error in configure radius

2004-06-23 Thread Victor A Belous
Hello,
I run Solaris 9 on SPARC 64 with gcc.
I can't configure FreeRADIUS (freeradius-1.0.0-pre3, also pre2 and pre1).
I start with the command
 ./configure --with-openssl-includes=/usr/local/ssl/include 
--with-openssl-libraries=/usr/local/ssl/lib

and get the error
checking for openssl/err.h... (cached) yes
checking for openssl/engine.h... (cached) yes
configure: warning: silently not building rlm_eap_sim.
configure: warning: FAILURE: rlm_eap_sim requires:  libssl.
but I have the libssl in
bash-2.05# ls -l /usr/local/ssl/lib
total 4466
-rw-r--r--   1 root     other    1949856 Jun 16 10:12 libcrypto.a
-rw-r--r--   1 root     other     304440 Jun 16 10:12 libssl.a
drw-r--r--   2 root     other        512 Oct  9  2003 pkgconfig
bash-2.05#
I just compiled the latest version of OpenSSL, but this doesn't help me.
What am I doing wrong?
Thanks
Victor Belous
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error in configure radius

2004-06-23 Thread Arnauld Dravet
Do you have the libssl*.so* and libcrypto*.so*? Try to make symlinks of them to 
/usr/local/lib or /usr/lib or whatever is the standard lib path in Solaris :)





-- 
Arnauld Dravet





Time-session limits and Time-of-day restrictions.

2004-06-23 Thread Juan G. Garcia
I was reading on the mailing list about a new (at least for me) attribute,
'login-time'. Is this a standard? It is not shown in RFC2865 as a
standard RADIUS attribute; is it supported by a new RFC?

Moreover, I am implementing a web-based admin tool for freeradius, a
specific solution for an Ecuadorian ISP, and I need support for:

1. Time-session limits.
2. Time-of-day login restrictions depending on the customer.

What solutions can you recommend?

Cheers!




freeradius-1.0.0-pre3 PEAP Issue using windows-XP client

2004-06-23 Thread jzhao
Dear all:

I have encountered the following issue when using a Windows XP client to do a PEAP
test.

The client side's connection will drop 5 seconds after passing authentication.
The client side prompts that no usable wireless device can be found and the
connection drops immediately.

Following is my configuration in "eap.conf" and "radiusd.conf".

In "eap.conf" file:

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    # Supported EAP-types
    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    tls {
        private_key_password = 123456
        private_key_file = /test/server.pem
        certificate_file = /test/server.pem
        CA_file = /test/oot.pem
        dh_file = /test/DH
        random_file = /test/random
        fragment_size = 1024
        include_length = yes
    #   check_crl = yes
    #   check_cert_cn = %{User-Name}
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }

    peap {
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}

In "radiusd.conf" file:

authorize {
    preprocess
#   auth_log
#   attr_filter
    chap
    mschap
#   digest
#   IPASS
    suffix
#   ntdomain
    files
#   sql
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
}

Can anyone help me?

Thanks

Joe

ISPMan LDPAP authentification.

2004-06-23 Thread jim
I currently have freeradius installed on a debian system and haven't 
had much luck yet getting the filters set properly to authenticate using 
radtest.

admin:/etc/apache-ssl# radtest jim password localhost 0 secret
Sending Access-Request of id 73 to 127.0.0.1:1812
User-Name = "jim"
User-Password = "password"
NAS-IP-Address = admin
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=73, 
length=20

The filters I am using may not be correct, but I don't get 
enough debugging information to tell why things are failing.

server = "localhost"
identity = "o=ispman"
# password = "secret"
basedn = "o=ispman"
filter = "(|([EMAIL PROTECTED])(ispmanUserId=%u))"
start_tls = no

Any suggestions or anyone who currently has freeradius working with 
ISPMan?

-Jim





Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Arnauld Dravet
I really can't get CVS to work. It compiles fine, but I tried several CVS versions 
and I got this at startup:

Module: Instantiated unix (unix)
radiusd.conf[9] Failed to link to module 'rlm_eap': file not found
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#

I don't know if I can use the rlm_eap module from the non-CVS version.


-- 
Arnauld Dravet





freeradius Web Frontend

2004-06-23 Thread Maqbool Hashim
Are there any web frontends for FreeRADIUS?  There is a link to Chris 
Shenton's frontend, but there is no documentation for it as it was 
written for an internal project.  Has anyone used his frontend with 
success?  Or even found any other web frontends for freeradius?

Thanks


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Gary McKinney
Hi Arnauld,

Have you looked at the "make" output from the compile to see if there are
any error or warning messages?  It sounds like either there is an error in
the latest CVS stopping the compilation of modules (most likely not) or
"something" the compilation requires is missing - from the sounds of it I
am wondering if the OpenSSL version is the correct version - you do have
the latest (greater than 0.9.7) OpenSSL installed??? (I don't install
a binary but instead download the source and compile on my machine -
it seems some of the binaries out there don't install all of the pieces needed
to compile parts of freeradius (header files, libs, etc.).)

I would first look at the messages thrown out by the make command and
the configure command to see if something flags a problem...

Just some thoughts...

gm..





Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Gary McKinney
Mack,

TTLS is not in the 0.9.3 version - you have to use the 1.0.0-pre version to
get TTLS support.

The nice thing about TTLS is the fact the client security certificate is
optional!  Makes it much easier to deploy if you have a good number of
clients or you don't have access to the wireless devices to install said
certificates.

Glad to see you are gaining some insight into the wonderful world of
hi-security wireless access [grin].  It is rather complicated but MUCH
better at protecting the content of the link vs WEP...

gm...

- Original Message - 
From: "Mack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 22, 2004 3:53 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


> Gary & Alan,
>
> Thanks guys.  Sorry for being so stupid about all of this, but thanks to
> ya'll and the reading that I've done in this short period of time, I have
> learned a great deal about how this stuff works.
>
> When using TTLS or PEAP, it seems that I'll still need EAP-TLS...but just
> on the server-side, not the client (am I right?).  I think that TTLS will
> be a better fit as it seems to support more methods, and PEAP seems to be
> strictly a MS thing.  I actually got the PEAP working now, though, thanks
> to your direction.
>
> I'll look into demoing third party clients.  Know of any free ones,
> though?
>
> It looks like maybe the 0.9.3 version of freeradius does not support TTLS.
> Is this correct?  If so, does the CVS version include support?  Sorry if
> this, too, is documented somewhere, but I just thought I'd ask while I was
> here.
>
> Thanks for the help!
>
> mack
>
> On 22 Jun 2004 at 12:37, Gary McKinney wrote:
>
> > Mack,
> >
> > Take a look at the following URL:
> >
> > http://3w.denobula.com:5/EAPTLS.pdf
> >
> > It may be a little dated but all of the info is still relevant... one
> > thing to take notice of is there is NO user password exchanged as
> > EAP/TLS does not use a user's password for authentication - that chore
> > is handled by the fact the supplicant contains a VALID user
> > certificate the server recognizes.
> >
> > I think the above is what Alan is trying to convey to you - you can
> > not use EAP/TLS and LDAP together as there is NO user password
> > exchanged between the supplicant and Freeradius (or any other radius
> > server) in that mode.  If you are looking to use LDAP and a very
> > secure method for the link between the client and the AP you will have
> > to use a different method (PEAP or EAP/TTLS come to mind)...
> >
> > You may want to check out other supplicant software (if you are
> > thinking of using the EAP/TTLS method you may want to check out the
> > Odyssey Supplicant software from Funk Software (they are the ones who
> > came up with TTLS and are working on a RFC to that effect).
> >
> > I may not have stated all of the above totally correctly but you
> > should get the basic meaning [grin]...
> >
> > There are several RFCs that come with the freeradius package - I
> > would strongly suggest reading them as they are the basis for all the
> > different protocols and authentication methods Alan and company have
> > based the Freeradius software against ( I think )
> >
> > I hope the above information is helpful and taken in the manner in
> > which it was meant (to be informative and helpful)...
> >
> > gm...
> >
> >
> > -- Original Message --
> > From: "Mack" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > Date:  Tue, 22 Jun 2004 12:02:33 -0400
> >
> > >Alan,
> > >
> > >At your request, I'll try to reformat this so that it is presented as
> > >a problem/challenge rather than a "why doesn't my solution work"
> > >post:
> > >
> > >Problem:
> > >My AP is a 3com 7250.  It requires that you enable 802.1x on itself,
> > >the client, and the radius server if you want to use the radius
> > >server as the "authentication" server.  My understanding is that
> > >802.1x requires EAP-something.  I chose EAP-TLS because my client is
> > >stock XP and my understanding is that EAP-TLS is my only option with
> > >that client.
> > >
> > >My boss asked me if it was possible to authenticate our wireless
> > >users against Novell's eDirectory (LDAP).  He did not specifically
> > >require 802.1x/EAP-anything.  The only reason I'm using 802.1x/EAP is
> > >because the AP requires it.
> > >
> > >I have successfully implemented EAP-TLS authentication between the
> > >client, AP, and freeradius.  Now I am attempting to "add" LDAP
> > >authentication, but have not been successful.
> > >
> > >I can provide any configs/logs if needed.
> > >
> > >Solution:
> > >None so far.  Anyone have any suggestions/comments?  What would ya'll
> > >do in my position?
> > >
> > >thanks,
> > >mack
> > >
> > >
> > >
> > >On 21 Jun 2004 at 23:52, Alan DeKok wrote:
> > >
> > >> "Mack" <[EMAIL PROTECTED]> wrote:
> > >> > My AP requires that I enable 802.1x in order to use RADIUS
> > >> > authentication.  So, I figured I'd use EAP-TLS

Re: Time-session limits and Time-of-day restrictions.

2004-06-23 Thread Keith Yoder


> I was reading on Mailing List about a new (at least for me) attribute
> 'login-time' is this an standard? It is not shown in RFC2865 as a
> standard radius attribute, Is it supported by a new RFC?
>
> Moreover, I am implementing a web-based admin tool for freeradius, an
> specific solution for an Ecuadorian ISP, and I need Supporting for:
>
> 1. Time-session limits.
> 2. Time-of-day login restrictions depending of customer.
>
> What solutions can you recommend?
>

Login-Time is an attribute that the server uses to decide if the user gets
rejected or not.  It will work with any NAS.

By time-session limits, do you mean that a user will be disconnected after x
time?  If so, you can use the Session-Timeout attribute.  In this case the
NAS has to support it, but I would imagine that almost all do.

Hope that helps,
Keith Yoder


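The Login-Time and Session-Timeout behaviour Keith describes (and the time-of-day restrictions Juan asked for) can be seen end to end in the following added example, which is not code from the list or from FreeRADIUS itself: it evaluates a Login-Time string in the form the users file uses (day codes Su..Sa, Wk, Al/Any with optional HHMM-HHMM ranges, which is my assumption of the supported syntax), decides whether a login at a given moment is permitted, and derives the Session-Timeout a server would hand the NAS as the seconds left in the allowed window.

```python
import re
from datetime import datetime

MINUTES_PER_DAY = 24 * 60
WEEK_MINUTES = 7 * MINUTES_PER_DAY

# Day codes as written in a Login-Time string, mapped to Python's
# weekday() numbering (Monday = 0 ... Sunday = 6).
DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
DAY_GROUPS = {"Wk": [0, 1, 2, 3, 4], "Al": list(range(7)), "Any": list(range(7))}

_DAY_TOKEN = r"Su|Mo|Tu|We|Th|Fr|Sa|Wk|Al|Any"
# One term: an optional run of day codes followed by an optional HHMM-HHMM range.
_TERM_RE = re.compile(r"^((?:" + _DAY_TOKEN + r")+)?(?:(\d{4})-(\d{4}))?$", re.IGNORECASE)


def _hhmm_to_minutes(hhmm):
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or minutes > 59 or (hours == 24 and minutes != 0):
        raise ValueError(f"bad time {hhmm!r} in Login-Time")
    return hours * 60 + minutes


def parse_login_time(spec):
    """Expand a Login-Time string into a week bitmap: one boolean per minute
    of the week (Monday 00:00 first), True where a login is permitted.
    Terms are separated by ',' or '|'; a term without day codes applies to
    every day, a term without a time range covers the whole day, and a range
    whose end is not after its start (e.g. 2200-0200) runs past midnight."""
    allowed = [False] * WEEK_MINUTES
    for term in re.split(r"[,|]", spec):
        term = term.strip()
        if not term:
            continue
        match = _TERM_RE.match(term)
        if not match:
            raise ValueError(f"bad Login-Time term {term!r}")
        day_part, start, end = match.groups()
        if day_part is None:
            days = set(range(7))
        else:
            days = set()
            for tok in re.findall(_DAY_TOKEN, day_part, re.IGNORECASE):
                tok = tok.capitalize()
                days.update(DAY_GROUPS[tok] if tok in DAY_GROUPS else [DAY_CODES[tok]])
        if start is None:
            first, last = 0, MINUTES_PER_DAY
        else:
            first, last = _hhmm_to_minutes(start), _hhmm_to_minutes(end)
        for day in days:
            base = day * MINUTES_PER_DAY
            if first < last:
                span = range(base + first, base + last)
            else:  # crosses midnight: rest of this day plus the start of the next
                span = list(range(base + first, base + MINUTES_PER_DAY)) + [
                    (base + MINUTES_PER_DAY + m) % WEEK_MINUTES for m in range(last)]
            for minute in span:
                allowed[minute] = True
    return allowed


def seconds_remaining(spec, when):
    """Seconds from `when` until Login-Time next forbids the session (the
    value a server would send as Session-Timeout); 0 if the login is not
    permitted at `when`; None if every minute of the week is permitted."""
    allowed = parse_login_time(spec)
    idx = when.weekday() * MINUTES_PER_DAY + when.hour * 60 + when.minute
    if not allowed[idx]:
        return 0
    run = 0
    while run < WEEK_MINUTES and allowed[(idx + run) % WEEK_MINUTES]:
        run += 1
    if run == WEEK_MINUTES:
        return None
    # Part of the current minute has already elapsed.
    return run * 60 - when.second


def check_login(spec, when_iso):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return seconds_remaining(spec, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    # Constructed sample checks; 2004-06-23 (the list date) is a Wednesday.
    for spec, stamp in [
        ("Wk0800-1700", "2004-06-23T16:30:00"),
        ("Wk0800-1700", "2004-06-26T10:00:00"),
        ("Wk0800-1700,Sa0900-1200", "2004-06-26T10:00:00"),
        ("Fr2200-0200", "2004-06-26T01:00:00"),
    ]:
        print(f"Login-Time={spec!r} at {stamp}: Session-Timeout={check_login(spec, stamp)}")
```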


Re: error in configure radius

2004-06-23 Thread Victor A Belous
Thanks, Arnauld.
I recompiled openssl with the shared option and now I have
bash-2.05# ls /usr/local/ssl/lib
libcrypto.a         libcrypto.so.0.9.7  libssl.so.0
libcrypto.so        libssl.a            libssl.so.0.9.7
libcrypto.so.0      libssl.so           pkgconfig
bash-2.05#
but I have the same error again:
checking for openssl/ssl.h... yes
checking for openssl/err.h... yes
checking for openssl/crypto.h... yes
checking for openssl/rand.h... yes
checking for openssl/engine.h... yes
checking for OpenSSL version >= 0.9.7... yes
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... no
...
checking for openssl/err.h... (cached) yes
checking for openssl/engine.h... (cached) yes
configure: warning: silently not building rlm_eap_sim.
configure: warning: FAILURE: rlm_eap_sim requires:  libssl.
Victor Belous


Re: freeradius Web Frontend

2004-06-23 Thread apellido jr., wilfredo p.
dialup_admin




Re: Time-session limits and Time-of-day restrictions.

2004-06-23 Thread apellido jr., wilfredo p.
rlm_sqlcounter or rlm_counter :)




Re: freeradius Web Frontend

2004-06-23 Thread Milver S. Nisay
> Maqbool Hashim wrote:
> Are there any web frontends for Freeradius?  There is a link to Chris
> Shenton's frontend, but there is not documentation for it as it was
> written for an internal project.  Has anyone used his frontend with
> success?  Or even found any other web frontends for freeradius?

I will come up with a working simple web-based interface for managing users
under freeradius+mysql and have it released for free soon! And I will probably
include you as beta testers hopefully. :)
I have it working now but customized for my own use so far. I'm working on
it, just need more time though.

For now, you can try dialup admin or phpadmin.
//milver





Re: freeradius Web Frontend

2004-06-23 Thread Kostas Kalevras
On Wed, 23 Jun 2004, Milver S. Nisay wrote:

> > Maqbool Hashim wrote:
> > Are there any web frontends for Freeradius?  There is a link to Chris
> > Shenton's frontend, but there is not documentation for it as it was
> > written for an internal project.  Has anyone used his frontend with
> > success?  Or even found any other web frontends for freeradius?
>
> i will come up with a working simple web-based interface for managing users
> under freeradius+mysql
> and have it release for free soon! and will probably include you as beta
> testers hopefully. :)
> i have it working now but customized for my own use so far. im working on
> it, just need more time though.
>
> for now, you can try dialup admin or phpadmin.

What does dialupadmin do wrong? I've seen quite a lot of people developing
their own 'simple' interface.
Could one of them give me a good reason for that?


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Arnauld Dravet
> Have you looked at the "make" output from the compile to see if there are
> any error or warning messages?  

Yep, it was my fault: I have openssl 0.9.6 and 0.9.7 installed for certificate 
generation, and of course I forgot to link freeradius-cvs against 0.9.7 =) It works 
much better now, at least radiusd is launching.

But I still have a problem during TLS init (I'm trying to set up a TTLS connection):

The client (Aegis - WinXP) is configured with TTLS auth + MS-CHAP-V2 tunneled 
protocol. It seems like I have a problem with certificates, but I don't understand 
why since I'm not supposed to have one on the client side ..

Here is the output, sorry if it's a bit long:



rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79, length=242
NAS-IP-Address = 192.168.6.3
NAS-Port-Type = Wireless-802.11
NAS-Port = 5
Framed-MTU = 1400
User-Name = "arnauld.dravet"
Calling-Station-Id = "00904b625711"
Called-Station-Id = "000d54fc1807"
NAS-Identifier = "EPSI AP1"
State = 0xfdd7e79f9bbab3286563325da5e5199a
EAP-Message = 
0x0203006a15800060160301005b0157030140d9772aeddf802406fe3f32167240a335e4
99126e92bb2f0423691ebb49fad93000390038003500160013000a00330032002f0066000500
040065006400630062006000150012000900140011000800030100
Message-Authenticator = 0xfdb7fe56ea406a82a82906e64a1951a2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "arnauld.dravet", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
  modcall[authorize]: module "files" returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for arnauld.dravet
radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter 
(&(objectclass=posixAccount)(uid=arnauld.dravet))
rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
rlm_ldap: Adding ntPassword as NT-Password, value 
EFAC11B52777F8D7A34BDC1A0F89228D & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 
136BE46417241D68AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
TLS_accept: SSLv3 read client hello A
TLS_accept: SSLv3 write server hello A
TLS_accept: SSLv3 write certificate A
TLS_accept: SSLv3 write key exchange A
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 79 to 192.168.6.3:1794

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-23 Thread Arnauld Dravet
Update of the previous mail: when I choose on the client not to validate the 
server certificate chain, radius crashes when opening the TTLS tunnel:

rlm_ldap: user arnauld.dravet authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 20
modcall: group authorize returns updated for request 20
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
Segmentation fault
[EMAIL PROTECTED]:/usr/local/freeradius-cvs#



-- 
Arnauld Dravet






Re: Attribute "User-Password" is required for authentication.

2004-06-23 Thread Alan DeKok
Alberto Ugarte <[EMAIL PROTECTED]> wrote:
> ./radtest 00502964 prueba freeradius 5 testing123 
> It works correctly.
...
> But when I try with XP client(PEAP/Mschapv2)...
...
> I think that it doesn't work because there isn't
> "User-Password" and It doesn't process it. But I don't
> know how can I change it.

  You don't.

> rlm_ldap: Attribute "User-Password" is required for
> authentication.

  You've edited the configuration to:

  a) set Auth-Type = LDAP

   or

  b) listed LDAP before EAP in the "authorize" section.

  Don't do either one.  The default configuration works.

  Alan DeKok.



Reject connect based on Ldap Attributes

2004-06-23 Thread Lew A
I'm trying to set it up so that, when a connection comes in from a certain
NAS-IP-Address and the user trying to connect has a specific LDAP
attribute set, they won't be able to connect. I haven't been able to
successfully figure out how to do this. I'm using FreeRadius 0.98. It
matches default 93, then does ldap stuff, then because it auths with ldap
it just returns. Is there a way to get it to go back to users so I can
deny based on an ldap attribute?

This is what I have setup:
huntgroup:
ludo   NAS-IP-Address == 255.255.255.255

users:
DEFAULT Auth-Type = Ldap  <= default 93
Fall-Through = 1

DEFAULT Huntgroup-Name == ludo, Test == 28, Auth-Type := Reject
Reply-Message = "woah."

This is a radtest:
ludo# radtest WWWtstmnky test123 localhost 3 testing123
Sending Access-Request of id 33 to 127.0.0.1:1812
User-Name = "WWWtstmnky"
User-Password = "abc123"
NAS-IP-Address = ludo.gwi.net
NAS-Port = 3
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=33, length=32
Test = 28

This is radiusd debugging output:
rad_recv: Access-Request packet from host 127.0.0.1:4948, id=33, length=62
User-Name = "WWWtstmnky"
User-Password = "test123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 3
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "WWWtstmnky", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "WWWtstmnky"
rlm_realm: Proxying request from user WWWtstmnky to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 93
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:  '(uid=WWWtstmnky)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gwi,dc=net/jogging cures the common cold
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=WWWtstmnky)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=true)(|(&(objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group true not found or user is not a member.
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for WWWtstmnky
radius_xlat:  '(uid=WWWtstmnky)'
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=WWWtstmnky)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding gidNumber as Test, value 28 & op=11
rlm_ldap: user WWWtstmnky authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Ldap
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "WWWtstmnky" with password "test123"
rlm_ldap: user DN: uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net/test123
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user WWWtstmnky authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 33 to 127.0.0.1:4948
Test = 28
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 33 with timestamp 40d985a6
Nothing to do.  Sleeping until we see a request.



Re: freeradius Web Frontend

2004-06-23 Thread Alan DeKok
Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> What does dialupadmin do wrong? I 've seen quite a lot of people developing
> their own 'simple' interface?
> Could one of them give me a good reason for that?

  Update the main FreeRADIUS README to talk about dialup_admin, and
update the web site (freeradius-www in CVS) to include comments about
dialup_admin, and screen shots.

  Alan DeKok.




Cryptocard

2004-06-23 Thread bernie


Hi,

I am using freeradius-0.9.3 and the cryptocard RB-1 
Token for authentication. Synchronous mode works 
fine,

but when I try to resynchronize the token (or
when I try to use challenge mode) I get the same
error as Christoph Galuschka described earlier 
[Feb 2004]:

rlm_x99_token: auth: bad state for [nstalb]: length

I tried out two different NASes, Cisco VPN
Concentrator and Checkpoint Firewall. Both
seem to mangle the State attribute.

Did anybody try to modify the code according to
Alan DeKok's suggestions?

Or is there another way for the user to resynchronize 
(getting hold of the information in x99sync.d/), 
without having to call me? (I have read the rlm_x99_token
README.)

Bernie Stalder



>"Christoph Galuschka" <[EMAIL PROTECTED]> wrote:
> > Configuration seems to work well as I do get a challenge when 
> > logging in to my cisco box (IOS 12.2). But I get an error 
> > message after entering my response:
> > 
> > rlm_x99_token: auth: bad state for [tigalch]: length
>
>  The NAS is mangling the State attribute.  It's not supposed to do
> that.  You can edit the source to rlm_x99_token to decrease the length
> of the State it uses.  That might help.
>
>  Alan DeKok.
>





Re: howto set max reauthentication parameter

2004-06-23 Thread Mark Coccimiglio
Ankan,
   During Authentication the AP just acts as a go-between for the Radius 
server and the XSupplicant.  It just passes info and waits for the 
radius server to tell it all is OK (that's an oversimplification of the 
process as I understand it).  Since the AP is not a participant in the 
conversation it's not a matter of how many attempts but rather how long 
it takes.  In Cisco IOS the default time the AP gives the client to 
authenticate is 30 seconds.  If the client does not authenticate in that 
time interval then the AP dis-associates the client and the 
association/authentication cycle has to be restarted by the client.  
That value can be changed to suit your needs. 
   In the WebAdmin interface go to "Security | Advanced Security | EAP 
Authentication" and change the "EAP Client Timeout".
OR
   from global configuration mode (config t)
interface Dot11Radio0
 dot1x client-timeout 

Reauthentication happens at regular intervals starting from the time of 
successful authentication as set by the Radius server OR the AP can 
force reauthentication at a regular interval of your setting.  Note: if 
you force reauthentication at the AP make sure you use a time interval 
less than that provided by the radius server.
   In the WebAdmin interface go to "Security | Advanced Security | EAP 
Authentication" and change the "EAP Reauthentication Interval".
OR
   from global configuration mode (config t)
interface Dot11Radio0
 dot1x reauth-period 

There is no way (that I know of) to automatically force reauthentication 
at a set time (e.g. 9:00am, top of the hour, half-past, etc.).
To manually force reauthentication go to the "Association" menu in 
WebAdmin and dis-associate the specific client.  That restarts the 
Association/Authentication cycle.

If you are running a dynamic key authentication protocol like EAP-TLS or 
PEAP the radius server *should* serve up new keys with each new 
authentication.

I hope that answers your question.
Mark C.
[EMAIL PROTECTED] wrote:
> Hi Mark,
> Actually I want to know how to set the total number of authentication/reauthentication 
> params inside the CISCO 1100 AP. It means I want to set the maximum number of authentication attempts after which the trusted port in the AP will be finally unauthorized. Also how can I force the AP to start reauthentication? It seems to me that I can set the reauthentication interval inside the AP, but I am not able to force reauthentication at any time (it does not depend on the interval) inside the AP. 
> 
> Regards
> Ankan


Access-Accept does not contain Attributes

2004-06-23 Thread david winter




I am using mysql behind my freeradius and I have used
www.frontios.com's howto to configure the mysql tables. I am getting
access-accept packets back when using radtest, but no additional
attributes. But I have the reply-detail file logging, and it shows the
correct attributes pulled from the mysql tables using all the stock
sql.conf queries. Could I have accidentally turned anything off in
radiusd.conf that would prevent the queried attributes from being returned
in the access-accept packet? I added those test values to the
/usr/local/etc/raddb/dictionary file. 

 
[EMAIL PROTECTED] doc]# radtest dwinter dave 127.0.0.1 1812 testing1232
Sending Access-Request of id 95 to 127.0.0.1:1812
    User-Name = "dwinter"
    User-Password = "dave"
    NAS-IP-Address = planet3.planet-telecom.com
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=95,
length=20
[EMAIL PROTECTED] doc]# 
[EMAIL PROTECTED] doc]# 
[EMAIL PROTECTED] doc]# 
[EMAIL PROTECTED] doc]# cat /var/log/radius/radacct/127.0.0.1/reply-detail-20040623
Packet-Type = Access-Accept
Wed Jun 23 09:59:23 2004
    DAVE_TEST_VAL := "dave is cool"
    DAVE_TEST_VAL2 := "this is test val2"

[EMAIL PROTECTED] doc]# 



David Winter
Senior Network Engineer
Planet-Telecom, Inc.
Tampa FL
(813)901-5182 Office
(813)864-3162 Direct
(813)817-4204 Mobile
(813)881-9762 Fax
--
AIM: mobofool
ICQ:  3563403
MSN:[EMAIL PROTECTED]
Y!:vt_fool


Alan DeKok wrote:

> Alberto Ugarte <[EMAIL PROTECTED]> wrote:
> > ./radtest 00502964 prueba freeradius 5 testing123 
> > It works correctly.
> ...
> > But when I try with XP client(PEAP/Mschapv2)...
> ...
> > I think that it doesn't work because there isn't
> > "User-Password" and It doesn't process it. But I don't
> > know how can I change it.
>
>   You don't.
>
> > rlm_ldap: Attribute "User-Password" is required for
> > authentication.
>
>   You've edited the configuration to:
>
>   a) set Auth-Type = LDAP
>
>    or
>
>   b) listed LDAP before EAP in the "authorize" section.
>
>   Don't do either one.  The default configuration works.
>
>   Alan DeKok.





Re: Is it possible to use the MAC as the key

2004-06-23 Thread Mike Patchen
Taking this a step further, is it possible to authenticate based solely
on MAC address?  Meaning completely ignoring what is being sent for
username/password.

>>> [EMAIL PROTECTED] 6/22/2004 9:38:14 AM >>>
yes. It depends on what the switch sends in the
authentication-request.
if your auth-detail has username and password with the MAC address you
just have a User-Name and User-Password for the machine in your db. It
only authorizes the machine to be on the network. It's a little better
than just plugging in any machine. If the MAC address is in the
Calling-Station-ID, and a real User-Name and User-Password is in the
request you could authorize the person to use that machine.

If you have a profile in your switch of "Accept" and a default of
reject.

users file
...
00-01-02-ab-cd-de   User-Password == "00-01-02-ab-cd-de"
Filter-ID="profile=Accept"

DEFAULT User-Password =~"..-..-..-"
Filter-ID="profile=DEFAULT"

On Tue, 2004-06-22 at 00:58, Christoffer Dahl Petersen wrote:
> Hi!
> 
> I was wondering if it is possible to tell the Freeradius to use the
> MAC addr. as a validating key?
> I would like to store all my clients MAC addr. in a db, and use it
as
> a backend for Freeradius, then when the clients starts, the AP sends
> the clients MAC addr. to Freeradius and the MAC addr. is used as a
> token for validating.
> 
> / Christoffer




Re: Access-Accept does not contain Attributes

2004-06-23 Thread Alan DeKok
david winter <[EMAIL PROTECTED]> wrote:
> I am using mysql behind my freeradius and I have used www.frontios.com's 
> howto to configure the mysql tables. I am getting access-accept packets 
> back when using radtest, but no additional attributes.

  So... what does debugging mode say?

> [EMAIL PROTECTED] doc]# radtest dwinter dave 127.0.0.1 1812 testing1232
> Sending Access-Request of id 95 to 127.0.0.1:1812
...

  I fail to understand the reason behind providing debugging logs on
the client, but not on the server.  There's nothing you can do to the
client to make the server return the right attributes.

> /var/log/radius/radacct/127.0.0.1/reply-detail-20040623
> Packet-Type = Access-Accept
> Wed Jun 23 09:59:23 2004
> DAVE_TEST_VAL := "dave is cool"
> DAVE_TEST_VAL2 := "this is test val2"

  Let me guess: You defined these as non-protocol attributes.

  Alan Dekok.



Re: freeRADIUS cert chain authentication

2004-06-23 Thread Alan DeKok
Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
> any help in this regard would be appreciated - has anyone using
> freeRADIUS used cert chains with length more than 2 

  I don't think so.  SSL is complicated, and it's difficult to
understand or debug it.

  Alan DeKok.




howto set max reauthentication parameter

2004-06-23 Thread ankan
Hi Mark,
Thanks for your answers. It really works for me. Now one more question.
How can I force the FastEthernet port(trusted one) to Authorized state? I mean without 
any EAP authentication how can I set the AP so that it can forward data through 
Ethernet port?

Regards
Ankan




Re: Removing VSAs from proxied requests

2004-06-23 Thread Alan DeKok
Alex French <[EMAIL PROTECTED]> wrote:
> But is there any way to say "Don't allow the following VSAs. Allow
> everything else"?

  You can try the "-=" operator in the "pre-proxy" file.

DEFAULT
Foo-Bar -= ""

  may remove Foo-Bar from the proxied request.

  Alan DeKok.



Re: Access-Accept does not contain Attributes

2004-06-23 Thread david winter




Alan,

My apologies for the lack of info in the previous post. I see from
researching my problem in the freeradius list you seem to run into lots
of newbies such as myself sending in help requests with lacking info.
Sorry to have jumped into that pool. Let me see if I can clarify. After
sending the last email I tried to add a REAL attribute into my
radgroupreply table, Service-Type := Framed-User, and that value will
always come back. I think this ties into your 'non-protocol' attribute
question. I don't know much about these attributes or how to create the
custom ones I need. Can you please point me in the right direction as
to editing the dictionary or whatever needs to be edited to support my
own attributes. Thanks. (Meanwhile I will search the list for
customized attribute posts.)



David Winter
Senior Network Engineer
Planet-Telecom, Inc.
Tampa FL
(813)901-5182 Office
(813)864-3162 Direct
(813)817-4204 Mobile
(813)881-9762 Fax
--
AIM: mobofool
ICQ:  3563403
MSN:[EMAIL PROTECTED]
Y!:vt_fool







Suspending Users

2004-06-23 Thread Linda Pagillo




Previously I posted this inquiry a few days ago and 
no one has replied. I'm posting it again in case you all missed it.
 
I have a quick question. I was reading the FAQ and I saw the instructions 
for rejecting users from authenticating when their account is suspended etc., 
but from what I see, the instructions in the FAQ are for people using the 
"users" file for authentication. I have set my freeradius to use 
mysql instead of the users file. Does anyone know what I need to do to reject 
users in this case? Thank you.
 
This is the reply that one of you gave to 
me:
 
> If you just want "suspended", then I would add a column suspended and edit 
> the sql query in sql.conf. If you need more complex checking that can't be done 
> with sql queries, then you might look at the exec or perl modules to execute 
> external scripts.

Ok, here is exactly what I need -- The 
only reason I would want to prevent a user from logging on would be because they 
did not pay their bill. All I want to do is make it so that they can't log on to 
the internet. The above post states that I need to "add a column called 
"suspended" and edit the sql query in sql.conf." Here are my 
2 questions: in which mysql table do I need to add the column? And what do 
I need to edit in the sql.conf file? Thank you.
 
Linda Pagillo
Director of Technical Services
N2 The Net
 


radius access-reject

2004-06-23 Thread TANGUY ERIC
Hi,
I am using freeradius-0.9.3 and an LDAP server for authentication.
But when I want to connect a user with framed protocol PPP, the authentication fails.

Below are the logs of the router and the users file.


Jun 23 11:36:19.168: %ISDN-6-CONNECT: Interface Serial1/0:0 is now connected to 
29800
Jun 23 11:36:35.148: As69 LCP: I CONFREQ [Closed] id 1 len 20
Jun 23 11:36:35.148: As69 LCP:ACCM 0x (0x0206)
Jun 23 11:36:35.148: As69 LCP:MagicNumber 0x19723A65 (0x050619723A65)
Jun 23 11:36:35.148: As69 LCP:PFC (0x0702)
Jun 23 11:36:35.148: As69 LCP:ACFC (0x0802)
Jun 23 11:36:35.148: As69 LCP: Lower layer not up, Fast Starting
Jun 23 11:36:35.148: As69 PPP: Using dialer call direction
Jun 23 11:36:35.148: As69 PPP: Treating connection as a callin
Jun 23 11:36:35.148: As69 PPP: Phase is ESTABLISHING, Passive Open
Jun 23 11:36:35.148: As69 LCP: State is Listen
Jun 23 11:36:35.148: As69 PPP: Authorization required
Jun 23 11:36:35.148: As69 LCP: O CONFREQ [Listen] id 1 len 25
Jun 23 11:36:35.148: As69 LCP:ACCM 0x000A (0x0206000A)
Jun 23 11:36:35.148: As69 LCP:AuthProto CHAP (0x0305C22305)
Jun 23 11:36:35.148: As69 LCP:MagicNumber 0x35C0A4C5 (0x050635C0A4C5)
Jun 23 11:36:35.148: As69 LCP:PFC (0x0702)
Jun 23 11:36:35.148: As69 LCP:ACFC (0x0802)
Jun 23 11:36:35.148: As69 LCP: O CONFACK [Listen] id 1 len 20
Jun 23 11:36:35.148: As69 LCP:ACCM 0x (0x0206)
Jun 23 11:36:35.148: As69 LCP:MagicNumber 0x19723A65 (0x050619723A65)
Jun 23 11:36:35.148: As69 LCP:PFC (0x0702)
Jun 23 11:36:35.148: As69 LCP:ACFC (0x0802)
Jun 23 11:36:35.152: %LINK-3-UPDOWN: Interface Async69, changed state to up
Jun 23 11:36:35.360: As69 LCP: I CONFACK [ACKsent] id 1 len 25
Jun 23 11:36:35.360: As69 LCP:ACCM 0x000A (0x0206000A)
Jun 23 11:36:35.360: As69 LCP:AuthProto CHAP (0x0305C22305)
Jun 23 11:36:35.360: As69 LCP:MagicNumber 0x35C0A4C5 (0x050635C0A4C5)
Jun 23 11:36:35.360: As69 LCP:PFC (0x0702)
Jun 23 11:36:35.360: As69 LCP:ACFC (0x0802)
Jun 23 11:36:35.360: As69 LCP: State is Open
Jun 23 11:36:35.360: As69 PPP: Phase is AUTHENTICATING, by this end
Jun 23 11:36:35.360: As69 CHAP: O CHALLENGE id 1 len 28 from "r-nas-a"
Jun 23 11:36:35.512: As69 CHAP: I RESPONSE id 1 len 26 from "a0327"
Jun 23 11:36:35.516: As69 PPP: Phase is FORWARDING, Attempting Forward
Jun 23 11:36:35.516: As69 PPP: Phase is AUTHENTICATING, Unauthenticated User
Jun 23 11:36:35.516: As69 PPP: Sent CHAP LOGIN Request
Jun 23 11:36:35.516: RADIUS/ENCODE(0138):Orig. component type = ISDN
Jun 23 11:36:35.516: RADIUS:  AAA Unsupported [152] 7
Jun 23 11:36:35.516: RADIUS:   41 73 79 6E 63   [Async]
Jun 23 11:36:35.516: RADIUS(0138): Storing nasport 69 in rad_db
Jun 23 11:36:35.516: RADIUS(0138): Config NAS IP: 0.0.0.0
Jun 23 11:36:35.516: RADIUS/ENCODE(0138): acct_session_id: 312
Jun 23 11:36:35.516: RADIUS(0138): sending
Jun 23 11:36:35.516: RADIUS/ENCODE: Best Local IP-Address 10.xxx.xxx.19 for 
Radius-Server 10.xxx.xxx.29
Jun 23 11:36:35.516: RADIUS(0138): Send Access-Request to 10.xxx.xxx.29:1812 id 
1645/199, len 111
Jun 23 11:36:35.516: RADIUS:  authenticator 8D 83 E8 0D 9B 53 D0 2F - 14 3C 36 20 60 
A9 4D 54
Jun 23 11:36:35.516: RADIUS:  Framed-Protocol [7]   6   PPP   
[1]
Jun 23 11:36:35.516: RADIUS:  User-Name   [1]   7   "a0327"
Jun 23 11:36:35.516: RADIUS:  CHAP-Password   [3]   19  *
Jun 23 11:36:35.516: RADIUS:  Calling-Station-Id  [31]  11  "2"
Jun 23 11:36:35.516: RADIUS:  Called-Station-Id   [30]  6   "0061"
Jun 23 11:36:35.516: RADIUS:  NAS-Port-Type   [61]  6   Async 
[0]
Jun 23 11:36:35.516: RADIUS:  Connect-Info[77]  18  "19200 V34+/Async"
Jun 23 11:36:35.516: RADIUS:  NAS-Port[5]   6   69
Jun 23 11:36:35.516: RADIUS:  Service-Type[6]   6   Framed
[2]
Jun 23 11:36:35.516: RADIUS:  NAS-IP-Address  [4]   6   10.xxx.xxx.19
Jun 23 11:36:38.148: As69 CHAP: I RESPONSE id 1 len 26 from "a0327"
Jun 23 11:36:38.148: As69 CHAP: Ignoring Additional Response
Jun 23 11:36:40.516: RADIUS: Retransmit to (10.xxx.xxx.29:1812,1813) for id 1645/199
Jun 23 11:36:40.516: RADIUS: Received from id 1645/199 10.xxx.xxx.29:1812, 
Access-Reject, len 155
Jun 23 11:36:40.516: RADIUS:  authenticator 97 C7 04 0E E1 4C C2 1C - CD 11 37 C8 68 
47 84 E0
Jun 23 11:36:40.516: RADIUS:  Vendor, Cisco   [26]  29
Jun 23 11:36:40.516: RADIUS:   Cisco AVpair   [1]   23  "ip:addr-pool=testpool"
Jun 23 11:36:40.516: RADIUS(0138): Received from id 1645/199
Jun 23 11:36:40.516: As69 PPP: Received LOGIN Response FAIL
Jun 23 11:36:40.516: As69 CHAP: O FAILURE id 1 len 25 msg is "Authentication failed"
Jun 23 11:36:40.516: As69 PPP: Sending Acct Event[Down] id[138]
Jun 23 11:36:40.516: As69 PPP: Phase is TERMINATING
Jun 23 11:36:40.516: As69 LCP: O TERMREQ [Open] id 2 len 4
Jun 23 11:36:42.504: As69 LCP: TIMEout: Stat

help

2004-06-23 Thread Jagadeesha T
Hi all,  If the users in Radius are set different auth-type for different users.  How do I get the auth-type of different users?
Also I would like to know if it is a normal practice setting different users with different auth-type or all the users are set the same type of auth-type.
Since I have a requirement like the above defined scenario,  it would be great if someone can clarify about this.
Regards,
jagadish
 

Re: Is it possible to use the MAC as the key

2004-06-23 Thread Kenneth Grady
I think like:
DEFAULT Calling-Station-Id == "00-0D-60-5D-2D-AC", Auth-Type := Accept
Filter-ID="profile=DEFAULT"

On Wed, 2004-06-23 at 08:26, Mike Patchen wrote:
> Taking this a step further, is it possible to authenticate based solely
> on MAC address?  Meaning completely ignoring what is being sent for
> username/password.
> 
> >>> [EMAIL PROTECTED] 6/22/2004 9:38:14 AM >>>
> yes. It depends on what the switch sends in the
> authentication-request.
> if your auth-detail has username and password with the MAC address you
> just have a User-Name and User-Password for the machine in your db. It
> only authorizes the machine to be on the network. It's a little better
> than just plugging in any machine. If the MAC address is in the
> Calling-Station-ID, and a real User-Name and User-Password is in the
> request you could authorize the person to use that machine.
> 
> If you have a profile in your switch of "Accept" and a default of
> reject.
> 
> users file
> ...
> 00-01-02-ab-cd-de User-Password == "00-01-02-ab-cd-de"
>   Filter-ID="profile=Accept"
> 
> DEFAULT User-Password =~"..-..-..-"
>   Filter-ID="profile=DEFAULT"
> 
> On Tue, 2004-06-22 at 00:58, Christoffer Dahl Petersen wrote:
> > Hi!
> > 
> > I was wondering if it is possible to tell the Freeradius to use the
> > MAC addr. as a validating key?
> > I would like to store all my clients MAC addr. in a db, and use it
> as
> > a backend for Freeradius, then when the clients starts, the AP sends
> > the clients MAC addr. to Freeradius and the MAC addr. is used as a
> > token for validating.
> > 
> > / Christoffer
> 
> 


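As an added example (not code from this thread or from FreeRADIUS itself), the following Python models how "users" entries like the ones above are matched: the entry name against User-Name, "==" and "=~" check items against request attributes, and ":=" items such as Auth-Type := Accept applied as control settings rather than compared. The file contents and request attributes are constructed samples, and a fourth entry shows the users-file Auth-Type := Reject technique that the Suspending Users thread refers to.

```python
import re

# Constructed sample in the style of the "users" entries posted in this
# thread (not anyone's real file). The first line of an entry carries the
# name and the check items; indented lines carry reply items.
USERS_FILE = '''\
00-01-02-ab-cd-de   User-Password == "00-01-02-ab-cd-de"
        Filter-ID = "profile=Accept"

DEFAULT Calling-Station-Id == "00-0D-60-5D-2D-AC", Auth-Type := Accept
        Filter-ID = "profile=DEFAULT"

DEFAULT User-Password =~ "..-..-..-"
        Filter-ID = "profile=DEFAULT"

suspended_user  Auth-Type := Reject
        Reply-Message = "Account suspended"
'''

# Attribute, operator, optionally quoted value. Only the operators used in
# the sample above are modelled.
ITEM_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(==|:=|=~|=)\s*"?([^"]*?)"?\s*$')


def parse_items(text):
    """Split 'Attr op "value", Attr op value' into (attr, op, value) tuples."""
    items = []
    for piece in text.split(','):
        m = ITEM_RE.match(piece)
        if not m:
            raise ValueError('cannot parse item: %r' % piece)
        items.append(m.groups())
    return items


def parse_users(text):
    """Parse users-file text into a list of {name, check, reply} entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in ' \t':
            # Indented continuation line: reply items for the previous entry.
            entries[-1]['reply'].extend(parse_items(line))
            continue
        parts = line.split(None, 1)
        entries.append({'name': parts[0],
                        'check': parse_items(parts[1]) if len(parts) > 1 else [],
                        'reply': []})
    return entries


def authorize(entries, request):
    """Return (control, reply) from the first matching entry, or None.

    A request must satisfy every '==' and '=~' check item; ':=' items are
    not compared but applied as control settings (Auth-Type here), which
    is what makes the Calling-Station-Id entry skip the password entirely.
    """
    for entry in entries:
        if entry['name'] != 'DEFAULT' and entry['name'] != request.get('User-Name'):
            continue
        control, matched = {}, True
        for attr, op, value in entry['check']:
            if op == ':=':
                control[attr] = value
            elif op == '==':
                matched = request.get(attr) == value
            elif op == '=~':
                matched = attr in request and re.search(value, request[attr]) is not None
            else:
                matched = False
            if not matched:
                break
        if matched:
            return control, {attr: value for attr, _, value in entry['reply']}
    return None


if __name__ == '__main__':
    users = parse_users(USERS_FILE)
    # Any station presenting this MAC is accepted whatever password it sends.
    # The MAC is chosen by the client, so this identifies a device rather
    # than proving who is behind it; pair it with port or VLAN limits.
    print(authorize(users, {'User-Name': 'anyone', 'User-Password': 'wrong',
                            'Calling-Station-Id': '00-0D-60-5D-2D-AC'}))
    print(authorize(users, {'User-Name': 'suspended_user',
                            'User-Password': 'correct-horse'}))
```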



Re: Access-Accept does not contain Attributes

2004-06-23 Thread Alan DeKok
david winter <[EMAIL PROTECTED]> wrote:
> I don't know much about these attributes or how to create the 
> custom ones I need. Can you please point me in the right direction as 
> to editing the dictionary or whatever needs to be edited to support my 
> own attributes. Thanks.

  Grab a small dictionary from the "share" directory, copy it to your
own version, and edit it.

  Also, read the "man" page for the "dictionary" file.

  And note that adding your own attributes to the server's dictionary
files won't do anything if the client doesn't know what they are.

  Alan DeKok.



Re: radius access-reject

2004-06-23 Thread Kostas Kalevras
On Wed, 23 Jun 2004, TANGUY ERIC wrote:

> Hi,
> I am using freeradius-0.9.3 and an LDAP server for authentication.
> But when I want to connect a user with framed protocol PPP, the authentication fails.
>
> Below are the logs of the router and the users file.

The log from the router will not help. Run the server in debug mode to see
what's happening


Re: radius access-reject

2004-06-23 Thread Alain Perry
> rlm_ldap: no dialupAccess attribute - access denied by default

This is pretty explicit: you need to add a dialupAccess attribute in the
LDAP entry for your user, and to set it to anything but false.

-- 
Alain Perry




Re: help

2004-06-23 Thread Milver S. Nisay



 

- Original Message -
From: Jagadeesha T

> Hi all,  If the users in Radius are set different auth-type for different
> users.  How do I get the auth-type of different users?

Put different authentication type attribute for every user or you may use
groupings.

> Also I would like to know if it is a normal practice setting different
> users with different auth-type or all the users are set the same type of
> auth-type.

you can decide. freeradius does not care.

> Since I have a requirement like the above defined scenario,  it would
> be great if someone can clarify about this.

yes it is possible, and i am one using it.
//milver


Re: Suspending Users

2004-06-23 Thread Milver S. Nisay



Linda wrote:
> I have a quick question. I was reading the FAQ and I saw the instructions
> for rejecting users from authenticating when their account is suspended
> etc.. but from what I see, the instructions in the FAQ are for people using
> the "users" file for authentication. I have set my freeradius to use mysql
> instead of the users file. Does anyone know what I need to do to reject
> users in this case? Thank you.

There are a lot of ways of preventing a user from being authenticated or
authorized in a freeradius+mysql implementation.
You may add a column or you may not. One funny way that will work with
freeradius+MySQL is to change the "User-Password" attribute under the
radcheck table to a "UserS-Password" attribute, which is unknown to
freeradius; the user cannot in any way be authenticated, regardless of
groups or authentication type. You may try changing the "Auth-Type"
attribute to "Auth-TypoError" and see how it works :)
freeradius is fun, especially when you get your feet wet with it! More to
google and search the list; it has been reposted too!
//milver
 


Re: Suspending Users

2004-06-23 Thread Linda Pagillo



Thank you!

  - Original Message - 
  From: 
  Milver S. Nisay 
  To: [EMAIL PROTECTED] 
  
  Sent: Wednesday, June 23, 2004 11:48 
  AM
  Subject: Re: Suspending Users
  


Re: Suspending Users

2004-06-23 Thread Ernesto Freyre



A very easy solution could be to change the password for those users???

Ernesto Freyre Ramírez
Operations Area
Red Privada Virtual S.A.
Av. Paseo de la República 4675 - Lima 34
Tel.: (511) 241-4122 Ext. 2245
Fax: (511) 446-8135
Visit us at: www.qnet.com.pe

  - Original Message - 
  From: 
  Linda Pagillo 
  
  To: [EMAIL PROTECTED] 
  
  Sent: Wednesday, June 23, 2004 10:05 
  AM
  Subject: Re: Suspending Users
  
  Thank you!
  


calling-station-id example

2004-06-23 Thread Gene Cohen
Hi,
Does anyone have an example configuration file for authentication based on 
the calling-station-id (ANI)?

I have read the docs and book and somehow am missing how to do this.
thanks,
gene

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Suspending Users

2004-06-23 Thread Linda Pagillo



That is the way i'm doing it now.. I've been 
changing the passwords. I just thought that there has to be a more logical 
way to do it besides that. Thanks for your help guys. 

  - Original Message - 
  From: 
  Ernesto 
  Freyre 
  To: [EMAIL PROTECTED] 
  
  Sent: Wednesday, June 23, 2004 2:16 
  PM
  Subject: Re: Suspending Users
  
  A very easy solution could be to change the password for those users???

  Ernesto Freyre Ramírez
  Operations Area
  Red Privada Virtual S.A.
  Av. Paseo de la República 4675 - Lima 34
  Tel.: (511) 241-4122 Ext. 2245
  Fax: (511) 446-8135
  Visit us at: www.qnet.com.pe
  


Re: freeRADIUS cert chain authentication

2004-06-23 Thread Mohammed Petiwala
Hi Alan:
If someone can get this working (n-tier cert chain authentication - can it be added as a patch to freeRADIUS) or be made as part of the release 1.0.0 (if done in the release time-frame)
Thanks.
 
Regards,
Mohammed.
 
Alan DeKok <[EMAIL PROTECTED]> wrote:
> Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
> > any help in this regards would be appreciated - has anyone using
> > freeRADIUS used cert chains with length more than 2
>
>   I don't think so. SSL is complicated, and it's difficult to
> understand or debug it.
>
>   Alan DeKok.

Re: Suspending Users

2004-06-23 Thread Paul Greenwood
Could you set up a group for those that you want to suspend that would
keep them from logging on?

>>> [EMAIL PROTECTED] 06/23/04 10:38AM >>>
That is the way i'm doing it now.. I've been changing the passwords. I
just thought that there has to be a more logical way to do it besides
that. Thanks for your help guys. 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reject connect based on Ldap Attributes

2004-06-23 Thread Matthew Schumacher
Lew A wrote:
> I'm trying to set it up so, when a connection comes in from a certain
> NAS-IP-Address, and the user trying to connect has a specific Ldap
> Attribute set they won't be able to connect. I haven't been able to
> successfully figure out how to do this. I'm using FreeRadius 0.98. It
> matches default 93, then does ldap stuff, then because it auths with ldap
> it just returns. Is there a way to get it to go back to users so I can
> deny based on an ldap attribute?
>
> This is what I have setup:
>
> huntgroup:
> ludo   NAS-IP-Address == 255.255.255.255
>
> users:
> DEFAULT Auth-Type = Ldap  <= default 93
>         Fall-Through = 1
>
> DEFAULT Huntgroup-Name == ludo, Test == 28, Auth-Type := Reject
>         Reply-Message = "woah."
I'm doing something similar but I filter this stuff in the ldap search 
filter.  I set up two ldap modules in the radiusd.conf file:

ldap ldap_dsl {
  filter = 
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDSLEnabled=1)(aptAccountEnabled=1))"
  dictionary_mapping = ${raddbdir}/ldap_dsl.attrmap
}

ldap ldap_dialup {
  filter = 
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDialupEnabled=1)(aptAccountEnabled=1))"
  dictionary_mapping = ${raddbdir}/ldap_dialup.attrmap
}

authorize {
  autztype ldap_dialup { ldap_dialup }
  autztype ldap_dsl { ldap_dsl }
}
Then in my users config file I define which ldap module to use based on nas:
DEFAULT Auth-Type := DSL, NAS-IP-Address == "x.x.x.x", Autz-Type := ldap_dsl
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1492
DEFAULT Auth-Type := DIALUP, NAS-IP-Address == "x.x.x.x", Autz-Type := 
ldap_dialup
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1500

That way I can use a completely different search filter and attribute 
set for my dial and dsl nases.  This gives me the ability to assign a 
different dialup and dsl static ip to the same user.

HTH,
schu
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeRADIUS cert chain authentication

2004-06-23 Thread Alan DeKok
Mohammed Petiwala <[EMAIL PROTECTED]> wrote:
> If someone can get this working (n-tier cert chain authentication -
> can it be added as a patch to freeRADIUS) or be made as part of the
> release 1.0.0 (if done in the release time-frame)

  I doubt that it will be in 1.0.0, there just isn't enough time.

  As for including the patch sometime, sure.  Just send in a patch.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius 0.9.3 (Help)

2004-06-23 Thread wadih jalad
hi
I installed freeradius 0.9.3 on Red Hat 9.
When I try to run freeradius I have this error message:
Wed Jun 23 15:03:18 2004 : Debug: Module: Instantiated sql (sql)
Wed Jun 23 15:03:18 2004 : Error: Failed creating PID file 
/usr/local/var/run/radiusd/radiusd.pid: Permission denied

I am a new user of freeradius, can someone please tell me how to resolve 
this problem!!

thanks

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


eap_ttls and eap_peap linking problem

2004-06-23 Thread Mack
Hi,

Problem linking eap_ttls and eap_peap on the following system:

Gentoo Linux
gcc-3.3.3
glibc-2.3.3
libtool-1.5.2
openssl-0.9.7d
kernel 2.6.7

I am using the latest nightly CVS build (20040623).

Here's some of the output of "make":

.

Making static dynamic in rlm_eap_peap...
gmake[9]: Entering directory `/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/types/rlm_eap_peap'
gmake[9]: Nothing to be done for `static'.
/home/mack/sources/freeradius-snapshot-20040623/libtool --mode=compile gcc  -g -
O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -
Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -
Wnested-externs -W -Wredundant-decls -Wundef  -I../../../../include  -I../..   -
I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c rlm_eap_peap.c
mkdir .libs
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
rlm_eap_peap.c  -fPIC -DPIC -o .libs/rlm_eap_peap.o
rlm_eap_peap.c: In function `eappeap_authenticate':
rlm_eap_peap.c:190: warning: passing arg 2 of `record_plus' from incompatible 
pointer type
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
rlm_eap_peap.c -o rlm_eap_peap.o >/dev/null 2>&1
/home/mack/sources/freeradius-snapshot-20040623/libtool --mode=compile gcc  -g -
O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -
Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -
Wnested-externs -W -Wredundant-decls -Wundef  -I../../../../include  -I../..   -
I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c peap.c
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
peap.c  
-fPIC -DPIC -o .libs/peap.o
peap.c: In function `eappeap_process':
peap.c:578: warning: comparison between signed and unsigned
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
peap.c 
-o peap.o >/dev/null 2>&1
/home/mack/sources/freeradius-snapshot-20040623/libtool --mode=link gcc -release 
1.1.0-pre0 \
-module -export-dynamic  -g -O2 -D_REENTRANT -
D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -
D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-
strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-
externs -W -Wredundant-decls -Wundef  -I../../../../include  -I../..   
-I../rlm_eap_tls -
DOPENSSL_NO_KRB5 -I./../../libeap  \
-o rlm_eap_peap.la -rpath /usr/local/lib rlm_eap_peap.lo peap.lo 
../../../../lib/libradius.la \
../rlm_eap_tls/rlm_eap_tls.la -L./../../libeap -leap  -lcrypto -lssl -lcrypto -lnsl 
-lresolv  -
lpthread -lcrypto 

*** Warning: Linking the shared library rlm_eap_peap.la against the loadable module
*** rlm_eap_tls.so is not portable!
gcc -shared  .libs/rlm_eap_peap.o .libs/peap.o  -Wl,--rpath -
Wl,/home/mack/sources/freeradius-snapshot-20040623/src/lib/.libs -Wl,--rpath -
Wl,/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/types/rlm_eap_tls/.libs -Wl,--rpath -
Wl,/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/libeap/.libs ../../../../lib/.libs/libradius.so 
../rlm_eap_tls/.libs/rlm_eap_tls.so -L/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/libeap /home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/libeap/.libs/libeap.so -lssl -lnsl -lresolv -lpthread -
lcrypto  -Wl,-soname -Wl,rlm_eap_peap-1.1.0-pre0.so -o .libs/rlm_eap_peap-1.1.0-
pre0.so
(cd .libs && rm -f rlm_eap_peap.so && ln -s rlm_eap_peap-1.1.0-pre0.so 
rlm_eap_peap.so)
ar cru .libs/rlm_eap_peap.a  rlm_eap_peap.o peap.o
ranlib .libs/rlm_eap_peap.a
creating rlm_eap_peap.la
(cd .libs

EAP/TLS stopped working...

2004-06-23 Thread Guy Davies
Hi,

I recently upgraded from the CVS version of freeradius to 1.0.0-pre3.
Since then, my previously functional EAP/TLS config has stopped working.
I've modified the config to reflect the new use of eap.conf, rather than
the built-in eap module.  There have been no changes to the
certificates, no changes to the version of OpenSSL and no change to the
supplicant (Funk Odyssey 3.0 running on Windows XP SP1).

Below is the output from radiusd -X.  I apologise that it's such a long
log.  I believe that the relevant information is right at the end.

buddhist# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 192.168.103.1 IP address [192.168.103.1]
 main: user = "nobody"
 main: group = "nobody"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/radiusprivkey.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/radiuscert.pem"
 tls: CA_file = "/usr/local/ssl/private/cacert.pem"
 tls: private_key_password = "muzzy28"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/

freeradius-1.0.0-pre3 and hints

2004-06-23 Thread Eric
 Did something change in the way that the hints file is processed in 
the change from 0.9.3 to 1.0.0-pre3?

My config, which worked in 0.9.3, looks much like this:
hints:
#
# FreeRADIUS hints file
#
#
# TESTING
#
#DEFAULT Suffix == "@test", Strip-User-Name = Yes
#   Hint= Dialup
#
#
# END TEST
DEFAULT Suffix == "@local", Strip-User-Name = No
   Hint= DSLUser
DEFAULT Suffix == "@freerad", Strip-User-Name = No
   Hint= DSLUser
users:
[EMAIL PROTECTED] Auth-Type := accept
   Framed-IP-Address=172.30.100.2,
   PVC_Profile_Name=Profile_384,
   Fall-Through=Yes
with the DEFAULT merely providing client DNS info
Debugging from another client using radtest shows:
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.33.2.2:32854, id=29, length=81
   User-Name = "[EMAIL PROTECTED]"
   User-Password = ""
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 99
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
 hints: Matched DEFAULT at 17
 modcall[authorize]: module "preprocess" returns ok for request 3
   users: Matched DEFAULT at 71913
 modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns ok for request 3
auth: No authenticate method (Auth-Type) configuration found for the 
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [VerizonATMdsl3.1.1.33] (from client slbradius0x port 
99)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request

proxy.conf
--
as distributed in 1.0.0-pre3
It looks like the hints file was processed, but the suffix still got 
stripped.  

Any suggestions?
Thanks,
Eric


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Suspending Users

2004-06-23 Thread apellido jr., wilfredo p.



If you're reading the Freeradius FAQ, probably you overlooked using
Type-Auth := Reject, which simply rejects the user instead of changing the
user's password.
 
 

  - Original Message - 
  From: 
  Linda Pagillo 
  
  To: [EMAIL PROTECTED] 
  
  Sent: Wednesday, June 23, 2004 10:39 
  PM
  Subject: Suspending Users
  
  
  Previously I posted this inquiry a few days ago and no one has replied. I'm
  posting it again in case you all missed it.

  I have a quick question. I was reading the FAQ and I saw the instructions
  for rejecting users from authenticating when their account is suspended
  etc.. but from what I see, the instructions in the FAQ are for people using
  the "users" file for authentication. I have set my freeradius to use mysql
  instead of the users file. Does anyone know what I need to do to reject
  users in this case? Thank you.

  This is the reply that one of you gave to me:

  If you just want "suspended", then I would add a column suspended and edit
  the sql query in sql.conf. If you need more complex checking that can't be
  done with sql queries, then you might look at the exec or perl modules to
  execute external scripts.

  Ok, here is exactly what I need -- The only reason I would want to prevent
  a user from logging on would be because they did not pay their bill. All I
  want to do is make it so that they can't log on to the internet. The above
  post states that I need to "add a column called "suspended" and edit the
  sql query in sql.conf." Here are my 2 questions.. in which mysql table do I
  need to add the column? And what do I need to edit in the sql.conf file?
  Thank you.

  Linda Pagillo
  Director of Technical Services
  N2 The Net



Re: Suspending Users

2004-06-23 Thread Linda Pagillo
No, I did not overlook that. According to the FAQ, that is only supposed to be used if 
Freeradius is set up to use the flat users file, if I'm correct. In my case, I'm using 
the MySql setup.

-- Original Message --
From: "apellido jr., wilfredo p." <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 24 Jun 2004 10:38:57 +0800

>If you're reading the Freeradius FAQ, probably you overlooked using Type-Auth := 
>Reject, which simply rejects the user instead of changing the user's password.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
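The thread above offers two ways to suspend a MySQL-backed user without touching the flat users file: the FAQ's "Auth-Type := Reject" check item, and the earlier suggestion to add a "suspended" column and edit the query in sql.conf. The SQL below is an added example, not something posted to the list; it assumes the radcheck layout shipped with FreeRADIUS 1.0 (id, UserName, Attribute, op, Value) and that release's default authorize_check_query, and the radsuspend table and user jdoe are constructed for illustration.

```sql
-- Added example (not from the thread). Verify column names against your own
-- radcheck schema before running; this assumes FreeRADIUS 1.0's layout.

-- Option 1: the FAQ's "Auth-Type := Reject" trick, stored as a radcheck row.
-- rlm_sql reads check items from radcheck, so no sql.conf change is needed.
-- Suspend the (constructed) user jdoe:
INSERT INTO radcheck (UserName, Attribute, op, Value)
VALUES ('jdoe', 'Auth-Type', ':=', 'Reject');

-- Re-enable once the bill is paid:
DELETE FROM radcheck
 WHERE UserName = 'jdoe' AND Attribute = 'Auth-Type' AND Value = 'Reject';

-- Option 2: an explicit status flag that billing can flip, instead of
-- inserting and deleting attribute rows. Constructed table for the example.
CREATE TABLE IF NOT EXISTS radsuspend (
  UserName  VARCHAR(64)  NOT NULL PRIMARY KEY,
  suspended TINYINT(1)   NOT NULL DEFAULT 0,
  reason    VARCHAR(128)
);

INSERT INTO radsuspend (UserName, suspended, reason)
VALUES ('jdoe', 1, 'invoice overdue');

-- The default authorize_check_query in sql.conf (1.0) is, in substance:
--   SELECT id, UserName, Attribute, Value, op FROM radcheck
--    WHERE UserName = '%{SQL-User-Name}' ORDER BY id
-- Replace it in sql.conf with a UNION that adds a synthetic
-- "Auth-Type := Reject" check item whenever the flag is set, so a flagged
-- user is rejected regardless of password or group:
--   SELECT id, UserName, Attribute, Value, op FROM radcheck
--    WHERE UserName = '%{SQL-User-Name}'
--   UNION ALL
--   SELECT 0, UserName, 'Auth-Type', 'Reject', ':=' FROM radsuspend
--    WHERE UserName = '%{SQL-User-Name}' AND suspended = 1
--   ORDER BY id

-- Sanity check from the mysql client: what rlm_sql would see for jdoe.
SELECT id, UserName, Attribute, Value, op FROM radcheck
 WHERE UserName = 'jdoe'
UNION ALL
SELECT 0, UserName, 'Auth-Type', 'Reject', ':=' FROM radsuspend
 WHERE UserName = 'jdoe' AND suspended = 1
ORDER BY id;
```

Option 2 keeps the user's real password row intact, so reinstating service is a single UPDATE of the flag rather than a re-entry of credentials.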


Replies on port 1029

2004-06-23 Thread Brian Andrus



I have been using freeradius .9.1 for some time now. I have been seeing a
problem in that the responses are coming back on port 1029 rather than the
1812 expected. I have not found or seen anything that addresses this. It
seems that it is grabbing the first "non-privileged" port, but I may be
wrong.

How do I force freeradius to respond on port 1812 for requests?

Brian Andrus