NAS and Accounting Update

2004-06-18 Thread Dale Tan Lee Cheong
Thanks Alan for the previous answer. I've been doing some research
regarding the FreeBSD built-in radclient and libradius. They currently
don't support accounting update features.

Is there anyone using FreeBSD ppp with accounting update? I
couldn't find anything on the Net. Thanks in advance.
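
As an added worked example (my code, not part of Dale's message and not
code from the FreeBSD tools he mentions): the "accounting update" is a
RADIUS Accounting-Request carrying Acct-Status-Type = Interim-Update
(RFC 2866). The Python below builds such a packet with the standard
library only and shows the Request Authenticator check a server performs
on it. The shared secret, NAS address, session id and counters are
made-up test values.

```python
# Added example: build and verify a RADIUS Accounting-Request with
# Acct-Status-Type = Interim-Update (RFC 2866). Standard library only.
# The shared secret, NAS address, session id and octet counters used in
# the self-test at the bottom are made-up values.
import hashlib
import struct

ACCOUNTING_REQUEST = 4
ATTR = {  # RFC 2865/2866 attribute numbers used here
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5,
    "Acct-Status-Type": 40, "Acct-Input-Octets": 42, "Acct-Output-Octets": 43,
    "Acct-Session-Id": 44, "Acct-Session-Time": 46,
}
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}
INT_ATTRS = {ATTR[n] for n in ("NAS-Port", "Acct-Status-Type", "Acct-Session-Time",
                               "Acct-Input-Octets", "Acct-Output-Octets")}


def _avp(attr_type, value):
    """Encode one attribute as Type / Length / Value (Length covers the header)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_interim_update(secret, ident, user, session_id, nas_ip, nas_port,
                         session_time, in_octets, out_octets):
    """Return the on-wire Accounting-Request.

    RFC 2866: Request Authenticator = MD5(Code + Identifier + Length +
    16 zero bytes + Attributes + Secret). NAS-IP-Address is four raw
    bytes, the counters are 32-bit unsigned integers.
    """
    attrs = b"".join([
        _avp(ATTR["User-Name"], user),
        _avp(ATTR["NAS-IP-Address"], bytes(int(o) for o in nas_ip.split("."))),
        _avp(ATTR["NAS-Port"], nas_port),
        _avp(ATTR["Acct-Status-Type"], ACCT_STATUS["Interim-Update"]),
        _avp(ATTR["Acct-Session-Id"], session_id),
        _avp(ATTR["Acct-Session-Time"], session_time),
        _avp(ATTR["Acct-Input-Octets"], in_octets),
        _avp(ATTR["Acct-Output-Octets"], out_octets),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the Request Authenticator with the shared
    secret. A mismatch means a forged or corrupted record; RFC 2866 says the
    server must silently discard it (no Accounting-Response)."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Decode the attribute list into {type: value}; integer-typed attributes
    come back as ints, everything else as raw bytes."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = packet[pos + 2:pos + l]
        out[t] = struct.unpack("!I", raw)[0] if t in INT_ATTRS else raw
        pos += l
    return out


if __name__ == "__main__":
    pkt = build_interim_update(b"testing123", 7, "dale", "0000A1B2",
                               "192.0.2.10", 1, 600, 123456, 654321)
    print(verify_accounting_request(pkt, b"testing123"), parse_attributes(pkt))
```

The same builder covers Start and Stop records by changing the
Acct-Status-Type value; a NAS sends Interim-Update at the interval the
server asks for in Acct-Interim-Interval, so the verify step is the one
worth keeping on the server side: an accounting record whose
authenticator does not check out must not update any session state.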




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius/LDAP conf : little problem

2004-06-18 Thread Arnauld Dravet
Hello

I'm facing some kind of configuration trouble with freeradius and openldap. I 
got a new Access Point which I'm trying to use with 802.1x auth.


I'm using a classical samba/qmail LDAP schema so that users in the company can 
authenticate against ldap with win/linux workstations. Basically, I have 3 
password fields, lmPassword, ntPassword, and userPassword. All of them are 
encrypted and there is no 0x in front of the ntPassword.

The ldap section in radiusd.conf seems to be ok, the connection is done, and I've 
set the password_attribute to userPassword and later to ntPassword to check 
if it changed anything to the problem (no).

Other sections i'm using:

authorize {
  preprocess
  auth_log
  ldap
  eap
}

authenticate {
  eap
}

Now, when I set up an 802.1x client, the AP connects to the radius server and here 
is the debug output:

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
NAS-IP-Address = 192.168.6.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Framed-MTU = 1400
User-Name = arnauld.dravet
Calling-Station-Id = 00904b625711
Called-Station-Id = 000d54fc1807
NAS-Identifier = EPSI AP1
State = 0xa63191155f9268efbcad3167d4e42e90
EAP-Message = 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
radius_xlat:  '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
  modcall[authorize]: module auth_log returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat:  '((objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter 
((objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 3
  rlm_eap: EAP packet type response id 2 length 36
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type LDAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'arnauld.dravet'
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [arnauld.dravet/no User-Password attribute] (from client ap1 
port 1 cli 00904b625711)
Delaying request 3 for 2 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 71 to 192.168.6.3:1134
EAP-Message = 0x04020004
Message-Authenticator = 0x
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 70 with timestamp 40d298d0
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 71 with timestamp 40d298d1
Nothing to do.  Sleeping until we see a request.


I've been stuck on this problem for two days, I think I've read all the 
documentation and mailing list archives... I've tried different things, but it 
still finishes with a message saying it is missing the User-Password attribute... I've 
of course also tried to use ldap in the authenticate section. I tested the initial 
config with radtest and it worked fine when I used ldap in the authenticate 
section, because radtest won't use eap...

Thanks for any help you can give :)

-- 
Arnauld Dravet
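
As an added example (my code, not part of Arnauld's message or of
FreeRADIUS): the Python below decodes the EAP-Message attribute from the
debug output above and shows what rlm_eap_md5 has to compute to check it.
The EAP-MD5 response is MD5(Identifier || cleartext password ||
challenge), so the server needs the cleartext password; a userPassword
stored as a {CRYPT}, {SSHA} or MD5-crypt hash cannot be used, which is
exactly what "User-Password is required for EAP-MD5 authentication"
means. The challenge and password in the self-test are made up; the real
challenge sits in the server's earlier EAP-Request, which is not in the
posted log.

```python
# Added example: parse the EAP-Message values printed by radiusd -X and
# verify an EAP-MD5 (MD5-Challenge) response the way a server must.
# The challenge/password used in the self-test are made-up values.
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP"}


def parse_eap(hexstr):
    """Parse one EAP packet (RFC 3748) given as the 0x... string radiusd prints."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):          # Success / Failure carry no Type or data
        return pkt
    pkt["type"] = EAP_TYPES.get(data[4], data[4])
    body = data[5:]
    if data[4] == 4:            # MD5-Challenge: Value-Size, Value, Name (RFC 3748 5.4)
        size = body[0]
        if 1 + size > len(body):
            raise ValueError("MD5-Challenge value runs past the packet")
        pkt["value"] = body[1:1 + size]
        pkt["name"] = body[1 + size:].decode("ascii", "replace")
    elif data[4] == 1:          # Identity: the bare identity string
        pkt["identity"] = body.decode("utf-8", "replace")
    else:
        pkt["data"] = body
    return pkt


def md5_challenge_response(ident, password, challenge):
    """RFC 1994 / RFC 3748: Value = MD5(Identifier || cleartext password ||
    challenge). The server must redo this, hence the cleartext requirement."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def check_md5_response(response_pkt, password, challenge):
    """Server-side verification of a parsed MD5-Challenge Response."""
    if response_pkt["code"] != "Response" or response_pkt.get("type") != "MD5-Challenge":
        return False
    expected = md5_challenge_response(response_pkt["id"], password, challenge)
    return hmac.compare_digest(expected, response_pkt["value"])


# The two EAP-Message values from the posted debug output.
REQUEST_EAP = "0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574"
REJECT_EAP = "0x04020004"

if __name__ == "__main__":
    print(parse_eap(REQUEST_EAP))   # Response, id 2, MD5-Challenge, name arnauld.dravet
    print(parse_eap(REJECT_EAP))    # Failure, id 2
```

The decoded request is an EAP Response, identifier 2, type MD5-Challenge,
with a 16-byte response value and the name arnauld.dravet; the
Access-Reject carries EAP Failure with the same identifier. The practical
consequence for an LDAP backend is that EAP-MD5 (like MS-CHAP against a
{CRYPT} hash) only works if rlm_ldap can hand the server a cleartext
password; otherwise an EAP method that carries the password inside a TLS
tunnel (TTLS/PAP) is the one that can be checked against a hash.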






Re: (no subject)

2004-06-18 Thread Dave Shepherd
On Thu, 2004-06-17 at 16:33, Maqbool Hashim wrote:
 Is it possible to get a Windows Domain Controller to authenticate via 
 radius? Has anyone got this working?

Could you please expand on what your requirements are.

I have users authenticating against a Windows BDC via radius, if that is
what you require advice on.

Dave


IMPORTANT - this email and the information in it may be confidential, legally 
privileged and/or protected by law.  It is intended solely for the use of the person 
to whom it is addressed.  If you are not the intended recipient, please notify the 
sender immediately and do not disclose the contents to any other person, use it for 
any purpose, or store or copy the information in any medium.  Please also delete all 
copies of this email and any attachments from your system.  

We cannot guarantee the security or confidentiality of email communications. We do not 
accept any liability for losses or damages that you may suffer as a result of your 
receipt of this email including but not limited to computer service or system failure, 
access delays or interruption, data non-delivery or mis-delivery, computer viruses or 
other harmful components.
  
Copyright in this email and any attachments belong to Compass Group.  Should you 
communicate with anyone at Compass Group by email, you consent to us monitoring and 
reading any such correspondence.

Nothing in this email shall be taken or read as suggesting, proposing or relating to 
any agreement concerted practice or other practice that could infringe UK or EC 
competition legislation.  
Compass Group, UK and Ireland Limited is a company registered in England and Wales 
(Company number 02272248) whose registered office is at Parklands Court, 24 Parklands, 
Birmingham Great Park, Rubery, Birmingham, West Midlands, B45 9PZ.  Compass Group UK  
Ireland Limited is a wholly owned subsidiary of Compass Group PLC, registered in 
England and Wales (Company number 4083914) whose registered office is at Compass 
House, Guildford Street, Chertsey, Surrey, KT16 9BQ.



Re: web interface

2004-06-18 Thread Milver S. Nisay


 Hello all,

 I am using freeradius with mysql, is there any web interface that I can
 use to add and delete (manage) the user accounts in the sql server?

You can make use of dialup admin or mysqladmin to manage your MySQL database
and tables, webmin too... more on google.
//milver





Account lock out with FreeRadius

2004-06-18 Thread David Dunn
Hi all,

I'm using FR+TTLS+LDAP for WiFi access. Just wondering
how people implement account lockout after a fixed
number of failed authentication attempts?

Thanks.
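
As an added example of one way this is done (my code, not from the
thread and not a FreeRADIUS feature): watch radius.log for "Login
incorrect" lines and lock a user after N failures inside a time window.
The log lines in the self-test are constructed in the format radiusd 1.x
writes ("<date> : Auth: Login incorrect: [user/...] (from client ...
port ... cli <mac>)", the same shape as the "Login incorrect" line in the
debug output earlier on this page). Two caveats: with TTLS the line you
count must be the one for the inner (tunnelled) identity, not the outer
anonymous one, and keying a lock purely by user name lets anyone who
knows a user name lock that user out, so in practice you also want the
Calling-Station-Id (the cli field) in the key or at least in the alert.

```python
# Added example: account lockout driven by radius.log "Login incorrect"
# lines. The sample lines are constructed; the policy returns lock
# decisions as data, and wiring a lock into the directory (a check
# attribute the users file or rlm_ldap reads) is left to the deployment.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login incorrect: \[(?P<user>[^/\]]+)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port \d+ cli (?P<cli>[^)\s]*)\)")


def parse_failure(line):
    """Return (timestamp, user, client, calling-station-id) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("client"), m.group("cli")


class LockoutPolicy:
    """Lock a user after `threshold` failures within `window`; the lock lasts
    `duration`. Failures are kept per user in a sliding window."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 duration=timedelta(minutes=30)):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, ts):
        """Record one failure; return True if it triggers a lock."""
        q = self.failures[user]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[user] = ts + self.duration
            q.clear()                           # start counting afresh after the lock
            return True
        return False


def process_log(lines, policy):
    """Feed log lines to the policy; return [(user, lock_time), ...] in order."""
    locked = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:                      # not an auth failure line
            continue
        ts, user, _client, _cli = parsed
        if policy.record_failure(user, ts):
            locked.append((user, ts))
    return locked


# Constructed sample: six failures for one user within a minute, one failure
# and one success for another.
SAMPLE_LOG = [
    "Fri Jun 18 14:11:%02d 2004 : Auth: Login incorrect: "
    "[arnauld.dravet/no User-Password attribute] (from client ap1 port 1 cli 00904b625711)" % s
    for s in (1, 9, 17, 25, 33, 41)
] + [
    "Fri Jun 18 14:12:05 2004 : Auth: Login incorrect: [csaillard] (from client ap2 port 1 cli 000d54fc1807)",
    "Fri Jun 18 14:12:06 2004 : Auth: Login OK: [csaillard] (from client ap2 port 1 cli 000d54fc1807)",
]

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5)
    print(process_log(SAMPLE_LOG, policy))     # locks arnauld.dravet at 14:11:33
```

With threshold 5 the fifth failure at 14:11:33 locks arnauld.dravet for
30 minutes and the sixth starts a fresh count; csaillard, with a single
failure, is never locked.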





Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
Hello,
For the moment I use Freeradius with EAP-TTLS and it works fine... now 
I'd like to get users' credentials from an existing LDAP database.

The LDAP server sends me a valid MD5-hashed password but I think 
something failed in my users file configuration.

Does someone have such a working configuration ? If so, can you send a 
copy ?

Thanks.
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Rok Papez
Hi Christophe.
Christophe Saillard wrote:
For the moment I use Freeradius with EAP-TTLS and it works fine...now 
I'd like to get users credentials form an existing LDAP database.

The LDAP server sends me a valable MD5 hashed password but I think 
something failed in my users file configuration.
You should run the server in debug mode and check the output. I use this
command:
radiusd -Xxxx 2>&1 | tee logfile
Does someone have such a working configuration ? If so, can you send a 
copy ?
modules {
    ldap {
        server = localhost
        basedn = ou=employees,dc=org,dc=tld
        filter = (PrincipalName=%{User-Name})
        start_tls = no
    }
[...]
authorize {
    preprocess
    auth_log
    attr_rewrite
    suffix
    group {
        # the files module also activates EAP for user anonymous
        files {
            notfound = 1
            ok = return
        }
        ldap
    }
}
authenticate {
    Auth-Type EAP {
        eap
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

In the users file I have:

# User anonymous and [EMAIL PROTECTED] should be allowed #
# activate eap for them                                   #

anonymous       Auth-Type := EAP

# Accounting fix for AP                                   #
# LDAP authentication for local users                     #

DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
        User-Name = `%{User-Name}`,
        Fall-Through = yes

DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `PrincipalName=%{User-Name},ou=employees,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

--
Best regards,
Rok Papez.


radius and windows

2004-06-18 Thread Maqbool Hashim
Is it possible to get a Windows Domain Controller to authenticate via 
radius? Has anyone got this working?

I think what I'm asking is: Is there a radclient for Windows Domain 
Controllers?



EAP-SIM - reply code 0 unknown

2004-06-18 Thread Simeon Penev
Hi,

I'm using freeradius-1.0.0-pre2 and I'm trying to authenticate a Windows client 
(XP with SP1) via EAP-SIM. My access point is a Cisco 1200. I receive the 
following error while authenticating:

--LOG START---
rad_recv: Access-Request packet from host 10.1.0.2:21645, id=1, length=173
User-Name = ---
Framed-MTU = 1400
Called-Station-Id = 
Calling-Station-Id = ---
Service-Type = Login-User
Message-Authenticator = 0xb908c076b821a5b7d16657b78c321f0b
EAP-Message = 
0x020200220131323632303733393530323930393637406761726465726f732e636f6d
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-IP-Address = 10.1.0.2
NAS-Identifier = 
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_realm: Looking up realm  for User-Name = 

rlm_realm: Found realm -
rlm_realm: Proxying request from user  to realm 
-
rlm_realm: Adding Realm = 
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module mysuffix returns noop for request 0
users: Matched DEFAULT at 98
  modcall[authorize]: module files returns ok for request 0
rlm_sim_files: authorized user/imsi -
rlm_sim_files: Adding EAP-Type: eap-sim
  modcall[authorize]: module simtriplets returns ok for request 0
  rlm_eap: EAP packet type response id 2 length 34
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type sim
  rlm_eap: Underlying EAP-Type set EAP ID to 0
rlm_eap: reply code 0 is unknown, Rejecting the request.
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [-] (from client cisco port 1 cli 
---)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 10.1.0.2:21645
EAP-Message = 0x0014
Message-Authenticator = 0x
Reply-Message = OK
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 40d2ba07
Nothing to do.  Sleeping until we see a request.
--LOG END-

Any help is greatly appreciated!

Regards,
Simeon Penev





Re: radius and windows

2004-06-18 Thread Dave Shepherd
On Fri, 2004-06-18 at 10:43, Maqbool Hashim wrote:
 Is it possible to get a Windows Domain Controller to authenticate via 
 radius? Has anyone got this working?
 
 I think what I'm asking is: Is there a radclient for Windows Domain 
 Controllers?

You might want to try ntradping (www.mastersoft-group.com/download/)

You'll need to also install the IAS product (an option of IIS I
believe), onto the DC of your choice.

Dave




freeradius 1.0.0 pre1 segmentation fault with tls

2004-06-18 Thread Michel EAR
Hello !

I've been trying to get freeradius working with EAP-TLS but I have a 
segmentation fault. 
I'm using :
- freeradius 1.0.0 pre1
- openssl-SNAP20040613

When radiusd is launched with the script radiusd.sh, here is what I get :

Module: Loaded eap 
eap: default_eap_type = tls 
eap: timer_expire = 60 
eap: ignore_unknown_eap_types = yes 
eap: cisco_accounting_username_bug = no 
Segmentation fault 

I'd be very greatfull if anyone could help me.

Thanks


Re: CN check against User Name - EAP-TLS

2004-06-18 Thread Michael Griego
Do you have any debugging output to show for when it should allow the
user and when it shouldn't allow the user?

--Mike


On Fri, 2004-06-18 at 05:34, pouet wrote:
 Hi,
 I try to use the check_cert_cn = %{User-Name} option in the tls 
 section of eap.conf. It's not working: as long as the user's certificate 
 is ok, freeradius accepts him whatever he typed in the User-Name field, 
 which is sent in response to an EAP-Request/Identity message. Is there someone 
 here who is using this option with more luck? My goal is to give different 
 privileges to users depending on their CN (for now it is CN, but are DN or mail 
 address possible alternatives?); for this freeradius must match a user 
 name in the users file, and to make it impossible for a trusted user (who 
 owns a good certificate for the network) to use the privileges of another 
 user, I must use this option. Tell me if I'm wrong on this.
 I have searched but only found an old patch (didn't try it) from Michael 
 Griego in Nov 2003 and an unanswered message from Anthony Lopez in May 
 2004. Any clue?
 thanks
 
 


Re: radius and windows

2004-06-18 Thread Maqbool Hashim
Thanks,
I suppose I could just use LDAP to authenticate Windows Domain 
Controllers.  I am not actually asking this question for Domain 
Controllers which I personally run, but for clients who might have these 
things, and I would like to be able to authenticate these Windows 
machines via our radius server.

Am I right in thinking that LDAP would work?


Re: freeradius 1.0.0 pre1 segmentation fault with tls

2004-06-18 Thread Frédéric EVRARD
 Hello !

 I've been trying to get freeradius working with EAP-TLS but I have a
 segmentation fault.
 I'm using :
 - freeradius 1.0.0 pre1
 - openssl-SNAP20040613

 When radiusd is launched with the script radiusd.sh, here is what I
 get :

 Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
 Segmentation fault

 I'd be very grateful if anyone could help me.

Look in the configure log to check that everything is OK about the link with the openssl lib



 Thanks





Re: radius and windows

2004-06-18 Thread Dave Shepherd
On Fri, 2004-06-18 at 12:07, Maqbool Hashim wrote:
 Thanks,
 
 I suppose could just use LDAP to authenticate Windows Domain 
 Controllers. 

Sorry, you are confusing me. A Windows Domain Controller in my mind is
what holds the SAM database, which contains the user data, so in this
scenario no.

However, you could authenticate a windows client machine against an LDAP
backend, via your radius server, thus eliminating the need for your
Windows Domain Controller in the authentication process.

 I am not actually asking this question for Domain 
 Controllers which I personally run, but for clients who might have these 
 things and I would like to be able to authenticate these windows 
 machines via our radius server.

Ignore the above then. 

Honestly, if you are running NT4, the IAS (Microsoft's radius server)
product is a good solution, as it talks natively to your SAM database.
All you need to do then is proxy these clients through your radius
server to the IAS server and Bob's your uncle.

 
 Am I right in thinking that LDAP would work?

Yes.

Dave






RE: freeradius 1.0.0 pre1 segmentation fault with tls

2004-06-18 Thread Sathish Challa
Do it as per the How-To guide and after that install pre2; it works.
Of course, it worked for me.

Thank you,
Sathish Challa.
GRIC Software India Pvt. Ltd., www.GoRemote.com
Mobile: +91-98451-90676
Office [Direct]: +91-80 513 80 882
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frédéric EVRARD
Sent: Friday, June 18, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: Re: freeradius 1.0.0 pre1 segmentation fault with tls

 Hello !

 I've been trying to get freeradius working with EAP-TLS but I have a
 segmentation fault.
 I'm using :
 - freeradius 1.0.0 pre1
 - openssl-SNAP20040613

 When radiusd is launched with the script radiusd.sh, here is what I
 get :

 Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
 Segmentation fault

 I'd be very grateful if anyone could help me.

Look in the configure log to check that everything is OK about the link with the openssl lib



 Thanks





Problems with certificates

2004-06-18 Thread Michael Schwartzkopff

Hi,

I want to use PEAP and created the certificates with CA.all in the scripts 
dir. I copied the cert-srv.pem and root.pem to my config dir and configured 
eap.conf accordingly. But radiusd -XA stops with the following error:

 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/certs/root.pem
 tls: private_key_password = radius
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
30092:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:663:Expecting: CERTIFICATE
30092:error:06065064:digital envelope routines:EVP_DecryptFinal:bad 
decrypt:evp_enc.c:277:
30092:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:452:
30092:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 
eos:ssl_rsa.c:707:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

Setup: OpenSSL 0.9.7d
FreeRADIUS Version 1.0.0-pre2

Any idea what might be wrong?

- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
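
As an added pre-flight check (my code, not from the post and not part of
the FreeRADIUS scripts): the Python below parses the PEM files named in
the tls {} section above, checks that every block is valid base64
wrapping a well-formed DER SEQUENCE, and reports which block types each
file holds and whether the private key is passphrase-protected. It does
not decrypt the key, so it cannot confirm private_key_password itself;
`openssl rsa -in cert-srv.pem -noout` with the passphrase does that. What
it does is separate the two OpenSSL messages in the log: "no start line
... Expecting: CERTIFICATE" is what PEM_read_bio reports when it finds no
further CERTIFICATE block (OpenSSL also leaves that error behind after a
normal chain read, so on its own it can be harmless), whereas "bad
decrypt" means the key block is encrypted and the configured passphrase
did not decrypt it. The PEM samples in the self-test are constructed.

```python
# Added example: structural check of the private_key_file / certificate_file /
# CA_file a tls {} section points at. Standard library only; the PEM blocks
# used in the self-test are constructed (tiny DER payloads, not real keys).
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def _der_length_ok(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded length
    matches the payload; keys and certificates are always a top-level SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        hdr, length = 2, first
    else:                                  # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def parse_pem(text):
    """Return [{label, encrypted, der_ok}, ...] for each PEM block in `text`."""
    blocks = []
    for m in PEM_RE.finditer(text):
        body = m.group("body")
        if "\n\n" in body:                 # legacy headers (Proc-Type/DEK-Info) end with a blank line
            headers, b64 = body.split("\n\n", 1)
        else:
            headers, b64 = "", body
        encrypted = ("Proc-Type: 4,ENCRYPTED" in headers
                     or m.group("label") == "ENCRYPTED PRIVATE KEY")
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
            der_ok = _der_length_ok(der)
        except ValueError:
            der_ok = False
        blocks.append({"label": m.group("label"), "encrypted": encrypted, "der_ok": der_ok})
    return blocks


def check_tls_files(private_key_pem, certificate_pem, ca_pem, have_password):
    """Mirror what rlm_eap_tls asks OpenSSL to load at startup; return a list of
    problems (an empty list means the files are at least structurally usable)."""
    problems = []
    keys = [b for b in parse_pem(private_key_pem) if b["label"] in KEY_LABELS]
    certs = [b for b in parse_pem(certificate_pem) if b["label"] == "CERTIFICATE"]
    cas = [b for b in parse_pem(ca_pem) if b["label"] == "CERTIFICATE"]
    if not keys:
        problems.append("private_key_file: no PRIVATE KEY block")
    if not certs:
        problems.append("certificate_file: no CERTIFICATE block (OpenSSL would report "
                        "'no start line ... Expecting: CERTIFICATE')")
    if not cas:
        problems.append("CA_file: no CERTIFICATE block")
    for b in keys + certs + cas:
        if not b["der_ok"]:
            problems.append("%s block is not valid base64/DER" % b["label"])
    if keys and keys[0]["encrypted"] and not have_password:
        problems.append("private key is encrypted but private_key_password is unset")
    if keys and not keys[0]["encrypted"] and have_password:
        problems.append("private_key_password is set but the key is not encrypted")
    return problems


def make_pem(label, der, headers=""):
    """Wrap DER bytes in a PEM block (used to build the constructed test input)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, lines, label)


if __name__ == "__main__":
    import sys
    key, cert, ca = (open(p).read() for p in sys.argv[1:4])
    print(check_tls_files(key, cert, ca, have_password=len(sys.argv) > 4) or "structure OK")
```

Usage: `python check_tls.py cert-srv.pem cert-srv.pem root.pem radius`
(the same file for key and certificate, as in the eap.conf above). If the
structure is reported OK and radiusd still prints "bad decrypt", the
passphrase in private_key_password is not the one the key was encrypted
with.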




Pre2 with Mipsel

2004-06-18 Thread Yachine
Hi :

Has anyone tried to cross-compile pre2 for the MIPSEL platform?
I tried to compile and got an error during the LD step.
The error message is below:

Error Message
radiusd.o: In function `no symbol':
/home/freeradius-1.0.0-pre2/src/main/radiusd.c:1446: undefined reference to `thread_pool_addrequest'
collect2: ld returned 1 exit status

thread_pool_addrequest -- this function was OK when compiling thread.o
but is always broken here!

Any idea?

Thanks for your help!

YachineChang


Possible bug in rlm_exec

2004-06-18 Thread Josh Howlett
I think I've found a possible bug in rlm_exec (???).
Something like:
exec myscript {
...
program = /path/to/myscript.sh %{Packet-Type}
...
}
...results in a correct first argument myscript.sh for Access-Request and 
Accounting-Request, but not Access-Accept. An Access-Accept packet causes 
the script to be invoked as though the packet were an Access-Request.

josh.
--
---
Josh Howlett, Networking  Digital Communications,
Information Systems  Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



Re: computer authentication from windows

2004-06-18 Thread Schrott_Jens
Hello Mike,

I have a big problem with these machine certificates for win2000 and xp. To
create the CA and certificates I used the openssl tool. In addition I have
added the Microsoft OIDs in the openssl.cnf:

1.3.6.1.4.1.311.20.2=DER:1e:0e:00:4d:00:61:00:63:00:68:00:69:00:6e:00:65

and of course the subjectAltName with the FQDN.

But the client does not send anything. The certificates are stored in
the local computer store.
It looks like Microsoft does not accept the certificates created with
openssl for machine certificates.

And now my question: which tool do you use to create the certificates, or
which OIDs does the certificate need for Microsoft compatibility?

Thanks in advance,
jens
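
As an added example (my code, not from the thread): the DER value on the
OID line above is a BMPString (tag 0x1e, UTF-16BE body), and the Python
below decodes and re-encodes it so you can confirm the hex in openssl.cnf
really says "Machine" and that its length byte is right; a wrong length
byte is the kind of mistake that makes Windows silently ignore the
extension. The openssl.cnf stanza that machine_cert_extensions() prints
is my assumption about what a Windows machine certificate for 802.1X
needs (the template name plus the Client Authentication EKU and the
subjectAltName from the post); the thread itself only lists the OID line.

```python
# Added example: encode/decode the DER BMPString used for Microsoft's
# certificate template name extension (OID 1.3.6.1.4.1.311.20.2) in the
# "DER:1e:0e:..." form openssl.cnf takes. The extension section produced
# by machine_cert_extensions() is an assumption, not taken from the thread.


def der_bmpstring(text):
    """DER-encode a BMPString (tag 0x1e): UTF-16BE body with short or long length."""
    body = text.encode("utf-16-be")
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return b"\x1e" + length + body


def parse_der_bmpstring(hex_colon):
    """Inverse of der_bmpstring for the 'DER:1e:0e:00:4d:...' openssl.cnf form."""
    s = hex_colon[4:] if hex_colon.startswith("DER:") else hex_colon
    raw = bytes.fromhex(s.replace(":", ""))
    if not raw or raw[0] != 0x1e:
        raise ValueError("not a BMPString (expected tag 0x1e)")
    if raw[1] < 0x80:
        hdr, length = 2, raw[1]
    else:
        n = raw[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    if hdr + length != len(raw):
        raise ValueError("length %d does not match %d bytes of data" % (length, len(raw) - hdr))
    return raw[hdr:].decode("utf-16-be")


def openssl_cnf_value(text):
    """Format a BMPString for an 'OID = DER:..' line in openssl.cnf."""
    return "DER:" + ":".join("%02x" % b for b in der_bmpstring(text))


def machine_cert_extensions(fqdn, template="Machine"):
    """Assumed openssl.cnf extension section for a Windows machine certificate
    (template name, clientAuth EKU, DNS SAN); not from the thread."""
    return "\n".join([
        "[ machine_ext ]",
        "basicConstraints = CA:FALSE",
        "keyUsage = digitalSignature, keyEncipherment",
        "extendedKeyUsage = clientAuth",
        "subjectAltName = DNS:%s" % fqdn,
        "1.3.6.1.4.1.311.20.2 = %s" % openssl_cnf_value(template),
    ])


# The value as posted above.
POSTED_VALUE = "DER:1e:0e:00:4d:00:61:00:63:00:68:00:69:00:6e:00:65"

if __name__ == "__main__":
    print(parse_der_bmpstring(POSTED_VALUE))          # Machine
    print(machine_cert_extensions("pc1.example.org"))
```

The posted value round-trips to "Machine" with a correct length byte
(0x0e = 14 bytes of UTF-16), so the extension line itself is not the
reason the client stays silent.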





Re: Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
Thanks for your help.
I think I'm not far from the end but I still have problems.
Here's the debug logs :
[...]
Fri Jun 18 14:11:17 2004 : Debug: rlm_ldap: performing search in 
dc=u-strasbg,dc=fr, with filter (uid=csaillard)
request 6 done
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: Added password 
$1$QEnpt.4f$nixixczJ/xu0CnyuvaTLV/ in check items
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for check items in 
directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: looking for reply items in 
directory...
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: user csaillard authorized to 
use remote access
Fri Jun 18 14:11:31 2004 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authorize]: returned from 
ldap (rlm_ldap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authorize]: module ldap 
returns ok for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group authorize returns 
updated for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rad_check_password:  Found Auth-Type EAP
Fri Jun 18 14:11:31 2004 : Debug: auth: type EAP
Fri Jun 18 14:11:31 2004 : Debug:   Processing the authenticate section 
of radiusd.conf
Fri Jun 18 14:11:31 2004 : Debug: modcall: entering group Auth-Type for 
request 4
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: calling eap 
(rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Request not found in the list
Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out 
OR EAP-response to an unknown EAP-request
Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Failed in handler
Fri Jun 18 14:11:31 2004 : Debug:   modsingle[authenticate]: returned 
from eap (rlm_eap) for request 4
Fri Jun 18 14:11:31 2004 : Debug:   modcall[authenticate]: module eap 
returns invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: modcall: group Auth-Type returns 
invalid for request 4
Fri Jun 18 14:11:31 2004 : Debug: auth: Failed to validate the user.
[...]

I use TTLS/PAP for authentication, so you can see that the LDAP server 
sends an MD5-hashed password... but I'm not sure that's what I need.
Could you tell me what kind of EAP method you use, with what type of 
password hash?

Thanks for help !
Bye.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---


Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Kostas Kalevras
On Fri, 18 Jun 2004, Arnauld Dravet wrote:

 Hello

 I'm facing some kind of configuration trouble with freeradius and openldap. I
 got a new Access Point which I'm trying to use with 802.1x auth.


 I'm using a classical samba/qmail LDAP schema so that users in the company can
 authenticate against ldap with win/linux workstations. Basically, I have 3
 password fields, lmPassword, ntPassword, and userPassword. All of them are
 encrypted and there is no 0x in front of the ntPassword.

 The ldap section in radiusd.conf seems to be ok, the connection is done, and I've
 set the password_attribute to userPassword and later to ntPassword to check
 if it changed anything to the problem (no).

 Other sections i'm using:

 authorize {
   preprocess
   auth_log
   ldap
   eap
 }

 authenticate {
   eap
 }

 now, when i set up a 802.1x client, the AP connect to the radius server and here
 is the debug output:

 Waking up in 6 seconds...
 rad_recv: Access-Request packet from host 192.168.6.3:1134, id=71, length=172
 NAS-IP-Address = 192.168.6.3
 NAS-Port-Type = Wireless-802.11
 NAS-Port = 1
 Framed-MTU = 1400
 User-Name = arnauld.dravet
 Calling-Station-Id = 00904b625711
 Called-Station-Id = 000d54fc1807
 NAS-Identifier = EPSI AP1
 State = 0xa63191155f9268efbcad3167d4e42e90
 EAP-Message =
 0x0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574
 Message-Authenticator = 0xb917bedaab691dda63cd4364b2d93ae8
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 3
   modcall[authorize]: module preprocess returns ok for request 3
 radius_xlat:  '/var/log/radius/radacct/192.168.6.3/auth-detail-20040618'
 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to /var/log/radius/radacct/192.168.6.3/auth-detail-20040618
   modcall[authorize]: module auth_log returns ok for request 3
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for arnauld.dravet
 radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
 radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
 (&(objectclass=posixAccount)(uid=arnauld.dravet))
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX  op=21
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user arnauld.dravet authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0

Either you haven't configured password extraction in the ldap module or it isn't
working. Make sure the user rlm_ldap uses to connect to the ldap server is
allowed to read the userpassword entry. Posting your rlm_ldap configuration
might help.

   modcall[authorize]: module ldap returns ok for request 3
   rlm_eap: EAP packet type response id 2 length 36
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 3
 modcall: group authorize returns updated for request 3
   rad_check_password:  Found Auth-Type LDAP
   rad_check_password:  Found Auth-Type EAP
 Warning:  Found 2 auth-types on request for user 'arnauld.dravet'
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 3
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/md5
   rlm_eap: processing type md5
 rlm_eap_md5: User-Password is required for EAP-MD5 authentication
  rlm_eap: Handler failed in EAP/md5
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 3
 modcall: group authenticate returns invalid for request 3
 auth: Failed to validate the user.
 Login incorrect: [arnauld.dravet/no User-Password attribute] (from client ap1
 port 1 cli 00904b625711)
 Delaying request 3 for 2 seconds
 Finished request 3
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 2 seconds...
 --- Walking the entire request list ---
 Waking up in 2 seconds...
 --- Walking the entire request list ---
 Sending Access-Reject of id 71 to 192.168.6.3:1134
 EAP-Message = 0x04020004
 Message-Authenticator = 0x
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Cleaning up request 2 ID 70 with timestamp 40d298d0
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Cleaning up request 3 ID 71 with timestamp 40d298d1
 Nothing to do.  Sleeping until we see a request.


 It's been two days I'm stuck on this problem, I think I've read all the
 documentation and mailing list archives .. I've tried different things, but it
 still finishes with a message saying it is missing the User-Password attribute ... I've
 of course also tried to use ldap in the authenticate section. I tested

RE : freeradius 1.0.0 pre1 segmentation fault with tls

2004-06-18 Thread Michel EAR
I've checked the logfile and here's what I get :
Info: Using deprecated naslist file. Support for this will go away soon.
Info: rlm_exec: Wait=yes but no output defined. Did you mean
output=none?

I don't think there's anything wrong in that, but maybe there is a bad
link to the openssl libraries during compilation or execution.

I've used http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm, is it
the one you're referring to? 

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Sathish Challa
Sent: Friday, June 18, 2004 13:41
To: [EMAIL PROTECTED]
Subject: RE: freeradius 1.0.0 pre1 segmentation fault with tls

Do it as per How-To guide and after that install pre2 it works.
Of course it worked for me.

Thank you,
Sathish Challa.
GRIC Software India Pvt. Ltd., www.GoRemote.com
Mobile: +91-98451-90676
Office [Direct]: +91-80 513 80 882
 
Server Group's Mission:
“Innovative, open and scalable solutions pioneered proactively with a
methodical approach and engineering agility to deliver quality solutions to
the Customers and prudent responses to Product Management and other decision
making bodies”
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Frédéric EVRARD
Sent: Friday, June 18, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: Re: freeradius 1.0.0 pre1 segmentation fault with tls

 Hello !

 I've been trying to make freeradius working with EAP-TLS but I have a
 segmentation fault.
 I'm using :
 - freeradius 1.0.0 pre1
 - openssl-SNAP20040613

 when I radiusd is launched with the script radiusd.sh, here is what I
 get :

 Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
 Segmentation fault

 I'd be very grateful if anyone could help me.

Look in the configure log to see if everything is ok about the link with the openssl lib



 Thanks




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: web interface

2004-06-18 Thread Alan DeKok
Marco Marques [EMAIL PROTECTED] wrote:
 I am using freeradius with mysql , is there any web interface that i can
 use to add and delete ( manage ) the user accounts in the sql server?

  dialup_admin, which is included with the server.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap tls configuration problem

2004-06-18 Thread Alan DeKok
Heath Partington [EMAIL PROTECTED] wrote:
 Has the issue where freeradius crashes when tls is enabled due to the
 lack of ability to find ssl libraries and includes at configuration time
 been fixed?

  I think you're talking about two separate issues.  The server
doesn't crash if the configure process fails.  It doesn't get
*built* if the configure process fails.

  Also, many other people have tried -pre1 & -pre2, and don't report
those problems.

  So... are you willing to say what options you're passing to
configure, what version of OpenSSL you have, where it is, and what
happens during the configure process?

  Saying "I tried to do stuff and it didn't work" is not particularly helpful.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rate limit radius requests

2004-06-18 Thread Alan DeKok
Guy Fraser [EMAIL PROTECTED] wrote:
 I have been quietly watching this thread, and the idea of setting up
 a FIFO {First In First Out} buffer to handle inserts sounds like a
 good idea, but may have some adverse consequences.

  Like losing requests if the server goes down.  If the requests are
on disk, the detail file acts like a FIFO, and is permanent storage.

 Another option might be setting up a customizable delay into the 
 acknowledge response from the radius server. This is sometimes referred 
 to as a delay pool, and is used for connection throttling in squid 
 and apache if I remember correctly.

  I'm not sure that this would work for RADIUS.  The NAS is getting
10^4 people logging in at the same time, and slowing down the response
for person A won't change the speed of the accounting requests for
person B.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: DHCP using rlm_ippool and Cisco 2500 Series NAS.

2004-06-18 Thread Alan DeKok
Shannon Sariman [EMAIL PROTECTED] wrote:
 I'd like to know the process involved in setting up DHCP on my
 FreeRadius server instead of using a Cisco 2500 NAS to do the dynamic IP
 assignment.

  FreeRADIUS doesn't do DHCP.

 At the moment I am using a Cisco 2500 NAS to do the dynamic
 IP assignment. If I am going to use rlm_ippools in my radiusd.conf file,
 will that mean I will have to remove my DHCP assignment entries on my
 Cisco NAS?

  Probably.  You can't have 2 systems handing out IP addresses.

 What effect will this have on my Cisco NAS after I have
 enabled my FreeRadius server to do the Dynamic IP assignment?

  What kind of effect are you looking for?

  FreeRADIUS will hand out IP addresses, and the Cisco box will give
them to the client.  There isn't much else to the process.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Alan DeKok
Arnauld Dravet [EMAIL PROTECTED] wrote:
 I'm using a classical samba/qmail LDAP schema so that users in the
 company can authenticate against ldap with win/linux
 workstations. Basically, i got 3 password fields, lmPassword,
 ntPassword, and userPassword . All of them are encrypted ...

  Then you can't do CHAP or EAP-MD5, which is basically CHAP.

 rlm_eap_md5: User-Password is required for EAP-MD5 authentication

  Yup.  EAP-MD5 doesn't work.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
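As an added illustration (not code from the thread or from FreeRADIUS), the EAP-Message printed in the debug output above is an EAP Response/MD5-Challenge. Decoding it and replaying the RFC 1994 computation shows why rlm_eap_md5 demands a User-Password: the server must recompute MD5(Identifier || Secret || Challenge) from the cleartext, and a directory that holds only a hash cannot supply it. The challenge and password used in the simulated exchange are constructed values; the thread never shows them.

```python
import hashlib
import hmac
from dataclasses import dataclass

# EAP-Message attribute copied from the debug output quoted above.
EAP_MESSAGE_HEX = (
    "0202002404105f6aa1f2ca8bfe0b6efc3da31527335861726e61756c642e647261766574"
)

EAP_CODE_RESPONSE = 2        # RFC 3748 section 4
EAP_TYPE_MD5_CHALLENGE = 4   # RFC 3748 section 5.4
MD5_VALUE_SIZE = 16


@dataclass
class EapMd5Response:
    identifier: int
    length: int
    value: bytes   # MD5(Identifier || Secret || Challenge), as in CHAP (RFC 1994)
    name: str      # peer identity carried after the Value field


def parse_eap_md5_response(raw: bytes) -> EapMd5Response:
    """Decode an EAP Response/MD5-Challenge packet; raise ValueError if malformed."""
    if len(raw) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"not an EAP Response (code={code})")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes on the wire")
    eap_type, value_size = raw[4], raw[5]
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"not an MD5-Challenge response (type={eap_type})")
    if value_size != MD5_VALUE_SIZE or 6 + value_size > length:
        raise ValueError(f"bad Value-Size {value_size}")
    value = raw[6:6 + value_size]
    name = raw[6 + value_size:length].decode("utf-8", errors="replace")
    return EapMd5Response(identifier, length, value, name)


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The value both sides must be able to compute: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_accepts(identifier: int, challenge: bytes, peer_value: bytes,
                   server_secret: bytes) -> bool:
    """Server-side check using whatever secret the server has on file."""
    expected = md5_challenge_value(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, peer_value)


def simulate_exchange(password: bytes, store_cleartext: bool) -> bool:
    """Constructed exchange: the peer always uses the cleartext password. The
    server uses either the cleartext or only an MD5 digest of it, which is the
    situation of a directory that stores hashed passwords only."""
    challenge = bytes(range(16))   # constructed; the real challenge is not in the thread
    identifier = 2
    peer_value = md5_challenge_value(identifier, password, challenge)
    on_file = password if store_cleartext else hashlib.md5(password).digest()
    return server_accepts(identifier, challenge, peer_value, on_file)


if __name__ == "__main__":
    resp = parse_eap_md5_response(bytes.fromhex(EAP_MESSAGE_HEX))
    print(f"id={resp.identifier} length={resp.length} name={resp.name!r}")
    print("cleartext on file:", simulate_exchange(b"s3cret", True))     # True
    print("only a hash on file:", simulate_exchange(b"s3cret", False))  # False
```

The decoded identifier and length agree with the "EAP packet type response id 2 length 36" line of the debug output.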


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
 For the moment I use Freeradius with EAP-TTLS and it works fine...now
 I'd like to get users credentials form an existing LDAP database.
 
 The LDAP server sends me a valid MD5 hashed password but I think
 something failed in my users file configuration.

  Did you try running it debugging mode, as suggested in the FAQ,
README, INSTALL, and daily on this list?

 Does someone have such a working configuration ? If so, can you send a
 copy ?

  Since no one knows what you're really trying to do. I doubt anyone
will send you a configuration.

  Follow the documented instructions for running the server and asking
questions on this list.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius and windows

2004-06-18 Thread Alan DeKok
Maqbool Hashim [EMAIL PROTECTED] wrote:
 Is it possible to get a Windows Domain Controller to authenticate via 
 radius? Has anyone got this working?

  For a Windows DC to issue RADIUS Access-Request packets when
authenticating users?

  It's not possible.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CN check against User Name - EAP-TLS (pouet - debugging output)

2004-06-18 Thread pouet
Hi,
Subject: Re: CN check against User Name - EAP-TLS
From: Michael Griego [EMAIL PROTECTED]
Date: Fri, 18 Jun 2004 05:55:21 -0500
Do you have any debugging output to show for when it should allow the
user and when it shouldn't allow the user?
--Mike
 

Ok, thanks for the support, here is the debugging stuff (I tried to make it 
as little noisy as possible):

1. From radiusd.log
Fri Jun 18 15:06:34 2004 : Info: rlm_eap_tls:  Length Included
Fri Jun 18 15:06:34 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Jun 18 15:06:34 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:06:35 2004 : Info: rlm_eap_tls:  Received EAP-TLS First Fragment of the message
Fri Jun 18 15:06:35 2004 : Auth: rlm_eap_tls: Certificate CN (Surname Name) does not match specified value (nimp)!
Fri Jun 18 15:06:35 2004 : Info: (other): SSL negotiation finished successfully 
Fri Jun 18 15:06:35 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:06:35 2004 : Auth: Login OK: [nimp/no User-Password attribute] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)

2. From replydetail:
Packet-Type = Access-Accept
Fri Jun 18 15:06:35 2004
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-MPPE-Recv-Key = 
0x459dbc226905e1ce46366fe24b1a0affac11b941c2bf7a28efb785299a652143
MS-MPPE-Send-Key = 
0x6429091bd04c8d083fd38784facb13cdf002376246167642da105cc6bfa60b01
EAP-Message = 0x03790004
Message-Authenticator = 0x
User-Name = nimp
   *
Here we can see that the user nimp is unknown in the users file and 
does not match the CN of the certificate he supplied. However 
freeradius accepts him and uses the default account in the users file. 
(there is something strange with the ssl error, I can't deal with this)

Now a login attempt with the right username (ie equals the CN):
1. From radiusd.log
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls:  Length Included
Fri Jun 18 15:36:04 2004 : Error: TLS_accept:error in SSLv3 read client certificate A 
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls:  Received EAP-TLS First Fragment of the message
Fri Jun 18 15:36:04 2004 : Info: (other): SSL negotiation finished successfully 
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:36:04 2004 : Auth: Login OK: [Surname Name/no User-Password attribute] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)

2. From replydetail:
Packet-Type = Access-Accept
Fri Jun 18 15:36:04 2004
Reply-Message = Hello
MS-MPPE-Recv-Key = 
0xaae75fffd314a20444df5348b008290cbeb5c73935a110fdfdd5b978d4af102e
MS-MPPE-Send-Key = 
0x016156318c111b228b0450f01d614609bb0b38c3aa92840edbf28a63a0182b14
EAP-Message = 0x038b0004
Message-Authenticator = 0x
User-Name = Surname Name
   *
And finally a login attempt with a wrong certificate, which is correctly 
rejected:

Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls:  Length Included
Fri Jun 18 15:54:00 2004 : Error: TLS_accept:error in SSLv3 read client certificate A 
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls:  Received EAP-TLS First Fragment of the message
Fri Jun 18 15:54:00 2004 : Error: -- verify error:num=20:unable to get local issuer certificate 
Fri Jun 18 15:54:00 2004 : Auth: rlm_eap_tls: Certificate CN (test) does not match specified value (Surname Name)!
Fri Jun 18 15:54:00 2004 : Error: TLS Alert write:fatal:unknown CA 
Fri Jun 18 15:54:00 2004 : Error: TLS_accept:error in SSLv3 read client certificate B 
Fri Jun 18 15:54:00 2004 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:54:00 2004 : Auth: Login incorrect: [Surname Name/no User-Password attribute] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)

Am I missing something? Do you need more or/and different output?
thanks
On Fri, 2004-06-18 at 05:34, pouet wrote:
 

Hi,
I try to use the check_cert_cn = %{User-Name} option in the tls 
section of eap.conf. It's not working: as long as the user's certificate 
is ok, freeradius accepts him whatever he typed in the User-Name field 
that is sent back after an EAP-Request/Identity message. Is there someone here 
who is using this option with more luck? My goal is to give different 
privileges to users according to their CN (now it is CN, but are DN or mail 
address possible alternatives?); for this freeradius must match a user 
name in the users file and make it impossible for a trusted user (who 
owns a good 

Re: radius and windows

2004-06-18 Thread Alan DeKok
Dave Shepherd [EMAIL PROTECTED] 
 IMPORTANT - this email and the information in it may be
 confidential, legally privileged and/or protected by law.
...

  Or it may not be.

  Can you please get rid of that signature?  It's huge, annoying, and
has zero legal validity.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Possible bug in rlm_exec

2004-06-18 Thread Alan DeKok
Josh Howlett [EMAIL PROTECTED] wrote:
   program = /path/to/myscript.sh %{Packet-Type}
   ...
 }
 
 ...results in a correct first argument myscript.sh for Access-Request and 
 Accounting-Request,

  Which are both requests

 but not Access-Accept.

  Which is a reply.  See doc/variables.txt

  Try:  program = /path/to/myscript.sh %{reply:Packet-Type}

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
 Fri Jun 18 14:11:31 2004 : Debug:   rad_check_password:  Found Auth-Type EAP
...
 Fri Jun 18 14:11:31 2004 : Debug:   rlm_eap: Request not found in the list
 Fri Jun 18 14:11:31 2004 : Error: rlm_eap: Either EAP-request timed out
 OR EAP-response to an unknown EAP-request
...
 I use TTLS/PAP for authentication,

  And you set Auth-Type = EAP.  DON'T DO THAT.

  The eap.conf file has BIG HUGE COMMENTS saying DON'T DO THAT.  It
really means DON'T DO THAT.

  You're doing the exact opposite of what the documentation says, and
as a result, it's not working.  You might try following the
recommendations of the server, which WILL allow it to work.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Possible bug in rlm_exec

2004-06-18 Thread Josh Howlett
--On Friday, June 18, 2004 10:22:04 -0400 Alan DeKok [EMAIL PROTECTED] wrote:
Josh Howlett [EMAIL PROTECTED] wrote:
program = /path/to/myscript.sh %{Packet-Type}
...
}
...results in a correct first argument myscript.sh for Access-Request
and  Accounting-Request,
  Which are both requests
but not Access-Accept.
  Which is a reply.  See doc/variables.txt
D'oh, I failed to engage brain. Thanks Alan, you're a star.
josh.
--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Cisco Authorization failed

2004-06-18 Thread Nagesh Boyina
Hi,
I have installed the free radius with mysql server and configured the radius
server authentication on a Cisco 3660 router.
When I am trying to telnet to the router through the radius server it says
authorization failed.
When I check the radius debug it says access accept using the port 1645. And
also, why are the requests coming from ports 1645 and 1646 on the router instead of
1812 and 1813?
Please help me to resolve this problem.

rad_recv: Access-Request packet from host 192.168.1.2:1645, id=79,
length=86
NAS-IP-Address = 192.168.1.2
Cisco-NAS-Port = tty227
NAS-Port-Type = Virtual
User-Name = hydrad
Calling-Station-Id = 192.168.1.5
User-Password = 56789
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
rlm_realm: No '@' in User-Name = hydrad, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
radius_xlat:  'hydrad'
rlm_sql (sql): sql_set_user escaped user -- 'hydrad'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'hydrad' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'hydrad' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'hydrad' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'hydrad' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module sql returns ok for request 3
  modcall[authorize]: module mschap returns noop for request 3
modcall: group authorize returns ok for request 3
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 79 to 192.168.1.2:1645
Cisco-AVPair += multilink:max-links=2
Cisco-AVPair += multilink:max-links=1
Cisco-AVPair += multilink:load-threshold=1
Cisco-AVPair += shell:priv-lvl=7
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 79 with timestamp 40ce8ed3
Nothing to do.  Sleeping until we see a request.





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CN check against User Name - EAP-TLS (pouet - debugging output)

2004-06-18 Thread Michael Griego
Which version of the server are you using?  You should be using a CVS
snapshot from at least this month.  There was a fix applied in late May
to correct a problem with this behavior.  Try giving 1.0.0-pre3 a try
when it comes out later today.


-- 

--Mike
 
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Arnauld Dravet
 
   Then you can't do CHAP or EAP-MD5, which is basically CHAP.
 
   Yup.  EAP-MD5 doesn't work.
 

Hmm .. i think i've read docs where i understood ppl were using samba schema 
without problems ... what am i supposed to use to make it possible ? LEAP 
returns the same error with the missing User-Password attribute .. And i can't 
store clear passwords in the directory 

I'll paste the ldap section in one hour, i can't have access to it at the moment 
..


-- 
Arnauld Dravet




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Christophe Saillard
And you set Auth-Type = EAP.  DON'T DO THAT.
 The eap.conf file has BIG HUGE COMMENTS saying DON'T DO THAT.  It
really means DON'T DO THAT.
 You're doing the exact opposite of what the documentation says, and
as a result, it's not working.  You might try following the
recommendations of the server, which WILL allow it to work.
 Alan DeKok.
Ok. Sorry for being such a fool...
Here's what I want to do :
For the moment I've a running freeradius EAP-TTLS/PAP configuration which works fine.
Now I'd like to get credentials from an existing LDAP user storage instead of the Freeradius users file 
(I store MD5 hashed password to have PAP compatibility).

The Ldap bind is ok and I got correct uid and password when I launch a 802.1X request 
from
a laptop client.
But there's some particular things I need to know :
- how do I have to store password in the LDAP database (because I'd like to use 
TTLS/PAP) : crypt/MD5 hashed, clear text ?
- what do I have to put in the users file ? (I know that auth-type := EAP is wrong) ?
- if it's not possible to have TTLS/PAP authentication what can I do else 
(PEAP/Mschapv2 ...) ?
I hope my questions are not too stupid.
Thanks.
--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco Authorization failed

2004-06-18 Thread Alan DeKok
Nagesh Boyina [EMAIL PROTECTED] wrote:
 When I am trying to telnet to the router through the radius server it says
 authorization failed.
 When I check radius debug it says access accept using the port 1645.

  Then I suggest checking the debug logs on the router.  So far as
FreeRADIUS is concerned, it saw a good request, and sent a proper reply.

 And also why the request coming from 1645 and 1646 ports from router
 instead of 1812 and 1813.

  The ports that the request comes from don't matter to anyone.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap tls configuration problem

2004-06-18 Thread Alan DeKok
Heath Partington [EMAIL PROTECTED] wrote:
 Sounds like you need a vacation.

  Sniping at the people helping you won't help.

 configure: warning: FAILURE: rlm_eap_sim requires:  libssl.
 configure: warning: silently not building rlm_eap_tls.

  You don't have SSL installed.  Install it.

  OR, you have an older version of SSL installed, and the server
doesn't like it.  READ the output of configure.  It will tell you
what's going wrong, and why.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Alan DeKok
Arnauld Dravet [EMAIL PROTECTED] wrote:
 Hmm .. i think i've read docs where i understood ppl were using samba schema 
 without problems ... what am i supposed to use to make it possible ?

  Something other than EAP-MD5.

  LEAP should work.

  LEAP returns the same error with the missing User-Password
 attribute .. And i can't store clear passwords in the directory 

  Why not?

  As an alternative, you could try storing NT passwords.  That will
allow LEAP & MS-CHAP to work.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-18 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
 Now I'd like to get credentials from an existing LDAP user storage instead
 of the Freeradius users file

  That shouldn't be a problem.

 (I store MD5 hashed password to have PAP compatibility).

  That will make CHAP & MS-CHAP not work.

 The Ldap bind is ok and I got correct uid and password when I launch
 a 802.1X request from a laptop client.

  I'm not sure what you mean by that.

 But there's some particular things I need to know :
 - how do I have to store password in the LDAP database (because I'd like
 to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

  MD5 is fine if you're only doing PAP authentication.

 - what do I have to put in the users file ? (I know that auth-type :=
  EAP is wrong) ?

  Don't put anything in the users file.

 - if it's not possible to have TTLS/PAP authentication what can I do else
  (PEAP/Mschapv2 ...) ?

  TTLS/PAP is possible.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Cisco Authorization failed

2004-06-18 Thread Michael Markstaller
Authentication succeeds, Authorization fails; have you configured aaa
authorization exec default group radius ?
Permit Service-Type administrative and things should work.

1645 vs 1812 as source depends on the ios-version, several bugs, or take a
look at radius-server source-ports extended, but it shouldn't matter
which source-port the router uses as long as it reaches freeradius on
the right destination-port..

Michael


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Nagesh Boyina
 Sent: Friday, June 18, 2004 4:39 PM
 To: [EMAIL PROTECTED]
 Subject: Cisco Authorization failed
 
 
 Hi,
 I have installed the free radius with mysql server. 
 configured the radius
 server authentication on Cisco 3660 router.
 When I am trying to telnet to the router though radius server it says
 authorization got failed.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP groups send reply

2004-06-18 Thread Rivera, Denis
Thank you for the reply.
Here is the output from radius. The problem I'm having is that only one group
name is returned. As shown below, I have the values testgroup2 and Users not being
returned.

Ready to process requests.
rad_recv: Access-Request packet from host 10.32.2.108:1142, id=3, length=48
User-Name = testuser
User-Password = test123
modcall: entering group authorize for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value
C5A237B7E9D8E708D8436B6148A25FA1  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding securityRole as Filter-Id, value testgroup1  op=11
rlm_ldap: Adding securityRole as Filter-Id, value testgroup2  op=11
rlm_ldap: Adding securityRole as Filter-Id, value Users  op=11
rlm_ldap: user testuser authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module files returns notfound for request 0
  modcall[authorize]: module eap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by testuser with password test123
rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123
to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user testuser authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [testuser/test123] (from client edcenter port 0)
Sending Access-Accept of id 3 to 10.32.2.108:1142
Filter-Id = testgroup1
Finished request 0

 -Original Message-
 From: Dustin Doris [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 17, 2004 11:12 AM
 To: '[EMAIL PROTECTED]'
 Subject: Re: LDAP groups send reply
 
 
   Hello,
   I would like to know if this is possible
   Send a Class or Filter-Id attribute to the NAS, with the content
   being the names of the LDAP groups to which the user belongs.
  
   Thank you,
   denis
  
 
  How does the NAS expect the group to come back?
 
  Class:
 
 
 Sorry, I guess I hit send too early.  What I meant was what radius
 attribute the nas expecting for the groups?  An example could be the
 radius attribute Class.
 
 In that case, you would make sure the following is in ldap.attrmap
 replyItem   Class   radiusClass
 
 Then in your ldap directory, you would store the reply items.
 
 radiusClass: OU=group.com;
 
 The one above is an example for Cisco VPN concentrators.
 
 Need to add more use +=, read the man page on users.
 
 
 
 -Dusty Doris
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_ldap (values with space)

2004-06-18 Thread Rivera, Denis
Hello,

I have group values with spaces in them and rlm_ldap is not reading the
value after the space; is this a bug? The values in my securityRole attribute are
Change Password and Luisa Admin. I'm using freeRadius 0.9.3 and OpenLDAP
2.1.25

ad_recv: Access-Request packet from host 10.32.2.108:1164, id=4, length=52
User-Name = testuser
User-Password = test123
modcall: entering group authorize for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(uid=testuser)'
radius_xlat:  'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value
A4F51A8F148FF0FB30DB313FD41E2282  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding securityRole as Filter-Id, value Change  op=11
rlm_ldap: Adding securityRole as Filter-Id, value Luisa  op=11
rlm_ldap: Adding securityRole as Filter-Id, value Users  op=11
rlm_ldap: Adding securityRole as Filter-Id, value testgroup1  op=11
rlm_ldap: Adding securityRole as Filter-Id, value testgroup2  op=11
rlm_ldap: user testuser authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module files returns notfound for request 1
  modcall[authorize]: module eap returns noop for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group authenticate for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by testuser with password test123
rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123
to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user testuser authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 1
modcall: group authenticate returns ok for request 1
Login OK: [testuser/test123] (from client edcenter port 0)
Sending Access-Accept of id 4 to 10.32.2.108:1164
Filter-Id = Change
Finished request 1

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic ?

2004-06-18 Thread Alan DeKok
Joel Eddy [EMAIL PROTECTED] wrote:
 Before I go jumping off the deep end, what OS would be the best and easiest to
 use for Free Radius?

  I'm partial to NetBSD, but that's just me.

  For most purposes, it doesn't really matter.  Use what you're
familiar with.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP groups send reply

2004-06-18 Thread Alan DeKok
Rivera, Denis [EMAIL PROTECTED] wrote:
 Here is the output from radius. The problem I'm having is that only one group
 name is returned. As shown below, I have values testgroup2 and Users not being
 returned.

  Put them in quotes.

  "group1 group2"

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Arnauld Dravet
Selon Alan DeKok [EMAIL PROTECTED]:

   Something other than EAP-MD5.
 
   LEAP should work.
 
   As an alternative, you could try storing NT passwords.  That will
 allow LEAP & MS-CHAP to work.
 

Okay, I'm not really into Win stuff. ntPassword fields seem encrypted since I
can't read them with my eyes, but I think it's just a hash or something. Isn't
that the regular way to store NT passwords?

anyway, here is my ldap section in radiusd.conf:

ldap {
  server = 192.168.1.6
  basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
  filter = "(&(objectclass=posixAccount)(uid=%u))"
  start_tls = no
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  # I changed this one just to try it out; it was originally userPassword
  password_attribute = ntPassword
  timeout = 4
  timelimit = 3
  net_timeout = 1
}


and here are my slapd access rules:

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
by self write
by * auth

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
by self write
by * auth

access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
by self write
by * auth

If I remember well (it's been a long time since I reconfigured OpenLDAP), the
write permission also allows read?
Since I didn't configure any user in the ldap section of radiusd, isn't it
supposed to log in to the LDAP server with the username/password received by
radiusd and grab the user password, which should be possible since it has
write (read?) permission?

thanks for your help

-- 
Arnauld Dravet




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: eap tls configuration problem

2004-06-18 Thread Heath Partington
Apparently I must have had the wrong combination of openssl and/or
permissions levels.  Anyway, it seems that if you use the eaptls howto
with the latest released openssl and pre2, everything is fine.  Thanks
for your help.

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 18, 2004 12:34 PM
To: [EMAIL PROTECTED]
Subject: Re: eap tls configuration problem 

Heath Partington [EMAIL PROTECTED] wrote:
 Sounds like you need a vacation.

  Sniping at the people helping you won't help.

 configure: warning: FAILURE: rlm_eap_sim requires:  libssl.
 configure: warning: silently not building rlm_eap_tls.

  You don't have SSL installed.  Install it.

  OR, you have an older version of SSL installed, and the server
doesn't like it.  READ the output of configure.  It will tell you
what's going wrong, and why.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: eap tls configuration problem

2004-06-18 Thread Grant, Alastair Ian
Quoting Heath Partington [EMAIL PROTECTED]:

 Apparently must have had the wrong combination of openssl and/or
 permissions levels.  Anyway it seems that if you use the eaptls howto
 with the latest released openssl and pre2 everything is fine.  Thanks
 for your help.
 

When I installed openSSL, I configured with:
./configure --prefix=/usr/local/openssl

I'm not sure if this matters; it might be setting the path to the place where freeRadius
will look for the SSL libraries.

When I configured freeRadius 0.9.3 I had to:
CFLAGS=-I/usr/include/et ./configure
to include a library.  Hopefully this helps...

-Al

 -Original Message-
 From: Alan DeKok [mailto:[EMAIL PROTECTED] 
 Sent: Friday, June 18, 2004 12:34 PM
 To: [EMAIL PROTECTED]
 Subject: Re: eap tls configuration problem 
 
 Heath Partington [EMAIL PROTECTED] wrote:
  Sounds like you need a vacation.
 
   Sniping at the people helping you won't help.
 
  configure: warning: FAILURE: rlm_eap_sim requires:  libssl.
  configure: warning: silently

 not building rlm_eap_tls.
 
   You don't have SSL installed.  Install it.
 
   OR, you have an older version of SSL installed, and the server
 doesn't like it.  READ the output of configure.  It will tell you
 what's going wrong, and why.
 
   Alan DeKok.
 
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius-1.0.0-pre2 configure problem

2004-06-18 Thread Norbert Wegener
On a SuSE 9.0 system I ran
./configure; make
From the configure output (the complete script output is available at
http://www.wegener-net.de/radius/typescript.bz2 ):
...
checking for krb5.h... no
...

locate krb5.h gives:
/usr/include/heimdal/krb5.h
/usr/include/linux/sunrpc/gss_krb5.h

Later in the process make of course complains about the missing krb5.h
as well as about the missing com_err.h, which is also available according to
locate com_err.h:
/usr/include/et/com_err.h


Making static dynamic in rlm_krb5...
gmake[6]: Entering directory
`/usr/src/packages/SOURCES/freeradius-1.0.0-pre2/src/modules/rlm_krb5'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
-I../../include  -c rlm_krb5.c -o rlm_krb5.o
rlm_krb5.c:39:18: krb5.h: No such file or directory
rlm_krb5.c:40:21: com_err.h: No such file or directory
rlm_krb5.c:45: error: parse error before krb5_context
rlm_krb5.c:45: warning: no semicolon at end of struct or union
rlm_krb5.c:46: warning: data definition has no type or storage class
rlm_krb5.c:50: error: parse error before ')' token
rlm_krb5.c:50: error: initializer element is not constant
rlm_krb5.c:50: error: (near initialization for `module_config[0].offset')
rlm_krb5.c:50: error: initializer element is not constant
rlm_krb5.c:50: error: (near initialization for `module_config[0]')
rlm_krb5.c:52: error: parse error before ')' token
rlm_krb5.c:52: error: initializer element is not constant
rlm_krb5.c:52: error: (near initialization for `module_config[1].offset')
rlm_krb5.c:52: error: initializer element is not constant
...
and some more lines of errors.

Norbert Wegener

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: LDAP groups send reply

2004-06-18 Thread Dustin Doris

You need to store them in ldap with the +=.  Now you probably have it like
this:

dn: ...
securityrole: testgroup1
securityrole: testgroup2
securityrole: Users

change it to this

dn: ...
securityrole: testgroup1
securityrole: += testgroup2
securityrole: += Users

That should send back all of them.  If it's easier you could make them all
+= if you'd like, and it should still work.


-Dusty Doris

On Fri, 18 Jun 2004, Rivera, Denis wrote:

 Thank you for the reply.
 Here is the output from radius. The problem I'm having is that only one group
 name is returned. As shown below, I have values testgroup2 and Users not being
 returned.

 Ready to process requests.
 rad_recv: Access-Request packet from host 10.32.2.108:1142, id=3, length=48
 User-Name = testuser
 User-Password = test123
 modcall: entering group authorize for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for testuser
 radius_xlat:  '(uid=testuser)'
 radius_xlat:  'o=PUSD,c=US'
 ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
 rlm_ldap: bind as / to 127.0.0.1:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding ntPassword as NT-Password, value
 C5A237B7E9D8E708D8436B6148A25FA1  op=21
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: Adding securityRole as Filter-Id, value testgroup1  op=11
 rlm_ldap: Adding securityRole as Filter-Id, value testgroup2  op=11
 rlm_ldap: Adding securityRole as Filter-Id, value Users  op=11
 rlm_ldap: user testuser authorized to use remote access
 ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module files returns notfound for request 0
   modcall[authorize]: module eap returns noop for request 0
 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
 modcall: entering group authenticate for request 0
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by testuser with password test123
 rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
 rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
 rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123
 to 127.0.0.1:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: user testuser authenticated succesfully
   modcall[authenticate]: module ldap returns ok for request 0
 modcall: group authenticate returns ok for request 0
 Login OK: [testuser/test123] (from client edcenter port 0)
 Sending Access-Accept of id 3 to 10.32.2.108:1142
 Filter-Id = testgroup1
 Finished request 0

  -Original Message-
  From: Dustin Doris [mailto:[EMAIL PROTECTED]
  Sent: Thursday, June 17, 2004 11:12 AM
  To: '[EMAIL PROTECTED]'
  Subject: Re: LDAP groups send reply
 
  
Hello,
I would like to know if this is possible
Send a Class or Filter-Id attribute to the NAS, with the content
being the names of the LDAP groups to which the user belongs.
   
Thank you,
denis
   
  
   How does the NAS expect the group to come back?
  
   Class:
 
 
  Sorry, I guess I hit send too early.  What I meant was: what RADIUS
  attribute is the NAS expecting for the groups?  An example could be the
  RADIUS attribute Class.
 
  In that case, you would make sure the following is in ldap.attrmap:
  replyItem   Class   radiusClass
 
  Then in your LDAP directory, you would store the reply items:
 
  radiusClass: OU=group.com;
 
  The one above is an example for Cisco VPN concentrators.
 
  If you need to add more, use +=; read the man page on users.
 
 
 
  -Dusty Doris
 
 
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_ldap (values with space)

2004-06-18 Thread Dustin Doris
Combining both posts.

As Alan said replying to your other post, if the Filter-Id has a space in
it, you'll need to quote it.  Plus what I said about returning multiple
values.  It would look like this in ldap as an example:

securityrole: "users otherstuff"
securityrole: += "testgroup1 stuff"
securityrole: += "testgroup2 stuff"

-Dusty Doris

On Fri, 18 Jun 2004, Rivera, Denis wrote:

 Hello,

 I have group values with spaces in them; rlm_ldap is not reading the
 value after the space. Is this a bug? The values in my securityRole attribute are
 "Change Password" and "Luisa Admin". I'm using freeRadius 0.9.3 and OpenLDAP
 2.1.25

 rad_recv: Access-Request packet from host 10.32.2.108:1164, id=4, length=52
 User-Name = testuser
 User-Password = test123
 modcall: entering group authorize for request 1
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for testuser
 radius_xlat:  '(uid=testuser)'
 radius_xlat:  'o=PUSD,c=US'
 ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
 rlm_ldap: looking for check items in directory...
 rlm_ldap: Adding ntPassword as NT-Password, value
 A4F51A8F148FF0FB30DB313FD41E2282  op=21
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: Adding securityRole as Filter-Id, value Change  op=11
 rlm_ldap: Adding securityRole as Filter-Id, value Luisa  op=11
 rlm_ldap: Adding securityRole as Filter-Id, value Users  op=11
 rlm_ldap: Adding securityRole as Filter-Id, value testgroup1  op=11
 rlm_ldap: Adding securityRole as Filter-Id, value testgroup2  op=11
 rlm_ldap: user testuser authorized to use remote access
 ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 1
   modcall[authorize]: module preprocess returns ok for request 1
   modcall[authorize]: module files returns notfound for request 1
   modcall[authorize]: module eap returns noop for request 1
 modcall: group authorize returns ok for request 1
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
 modcall: entering group authenticate for request 1
 rlm_ldap: - authenticate
 rlm_ldap: login attempt by testuser with password test123
 rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
 rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
 rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123
 to 127.0.0.1:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: user testuser authenticated succesfully
   modcall[authenticate]: module ldap returns ok for request 1
 modcall: group authenticate returns ok for request 1
 Login OK: [testuser/test123] (from client edcenter port 0)
 Sending Access-Accept of id 4 to 10.32.2.108:1164
 Filter-Id = Change
 Finished request 1



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
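As an added illustration of what Alan and Dusty describe in these two replies (and of the ldap.attrmap replyItem mapping quoted earlier in the LDAP-groups thread), not code from the thread or from FreeRADIUS itself: a small Python model of how rlm_ldap turns the values of a mapped LDAP attribute into RADIUS reply pairs. The tokenizer rule (an unquoted value ends at the first blank) and the operator semantics (`=` only sets an attribute that is not yet present, `+=` appends, `:=` replaces) are the users(5) conventions the replies point to; the attribute-map text, the operator subset and the securityRole values are constructed for this example.

```python
from typing import Dict, List, Tuple

# Operators the users-file syntax accepts in front of a value. This is a
# representative subset (assumption), not FreeRADIUS's full token table.
# Two-character operators come first so that "+=" is not read as "=".
OPERATORS = ("+=", ":=", "==", "=")


def parse_reply_value(raw: str) -> Tuple[str, str]:
    """Split one LDAP attribute value into (operator, value).

    Models the users-file tokenizer that rlm_ldap applies to reply items:
    an optional leading operator, then either a double-quoted string (taken
    whole, spaces included) or a single token that ends at the first blank.
    That second rule is why an unquoted "Change Password" arrives as "Change".
    """
    s = raw.strip()
    op = "="  # default operator for a bare value
    for cand in OPERATORS:
        if s.startswith(cand):
            op = cand
            s = s[len(cand):].lstrip()
            break
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            raise ValueError(f"unterminated quote in {raw!r}")
        return op, s[1:end]
    return op, (s.split()[0] if s else "")


def load_attrmap(text: str) -> Dict[str, str]:
    """Parse ldap.attrmap lines of the form
    '<checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>'
    and return {ldap attribute (lower-cased): RADIUS attribute} for reply items."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        kind, radius_attr, ldap_attr = line.split()
        if kind == "replyItem":
            mapping[ldap_attr.lower()] = radius_attr
    return mapping


def build_reply(entry: Dict[str, List[str]], attrmap: Dict[str, str]) -> List[Tuple[str, str]]:
    """Turn the mapped attributes of one LDAP entry into RADIUS reply pairs.

    Operator semantics follow users(5): '=' adds the pair only if that
    attribute is not yet in the reply (so only the first value of a
    multi-valued attribute survives), '+=' always appends, ':=' replaces every
    existing value. '==' is a comparison operator and is ignored in a reply.
    """
    reply: List[Tuple[str, str]] = []
    for ldap_attr, values in entry.items():
        radius_attr = attrmap.get(ldap_attr.lower())
        if radius_attr is None:
            continue  # not mapped in ldap.attrmap: never sent
        for raw in values:
            op, value = parse_reply_value(raw)
            present = any(a == radius_attr for a, _ in reply)
            if op == "=" and not present:
                reply.append((radius_attr, value))
            elif op == "+=":
                reply.append((radius_attr, value))
            elif op == ":=":
                reply = [(a, v) for a, v in reply if a != radius_attr]
                reply.append((radius_attr, value))
    return reply


# Constructed sample data mirroring the thread: the mapping lines from
# ldap.attrmap and two versions of the user's securityRole values.
ATTRMAP = """
# kind       RADIUS attribute   LDAP attribute
replyItem    Filter-Id          securityRole
replyItem    Class              radiusClass
"""

AS_STORED = {"securityRole": ["Change Password", "Luisa Admin", "Users"]}
AS_ADVISED = {"securityRole": ['"Change Password"', '+= "Luisa Admin"', "+= Users"]}


def reply_for(entry: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Reply pairs for one entry under the constructed attribute map."""
    return build_reply(entry, load_attrmap(ATTRMAP))


if __name__ == "__main__":
    print(reply_for(AS_STORED))   # [('Filter-Id', 'Change')]
    print(reply_for(AS_ADVISED))  # all three values, spaces intact
```

The first call reproduces the debug output in the thread: all values are "added" in turn, but only `Change` survives, because the unquoted value stops at the blank and the default `=` operator refuses a second Filter-Id. The second call shows the quoted, `+=`-prefixed form returning every group name intact.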


Re: FreeRadius/LDAP conf : little problem

2004-06-18 Thread Dustin Doris
 Okay, I'm not really into Win stuff. ntPassword fields seem encrypted since I
 can't read them with my eyes, but I think it's just a hash or something. Isn't
 that the regular way to store NT passwords?

 anyway, here is my ldap section in radiusd.conf:

 ldap {
   server = 192.168.1.6
   basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
   filter = "(&(objectclass=posixAccount)(uid=%u))"
   start_tls = no
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   ldap_connections_number = 5
   # I changed this one just to try it out; it was originally userPassword
   password_attribute = ntPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
 }


 and here are my slapd access rules:

 access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
 by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
 by self write
 by * auth

 access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
 by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
 by self write
 by * auth

 access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
 by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
 by self write
 by * auth

 If I remember well (it's been a long time since I reconfigured OpenLDAP), the
 write permission also allows read?
 Since I didn't configure any user in the ldap section of radiusd, isn't it
 supposed to log in to the LDAP server with the username/password received by
 radiusd and grab the user password, which should be possible since it has
 write (read?) permission?

 thanks for your help

 --
 Arnauld Dravet


No, you need to add a user to do the search for the user logging in.
Since you don't allow anonymous reads, you'll need to create a user with
read access.

So, first change the ldap section to include something like
identity = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
password = password

Then in slapd.conf add something like

access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
  by dn="cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
  by self write
  by * auth


Then add the freeradius user to ldap

$ ldapadd -D cn=root,dc=mtp,dc=epsi,dc=fr -W
dn: cn=freeradius,dc=mtp,dc=epsi,dc=fr
objectclass: person
cn: freeradius
sn: freeradius
userpassword: password

Hope that helps

Dusty Doris



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
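Added here to make the two questions in this exchange concrete (does write imply read, and why does a radiusd with no bind identity get nothing back from the search): a Python model of slapd's access-level ordering and first-match evaluation, written for this page rather than taken from OpenLDAP or from the thread. The user DN, the placement of the new directive in front of the per-attribute password rules, and the simplified `by` matching (exact DN, `self`, `anonymous`, `users`, `*`) are assumptions.

```python
import re
from typing import List, Optional, Sequence, Tuple

# slapd 2.1 access levels, lowest to highest. Granting a level grants every
# level below it: 'write' therefore includes 'read', while 'auth' (bind only)
# includes neither 'search' nor 'read'. Later releases add more levels.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


class AccessRule:
    """One 'access to <target> by <who> <level> ...' directive."""

    def __init__(self, dn_regex: Optional[str] = None, subtree: Optional[str] = None,
                 attr: Optional[str] = None, by: Sequence[Tuple[str, str]] = ()):
        self.dn_regex = re.compile(dn_regex) if dn_regex else None  # dn="<regex>"
        self.subtree = subtree                                      # dn.subtree="<dn>"
        self.attr = attr.lower() if attr else None                  # attr=<name>
        self.by = list(by)                                          # [(who, level)] in file order

    def matches(self, dn: str, attr: Optional[str]) -> bool:
        if self.dn_regex and not self.dn_regex.fullmatch(dn):
            return False
        if self.subtree and not (dn == self.subtree or dn.endswith("," + self.subtree)):
            return False
        if self.attr and (attr is None or attr.lower() != self.attr):
            return False
        return True


def granted_level(rules: List[AccessRule], dn: str, attr: Optional[str],
                  requester: Optional[str]) -> str:
    """slapd evaluation order: the first 'access to' whose target matches
    decides; within it the first matching 'by' clause gives the level.
    requester is the bind DN, or None for an anonymous bind."""
    for rule in rules:
        if not rule.matches(dn, attr):
            continue
        for who, level in rule.by:
            if (who == "*"
                    or (who == "self" and requester == dn)
                    or (who == "anonymous" and requester is None)
                    or (who == "users" and requester is not None)
                    or (who.startswith("dn=") and requester == who[3:])):
                return level
        return "none"   # target matched but no 'by' clause did: denied
    return "none"       # nothing matched: slapd's default is deny


def allows(rules: List[AccessRule], dn: str, attr: Optional[str],
           requester: Optional[str], needed: str) -> bool:
    """True if the granted level is at least the needed one."""
    return LEVELS.index(granted_level(rules, dn, attr, requester)) >= LEVELS.index(needed)


BASE = "dc=mtp,dc=epsi,dc=fr"
ROOT = f"cn=root,{BASE}"
RADIUS = f"cn=freeradius,{BASE}"
USER = f"uid=arnauld.dravet,ou=Users,{BASE}"   # constructed user DN

# The rules as posted: root may write, the entry itself may write, anyone may bind.
ORIGINAL = [
    AccessRule(dn_regex=f".*,{BASE}", attr=a,
               by=[(f"dn={ROOT}", "write"), ("self", "write"), ("*", "auth")])
    for a in ("userPassword", "ntPassword", "lmPassword")
]

# The advised fix, placed before the password rules: a dedicated bind DN
# with read on the Users subtree.
FIXED = [AccessRule(subtree=f"ou=Users,{BASE}",
                    by=[(f"dn={RADIUS}", "read"), ("self", "write"), ("*", "auth")])] + ORIGINAL


def radius_can_search(rules: List[AccessRule], bind_dn: Optional[str]) -> bool:
    """Can a radiusd bound as bind_dn find the user's entry and read the
    configured password attribute? Both 'search' and 'read' are needed."""
    return (allows(rules, USER, "ntPassword", bind_dn, "search")
            and allows(rules, USER, "ntPassword", bind_dn, "read"))


if __name__ == "__main__":
    print("original, anonymous:", radius_can_search(ORIGINAL, None))   # False
    print("original, root:     ", radius_can_search(ORIGINAL, ROOT))   # True
    print("fixed, freeradius:  ", radius_can_search(FIXED, RADIUS))    # True
```

With the rules as posted, an rlm_ldap without `identity`/`password` binds anonymously, hits the `by * auth` clause and gets no search or read, which is exactly why it cannot fetch the user and the bind-as-user step is the only thing that works. `cn=root` succeeds because write sits above read in the ordering. After the advised change the dedicated `cn=freeradius` identity gets read without being given write on anything, and anonymous callers still get just enough (`auth`) to bind.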


Re: freeradius-1.0.0-pre2 configure problem

2004-06-18 Thread Kevin Bonner
Norbert Wegener [EMAIL PROTECTED] wrote :
 On a SuSE 9.0 system I ran
 ./configure; make
 From the configure output (the complete script output is available at
 http://www.wegener-net.de/radius/typescript.bz2 ):
 ...
 checking for krb5.h... no

http://lists.cistron.nl/pipermail/freeradius-devel/2004-April/007092.html

That got around the problem on FC1, so it will probably work on suse.

Kevin Bonner



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


duplicate accounting with mysql-accounting and radrelay

2004-06-18 Thread Michael Markstaller
Hi,

There are several things I can imagine to prevent the below, but before
re-inventing the wheel, I'm sure somebody of you has a simple solution for
this or some good posts to point to?

Here it goes:
using freeradius-1.0-pre2 on two servers, set up as follows:
- server1 does local mysql-accounting into table radacct
- server2 only does accounting to detail and detail-relay files for use
with radrelay to replay them to server1
The mysql DB is replicated from server1 (local DB) to server2 (local DB),
but server2 does no accounting into SQL while still doing auth/authorization;
this shouldn't matter for this.

Now, everything fine so far, but while testing failover I got duplicate
accounting records inserted into the radacct table.
The setup of database and queries is quite straightforward from the supplied
sql.conf.

I was able to understand what happened:
- server1 shutdown
- session started 21:17:32, auth by server2, acct-start record on
server2 saved in detail-relay for radrelay
- radrelay on server2 has not yet sent the record from 21:17:32 to
server1
- 21:22:02 server1 is up again
- an acct-alive is received for this session on server1
- server1 inserts a record with accounting_update_query_alt (as
expected: no session is present in radacct yet, so accounting_update_query
fails and _alt kicks in)
- 21:24:04 radrelay on server2 sends the acct-start record to server1
- server1 creates a new acct-session in the radacct table (also as expected,
accounting_start_query works fine)
- from now on, the two sessions are updated in sync and closed
correctly by server1

Now, banging my head against some walls, there are some more cases where
things will go wrong:
Scenario 2: server1 down - acct-alive sent to server2 - server1 up -
acct-stop to server1 - acct-alive from server2 sent by radrelay - again
duplicate sessions in radacct

The easiest thing I could imagine is something with AcctUniqueId to
prevent duplicates, BUT:
AcctUniqueId is different between server1 and server2 for the above
session; after going through all logs, Client-IP-Address is server2
instead of the NAS in the packet radrelay sent from server2 to server1
(which is intentional, as I've understood it).
Now one could remove Client-IP from acct_unique and make it unique in
the DB, but this alone probably won't really solve the problem.

I'd appreciate any hint on solving these duplicate accounting issues,
or in general on how to get 100% reliable accounting into my DB with
two radius servers.

Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
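Added example, not code from the thread or from FreeRADIUS: a Python/sqlite3 model of the out-of-order arrival described above (the Alive straight from the NAS, then the relayed Start, then the Stop). It derives a session id from two candidate acct_unique key sets, the stock one the post refers to and the same set without Client-IP-Address, and applies every packet as update-then-insert keyed on that id, with the id as the table's primary key. The hash format approximates rlm_acct_unique rather than reproducing its exact byte layout, and the addresses, timestamps and session id are constructed.

```python
import hashlib
import sqlite3
from typing import Dict, List, Optional, Sequence, Tuple

# Key attributes of the acct_unique module as the thread describes them:
# the stock set includes Client-IP-Address, which is the NAS for a packet
# received directly but the relaying server for a packet replayed by radrelay.
DEFAULT_KEY = ["User-Name", "Acct-Session-Id", "NAS-IP-Address", "Client-IP-Address", "NAS-Port"]
RELAY_SAFE_KEY = [a for a in DEFAULT_KEY if a != "Client-IP-Address"]


def acct_unique_id(packet: Dict[str, object], key: Sequence[str]) -> str:
    """Approximation of rlm_acct_unique (assumption: the real join format is
    not reproduced): hash the key attribute values and keep the first 8 bytes
    of the MD5 as hex. Any change in a key attribute changes the id."""
    material = ",".join(str(packet[a]) for a in key)
    return hashlib.md5(material.encode()).hexdigest()[:16]


def new_radacct() -> sqlite3.Connection:
    """Minimal radacct with acctuniqueid as primary key, so the database
    itself refuses a second row for the same session id."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        acctuniqueid TEXT PRIMARY KEY, acctsessionid TEXT, username TEXT,
        nasipaddress TEXT, acctstarttime INTEGER, acctstoptime INTEGER,
        acctsessiontime INTEGER)""")
    return db


def account(db: sqlite3.Connection, packet: Dict[str, object], key: Sequence[str]) -> None:
    """Apply one accounting packet: every status type first tries an UPDATE by
    acctuniqueid and falls back to an INSERT (the _alt pattern of sql.conf),
    so a Start arriving after an Alive completes the row instead of opening
    a second one."""
    uid = acct_unique_id(packet, key)
    status = packet["Acct-Status-Type"]
    if status == "Start":
        cur = db.execute("UPDATE radacct SET acctstarttime=? WHERE acctuniqueid=?",
                         (packet["Timestamp"], uid))
    elif status == "Alive":
        cur = db.execute("UPDATE radacct SET acctsessiontime=? WHERE acctuniqueid=?",
                         (packet["Acct-Session-Time"], uid))
    elif status == "Stop":
        cur = db.execute("UPDATE radacct SET acctsessiontime=?, acctstoptime=? WHERE acctuniqueid=?",
                         (packet["Acct-Session-Time"], packet["Timestamp"], uid))
    else:
        raise ValueError(f"unsupported Acct-Status-Type {status!r}")
    if cur.rowcount == 0:  # no row for this id yet: create it with what we know
        db.execute("INSERT INTO radacct VALUES (?,?,?,?,?,?,?)",
                   (uid, packet["Acct-Session-Id"], packet["User-Name"], packet["NAS-IP-Address"],
                    packet["Timestamp"] if status == "Start" else None,
                    packet["Timestamp"] if status == "Stop" else None,
                    packet.get("Acct-Session-Time")))
    db.commit()


NAS, SERVER2 = "10.0.0.1", "10.0.0.3"   # constructed addresses


def packet(status: str, client_ip: str, ts: int, session_time: Optional[int] = None) -> Dict[str, object]:
    p: Dict[str, object] = {"Acct-Status-Type": status, "User-Name": "alice",
                            "Acct-Session-Id": "0000A1B2", "NAS-IP-Address": NAS,
                            "NAS-Port": 7, "Client-IP-Address": client_ip, "Timestamp": ts}
    if session_time is not None:
        p["Acct-Session-Time"] = session_time
    return p


# The order server1 saw things in the post: the Alive came from the NAS once
# server1 was back, the Start was replayed later by radrelay on server2 (so
# its Client-IP-Address is server2), and the Stop came from the NAS.
ARRIVAL_ORDER = [
    packet("Alive", NAS, 1087586522, session_time=270),
    packet("Start", SERVER2, 1087586644),
    packet("Stop", NAS, 1087587000, session_time=748),
]


def replay(key: Sequence[str]) -> List[Tuple]:
    """Run the arrival sequence against a fresh table and return its rows."""
    db = new_radacct()
    for p in ARRIVAL_ORDER:
        account(db, p, key)
    return db.execute("SELECT acctuniqueid, acctstarttime, acctstoptime, acctsessiontime "
                      "FROM radacct ORDER BY rowid").fetchall()


if __name__ == "__main__":
    print(len(replay(DEFAULT_KEY)), "rows with the stock key")       # 2
    print(len(replay(RELAY_SAFE_KEY)), "row with Client-IP dropped")  # 1
```

With the stock key the relayed Start hashes to a different id because its Client-IP-Address is server2, so it opens a second row even though the session tuple is identical. With Client-IP-Address dropped from the key all three packets share one id, and the primary key plus the update-first pattern leave a single row carrying the start time from the relayed Start and the stop time from the NAS.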


dialup_admin not showing any output

2004-06-18 Thread Michael Markstaller
Using Debian woody,
every dialup_admin I tried *after* the 0.9.3 release doesn't output the
database query results on the web.
Apache/PHP should work; I can also see the queries being run against
the mysql server in mysql.log, and these queries also return results if I
execute them manually.
But they're simply not written to the browser, and there is nothing uncommon in
access.log or error.log of Apache.

Any quick idea where to look?

Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_sql / AcctstartTime AcctStartDelay

2004-06-18 Thread Michael Markstaller
Just an idea while messing around with duplicate accountings in mysql:

Wouldn't it be more logical to change the insert/update commands in
sql.conf to log the real start/stop time of the session, taking the
start/stop delay into account, instead of the packet timestamp %S?
Because otherwise any query against the accounting data has to calculate
(AcctStartTime - AcctStartDelay) AS LoginTime and
AcctStopTime - AcctStopDelay.
IMHO it's much more likely to query login/logout times than how long the
packet took to reach the database (which is still possible with
AcctStart/StopDelay).

I can make/change the queries and post them; I just wanted to poll some
opinions, or maybe I've overlooked something this change might break.

Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_sql / AcctstartTime AcctStartDelay

2004-06-18 Thread Paul Hampson
On Sat, Jun 19, 2004 at 01:29:55AM +0200, Michael Markstaller wrote:
 Just an idea while messing around with duplicate accountings in mysql:

 Wouldn't it be more logical to change the insert/update commands in
 sql.conf to log the real start/stop time of the session, taking the
 start/stop delay into account, instead of the packet timestamp %S?
 Because otherwise any query against the accounting data has to calculate
 (AcctStartTime - AcctStartDelay) AS LoginTime and
 AcctStopTime - AcctStopDelay.
 IMHO it's much more likely to query login/logout times than how long the
 packet took to reach the database (which is still possible with
 AcctStart/StopDelay).

I think one of the concerns with radacct logging in MySQL is that
MySQL's very good at selects, but not so good with inserts. So we
want to make the inserts as simple for the server as possible.

Also, (at least in the default setting) it's prolly best to leave
radacct as close to a direct packet record as possible, so a user
can do whatever they need to to the calculations.

An alternative sql.conf+db schema (ala the PostgresQL voip stuff)
wouldn't raise any objections from me though. No harm in multiple
examples.

-- 
Paul TBBle Hampson, on an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Porting issue.

2004-06-18 Thread Mark Coccimiglio
I had a problem building freeradius-1.0.0-pre2 on RH Fedora Core 2 and
was able to figure out a workaround.

Basically the build stopped because my system lacked the file
com_err.h.  So I installed the current RPM for krb5 and still ran into
the problem.  It appears that the file is located at /usr/include/et
while freeradius is looking for the file at /usr/include.  As a quick
and dirty fix I soft-linked the file in the et directory into
/usr/include (ln -s /usr/include/et/com_err.h /usr/include/com_err.h)
and the build completed successfully.

Just thought I'd let everyone know.
Mark C.






User configuration

2004-06-18 Thread Amos Gregory


Considering running freeradius. I have a special need that just popped
into my lap. I need to set up a radius server that allows for any
arbitrary user with any password to be authenticated by the radius
server. Sounds crazy, but I want to use the server to capture user
information for a contact list. Did I explain that correctly?




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-18 Thread Mack
Hi,

I'm a newbie to all of this, so please bear with me.  This list is all I've got!

We are introducing a wireless infrastructure on our campus (a little late in the
game).  Right now we're in the testing phase.  In this testing phase we are using
several 3com 7250 APs, some 3com cards capable of 802.1x, and Novell eDirectory
(LDAP).  My requirement is to enable 802.1x authentication to the APs using
EAP/TLS.  Additionally, I need to be able to authenticate the users to Novell via
LDAP, all via the FreeRADIUS server.

I have configured freeradius version 0.9.3 to work successfully with only LDAP
authentication against Novell eDirectory.  I have also verified that 802.1x
authentication is working with the AP.  However, if I attempt to somehow enable
both authentication mechanisms, I fail.  The logs keep passing the EAP username
(common name from the cert) to LDAP, and of course LDAP spits it out because the
object does not exist.

Again, I'm new to this, and maybe I have made incorrect assumptions about what
the end result should be.  Maybe this isn't even possible, but here's what I had
hoped to come away with: the wireless user boots their laptop, then gets
authenticated via EAP/TLS.  They then open a browser and are asked for username
and password (via a dialog box?), or are redirected to a login page.  The
username and password are then passed to LDAP for authentication.  Successful
authentication results in the client being given internet access.  Is this
possible?  Or am I totally misunderstanding how this is all supposed to work
(very likely)?

I must admit, I'm not very comfortable when working with the config files.  Not
too sure what I'm doing in there.  I tackled this whole project somewhat blindly,
with the help of various bits of info I gathered from google searches.  I do need
to obtain a good book on this stuff...that's obvious...but I am hoping that
someone on this list has experience with getting freeradius to work with EAP/TLS
and Novell LDAP authentication and is willing to share that experience and
wisdom.

(Embarrassed) Sorry again for the newbie-ness of this post, and thanks in advance
for any help!

mack



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html