> going to be on this hardware, but even with very fast servers there are
> only so many inserts you can do at a time before you run out of DB
> connection handles, and this is almost always going to happen long before
> radius reaches its processing limits, especially when you have several
> million rows like I do.
>
> I think the most graceful way to handle this would be to add a function
> to rlm_sql that writes the accounting packet to a detail log then call
> that before returning RLM_MODULE_FAIL.  The name of the file could be
> defined in the sql {} part of the config file.  This way any sql based
> failures will at least be written somewhere instead of lost forever.
> This detail file could be fed back to the server at some other point in
> time.

You don't need to do code changes. Just use configurable failover with the sql
and detail modules.

>
> I'm a very poor C programmer, so before I start looking into this further
> perhaps Alan can comment on any problems he sees with this and describe
> any problems I may run into with calling rlm_detail from rlm_sql.
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

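Kostas's suggestion (and Alan's earlier advice to fall back to a detail file when the database cannot keep up) as an added radiusd.conf example; this is not configuration from the original posts or from the FreeRADIUS distribution, and the instance name sql_failover_log and its detailfile path are assumptions:

```conf
# Added example (not from the original posts or the FreeRADIUS distribution):
# configurable failover from rlm_sql to a second rlm_detail instance.
# The instance name "sql_failover_log" and the detailfile path are assumptions.

modules {
        # The regular sql { ... } and detail { ... } instances stay as
        # already configured; only the extra detail instance below is new.

        # Second instance of the detail module, written only when sql fails.
        detail sql_failover_log {
                detailfile = ${radacctdir}/sql-failover/detail-%Y%m%d
                detailperm = 0600
        }
}

accounting {
        # Normal accounting detail file, always written.
        detail

        # Modules inside a "redundant" block are tried in order and the
        # next one runs only if the previous one returned fail, so
        # sql_failover_log is used only when sql fails (no free handle,
        # database down, insert error). The record is then on disk
        # instead of lost forever.
        redundant {
                sql
                sql_failover_log
        }
}
```

The failover file has the same format as the normal detail file, so it can be replayed into the server with radrelay once the database is reachable again, as discussed earlier in the thread.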


RE: Change the proxy access-accept into a access-reject

2004-06-16 Thread Sylvain Toe
"Sylvain Toe" <[EMAIL PROTECTED]> wrote:
>> I want my PROXY radius to:
>> - Send an access-reject when receiving an access-accept from the
REMOTE
>> radius. 
>> - Send an access-accept when receiving an access-reject from the
REMOTE
>> radius.
>> Is it something possible (with freeradius 0.9.3)?

>  Not really.
>
>  If you create your own module, you should be able to do this.
>
>  Alan DeKok.
>


Does someone have an idea how to start this?
Which files define the logic of the proxy process in source
code? 
Thanks

Sylvain



Rejecting Users when using mysql

2004-06-16 Thread Linda Pagillo
Good morning everyone:

I have a quick question. I was reading the FAQ and I saw the instructions for 
rejecting users from authenticating when their account is suspended etc., but from 
what I see, the instructions in the FAQ are for people using the "users" file for 
authentication. I have set my freeradius to use mysql instead of the users file. Does 
anyone know what I need to do to reject users in this case? Thank you.



Re: Modify packet proxied to a specific realm [Solved in 2 ways]

2004-06-16 Thread Kostas Zorbadelos
At Tue, 15 Jun 2004 11:55:00 -0400,
Alan DeKok wrote:
> 
>   Please don't CC me on messages.  I already read the list, and I
> don't need to see the same message twice.
>
Sorry Alan (replied to all by accident)

> > I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
> > attributes (Location-Id, LocationName and LogoffUrl) to the access request
> > packets and 2 attributes (Location-Id, Location-Name) to the
> > accounting packets before they get proxied to the home radius.  
> 
>   In preproxy_users, you should be able to do:
> 
> #---
> DEFAULT   User-Name =~ "@testrealm$", Packet-Type == Access-Request
>   Wispr-Location-Id = "foo",
>   Wispr-LocationName = "bar",
>   ...
>
After adding the files module in the pre-proxy section, it worked like a charm.
Wonderful and elegant configuration (much better than the one I came
up with). Since the attr_rewrite module and
the preproxy_users are said to be 'experimental', which one would you
recommend for use in a production environment? Is any of this going to
go away in 1.0.0 or the future?

Thanks for everything.
 
--   
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Freeradius versus Radiator study

2004-06-16 Thread Nuno Morgadinho
I am doing a non-fundamentalist study about Freeradius versus Radiator
(http://www.open.com.au/radiator/), costs not involved, to see what to
use at work.

I am looking for other studies, experiences, papers, opinions, etc. to
cross notes on the advantages and disadvantages of each.

In terms of functionality, we want to have PEAP and MS-CHAPv2 support.
An administration tool, like dialup_admin, is greatly appreciated since in
the end, it will be a large system.

Thanking you in advance,

-- 
Nuno Morgadinho



rlm_sqlcounter query parameter

2004-06-16 Thread apellido jr., wilfredo p.



Hello, is it possible to define the query parameters 
in sqlcounter.conf?
 
%k = 
%b = 
 
I just want to specify the date range over which the 
AcctSessionTime will be computed (SUM). 
 


Acct-Interim-Interval

2004-06-16 Thread Dale Tan Lee Cheong
I'm running FreeBSD 4.9 and 5.2.1 with freeradius version 0.9.3.
The Radius server is running on FreeBSD 4.9 and another server acts as
the NAS gear (FreeBSD 5.2.1).

I set the acct-interim-interval in access-reply as acct-interim-interval
= 300 

Here's the debug with radiusd -X

rad_recv: Access-Request packet from host 10.150.15.134:49386, id=116,
length=84
User-Name = "test"
Service-Type = Framed-User
Framed-Protocol = PPP
User-Password = "test"
NAS-Identifier = "nas1.eb.com.my"
NAS-Port-Type = Ethernet
NAS-Port = 49
modcall: entering group authorize for request 194
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 194
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 194
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'test' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 194
modcall: group authorize returns ok for request 194
  rad_check_password:  Found Auth-Type MD5
auth: type "MD5"
modcall: entering group authtype for request 194
rlm_pap: login attempt by "test" with password test
rlm_pap: Using password "098f6bcd4621d373cade4e832627b4f6" for user test
authentication.
rlm_pap: Using MD5 encryption.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok for request 194
modcall: group authtype returns ok for request 194
modcall: entering group session for request 194
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT COUNT(*) FROM radacct WHERE UserName='test' AND
AcctStopTime = 0'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
  modcall[session]: module "sql" returns ok for request 194
modcall: group session returns ok for request 194
Login OK: [test] (from client pppoe-in4 port 49)
Sending Access-Accept of id 116 to 10.150.15.134:49386
Session-Timeout = 4294967295
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Acct-Interim-Interval = 300
Framed-Pool = "unrestricted"
Finished request 194
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 10.150.15.134:49387,
id=120, length=114
User-Name = "test"
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.1.4.192
Framed-IP-Netmask = 0.0.0.0
NAS-Identifier = "nas1.eb.com.my"
NAS-Port-Type = Ethernet
NAS-Port = 49
Acct-Status-Type = Start
Acct-Session-Id = "55565-test1087374373"
Acct-Multi-Session-Id = ""
Acct-Delay-Time = 0
modcall: entering group preacct for request 195
  modcall[preacct]: module "preprocess" returns noop for request 195
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 195
acct_users: Matched DEFAULT at 22
  modcall[preacct]: module "files" returns ok for request 195
modcall: group preacct returns ok for request 195
modcall: entering group accounting for request 195
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address =
10.150.15.134,NAS-IP-Address = 10.150.15.134,Acct-Session-Id =
"55565-test1087374373",User

Re: TTLS + Cisco AP1100

2004-06-16 Thread Nuno Miguel Pais Fernandes
The problem seems to be here..

  modcall[authorize]: module "auth_log" returns ok for request 4
rlm_realm: Looking up realm "eurotux.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "eurotux.com"
rlm_realm: Adding Stripped-User-Name = "User1"
rlm_realm: Proxying request from user User1 to realm eurotux.com
rlm_realm: Adding Realm = "eurotux.com"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns ok for request 4
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds


Any suggestions?
Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:47, Nuno Miguel Pais Fernandes wrote:
> Ooopps..
> 
> I do see User1.. but I see [EMAIL PROTECTED]
> 
> How do I rewrite it to remove the realm so there is a match in the users file?
> 
> Thanks
> Nuno Fernandes
> 
> On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
> > Hello,
> > 
> > I'm having problems authenticating Windows XP clients using EAP-TTLS
> > (I'm using the SecureW2 plugin) with Freeradius-1.0.0-pre2.
> > 
> > In the logs I only see the outer authentication "[EMAIL PROTECTED]".
> > Does anyone have it working?
> > Thanks
> > 
> > Nuno Fernandes
> > 
> > Freeradius config:
> > eap {
> >     default_eap_type = ttls
> >     timer_expire = 60
> >     ignore_unknown_eap_types = no
> >     cisco_accounting_username_bug = no
> > 
> >     md5 {
> >     }
> > 
> >     tls {
> >         private_key_password = whatever
> >         private_key_file = ${raddbdir}/certs/cert-srv.pem
> > 
> >         certificate_file = ${raddbdir}/certs/cert-srv.pem
> >         CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> >         dh_file = ${raddbdir}/certs/dh
> >         random_file = ${raddbdir}/certs/random
> >         fragment_size = 1024
> >         include_length = yes
> >     }
> >     #
> >     ttls {
> >         #default_eap_type = md5
> >         #copy_request_to_tunnel = no
> >         use_tunneled_reply = yes
> >     }
> > 
> >     peap {
> >         default_eap_type = mschapv2
> >     }
> > 
> >     mschapv2 {
> >     }
> > }
> > 
> > 
> > Users File:
> > User1   User-Password == "passwd1"
> >     Tunnel-Type:0 = VLAN,
> >     Tunnel-Medium-Type:0 = IEEE-802,
> >     Tunnel-Private-Group-Id:0 = "4"
> > 
> > 
> > 
> > 
> > Freeradius logs show:
> > 
> > rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10,
> > length=157
> > User-Name = "[EMAIL PROTECTED]"
> > Framed-MTU = 1400
> > Called-Station-Id = "0002.8a21.1129"
> > Calling-Station-Id = "000f.3d87.543f"
> >     NAS-Port-Type = Wireless-802.11
> > Message-Authenticator = 0xa3d8d84921101a1ae828ca990746dab1
> > EAP-Message =
> > 0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
> > NAS-Port-Type = Virtual
> > NAS-Port = 20
> > Service-Type = Login-User
> > NAS-IP-Address = 192.168.0.253
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> > radius_xlat: 
> > '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
> > rlm_detail:
> > /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
> > to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
> >   modcall[authorize]: module "auth_log" returns ok for request 0
> > rlm_realm: Looking up realm "eurotux.com" for User-Name =
> > "[EMAIL PROTECTED]"
> > rlm_realm: Found realm "eur

Re: TTLS + Cisco AP1100

2004-06-16 Thread Nuno Miguel Pais Fernandes
Ooopps..

I do see User1.. but I see [EMAIL PROTECTED]

How do I rewrite it to remove the realm so there is a match in the users file?

Thanks
Nuno Fernandes

On Wed, 2004-06-16 at 09:36, Nuno Miguel Pais Fernandes wrote:
> Hello,
> 
> I'm having problems authenticating Windows XP clients using EAP-TTLS
> (I'm using the SecureW2 plugin) with Freeradius-1.0.0-pre2.
> 
> In the logs I only see the outer authentication "[EMAIL PROTECTED]".
> Does anyone have it working?
> Thanks
> 
> Nuno Fernandes
> 
> Freeradius config:
> eap {
>     default_eap_type = ttls
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
> 
>     md5 {
>     }
> 
>     tls {
>         private_key_password = whatever
>         private_key_file = ${raddbdir}/certs/cert-srv.pem
> 
>         certificate_file = ${raddbdir}/certs/cert-srv.pem
>         CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>         dh_file = ${raddbdir}/certs/dh
>         random_file = ${raddbdir}/certs/random
>         fragment_size = 1024
>         include_length = yes
>     }
>     #
>     ttls {
>         #default_eap_type = md5
>         #copy_request_to_tunnel = no
>         use_tunneled_reply = yes
>     }
> 
>     peap {
>         default_eap_type = mschapv2
>     }
> 
>     mschapv2 {
>     }
> }
> 
> 
> Users File:
> User1   User-Password == "passwd1"
>     Tunnel-Type:0 = VLAN,
>     Tunnel-Medium-Type:0 = IEEE-802,
>     Tunnel-Private-Group-Id:0 = "4"
> 
> 
> 
> 
> Freeradius logs show:
> 
> rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10,
> length=157
> User-Name = "[EMAIL PROTECTED]"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a21.1129"
> Calling-Station-Id = "000f.3d87.543f"
> NAS-Port-Type = Wireless-802.11
> Message-Authenticator = 0xa3d8d84921101a1ae828ca990746dab1
> EAP-Message =
> 0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
> NAS-Port-Type = Virtual
> NAS-Port = 20
> Service-Type = Login-User
> NAS-IP-Address = 192.168.0.253
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: 
> '/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
> rlm_detail:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
> to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
>   modcall[authorize]: module "auth_log" returns ok for request 0
> rlm_realm: Looking up realm "eurotux.com" for User-Name =
> "[EMAIL PROTECTED]"
> rlm_realm: Found realm "eurotux.com"
> rlm_realm: Adding Stripped-User-Name = "anonymous"
> rlm_realm: Proxying request from user anonymous to realm eurotux.com
> rlm_realm: Adding Realm = "eurotux.com"
> rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 1 length 26
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>   modcall[authorize]: module "files" returns notfound for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 10 to 192.168.0.253:1645
> EAP-Message = 0x010200061520
> Message-Authenticator = 0x
> State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.0.253:1645, id=11,
> length=209
> User-Name = "[EMAIL PROTECTED]"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a21.1129"
> Calling-Station-Id = "0

TTLS + Cisco AP1100

2004-06-16 Thread Nuno Miguel Pais Fernandes
Hello,

I'm having problems authenticating Windows XP clients using EAP-TTLS
(I'm using the SecureW2 plugin) with Freeradius-1.0.0-pre2.

In the logs I only see the outer authentication "[EMAIL PROTECTED]".
Does anyone have it working?
Thanks

Nuno Fernandes

Freeradius config:
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem

        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
    }
    #
    ttls {
        #default_eap_type = md5
        #copy_request_to_tunnel = no
        use_tunneled_reply = yes
    }

    peap {
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}


Users File:
User1   User-Password == "passwd1"
    Tunnel-Type:0 = VLAN,
    Tunnel-Medium-Type:0 = IEEE-802,
    Tunnel-Private-Group-Id:0 = "4"




Freeradius logs show:

rad_recv: Access-Request packet from host 192.168.0.253:1645, id=10,
length=157
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1400
Called-Station-Id = "0002.8a21.1129"
Calling-Station-Id = "000f.3d87.543f"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xa3d8d84921101a1ae828ca990746dab1
EAP-Message =
0x0201001a01616e6f6e796d6f7573406575726f7475782e636f6d
NAS-Port-Type = Virtual
NAS-Port = 20
Service-Type = Login-User
NAS-IP-Address = 192.168.0.253
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: 
'/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.0.253/auth-detail-20040616
  modcall[authorize]: module "auth_log" returns ok for request 0
rlm_realm: Looking up realm "eurotux.com" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: Found realm "eurotux.com"
rlm_realm: Adding Stripped-User-Name = "anonymous"
rlm_realm: Proxying request from user anonymous to realm eurotux.com
rlm_realm: Adding Realm = "eurotux.com"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 26
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 10 to 192.168.0.253:1645
EAP-Message = 0x010200061520
Message-Authenticator = 0x
State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.253:1645, id=11,
length=209
User-Name = "[EMAIL PROTECTED]"
Framed-MTU = 1400
Called-Station-Id = "0002.8a21.1129"
Calling-Station-Id = "000f.3d87.543f"
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0x13fa184ce90d2922912773ddc1189ee5
EAP-Message =
0x0202003c15800032160301002d012903017803310085f1af3aaa504b75c9a1e5942f5e4cdcdd3b5d06f7548d8550ad020f02000a0100
NAS-Port-Type = Virtual
NAS-Port = 20
State = 0x41fe77eda11d1a9b9c7fa714fd945f6e
Service-Type = Login-User
NAS-IP-Address = 192.168.0.253
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: 
'/var/log/radius/radacct/192.168.0.253/auth-detail-20040616'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radi

Re: Logs say I am authentication is OK but XP tells me it's not?

2004-06-16 Thread keith
Please disregard this message, I have checked /var/log/messages and found
CHAP gave a Reject message.

- Original Message -
From: "keith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 16, 2004 5:11 PM
Subject: Logs say I am authentication is OK but XP tells me it's not?


> My guess is the pass to the accounting software fails.
> Any ideas?
>
> modcall: entering group Auth-Type for request 7
>   rlm_mschap: doing MS-CHAPv2 with NT-Password
> rlm_mschap: adding MS-CHAPv2 MPPE keys
>   modcall[authenticate]: module "mschap" returns ok for request 7
> modcall: group Auth-Type returns ok for request 7
> Sending Access-Accept of id 168 to 127.0.0.1:32771
> MS-CHAP2-Success =
>
0xb1533d3741323445414238324631344534363231443933383031443937363042383631
> 323937324536
> MS-MPPE-Recv-Key = 0xe7005a9b1186781b542a359447036115
> MS-MPPE-Send-Key = 0x8c6fb74b3aa4539ed38ced254af2e7e0
> MS-MPPE-Encryption-Policy = 0x0001
> MS-MPPE-Encryption-Types = 0x0006
>
> Keith
>
>




Logs say I am authentication is OK but XP tells me it's not?

2004-06-16 Thread keith
My guess is the pass to the accounting software fails.
Any ideas?

modcall: entering group Auth-Type for request 7
  rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 7
modcall: group Auth-Type returns ok for request 7
Sending Access-Accept of id 168 to 127.0.0.1:32771
MS-CHAP2-Success =
0xb1533d3741323445414238324631344534363231443933383031443937363042383631
323937324536
MS-MPPE-Recv-Key = 0xe7005a9b1186781b542a359447036115
MS-MPPE-Send-Key = 0x8c6fb74b3aa4539ed38ced254af2e7e0
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006

Keith

