Re: Double quoting in sql?

2004-09-29 Thread Oliver Graf
On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote:
 Oliver Graf [EMAIL PROTECTED] wrote:
  I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one
  small problem in the sql module: a Username seems to be quoted two
  times, first when setting sql_user_name, then when doing the xlat on
  the whole query.
  
  Debug output:
  radius_xlat:  'test=23test'
 
   Something is escaping '#' to '=23', probably in the SQL module.

Yeah. The problem is that the allowed_chars string in 0.9.3 included
'=', but the one in 1.0.1 does not.

The pity is that omitting '=' from allowed_chars is obviously
correct, because it's the char used to quote stuff. Just as you need to use
%% to get one %, an unescaped = should become =3D.

But because radius_xlat (or whatever else...) does not know if a value
of a pair is already escaped (as SQL-User-Name is), this creates some
ugly double escaping.

So the correct solution is to change the sql.conf and remove
SQL-User-Name from it, because freeradius 1.0.1 will always escape pairs used
inside queries correctly, as it seems.

Oliver.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Double quoting in sql?

2004-09-29 Thread Oliver Graf
On Wed, Sep 29, 2004 at 08:10:45AM +0200, Oliver Graf wrote:
 On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote:
  Oliver Graf [EMAIL PROTECTED] wrote:
Something is escaping '#' to '=23', probably in the SQL module.
 
 Yeah. The problem is that the allowed_chars string in 0.9.3 included
 '=', but the one in 1.0.1 does not.
 
 But because radius_xlat (or whatever else...) does not know if a value
 of a pair is already escaped (as SQL-User-Name is), this creates some
 ugly double escaping.
 
 So the correct solution is to change the sql.conf and remove
 SQL-User-Name from it, because freeradius 1.0.1 will always escape pairs used
 inside queries correctly, as it seems.

Wrong.

Correct is: sql_set_user does NOT need to use sql_escape_func in
radius_xlat. That way the SQL-User-Name pair is unescaped, as any
other pair, and the radius_xlat (with sql_escape_func) that is run on
the query will escape that pair correctly, as it does it for any other
pair.

Diff vs 1.0.1 attached.

Oliver.

--- freeradius-1.0.1/src/modules/rlm_sql/rlm_sql.c.orig 2004-09-29 08:15:55.0 
+0200
+++ freeradius-1.0.1/src/modules/rlm_sql/rlm_sql.c  2004-09-29 08:16:37.0 
+0200
@@ -459,7 +459,7 @@
if (username != NULL) {
strNcpy(tmpuser, username, MAX_STRING_LEN);
} else if (strlen(inst-config-query_user)) {
-   radius_xlat(tmpuser, sizeof(tmpuser), inst-config-query_user, 
request, sql_escape_func);
+   radius_xlat(tmpuser, sizeof(tmpuser), inst-config-query_user, 
request, NULL);
} else {
return 0;
}
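Review bot: passing NULL as the escape function for the query_user xlat leaves the value stored in SQL-User-Name raw and unescaped, so the safety of this change rests entirely on every later use of SQL-User-Name going through a radius_xlat() called with sql_escape_func; that holds for the configured queries, but it makes the query-time xlat the single barrier against SQL injection via User-Name, so add a comment at this call site saying the pair is deliberately unescaped and must never be concatenated into a query string directly. The `username != NULL` branch two lines above already copies the caller-supplied name with strNcpy() without escaping, so after the change both branches behave the same; that consistency is worth stating in the commit message. As pasted, the hunk reads `inst-config-query_user`; the `->` member accesses appear to have been dropped by the mail rendering, so the diff will not apply until they are restored.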


How to do accounting in Freeradius

2004-09-29 Thread zack musa
Hello.
My setup for my testbed is like this:

Radius Client(Linux Based PC)-Radius Server-mysql DB

Is there any simulation program that creates sessions
from multiple users for freeradius?
Or, is there a way to make the radius server do
accounting with the radacct tables initially empty, so that
when the session is created there will be
information about the user logging in to the network (with
the attributes defined earlier)?
Or did I miss something in the middle? What should I
do so that the accounting process will use mysql to
write the user attributes in the radacct table?
Please help me. Thanks






Re: Double quoting in sql?

2004-09-29 Thread Alexander M. Pravking
On Wed, Sep 29, 2004 at 08:10:45AM +0200, Oliver Graf wrote:
 On Fri, Sep 24, 2004 at 10:24:09AM -0400, Alan DeKok wrote:
  Oliver Graf [EMAIL PROTECTED] wrote:
   I've upgraded recently from 0.9.3 to 1.0.1. There seems to be one
   small problem in the sql module: a Username seems to be quoted two
   times, first when setting sql_user_name, then when doing the xlat on
   the whole query.
   
   Debug output:
   radius_xlat:  'test=23test'
  
Something is escaping '#' to '=23', probably in the SQL module.
 
 Yeah. The Problem is that the allowed_chars string in 0.9.3 included
 '=', but the one in 1.0.1 does not.

I'll take the risk of reminding you of these threads...
http://lists.cistron.nl/pipermail/freeradius-devel/2003-May/thread.html#4836
http://lists.cistron.nl/pipermail/freeradius-devel/2003-June/thread.html#4954
http://lists.cistron.nl/pipermail/freeradius-devel/2003-July/thread.html#5539

-- 
Fduch M. Pravking

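The double escaping that Oliver Graf describes earlier in this thread, as an added example that is not code from the original messages or from FreeRADIUS: the script models sql_escape_func's `=XX` escaping and radius_xlat's `%{Attr}` expansion, then builds the same authorize query with SQL-User-Name escaped when it is set and again at query time (1.0.1 before his patch), and escaped only at query time (after it). The two allowed_chars strings, the query template and the sample user names are assumptions constructed for the example, not copied from either release.

```python
"""
Added example, not FreeRADIUS code.  Models rlm_sql's sql_escape_func
(every byte outside allowed_chars becomes '=' plus two hex digits) and
radius_xlat's %{Attr} expansion, to show what goes wrong when the value in
SQL-User-Name is escaped once when the pair is set and again when the query
is expanded, and why escaping exactly once at query time is the fix.
The allowed_chars strings are assumptions modelled on the 1.0.1 default
(no '=') and the 0.9.3 default (with '='); the query template is illustrative.
"""
import re

ALLOWED_CHARS_101 = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789.-_: /")          # assumed 1.0.1-style set
ALLOWED_CHARS_093 = ALLOWED_CHARS_101 + "="       # assumed 0.9.3-style set
HEXDIGITS = "0123456789ABCDEFabcdef"


def sql_escape(value: str, allowed: str = ALLOWED_CHARS_101) -> str:
    """Escape every byte not in `allowed` as '=XX' (uppercase hex)."""
    out = []
    for b in value.encode("utf-8"):
        if b < 0x80 and chr(b) in allowed:
            out.append(chr(b))
        else:
            out.append("=%02X" % b)
    return "".join(out)


def sql_unescape(value: str) -> str:
    """Undo one pass of sql_escape; an exact inverse only if '=' was escaped."""
    buf, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "=" and len(pair) == 2 and all(c in HEXDIGITS for c in pair):
            buf.append(int(pair, 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def radius_xlat(template: str, request: dict, escape=None) -> str:
    """Model of radius_xlat: expand %{Attr} from `request`, passing each
    expanded value through `escape` when one is given (sql_escape_func)."""
    return _XLAT.sub(lambda m: (escape or (lambda v: v))(request.get(m.group(1), "")),
                     template)


AUTHORIZE_QUERY = ("SELECT id, UserName, Attribute, Value, op FROM radcheck "
                   "WHERE UserName = '%{SQL-User-Name}' ORDER BY id")


def build_query(user_name: str, escape_on_set: bool,
                allowed: str = ALLOWED_CHARS_101) -> str:
    """escape_on_set=True is 1.0.1 before the patch: sql_set_user escapes
    while building SQL-User-Name and the query xlat escapes it again.
    escape_on_set=False is the patched behaviour: the pair holds the raw
    value and only the query-time xlat escapes it, like any other pair."""
    def esc(v):
        return sql_escape(v, allowed)
    request = {"User-Name": user_name}
    request["SQL-User-Name"] = radius_xlat("%{User-Name}", request,
                                           esc if escape_on_set else None)
    return radius_xlat(AUTHORIZE_QUERY, request, esc)


def user_name_literal(query: str) -> str:
    """Pull the quoted UserName literal back out of a built query."""
    return re.search(r"UserName = '([^']*)'", query).group(1)


def decode_once(user_name: str, escape_on_set: bool,
                allowed: str = ALLOWED_CHARS_101) -> str:
    """Undo one escape pass on the literal: the name the query really refers to."""
    return sql_unescape(user_name_literal(build_query(user_name, escape_on_set, allowed)))


if __name__ == "__main__":
    for name in ("test#test", "o'neil", "x' OR '1'='1"):
        print("%-14r escaped twice -> %-24r refers to %r"
              % (name, user_name_literal(build_query(name, True)), decode_once(name, True)))
        print("%-14r escaped once  -> %-24r refers to %r"
              % (name, user_name_literal(build_query(name, False)), decode_once(name, False)))
    # 0.9.3 masked the bug because a second pass over an already-escaped value
    # was a no-op there, but leaving '=' unescaped makes the encoding ambiguous:
    print(sql_escape("a'", ALLOWED_CHARS_093) == sql_escape("a=27", ALLOWED_CHARS_093))
```

Escaped once, `test#test` gives the `test=23test` literal from the debug output; escaped twice it becomes `test=3D23test`, which refers to a user that does not exist. The last line shows why the 0.9.3 allowed_chars hid this: with `=` passed through unescaped, `a'` and the literal string `a=27` escape to the same thing, so the encoding can no longer be reversed, which is the reason `=` belongs outside allowed_chars even though that is what exposed the double escaping.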


Counter module

2004-09-29 Thread macleod
hi all,
that's my configuration.

users file:
Max Max-Daily-Session := 3600, Password = Max, NAS-IP-Address = 192.168.1.4, Simultaneous-Use = 1
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-MTU = 1500,
 Idle-Timeout = 3600,
 Port-Limit = 1

Without Max-Daily-Session := 3600 it works, but with Max-Daily-Session
:= 3600 the answer is:
...
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
 rlm_chap: login attempt by Max with CHAP password
 rlm_chap: Could not find clear text password for user Max
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user
...

I don't understand WHERE is that password missing: any ideas?

thanks a lot!








segmentation fault 1.0.1/suse 9.1

2004-09-29 Thread histar2
I can't seem to get beyond this problem -- and it is
strange since I am simply moving from one server to
another. Both are SuSE 9.1 and yet it works on one, but not
on the second. Of course, I am cheating and copying all
files over. Although I have fully recompiled freeradius
1.0.1

Any suggestions??

From radiusd -X

Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.10:1645,
id=182, length=126
User-Name = xyzzy
Framed-MTU = 1400
Called-Station-Id = 000f.3489.1a8c
Calling-Station-Id = 000d.ed49.e870
Message-Authenticator =
0x23b03a4e7bc400b704df8aa1eeed59f8
EAP-Message = 0x0201000a01716c6f636f
NAS-Port-Type = Virtual
NAS-Port = 399
NAS-IP-Address = 10.10.10.10
NAS-Identifier = W117_8A.ATL
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault



Counter Module

2004-09-29 Thread macleod
hi all,
that's my configuration. Sorry for the mistakes.

users file:
Max Max-Daily-Session := 3600, Password = Max, NAS-IP-Address = 192.168.1.4, Simultaneous-Use = 1
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 255.255.255.254,
 Framed-MTU = 1500,
 Idle-Timeout = 3600,
 Port-Limit = 1

Without Max-Daily-Session := 3600 it works, but with Max-Daily-Session :=
3600 the answer is:
...
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
 rlm_chap: login attempt by Max with CHAP password
 rlm_chap: Could not find clear text password for user Max
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user
...

I don't understand WHERE is that password missing: any ideas?

thanks a lot!








FreeRadius 1.0.1 Underlying EAP-Type set EAP ID to 0

2004-09-29 Thread anonymous

I have just compiled and installed a FreeRadius V1.0.1, with all the
experimental modules (and esp. simtriplets).

I have configured it to use EAP-SIM authentication for one user.

I have tried to run the eap-sim test number 6 using "radeapclient" and I
am now stuck on two problems:

1) During authentication, the server says that it does not recognize the
Autz-Type attribute set on my user in the "users" file (as recommended in
the test documentation). I had to remove this attribute to go further.

2) During authentication, the server says "Underlying EAP-Type set EAP ID
to 0". I cannot explain and solve this message.

I have seen in
http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033269.html
that a patch could solve problem 2). I have looked at my EAP source code:
the recommended patch has not been applied to FreeRadius V1.0.1, though
the message was published before the V1.0.0 release. Why? Do I have to
apply the proposed patch?

According to the previous message, even if the patch is applied, it seems
that some problems remain. Any idea how to go further?

In short: HOW TO CONFIGURE A FREERADIUS SERVER TO RUN THE EAP-SIM TESTS?

Thanks a lot for your help.


Max.




RE: SQL db failover

2004-09-29 Thread Kostas Kalevras
On Tue, 28 Sep 2004, Paul wrote:


 What i need is failover for accounting and session tracking.
 Auth will be done using LDAP.

 Mirroring the DB is not possible because accounting has a lot of inserts,
 that would need to have multi-master replication.

 I would like to use application data mirroring instead, having 2
 databases and both servers writing(acct)to both but not fail unless
 both databases are not accessible, reading (session) from local
 only and failover to the other DB in case of failure only.

For accounting replication your best choice is radrelay. For failover, just use
a failover section in radiusd.conf

session {
	redundant {
		sql1
		sql2
	}
	[...]
}

authorize {
	[...]
	redundant {
		ldap1
		ldap2
	}
}

We have a similar setup working just fine in the Greek School Network (two
radius servers, serving different regions but keeping full accounting).

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Separate authentication and logging SQL servers

2004-09-29 Thread Kostas Kalevras
On Tue, 28 Sep 2004, Chris Stith wrote:

 We're currently using ICRADIUS. One of the things we like about it is
 that we can use one MySQL database server for the radcheck and radreply
 information while we use another for accounting.

 I don't see in the documentation for rlm_sql any options for using
 different servers for different tasks. Is there some way I'm missing, or
 am I out of luck for now?

It doesn't work that way. You just create multiple module instances to do
different tasks. One instance could be handling authentication and another one
accounting and so on.


 I can't just go on using ICRADIUS, as it seems the only released version
 that supports tagged attributes is an alpha. We're not going to use an
 alpha or a CVS build for production use.

 Thanks for your time,
 Chris

 --
 Chris S.
 [EMAIL PROTECTED]
 Family Online, 888-332-6843




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: stupid question

2004-09-29 Thread George Chelidze
Hello,
First, you should place Auth-Type := Accept in your radcheck not radreply
Second, please show us your configuration files.
Best Regards,
Brian Ammons wrote:
I am a radius rookie.  I have FreeRadius 1.0.0 installed on Slack 9.1 and
have the mySql compatibility working as well.  I ran the script that was
included with the source code to create the mySql tables.  My problem is not
with getting the server running - it's that I can't make it deny access when
I want, or accept when I want.  I'm using NTRadPing for testing.
For example...there's only one username defined (bammons) in the table
usergroup, and that user is a member of groupname administrators.  In
the table radcheck, I setup username = bammons, Attribute =
Password, op = == and Value = wtfover.
So at that point I've setup a user and a password for that user, right?
After it validates, it's supposed to look @ the table radreply for what to
do, right?  In radreply, I define username = bammons, Attribute =
Auth-Type, op = == and Value = Accept.
You may know that that does NOT result in the Access-Accept message I
expected to see, but I can't figure out why.  I'm running radiusd in full
debug mode (radiusd -xxyz -l stdout) and I see the following:
modcall: entering group authenticate for request 34
modcall [authenticate]: module unix returns notfound for request 34
modcall: group authenticate returns notfound for request 34
auth: Failed to validate the user.
OK, so I see that it wants to find an entry for the group administrators
in the radgroupcheck table.  So I add that - groupname =
administrators, attribute = Auth-Type, op = == and Value = Local
(I picked local because it's listed as an Auth-Type value in the Hassell
Radius book) and then that works, I get Access-Accept back from the
server.
WHY is that required?  WHAT can I do about the error message that appears,
Warning:  Found 2 auth-types on request for user 'bammons'?  I've tried
putting Service-Type in place of Auth-Type in radgroupcheck but that
doesn't work...what am I missing here?
Back to the working config...I change the Auth-Type in radreply to
Reject, but I still get an Access - Accept reply - this is (I suspect)
because any Auth-Type entries found in radgroupcheck take precedence over
any others...except that just doesn't seem right, what am I missing?
I guess ultimately despite trying to read everything I could find, I just
don't get how the RADIUS system steps through the different tables.
Thanks for your gentle replies.

Brian Ammons

--
George Chelidze


RE: segmentation fault 1.0.1/suse 9.1

2004-09-29 Thread Mark Hennessy
I may have seen something similar.  I have FreeBSD 4.10 with gcc 2.95.4, and
I am trying to migrate from freeradius 0.9.3 to 1.0.1 but I get this segfault
at about the same point in startup when running in debug mode too.  When not
in debug mode, the daemon just starts and hangs.  I have provided gdb debug
info for this in a previous thread but it was for 1.0.0.

--
 Mark Hennessy


Re: freeRadius on SLES 9.0 - installation issues

2004-09-29 Thread Andrew Werbowy

Thanks it worked.

[EMAIL PROTECTED] 9/28/2004 11:33:27 PM

I am trying to install/compile the freeRADIUS 1.0.1 version on SUSE Ent 9.0
without success. This is what I get when I do ./configure; make:

In file included from x99_rlm.c:54:
x99.h:26:42: openssl/des.h: No such file or directory
In file included from x99_rlm.c:54:
x99.h:146: error: parse error before "des_cblock"
x99.h:146: warning: no semicolon at end of struct or union
x99.h:147: warning: type defaults to `int' in declaration of `x99_user_info_t'
x99.h:147: warning: data definition has no type or storage class
x99.h:152: error: parse error before "des_cblock"
x99.h:152: warning: function declaration isn't a prototype
x99.h:153: error: parse error before "des_cblock"
x99.h:153: warning: function declaration isn't a prototype
x99.h:165: error: parse error before "des_cblock"
x99.h:165: warning: function declaration isn't a prototype
x99.h:166: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:166: error: parse error before "keyblock"
x99.h:167: warning: function declaration isn't a prototype
x99.h:170: error: parse error before "x99_user_info_t"
x99.h:170: warning: function declaration isn't a prototype
x99.h:180: error: parse error before "des_cblock"
x99.h:180: warning: function declaration isn't a prototype
x99.h:182: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:182: error: parse error before "keyblock"
x99.h:182: warning: function declaration isn't a prototype
x99_rlm.c: In function `x99_token_authorize':
x99_rlm.c:294: error: parse error before "user_info"
x99_rlm.c:331: error: `user_info' undeclared (first use in this function)
x99_rlm.c:331: error: (Each undeclared identifier is reported only once
x99_rlm.c:331: error: for each function it appears in.)
x99_rlm.c: In function `x99_token_authenticate':
x99_rlm.c:460: error: parse error before "user_info"
x99_rlm.c:492: error: `user_info' undeclared (first use in this function)
x99_rlm.c:550: warning: deprecated use of label at end of compound statement
gmake[6]: *** [x99_rlm.o] Error 1
gmake[6]: Leaving directory `/home/werbowya/src/freeradius-1.0.1/src/modules/rlm_x99_token'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/home/werbowya/src/freeradius-1.0.1/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/werbowya/src/freeradius-1.0.1/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/home/werbowya/src/freeradius-1.0.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/werbowya/src/freeradius-1.0.1/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/home/werbowya/src/freeradius-1.0.1'
make: *** [all] Error 2

Also I tried to install the RPM version 0.9.x and got the following error
about missing lib files:

rpm -iv freeradius-0.9.3-0.i586.rpm
error: Failed dependencies:
liblber.so.2 is needed by freeradius-0.9.3-0
libldap_r.so.2 is needed by freeradius-0.9.3-0
libsnmp-0.4.2.6.so is needed by freeradius-0.9.3-0

Did anyone come across this issue?
We want to use RADIUS to talk to an LDAP server running on the Novell Netware
platform for Wireless users.
Thanks for help.
Andrew.

Possibly you don't have the OpenSSL headers or you have not told FreeRADIUS
where to look for them. Installing OpenSSL should take care of this problem.

Regards
sayantan


building freeradius 1.0.1 on Solaris 9

2004-09-29 Thread Wade Kemp
I'm having a problem getting freeradius to build under Solaris 9.
Fresh install of Solaris 9, compilers from the companion CD.
The gmake fails in rlm_ldap when it is trying to do the ld. It
complains that it can't find the libraries
liblber, libldap_r, and libldap_ra. I tried linking to them from
/usr/lib, then I get a libtool error about
them not being valid libraries.

Any ideas ?
Thanks Wade


AP won't authenticate with 1.0.1

2004-09-29 Thread Stephen Donovan
I'm trying to setup a network where each AP on the network must
authenticate to a radius server before being assigned an IP address
and then joining the network. Using a commercial radius package, I had
to specify that the APs were Cisco APs to get everything to work.

Under 0.9.3, everything just worked once I put the userid/password
into the users file. I had to edit the radiusd.conf to enable EAP and
setup the certs.

Under 1.0.1, I edited the radiusd.conf, eap.conf, and other files so
that they are similar but the APs will not authenticate.

Does anybody have any suggestion? Here is a copy of the output that I
receive under 1.0.1.


Wed Sep 29 10:53:14 2004 : Info: Starting - reading configuration files ...
Wed Sep 29 10:53:14 2004 : Debug: reread_config:  reading radiusd.conf
Wed Sep 29 10:53:14 2004 : Debug: Config:   including file:
/usr/local/etc/raddb/clients.conf
Wed Sep 29 10:53:14 2004 : Debug: Config:   including file:
/usr/local/etc/raddb/snmp.conf
Wed Sep 29 10:53:14 2004 : Debug: Config:   including file:
/usr/local/etc/raddb/eap.conf
Wed Sep 29 10:53:14 2004 : Debug: Config:   including file:
/usr/local/etc/raddb/sql.conf
Wed Sep 29 10:53:14 2004 : Debug:  main: prefix = /usr/local
Wed Sep 29 10:53:14 2004 : Debug:  main: localstatedir = /usr/local/var
Wed Sep 29 10:53:14 2004 : Debug:  main: logdir = /usr/local/var/log/radius
Wed Sep 29 10:53:14 2004 : Debug:  main: libdir = /usr/local/lib
Wed Sep 29 10:53:14 2004 : Debug:  main: radacctdir =
/usr/local/var/log/radius/radacct
Wed Sep 29 10:53:14 2004 : Debug:  main: hostname_lookups = no
Wed Sep 29 10:53:14 2004 : Debug:  main: max_request_time = 30
Wed Sep 29 10:53:14 2004 : Debug:  main: cleanup_delay = 5
Wed Sep 29 10:53:14 2004 : Debug:  main: max_requests = 1024
Wed Sep 29 10:53:14 2004 : Debug:  main: delete_blocked_requests = 0
Wed Sep 29 10:53:14 2004 : Debug:  main: port = 0
Wed Sep 29 10:53:14 2004 : Debug:  main: allow_core_dumps = no
Wed Sep 29 10:53:14 2004 : Debug:  main: log_stripped_names = no
Wed Sep 29 10:53:14 2004 : Debug:  main: log_file =
/usr/local/var/log/radius/radius.log
Wed Sep 29 10:53:14 2004 : Debug:  main: log_auth = yes
Wed Sep 29 10:53:14 2004 : Debug:  main: log_auth_badpass = yes
Wed Sep 29 10:53:14 2004 : Debug:  main: log_auth_goodpass = no
Wed Sep 29 10:53:14 2004 : Debug:  main: pidfile = /etc/radiusd.pid
Wed Sep 29 10:53:14 2004 : Debug:  main: user = (null)
Wed Sep 29 10:53:14 2004 : Debug:  main: group = (null)
Wed Sep 29 10:53:14 2004 : Debug:  main: usercollide = no
Wed Sep 29 10:53:14 2004 : Debug:  main: lower_user = no
Wed Sep 29 10:53:14 2004 : Debug:  main: lower_pass = no
Wed Sep 29 10:53:14 2004 : Debug:  main: nospace_user = no
Wed Sep 29 10:53:14 2004 : Debug:  main: nospace_pass = no
Wed Sep 29 10:53:14 2004 : Debug:  main: checkrad = /usr/local/sbin/checkrad
Wed Sep 29 10:53:14 2004 : Debug:  main: proxy_requests = no
Wed Sep 29 10:53:14 2004 : Debug:  security: max_attributes = 200
Wed Sep 29 10:53:14 2004 : Debug:  security: reject_delay = 1
Wed Sep 29 10:53:14 2004 : Debug:  security: status_server = no
Wed Sep 29 10:53:14 2004 : Debug:  main: debug_level = 0
Wed Sep 29 10:53:14 2004 : Debug: read_config_files:  reading dictionary
Wed Sep 29 10:53:14 2004 : Debug: read_config_files:  reading naslist
Wed Sep 29 10:53:14 2004 : Info: Using deprecated naslist file. 
Support for this will go away soon.
Wed Sep 29 10:53:14 2004 : Debug: read_config_files:  reading clients
Wed Sep 29 10:53:14 2004 : Debug: read_config_files:  reading realms
Wed Sep 29 10:53:14 2004 : Debug: radiusd:  entering modules setup
Wed Sep 29 10:53:14 2004 : Debug: Module: Library search path is /usr/local/lib
Wed Sep 29 10:53:14 2004 : Debug: Module: Loaded exec 
Wed Sep 29 10:53:14 2004 : Debug:  exec: wait = yes
Wed Sep 29 10:53:14 2004 : Debug:  exec: program = (null)
Wed Sep 29 10:53:14 2004 : Debug:  exec: input_pairs = request
Wed Sep 29 10:53:14 2004 : Debug:  exec: output_pairs = (null)
Wed Sep 29 10:53:14 2004 : Debug:  exec: packet_type = (null)
Wed Sep 29 10:53:14 2004 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Wed Sep 29 10:53:14 2004 : Debug: Module: Instantiated exec (exec) 
Wed Sep 29 10:53:14 2004 : Debug: Module: Loaded expr 
Wed Sep 29 10:53:14 2004 : Debug: Module: Instantiated expr (expr) 
Wed Sep 29 10:53:14 2004 : Debug: Module: Loaded PAP 
Wed Sep 29 10:53:14 2004 : Debug:  pap: encryption_scheme = crypt
Wed Sep 29 10:53:14 2004 : Debug: Module: Instantiated pap (pap) 
Wed Sep 29 10:53:14 2004 : Debug: Module: Loaded CHAP 
Wed Sep 29 10:53:14 2004 : Debug: Module: Instantiated chap (chap) 
Wed Sep 29 10:53:14 2004 : Debug: Module: Loaded MS-CHAP 
Wed Sep 29 10:53:14 2004 : Debug:  mschap: use_mppe = yes
Wed Sep 29 10:53:14 2004 : Debug:  mschap: require_encryption = no
Wed Sep 29 10:53:14 2004 : Debug:  mschap: require_strong = no
Wed Sep 29 10:53:14 2004 : Debug:  mschap: with_ntdomain_hack = no
Wed Sep 29 10:53:14 2004 : Debug:  mschap: passwd = (null)

Re: question

2004-09-29 Thread Glenn Lyvers



I need assistance configuring my Free Radius 
install. Is anyone available to assist me for a small fee?

I would post my questions one by one but I feel it 
would take forever and gum up this resource. I have been following the posts 
with great interest but I still have some fundamental issues.

Respond to [EMAIL PROTECTED]

Glenn Lyvers



Wireless gateway -Radius-LDAP-eDIRECTORY (Novell)

2004-09-29 Thread Andrew Werbowy


We are trying to setup the following system:

1)Wireless users ask Wireless gateway for authentication

2)Gateway (BlueSocket) asks Suse(SLES 9.0)freeRadius server
for authentication.

3)freeRadius uses LDAP module to talk to LDAP running on Novell Server with eDirectory (NDS)
to get user info

4)eDirectory (Novell server) talks back to LDAP module, which talks to freeRADIUS

5)freeRADIUS send info to BlueSocket (Wireless Gateway) and user logs in.


We are having a problem with point (4) and the password, I think.
Below is capture from debug screen:
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 1.128.6.61:32778, id=75, length=141
User-Name = "tor_sysop_2"
User-Password = "testpassword"
NAS-IP-Address = 1.128.6.61
Service-Type = Login-User
Framed-IP-Address = 1.251.47.58
Called-Station-Id = "00:90:0B:03:5D:DE"
Calling-Station-Id = ""
NAS-Identifier = "elsbluesocket"
Acct-Session-Id = "00:90:0B:03:5D:DE:1096465368"
NAS-Port-Type = Wireless-802.11
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "tor_sysop_2", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched DEFAULT at 160
modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tor_sysop_2
radius_xlat: '(uid=tor_sysop_2)'
radius_xlat: 'o=cbcsrc'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=cbcsrc, with filter (uid=tor_sysop_2)
rlm_ldap: no dialupAccess attribute - access denied by default
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns userlock for request 4
modcall: group authorize returns userlock for request 4
Invalid user (rlm_ldap: Access Attribute denies access): [tor_sysop_2/testpassword] (from client bluesocket port 0 cli )
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request

Any ideas what I need to modify to get this up and running?

Thanks for your time to look through this.
Andrew.




Re: freeRadius on SLES 9.0 - installation issues

2004-09-29 Thread Alan DeKok
Andrew Werbowy [EMAIL PROTECTED] wrote:
 Did anyone come across this issue?
...

  Yes.  A search on google would have found similar problems.

  If you're not using rlm_x99_token, delete the whole directory.

 We want to use RADIUS to talk to LDAP server running Novell Netware
 platform for Wireless users.

  That should work.

  Alan DeKok.



Re: Licence question

2004-09-29 Thread Alan DeKok
Nour Omar [EMAIL PROTECTED] wrote:
 I wanted to write VOIP billing software( with prepaid, post-paid and
 advanced routing features, etc, etc) as FreeRADIUS plugin
 module. And I'm not sure if I want to make my module Open Source or
 not(Not decided yet).

  If you are planning on distributing your software to other people,
any module you write for FreeRADIUS, and include with FreeRADIUS, must
be under the GPL license.

 In case, I choose not make it Open Source, is there any legal
 consequence?

  If you distribute FreeRADIUS with your module, and your module is
not GPL'd, you are breaking the license which permits you to
distribute FreeRADIUS.  You do not then have any legal right to
distribute FreeRADIUS, or any product based on it.

  My guess is that since it is separate .so
 module(dynamically loaded module) that is not part of FreeRADIUS
 binary, It would not need the same licence as FreeRADIUS but I
 wanted to make sure that is the case.

  No.  The module will be linked into the server, and will be part of
it.  It therefore must be GPL'd.

  Alan DeKok.



Re: AP won't authenticate with 1.0.1

2004-09-29 Thread Alan DeKok
Stephen Donovan [EMAIL PROTECTED] wrote:
 Under 1.0.1, I edited the radiusd.conf, eap.conf, and other files so
 that they are similar but the APs will not authenticate.
 
 Does anybody have any suggestion? Here is a copy of the output that I
 receive under 1.0.1.

  You're running on Solaris, and there's a bug in the MD4 functions
that make them not work on Solaris, so LEAP fails.

  The short-term solution is to copy src/include/md4.h 
src/lib/md4.c from 0.9.3 to 1.0.1, and re-build it.  Version 1.0.2
should have this fixed.

  Alan DeKok.




Re: SQL db failover

2004-09-29 Thread Edgars
i'm also trying to make this configuration. But something doesn't stick 
together.
i've added the following lines in the modules section:

sql sql1 {
}
sql sql2 {
}
but when starting the server the following appears:

Module: Instantiated preprocess (preprocess)
radiusd.conf[11] Failed to link to module 'rlm_sql1': rlm_sql1.so: 
cannot open shared object file: No such file or directory

where could be the problem?
thanks!
Edgars
Kostas Kalevras wrote:
On Tue, 28 Sep 2004, Paul wrote:
 

What I need is failover for accounting and session tracking.
Auth will be done using LDAP.
Mirroring the DB is not possible because accounting has a lot of inserts,
that would need to have multi-master replication.
I would like to use application data mirroring instead, having 2
databases and both servers writing (acct) to both but not fail unless
both databases are not accessible, reading (session) from local
only and failover to the other DB in case of failure only.

For accounting replication your best choice is radrelay. For failover, just use
a failover section in radiusd.conf:
session{
redundant{
sql1
sql2
}
[...]
}
authorize{
[...]
redundant{
ldap1
ldap2
}
}
We have a similar setup working just fine in the Greek School Network (two
radius servers, serving different regions but keeping full accounting).
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: WPA and WIN2K

2004-09-29 Thread Alan DeKok
Mahesh S Kudva [EMAIL PROTECTED] wrote:
 I have been trying to set up WPA Enterprise in Windows 2000 Professional. 
 It works perfectly fine with Mac OS X. In windows, the OS accepts the 
 certificate initially and that's it.

  What do you mean "The OS accepts the certificate"?

 It never tries to ask the username/password for wpa
 enterprise.

  Because it's probably using the certificate you configured.

 Running radiusd -X, I don't see any request for validation.

  What do you mean by that?

  Alan DeKok.



Re: Define Vendor-Specific Attribute in MYSql freeradius

2004-09-29 Thread Alan DeKok
Elad Kugman [EMAIL PROTECTED] wrote:
 I have a problem defining a Vendor-Specific Attribute in MySQL freeradius.
 I define it via MySQL Control Center in the radreply table.

  Are you willing to say how, or is that a secret?

 When i check my user with the radtest i get the following msg:
 
 radclient:WARNING: Malformed RADIUS packet from host 10.0.1.16: Vendor
 specific attributes do not exactly fill Vendor-Specific

  You're using Vendor-Specific as an attribute name.  Don't do that.
Use an attribute name from one of the vendor dictionaries.

  Alan DeKok.



Re: netgear wg302

2004-09-29 Thread Alan DeKok
Raphael Clifford [EMAIL PROTECTED] wrote:
 a) Does the radius server have to be physically connected to the access 
 point/on the same subnet/anywhere on the network?

  The AP has to be able to send packets to the RADIUS server.

 c) Is there some simple step by step guide to setting up freeradius 
 under linux for a WPA setup?

  http://www.freeradius.org/doc/

 I simply want wireless users to be able to have an IP address on our
 (wired) subnet

  That may not be a good idea.

 and have some control over what is going on.

  You will need to run a DHCP server for the wireless users.

  Alan DeKok.



Re: how to drop requests on basis of Acct-Status-Type?

2004-09-29 Thread Alan DeKok
Josh Howlett [EMAIL PROTECTED] wrote:
 I have some very noisy NASes generating a lot of spurious 
 Acct-Status-Type=Alive requests. There's no way to turn these off at the 
 NAS.
 
 Am I right in thinking that there's no way to drop a request on the basis 
 of the value of Acct-Status-Type?

  You can use the preacct section to set Acct-Type handled, and then
have a handled sub-section of accounting, which does nothing.

  Alan DeKok.



Re: Check for username locally then proxy

2004-09-29 Thread Alan DeKok
David [EMAIL PROTECTED] wrote:
 Is it possible in FR 1.0.0 to check the database for
 [EMAIL PROTECTED] and then if it is not present, proxy
 the request to abc.com ?

  Yes.

authorize {
  group {
sql {
notfound = 1
}
files
  }
}

  And in the users file, set Proxy-To-Realm.

  Alan DeKok.



Re: SQL db failover

2004-09-29 Thread Alan DeKok
Cris Boisvert [EMAIL PROTECTED] wrote:
 I have been trying to do the same thing. I have the references in the
 radius.conf as noted in the docs, although I cannot get it to
 connect to the second sql server.
 I have this in the radius.conf:
 
 $INCLUDE  ${confdir}/sql.conf
 $INCLUDE  ${confdir}/sql2.conf
 
 modules {
 sql sql {
   }
 sql sql2 {
...

  You have to list sql2 in the section where you want it to be used.

 I just need it to authenticate off one database and fail to the
 other if the first is unavailable ...

  Do:

authorize {
  ...
redundant {
sql
sql2
} 
...
}

  This is taken from doc/configurable_failover.

  Alan DeKok.



RE: SQL db failover

2004-09-29 Thread Cris Boisvert
Yup, that's what I'm getting also... now..
I'm glad I'm not alone.





Re: How to do accounting in Freeradius

2004-09-29 Thread Alan DeKok
zack musa [EMAIL PROTECTED] wrote:
 Is there any simulation program that creates sessions
 from multiple users for freeradius?

  No.  You can use radclient, and create test packets by hand.  It
isn't hard.

  Alan DeKok.




Re: Counter module

2004-09-29 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Processing the autenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by Max with CHAP password
  rlm_chap: Could not find clear text password for user Max

  So... tell the server what the user's correct password is.

  This has nothing to do with rlm_counter.

 I don't understand WHERE is that password missing: any ideas?

  You're asking the server to authenticate someone, but not telling
the server how.

  Alan DeKok.


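Here is the point behind "Could not find clear text password", written out as an added Python illustration (not FreeRADIUS code): a CHAP response is an MD5 over the identifier, the clear-text password and the challenge, so the only way the server can check it is to recompute it from a clear-text copy of the password. A hashed password store cannot serve CHAP users, which is the trade-off to weigh before enabling CHAP on a NAS. The NAS side is simulated here, and the password and challenge are constructed values.

```python
"""Why rlm_chap needs the user's clear-text password.

Added illustration for this thread, not FreeRADIUS code.  The NAS side is
simulated so the example runs offline; password and challenge values are
constructed.
"""
import hashlib
import hmac
import os
from typing import Optional


def chap_hash(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS puts in CHAP-Password: the identifier byte + 16-byte hash.
    The challenge travels in CHAP-Challenge (or is the Request Authenticator)."""
    return bytes([ident]) + chap_hash(ident, password, challenge)


def server_check(chap_password: bytes, challenge: bytes,
                 stored_cleartext: Optional[bytes]) -> str:
    """The server-side decision behind the rlm_chap messages in the thread.

    The hash covers the clear-text secret, so the server can verify it only
    by recomputing it.  A crypt()/MD5-hashed password store cannot do that,
    which is why the module says "Could not find clear text password".
    """
    if stored_cleartext is None:
        return "reject: could not find clear text password for user"
    if len(chap_password) != 17:
        return "reject: malformed CHAP-Password"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_hash(ident, stored_cleartext, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject: CHAP mismatch"


def scenarios() -> dict:
    """The three states a server can be in for user Max's login attempt."""
    challenge = os.urandom(16)          # normally NAS-generated; constructed here
    ident = 0x2A
    pw = nas_chap_password(ident, b"correct horse", challenge)
    return {
        "clear-text password configured": server_check(pw, challenge, b"correct horse"),
        "wrong password configured": server_check(pw, challenge, b"battery staple"),
        "no password configured": server_check(pw, challenge, None),
    }
```

Running scenarios() shows the three outcomes side by side; only the first one can ever succeed, and the last one is exactly the situation in the debug output above.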


Re: FreeRadius 1.0.1 Underlying EAP-Type set EAP ID to 0

2004-09-29 Thread Alan DeKok
anonymous [EMAIL PROTECTED] wrote:
   1) During authentication, the server says that it does not recognize the
 Autz-Type attribute set on my user in the users file (as recommended in
 the test documentation). I had to remove this attribute to go further.

  Are you willing to post the exact error message, or the debug logs?

   2) During authentication, the server says Underlying EAP-Type set EAP ID
 to 0. I cannot explain and solve this message.

  Ok...

 I have seen in
 http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033269.html
 that a patch could solve problem 2). I have looked at my EAP source code :
 the recommended patch has not been applied to FreeRadius V1.0.1, though
 the message has been published before V1.0.0 release. Why ? Do I have to
 apply the proposed patch ?

  Try it and see.

 In short : HOW TO CONFIGURE A FREERADIUS SERVER TO RUN THE EAP-SIM TESTS ?

  Email the author of the eap-sim module.

  Alan DeKok.



Re: Wireless gateway -Radius-LDAP-eDIRECTORY (Novell)

2004-09-29 Thread Alan DeKok
Andrew Werbowy [EMAIL PROTECTED] wrote:
 rlm_ldap: performing search in o=cbcsrc, with filter (uid=tor_sysop_2)
 rlm_ldap: no dialupAccess attribute - access denied by default

  Look at access_attr in the ldap{} configuration in radiusd.conf.
You probably want to delete/comment out that line.

  Alan DeKok.



RE: SQL db failover

2004-09-29 Thread Paul
On Wed, 2004-09-29 at 08:55, Kostas Kalevras wrote:
 On Tue, 28 Sep 2004, Paul wrote:
 
 
  What I need is failover for accounting and session tracking.
  Auth will be done using LDAP.
 
  Mirroring the DB is not possible because accounting has a lot of inserts,
  that would need to have multi-master replication.
 
  I would like to use application data mirroring instead, having 2
  databases and both servers writing (acct) to both but not fail unless
  both databases are not accessible, reading (session) from local
  only and failover to the other DB in case of failure only.
 
 For accounting replication your best choice is radrelay. For failover, just use
 a failover section in radiusd.conf
 

Radrelay is only for text file accounting, not SQL (unless I'm wrong).
I would like to use SQL instead; that's why I want to write to both DBs.

How would you configure accounting to only fail when both entries, 
sql1 and sql2, fail ?



 session{
   redundant{
   sql1
   sql2
   }
   [...]
 }
 
 authorize{
   [...]
   redundant{
   ldap1
   ldap2
   }
 }
 
 We have a similar setup working just fine in the Greek School Network (two
 radius servers, serving different regions but keeping full accounting).
 


RE: SQL db failover

2004-09-29 Thread Kostas Kalevras
On Wed, 29 Sep 2004, Paul wrote:

 On Wed, 2004-09-29 at 08:55, Kostas Kalevras wrote:
  On Tue, 28 Sep 2004, Paul wrote:
 
  
   What I need is failover for accounting and session tracking.
   Auth will be done using LDAP.
  
   Mirroring the DB is not possible because accounting has a lot of inserts,
   that would need to have multi-master replication.
  
   I would like to use application data mirroring instead, having 2
   databases and both servers writing (acct) to both but not fail unless
   both databases are not accessible, reading (session) from local
   only and failover to the other DB in case of failure only.
  
  For accounting replication your best choice is radrelay. For failover, just use
  a failover section in radiusd.conf
 

 Radrelay is only for text file accounting, not SQL (unless I'm wrong).
 I would like to use SQL instead; that's why I want to write to both DBs.

You keep two radius/sql servers and use radrelay to sync them. radrelay sends
data to a *radius* server so you can log the data to whatever you want.


 How would you configure accounting to only fail when both entries,
 sql1 and sql2, fail ?

If you don't want to use radrelay:

accounting{
redundant{
sql1
sql2
}
}




  session{
  redundant{
  sql1
  sql2
  }
  [...]
  }
 
  authorize{
  [...]
  redundant{
  ldap1
  ldap2
  }
  }
 
  We have a similar setup working just fine in the Greek School Network (two
  radius servers, serving different regions but keeping full accounting).
 
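The three answers above (setting Acct-Type handled in preacct so Alive packets are dropped, group { sql { notfound = 1 } files } before proxying, and accounting { redundant { sql1 sql2 } }) all rely on how the server combines module return codes. The following Python is an added toy model of that logic, not FreeRADIUS code: sql1, sql2, files and drop_alive are constructed stand-ins, and the two action tables approximate the defaults described in doc/configurable_failover rather than quoting them.

```python
"""Toy model of how FreeRADIUS 1.x combines module return codes.

Added illustration for the configs in this digest; not FreeRADIUS code.
The stand-in modules are constructed and the action tables approximate
the defaults described in doc/configurable_failover.
"""
from typing import Callable, Dict, List, Tuple, Union

RETURN = "return"
Actions = Dict[str, Union[str, int]]
Module = Callable[[dict], str]              # request dict in, return code out

# Approximation of the authorize{} defaults: notfound/noop/ok/updated carry a
# priority and processing continues; every other code stops the section.
DEFAULT: Actions = {"notfound": 1, "noop": 2, "ok": 3, "updated": 4,
                    "fail": RETURN, "reject": RETURN, "userlock": RETURN,
                    "invalid": RETURN, "handled": RETURN}
# redundant{}: a failing module is skipped, any other result is final.
REDUNDANT: Actions = {code: RETURN for code in DEFAULT}
REDUNDANT["fail"] = 1


class Section:
    """group{} or redundant{}: entries are (module, overrides) or nested Sections."""
    def __init__(self, name: str, actions: Actions, entries: list):
        self.name, self.actions, self.entries = name, actions, entries


def run(section: Section, request: dict, trace: List[str]) -> str:
    """Call entries in order; 'return' actions stop, numbers keep the best so far."""
    result, prio = "noop", -1
    for entry in section.entries:
        if isinstance(entry, Section):
            code, actions = run(entry, request, trace), section.actions
        else:
            module, overrides = entry
            code = module(request)
            actions = {**section.actions, **overrides}   # e.g. sql { notfound = 1 }
            trace.append(f"{section.name}: {module.__name__} returns {code}")
        action = actions[code]
        if action == RETURN:
            return code
        if action > prio:
            result, prio = code, action
    return result


# --- stand-in modules (constructed) -----------------------------------------
LOCAL_USERS = {"alice"}                     # pretend contents of the SQL database

def make_sql(name: str, up: bool) -> Module:
    def sql(request: dict) -> str:
        if not up:
            return "fail"                   # database unreachable
        if request.get("User-Name") in LOCAL_USERS:
            request.setdefault("reply", {})["Class"] = f"from-{name}"
            return "ok"
        return "notfound"
    sql.__name__ = name
    return sql

def files(request: dict) -> str:
    """Stand-in users file whose DEFAULT entry proxies foreign realms."""
    user = request.get("User-Name", "")
    if "@" in user:
        request.setdefault("reply", {})["Proxy-To-Realm"] = user.split("@", 1)[1]
        return "updated"
    return "noop"

def drop_alive(request: dict) -> str:
    """preacct stand-in: an Alive packet is marked handled, as with always handled."""
    return "handled" if request.get("Acct-Status-Type") == "Alive" else "noop"


# --- the three configurations from the thread --------------------------------
def accounting_failover(sql1_up: bool, sql2_up: bool) -> Tuple[str, List[str]]:
    """accounting { redundant { sql1 sql2 } }: fails only if both fail."""
    trace: List[str] = []
    section = Section("redundant", REDUNDANT,
                      [(make_sql("sql1", sql1_up), {}), (make_sql("sql2", sql2_up), {})])
    return run(section, {"User-Name": "alice"}, trace), trace

def authorize_then_proxy(user: str) -> Tuple[str, dict]:
    """authorize { group { sql { notfound = 1 } files } }: an unknown user
    falls through to files, which sets Proxy-To-Realm."""
    request = {"User-Name": user}
    section = Section("group", DEFAULT,
                      [(make_sql("sql", True), {"notfound": 1}), (files, {})])
    return run(section, request, []), request.get("reply", {})

def process_accounting(status: str) -> List[str]:
    """preacct marks Alive as handled, so accounting{} never runs for it."""
    trace: List[str] = []
    request = {"User-Name": "alice", "Acct-Status-Type": status}
    if run(Section("preacct", DEFAULT, [(drop_alive, {})]), request, trace) == "handled":
        trace.append("accounting: skipped (handled)")
        return trace
    run(Section("accounting", REDUNDANT,
                [(make_sql("sql1", True), {}), (make_sql("sql2", True), {})]), request, trace)
    return trace
```

The trace returned by each function shows which modules were actually called: with both databases up, sql2 is never touched; with sql1 down, its fail is skipped and sql2 answers; only when both fail does the section itself fail. The same walk shows why notfound = 1 matters in the proxy case (the group keeps going to files instead of stopping) and why a handled result in preacct is enough to keep Alive packets out of accounting.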


RE: SQL db failover

2004-09-29 Thread Cris Boisvert
I have this in my radiusd.conf now. I get this error when I try to start
radius


Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #0
Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #1
Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #2
Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #3
Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #4
Wed Sep 29 12:00:27 2004 : Error: radiusd.conf[14] Failed to link to module
'rlm_sql2': rlm_sql2.so: cannot open shared object file: No such file or
directory
 


In my sql2.conf it looks like this.
sql2 {  

driver = rlm_sql_mysql

server = 192.168.1.100 
login = user  
password = password

radius_db = radius

acct_table1 = radacct
acct_table2 = radacct




 $INCLUDE  ${confdir}/sql.conf
 $INCLUDE  ${confdir}/sql2.conf
 
 modules {
sql sql {
  }
sql sql2 {
  }
always handled {
  rcode = handled
}
  }


authorize {
  ...
redundant {
sql
sql2
} 
...
}




Re: Wireless gateway -Radius-LDAP-eDIRECTORY (Novell)

2004-09-29 Thread Andrew Werbowy


I removed this line and now I get this:
...
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tor_sysop_2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.

What now?




RE: SQL db failover

2004-09-29 Thread Kostas Kalevras
On Wed, 29 Sep 2004, Cris Boisvert wrote:

 I have this in my radiusd.conf now. I get this error when I try to start
 radius


 Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
 server for #0
 Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
 server for #1
 Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
 server for #2
 Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
 server for #3
 Wed Sep 29 12:00:27 2004 : Info: rlm_sql_mysql: Starting connect to MySQL
 server for #4
 Wed Sep 29 12:00:27 2004 : Error: radiusd.conf[14] Failed to link to module
 'rlm_sql2': rlm_sql2.so: cannot open shared object file: No such file or
 directory



 In my sql2.conf it looks like this.
 sql2 {

This should be sql sql2


 driver = rlm_sql_mysql

 server = 192.168.1.100
 login = user
 password = password

 radius_db = radius

 acct_table1 = radacct
 acct_table2 = radacct
 



  $INCLUDE  ${confdir}/sql.conf
  $INCLUDE  ${confdir}/sql2.conf

  modules {
 sql sql {
   }
 sql sql2 {
   }

Where did you see this? Delete it.

 always handled {
   rcode = handled
 }
   }


 authorize {
 ...
   redundant {
   sql
   sql2
   }
   ...
 }




Re: SQL db failover

2004-09-29 Thread Alan DeKok
Cris Boisvert [EMAIL PROTECTED] wrote:
  $INCLUDE  ${confdir}/sql.conf
  $INCLUDE  ${confdir}/sql2.conf
  
  modules {
 sql sql {
   }
 sql sql2 {
   }

  The $INCLUDE ${confdir}/sql.conf should be INSIDE of the modules{}
section, which means you don't need to have TWO definitions for it.

  i.e. delete the empty sql sql {} and sql sql2 {} blocks from
modules{}.  They're wrong, and you don't need them.

  Alan DeKok.


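Both mistakes corrected in this thread ("sql2 {" instead of "sql sql2 {", and empty sql sql {} / sql sql2 {} placeholders alongside top-level $INCLUDEs) can be caught before the server is started. The Python below is an added example, not FreeRADIUS code: a small parser for the radiusd.conf block syntax that splices $INCLUDEs in place, plus a lint that reports each of those mistakes. The list of known module names and permitted top-level sections is an assumed subset, and the sample configuration files are constructed to mirror the thread.

```python
"""Lint for the radiusd.conf mistakes discussed in this thread.

Added illustration, not FreeRADIUS code.  It splices $INCLUDE files in place
the way the server does, then checks what the replies spell out: instances
belong inside modules{}, an instance header starts with the module name
("sql sql2 {", not "sql2 {"), empty placeholder instances must go, and a name
used in a processing section must be a defined instance.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER = re.compile(r"^([\w-]+)(?:\s+([\w-]+))?\s*\{$")
SETTING = re.compile(r"^([\w-]+)\s*=\s*(.*)$")
KNOWN_MODULES = {"sql", "ldap", "files", "always", "preprocess", "chap", "pap",
                 "mschap", "eap", "realm", "detail", "radutmp"}        # assumed subset
TOP_LEVEL_OK = {"modules", "authorize", "authenticate", "preacct", "accounting",
                "session", "post-auth", "pre-proxy", "post-proxy", "client",
                "realm", "listen", "thread", "log", "main"}            # assumed subset

@dataclass
class Block:
    module: str          # "sql" in "sql sql2 {"; "<ref>" for a bare module name
    instance: str        # "sql2"
    where: str           # "file:line"
    settings: Dict[str, str] = field(default_factory=dict)
    children: List["Block"] = field(default_factory=list)

def parse(files: Dict[str, str], name: str, parent: Optional[Block] = None) -> Block:
    """Parse one file into a tree, splicing each $INCLUDEd file in at that point."""
    root = parent or Block("<root>", "<root>", name)
    stack = [root]
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # simplification: no '#' inside values
        if not line:
            continue
        where = f"{name}:{lineno}"
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"{where}: unmatched '}}'")
            stack.pop()
        elif line.startswith("$INCLUDE"):          # ${confdir}/x.conf -> x.conf
            parse(files, line.split(None, 1)[1].rsplit("/", 1)[-1], stack[-1])
        elif (m := HEADER.match(line)):
            block = Block(m.group(1), m.group(2) or m.group(1), where)
            stack[-1].children.append(block)
            stack.append(block)
        elif (m := SETTING.match(line)):
            stack[-1].settings[m.group(1)] = m.group(2).strip()
        else:                                      # bare module reference, e.g. "sql2"
            stack[-1].children.append(Block("<ref>", line, where))
    if len(stack) != 1:
        raise ValueError(f"{stack[-1].where}: block '{stack[-1].instance}' never closed")
    return root

def header_problem(blk: Block) -> str:
    """'sql2 {' makes the server look for rlm_sql2.so; it should read 'sql sql2 {'."""
    if blk.module in KNOWN_MODULES:
        return ""
    guess = next((k for k in sorted(KNOWN_MODULES, key=len, reverse=True)
                  if blk.module.startswith(k)), None)
    hint = f"; write '{guess} {blk.instance} {{'" if guess else ""
    return f"{blk.where}: '{blk.module} {{' would load rlm_{blk.module}.so{hint}"

def lint(root: Block) -> List[str]:
    out: List[str] = []
    defined = set()
    for blk in root.children:
        if blk.module == "modules":
            for inst in blk.children:
                defined.add(inst.instance)
                if (p := header_problem(inst)):
                    out.append(p)
                elif not inst.settings and not inst.children:
                    out.append(f"{inst.where}: empty '{inst.module} {inst.instance} {{}}' has no "
                               "driver and shadows the $INCLUDEd definition; delete it")
        elif blk.module not in TOP_LEVEL_OK:
            out.append(f"{blk.where}: instance '{blk.instance}' is outside modules{{}}; "
                       "move its $INCLUDE inside modules{}")
            if (p := header_problem(blk)):
                out.append(p)
    def refs(blk: Block) -> None:
        for c in blk.children:
            if c.module == "<ref>" and c.instance not in defined:
                out.append(f"{c.where}: '{c.instance}' is used but not defined in modules{{}}")
            refs(c)
    for blk in root.children:
        if blk.module != "modules":
            refs(blk)
    return out

# Constructed samples: the broken layout from the thread and the corrected one.
BROKEN = {
    "radiusd.conf": "$INCLUDE ${confdir}/sql.conf\n$INCLUDE ${confdir}/sql2.conf\n"
                    "modules {\n sql sql {\n }\n sql sql2 {\n }\n"
                    " always handled {\n  rcode = handled\n }\n}\n"
                    "authorize {\n redundant {\n  sql\n  sql2\n }\n}\n",
    "sql.conf": "sql {\n driver = rlm_sql_mysql\n server = localhost\n"
                " login = radius\n password = example-secret\n radius_db = radius\n}\n",
    "sql2.conf": "sql2 {\n driver = rlm_sql_mysql\n server = 192.168.1.100\n"
                 " login = user\n password = password\n radius_db = radius\n}\n",
}
FIXED = dict(BROKEN)
FIXED["radiusd.conf"] = ("modules {\n $INCLUDE ${confdir}/sql.conf\n"
                         " $INCLUDE ${confdir}/sql2.conf\n always handled {\n"
                         "  rcode = handled\n }\n}\n"
                         "authorize {\n redundant {\n  sql\n  sql2\n }\n}\n")
FIXED["sql2.conf"] = BROKEN["sql2.conf"].replace("sql2 {", "sql sql2 {", 1)
```

lint(parse(BROKEN, "radiusd.conf")) reports five findings: the two instances that the top-level $INCLUDEs put outside modules{}, the rlm_sql2.so problem with the "sql sql2 {" hint, and the two empty placeholders; the same call on FIXED returns an empty list.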


Re: Re: Wireless gateway -Radius-LDAP-eDIRECTORY (Novell)

2004-09-29 Thread Alan DeKok
Andrew Werbowy [EMAIL PROTECTED] wrote:
...

  I'm on the list.  Please don't CC me on mail.  I get too much mail
as it is.

 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
   ERROR: Unknown value specified for Auth-Type.  Cannot perform

  List ldap in the authenticate section.  There's a sample entry
there already, just commented out.

  Alan DeKok.




AP1230 + VLAN assignment

2004-09-29 Thread Jean-Marie GUILLEMOT
hello,

I'm trying to assign wireless users connecting to a Cisco Aironet 1230 to VLANs
thanks to FreeRADIUS.

Here's the situation :

- Cisco Aironet 1200 with 12.2(15)JA IOS with 3 VLANs:
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode wep mandatory
 !
 encryption vlan 10 mode wep mandatory
 !
 encryption vlan 30 mode wep mandatory
 !
 ssid DEFAULT_VLAN
vlan 1
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
 !
 ssid VLAN10
vlan 10
authentication open eap eap_methods
authentication network-eap eap_methods
 !
 ssid VLAN30
vlan 30
authentication open eap eap_methods
authentication network-eap eap_methods
 !
...


- Freeradius 1.0.1 on Fedora Core 2
users file configuration :
...

...


- Windows XP SP2 client with Aironet 350 PCMCIA card. Windows PEAP 802.1x
supplicant

The PEAP authentication works fine but the client always stays in the
DEFAULT_VLAN vlan.
Here's the radiusd -X output :
...

...

It seems that FreeRADIUS does its job but the AP doesn't want to assign the
user to the right VLAN.

I know many of you made it work, could you please send me any tip ?
thanks,

Jean-Marie









AP1230 + VLAN assignment COMPLETE

2004-09-29 Thread Jean-Marie GUILLEMOT
hello,

SORRY, THE FIRST MAIL WAS INCOMPLETE.

I'm trying to assign wireless users connecting to a Cisco Aironet 1230 to VLANs
thanks to FreeRADIUS.

Here's the situation :

- Cisco Aironet 1200 with 12.2(15)JA IOS with 3 VLANs:
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode wep mandatory
 !
 encryption vlan 10 mode wep mandatory
 !
 encryption vlan 30 mode wep mandatory
 !
 ssid DEFAULT_VLAN
vlan 1
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
 !
 ssid VLAN10
vlan 10
authentication open eap eap_methods
authentication network-eap eap_methods
 !
 ssid VLAN30
vlan 30
authentication open eap eap_methods
authentication network-eap eap_methods
 !
...


- Freeradius 1.0.1 on Fedora Core 2
users file configuration :
...


jmguillemot User-Password == password
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 10

...


- Windows XP SP2 client with Aironet 350 PCMCIA card. Windows PEAP 802.1x
supplicant

The PEAP authentication works fine but the client always stays in the
DEFAULT_VLAN vlan.
Here's the radiusd -X output :
...
 rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 18
modcall: group authenticate returns ok for request 18
Sending Access-Accept of id 101 to 192.168.50.6:21646
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 10
MS-MPPE-Recv-Key =
0xa17b7a952f7c3f323869e4804d71b061391c73c53c097422419ef3ce3a52fbe0
MS-MPPE-Send-Key =
0x8dcf3ad166d7eea121d40d59ee0c3bf71b5a4618c8eac8f6ee752c6b10103f36
EAP-Message = 0x030a0004
Message-Authenticator = 0x
User-Name = jmguillemot
Finished request 18
Going to the next request
Waking up in 5 seconds...
...

It seems that FreeRADIUS does its job but the AP doesn't want to assign the
user to the right VLAN.

I know many of you made it work, could you please send me any tip ?
thanks,

Jean-Marie






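Two messages in this digest come down to attribute wire format: the radclient warning "Vendor specific attributes do not exactly fill Vendor-Specific" in the thread above on defining a VSA in SQL, and the ":0" tag on the Tunnel-* attributes in the Access-Accept shown here. The Python below is an added illustration, not FreeRADIUS or radclient code: it encodes a Vendor-Specific attribute the way RFC 2865 describes, runs the length check that produces the warning, and builds the three tagged RFC 2868 attributes of the VLAN assignment. Attribute numbers and value constants come from the RFCs; the vendor id, sub-attribute type and string values are constructed samples.

```python
"""RADIUS attribute wire formats behind two messages in this digest.

Added illustration, not FreeRADIUS or radclient code.  Attribute numbers are
from RFC 2865/2868/3580; the vendor id, sub-attribute type and string values
below are constructed samples.
"""
import struct
from typing import List, Tuple

VENDOR_SPECIFIC, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6        # RFC 3580 values


def avp(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type, Length (covers type+length+value), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def vsa(vendor_id: int, sub_attrs: List[Tuple[int, bytes]]) -> bytes:
    """RFC 2865 s5.26: Vendor-Id (4 bytes) then vendor sub-attributes, each with
    its own Vendor-type and Vendor-length; together they must fill the enclosing
    attribute exactly.  A dictionary-driven server does this for you when the
    reply uses a named vendor attribute rather than Vendor-Specific itself."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in sub_attrs)
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + body)


def check_vsa(attribute: bytes) -> str:
    """The consistency check behind the warning: walk the sub-attribute
    lengths and confirm they land exactly on the end of the attribute."""
    if len(attribute) < 6 or attribute[0] != VENDOR_SPECIFIC or attribute[1] != len(attribute):
        return "not a well-formed Vendor-Specific attribute"
    pos = 6                                  # past Type, Length and Vendor-Id
    while pos < len(attribute):
        if (pos + 2 > len(attribute) or attribute[pos + 1] < 2
                or pos + attribute[pos + 1] > len(attribute)):
            return "malformed: vendor specific attributes do not exactly fill Vendor-Specific"
        pos += attribute[pos + 1]
    return "ok"


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte, three value bytes.  Tag 0 means
    'untagged'; it is what the ':0' in 'Tunnel-Type:0 = VLAN' denotes."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tagged string: tag byte then the string (a first byte above
    0x1F is read as part of the string, not as a tag)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return avp(attr_type, bytes([tag]) + value)


def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes the radiusd -X output shows in the Access-Accept."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


# Constructed samples: a proper vendor attribute (vendor id 9 = Cisco, vendor
# type 1 = Cisco-AVPair) versus the misuse in the thread, a string stuffed
# straight into attribute 26 so its bytes get parsed as Vendor-Id and junk.
GOOD_VSA = vsa(9, [(1, b"key=value")])
BAD_VSA = avp(VENDOR_SPECIFIC, b"ip:addr-pool=guest")
```

check_vsa(GOOD_VSA) returns "ok" while check_vsa(BAD_VSA) returns the malformed message, which is the difference between replying with a dictionary attribute such as a named vendor AVP and replying with "Vendor-Specific" as the attribute name. vlan_assignment(10) yields the bytes behind the Tunnel-Type:0 / Tunnel-Medium-Type:0 / Tunnel-Private-Group-Id:0 lines above.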


trying to override a reply-item of users file, help.

2004-09-29 Thread Tanveer Hasan
Dear List, 

Following is my configuration:  
freeRadius ver: 0.9.3 
OS: debian woody 
NAS: (Total control) USRHiper

My users file has a block for default user 
DEFAULT Auth-Type := Accept, Simultaneous-Use := 1
Exec-Program-Wait = my_radius_auth_check -t auth,
Framed-IP-Address = 255.255.255.254,
Framed-IP-Netmask = 255.255.255.0,
Framed-MTU = 1500,
Service-Type = Framed-User,
Framed-Compression = Van-Jacobsen-TCP-IP,
USR-Framed_IP_Address_Pool_Name = ippool,
Fall-Through = No

Now, my radius auth check program checks valid users from the
database.  For certain types of users, I'd like to override
USR-Framed_IP_Address_Pool_Name = unreg.
In order to do so, I'm sending a radius packet from the
auth_check application with that reply item.  But the NAS is getting
the ippool.  It seems the reply item is not overridden.

What should I do?  

-- 
tanveer



Re: Licence question

2004-09-29 Thread Jon Moore
On Sep 29, 2004, at 11:30 AM, Alan DeKok wrote:
Nour Omar [EMAIL PROTECTED] wrote:
 My guess is that since it is a separate .so
module(dynamically loaded module) that is not part of FreeRADIUS
binary, It would not need the same licence as FreeRADIUS but I
wanted to make sure that is the case.
  No.  The module will be linked into the server, and will be part of
it.  It therefore must be GPL'd.
I don't think this is technically correct. While I agree that he cannot 
distribute a binary-only modified FreeRadius, there is nothing stopping 
him from distributing a binary-only dynamically-loaded module (and just 
the module) under a non-GPL license. For an example of the way this 
works, see closed source device drivers and the GPL'd Linux kernel.

Jon
--
Jon Moore
ISC Networking  Telecommunications
University of Pennsylvania


RE: SQL db failover

2004-09-29 Thread Cris Boisvert
It looks like it's working... YEEEA!!!
Thanx very much...

The 

 always handled {
   rcode = handled
 }
   }

I found in the example in the /doc/configure-failover 

Thanx again..






Freeradius and DNIS map

2004-09-29 Thread Tim Petersen
Hello all,

I am running freeradius 0.9.3 with mysql 4.0.18-standard.

I am trying to set up a DNIS map on a Cisco AS5300 running IOS ver
(C5300-IS-M), Version 12.2(15)T5

without any luck.

Does anybody have any suggestions or know of a better way to do this?

Thanks in advance.





Re: difference in columns/names

2004-09-29 Thread Alan DeKok
Terry J Fike Jr [EMAIL PROTECTED] wrote:
 Okay, I'm not sure if this is the right place to ask, but since it is 
 more or less radius accounting I thought I'd try here.  Does anyone know 
 the difference in the data in the columns inputoctets/outputoctets and 
 inputoctets64/outputoctets64 and why there would always be data in the 
 i/o columns, but not always in the i/o64 columns?

  Are those columns in the standard FreeRADIUS SQL schema?

  Alan DeKok.



Re: Licence question

2004-09-29 Thread Alan DeKok
Jon Moore [EMAIL PROTECTED] wrote:
No.  The module will be linked into the server, and will be part of
  it.  It therefore must be GPL'd.
 
 I don't think this is technically correct. While I agree that he cannot 
 distribute a binary-only modified FreeRadius, there is nothing stopping 
 him from distributing a binary-only dynamically-loaded module (and just 
 the module) under a non-GPL license. For an example of the way this 
 works, see closed source device drivers and the GPL'd Linux kernel.

  I'm not sure I agree, at least for FreeRADIUS.

  Alan DeKok.



Re: AP1230 + VLAN assignment

2004-09-29 Thread Alan DeKok
Jean-Marie GUILLEMOT [EMAIL PROTECTED] wrote:
 I'm trying to assign wireless users connecting to Cisco Aironet 1230 to VLAN
 thanks to Freeradius.

  I'm not sure that's possible.  See the Cisco AP documentation for a
list of what attributes it can understand in an Access-Accept.

  Alan DeKok.




Re: Freeradius and DNIS map

2004-09-29 Thread Amedzekor Kafui
I think this is more of an IOS configuration issue.

Have you looked at this yet?
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/dtaudnis.htm#xtocid12091

And make sure you are receiving DNIS from the Telco.

Kafui Amedzekor.



Re: Licence question

2004-09-29 Thread Jon Moore
On Sep 29, 2004, at 2:20 PM, Alan DeKok wrote:
Jon Moore [EMAIL PROTECTED] wrote:
  No.  The module will be linked into the server, and will be part of
it.  It therefore must be GPL'd.
 I don't think this is technically correct. While I agree that he cannot
 distribute a binary-only modified FreeRadius, there is nothing stopping
 him from distributing a binary-only dynamically-loaded module (and just
 the module) under a non-GPL license. For an example of the way this
 works, see closed source device drivers and the GPL'd Linux kernel.
  I'm not sure I agree, at least for FreeRADIUS.
Ok, I'm a little curious about your reasoning. Lest this discussion get 
heated, let me say up front that I think it would be great if he GPL'd 
his module and contributed it back in to the FreeRadius project as a 
whole. :)

From section 2 of the GPL (regarding the rights to modify the Program):
These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
So if his module contains no source code from FreeRadius, he can do
what he likes with it if he doesn't distribute his module with FreeRadius.

How does your reading of the license differ?
Curious,
Jon
- --
Jon Moore
ISC Networking & Telecommunications
University of Pennsylvania


Re: difference in columns/names

2004-09-29 Thread Terry J Fike Jr
Terry J Fike Jr [EMAIL PROTECTED] wrote:
 Okay, I'm not sure if this is the right place to ask, but since it is
 more or less radius accounting I thought I'd try here.  Does anyone know
 the difference in the data in the columns inputoctets/outputoctets and
 inputoctets64/outputoctets64 and why there would always be data in the
 i/o columns, but not always in the i/o64 columns?
 Are those columns in the standard FreeRADIUS SQL schema?
 Alan DeKok
Umm...not sure, much of this was originally set up by someone else and
I just copied the sql queries into the sql.conf file from our original
version (0.8.3). Here is an example of one of the queries:

accounting_update_query = INSERT into interim_updates (AcctSessionId, 
AcctUniqueId, UserName, NASIPAddress, NASPortId, AcctUpdateTime, 
AcctSessionTime, AcctAuthentic, ConnectInfo_Update, AcctInputOctets, 
AcctInputOctets64, AcctOutputOctets, AcctOutputOctets64, 
AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress) values 
('%{Acct-Session-Id}','%{Acct-Unique-Session_Id}','%{SQL-User-Name}','%{NAS-IP-Address}','%{NAS-Port-Id}',TO_DATE('%S','-mm-dd 
hh24:mi:ss'),'%{Acct-Session-Time}','%{Acct-Authentic}','%{Connect-Info}','%{Acct-Input-Octets}',radius.hex2dec('%{Acct_Input_Octets_64}'),'%{Acct-Output-Octets}',radius.hex2dec('%{Acct_Output_Octets_64}'),'%{Acct-Terminate-Cause}','%{Service-Type}','%{Framed-Protocol}','%{Framed-IP-Address}')

and, just in case, this was an in-house written Java function; here is
hex2dec from inside Oracle:

function hex2dec (
hex_in varchar2) return NUMBER as
language java name 'Hex2Dec.getInt(java.lang.String) return int';

public class Hex2Dec {
    // Parse a hexadecimal counter value, with or without a leading "0x".
    // A NULL input is treated as zero.
    public static long getInt(String hex) {
        if (hex != null && hex.startsWith("0x")) {
            String cleanHex = hex.substring(2, hex.length());
            return Long.parseLong(cleanHex, 16);
        } else if (hex != null) {
            return Long.parseLong(hex, 16);
        } else {
            return 0;
        }
    }
}
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]



Re: Licence question

2004-09-29 Thread Alan DeKok
Jon Moore [EMAIL PROTECTED] wrote:
  From section 2 of the GPL (regarding the rights to modify the Program):
 
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
 themselves,

  Any module used *in* FreeRADIUS cannot be considered to be
independent from FreeRADIUS.

  That is, the module is *completely* useless unless it's built as
part of FreeRADIUS.  It's not a separate application, it's not a
separate software package, it's intended to be used inside of
FreeRADIUS.

 So if his module contains no source code from FreeRadius, he can do 
 what he likes with it if he doesn't distribute his module with 
 FreeRadius.

  Certainly.  But if he's not distributing FreeRADIUS, then the
license terms of FreeRADIUS don't apply.

  If he is distributing FreeRADIUS, then either:

  a) he doesn't include his module, in which case there's no problem.

 or

  b) he does include his module, in which case the license terms apply.

 How does your reading of the license differ?

  IF he's distributing FreeRADIUS as part of a VOIP application suite,
AND he includes his module, THEN his module MUST be distributed under
the terms of the FreeRADIUS license.

  IF he's not distributing FreeRADIUS, THEN he can distribute any
software he wants under any license he wants.

  Alan DeKok.



Re: Re: Wireless gateway -Radius-LDAP-eDIRECTORY (Novell)

2004-09-29 Thread Andrew Werbowy


Sorry... I had Reply To All set on my mailbox options.

I did change and now I get this:

rlm_ldap: performing search in o=cbcsrc, with filter (uid=tor_sysop_2)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tor_sysop_2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns ok for request 3
  rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 3
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for tor_sysop_2 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 3
modcall: group Auth-Type returns reject for request 3
auth: Failed to validate the user.
Login incorrect: [tor_sysop_2/no User-Password attribute] (from client bluesocket port 0)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request

I think we are getting closer and closer to resolve this configuration.

Thanks
Andrew.

[EMAIL PROTECTED] 9/29/2004 12:47:05 PM
 "Andrew Werbowy" [EMAIL PROTECTED] wrote:
 ..

   I'm on the list.  Please don't CC me on mail.  I get too much mail
 as it is.

  modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
  auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform

   List "ldap" in the "authenticate" section.  There's a sample entry
 there already, just commented out.

   Alan DeKok.


Re: difference in columns/names

2004-09-29 Thread Terry J Fike Jr
  The Acct_Output_Octets_64 isn't a standard RADIUS attribute.  It's
a Redback attribute.  (see dictionary.redback)
  I suggest asking Redback what it means, and why it's zero.
  Alan DeKok.
Okay, will do.  Thank you very much!
t-
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]


Re: Licence question

2004-09-29 Thread Jon Moore
Alan,
I completely agree. I went back and re-read the discussion, and realized
that I might have misinterpreted an earlier statement by you. (I thought
you were claiming he could not distribute a closed-source dynamically
loaded module, even if that was all he was distributing).

Jon
- --
Jon Moore
ISC Networking & Telecommunications
University of Pennsylvania


Re: Re: Re: Re: Wireless gateway -Radius-LDAP-eDIRECTORY (Novell)

2004-09-29 Thread Alan DeKok
Andrew Werbowy [EMAIL PROTECTED] wrote:
 I am giving right password.

  Yes, I know.  That's not the point.  The point is that the *server*
doesn't know what the correct password is.

  Put the following at the top of the users file:

#---
tor_sysop_2 User-Password == insert_correct_password_here
Fall-Through = Yes
#---

  and the authentication will succeed.

  If you do not tell the server what the user's correct password is,
all the server knows is that the user is trying to log in with a
password, but it has no idea if that password is correct.

  Alan DeKok.



EAP config trouble.

2004-09-29 Thread Shaun McCloud
I know this seems to be a common question, and I have seen many
replies, but no conclusions on how to actually fix it.

I have set up freeradius-1.0.1.tar.gz on a Redhat 9.0 server and did a
standard compile, with just ./configure && make && make install.

I also have OpenSSL 0.9.7a Feb 19 2003 on the system.

I am trying to set up a wireless access point using WPA and EAP.

The trouble I seem to be unable to get away from is the "no
User-Password attribute" message.

I know I must be missing something simple, but having never set up
radius for wireless I can't seem to find what it is I am missing.

I have a WinXP Pro system that I am trying to log in with, using a
Netgear WG511 PCMCIA card, with the newest drivers and SP2 installed.

So any help would be a great help *snicker*

Shaun

My clients.conf file
client 10.1.1.54 {
    secret      = whatever
    shortname   = wireless
    nastype     = other
}

My users file
egnaro  Auth-Type := EAP

My eap.conf file
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = yes
        check_cert_cn = %{User-Name}
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}

Normal log output:

Wed Sep 29 12:21:05 2004 : Info: Using deprecated naslist file.
Support for this will go away soon.
Wed Sep 29 12:21:05 2004 : Info: rlm_exec: Wait=yes but no output
defined. Did you mean output=none?
Wed Sep 29 12:21:05 2004 : Info: Ready to process requests.
Wed Sep 29 12:21:14 2004 : Info: rlm_eap_tls:  Length Included
Wed Sep 29 12:21:14 2004 : Error: TLS_accept:error in SSLv3 read
client certificate A
Wed Sep 29 12:21:14 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Wed Sep 29 12:21:14 2004 : Info: rlm_eap_tls:  Length Included
Wed Sep 29 12:21:14 2004 : Info: (other): SSL negotiation finished
successfully
Wed Sep 29 12:21:14 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Wed Sep 29 12:21:14 2004 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Sep 29 12:21:14 2004 : Auth: Login incorrect: [ewrdfw/no
User-Password attribute] (from client localhost port 0)
Wed Sep 29 12:21:14 2004 : Auth: Login incorrect: [ewrdfw/no
User-Password attribute] (from client wireless port 1 cli
00-09-5B-45-DD-70)

Debug log output:

[EMAIL PROTECTED] raddb]# radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = root
main: group = root
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: 

freeRADIUS/Cisco 5300 configuration? issue?

2004-09-29 Thread Tim Rich, Jr.

Hello group. I am running freeRADIUS successfully for
authorization; however, I have recently included a Cisco 5300 into the mix, and am not
getting a password from the Cisco server.

(O/S RH AS 2.1 / freeradius .08)

Line from the log file:

Mon Sep 20 16:10:30 2004 : Auth: Login incorrect:
[timrichjr/no User-Password attribute] (from client USSCRAS01 port 33)

So it was recommended that I upgrade the IOS, which I have;
now I get the same message.

I am allowing mschap authentication in freeradius and the Cisco
is set to do ms-chap.

I'm not sure what to send to assist you all in
resolving this, but if you say what to send, I will send it.

Thanks in advance.

Tim


Re: freeRADIUS/Cisco 5300 configuration? issue?

2004-09-29 Thread Alan DeKok
Tim Rich, Jr. [EMAIL PROTECTED] wrote:
 I'm not sure what to send to assist you all in resolving this, but if you
 say what to send, I will send it.  

  Run the server in debugging mode, as suggested in the FAQ and README.

  Alan DeKok.



Re: EAP config trouble.

2004-09-29 Thread Alan DeKok
Shaun McCloud [EMAIL PROTECTED] wrote:
 The touble I seem to be unable to get away from is the no
 User-Password attibute.

  That message just says that the user was rejected.

 I know I must be missing something simple, but having never set up
 radius for wireless I can't seem to find what it is I am missing.

  Look for the word reject or fail in the debug log.

  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for egnaro with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 7
 modcall: group Auth-Type returns reject for request 7

  i.e. You didn't tell the server what the user's correct password is.

  Alan DeKok.

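Alan's advice in the reply above, look for "reject" or "fail" in the debug log and read the module messages just before it, can be scripted so that a long radiusd -X run is reduced to the few lines that matter. The Python helper below is an added example for this thread, not code from the list or from FreeRADIUS. It runs over a constructed sample of radiusd -X lines modelled on the output quoted in the thread, ties each module's reject verdict to the rlm_* messages that module printed just before it, and pulls out the final "Login incorrect" summary. The function names (triage, explain), the sample lines and the set of verdicts treated as failures are assumptions of the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: radiusd -X lines modelled on the output quoted in this thread.
SAMPLE_DEBUG = """\
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "eap" returns updated for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group Auth-Type for request 7
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for egnaro with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
auth: Failed to validate the user.
Login incorrect: [egnaro/no User-Password attribute] (from client wireless port 1)
"""

# A module verdict line, e.g. 'modcall[authenticate]: module "mschap" returns reject for request 7'.
# The quotes around the module name are optional because some list posts lose them.
VERDICT = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "?(?P<module>[\w-]+)"? '
    r'returns (?P<rc>\w+) for request (?P<request>\d+)'
)
# A diagnostic line printed by a module, e.g. 'rlm_mschap: FAILED: ...'.
MODULE_MSG = re.compile(r'^rlm_(?P<module>[\w-]+): (?P<msg>.*)$')
# The per-request summary that also reaches the auth log.
LOGIN_INCORRECT = re.compile(r'Login incorrect: \[(?P<user>[^/\]]+)/(?P<reason>[^\]]*)\]')
# Verdicts treated as failures (assumption of this example).
FAILING = {"reject", "fail", "invalid"}


def triage(debug_output: str) -> Dict[str, object]:
    """Return the failing module verdicts, each with that module's own
    preceding messages as context, plus the final 'Login incorrect' summary."""
    pending: Dict[str, List[str]] = defaultdict(list)  # module -> messages since its last verdict
    findings: List[Dict[str, object]] = []
    login: Optional[Dict[str, str]] = None
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = MODULE_MSG.match(line)
        if m:
            pending[m["module"]].append(m["msg"])
            continue
        m = VERDICT.search(line)
        if m:
            # Any verdict (ok or not) closes the module's context window.
            context = pending.pop(m["module"], [])
            if m["rc"] in FAILING:
                findings.append({
                    "request": int(m["request"]),
                    "section": m["section"],
                    "module": m["module"],
                    "rc": m["rc"],
                    "context": context,
                })
            continue
        m = LOGIN_INCORRECT.search(line)
        if m:
            login = {"user": m["user"], "reason": m["reason"]}
    return {"findings": findings, "login": login}


def explain(report: Dict[str, object]) -> List[str]:
    """Render the triage result: one line per failing module, then the
    module messages that say why, then the auth-log summary."""
    out: List[str] = []
    for f in report["findings"]:
        out.append(f"request {f['request']}: {f['section']}/{f['module']} returned {f['rc']}")
        out.extend(f"    {msg}" for msg in f["context"])
    if report["login"]:
        out.append(f"summary: user {report['login']['user']!r} rejected: {report['login']['reason']}")
    return out


if __name__ == "__main__":
    print("\n".join(explain(triage(SAMPLE_DEBUG))))
```

Feed it the whole radiusd -X output (for example the text saved from the terminal) and it reports, for the sample above, that mschap in the authenticate section rejected request 7 because no User-Password, NT-Password or LM-Password was configured, which is exactly the cause Alan points to.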


RE: freeRADIUS/Cisco 5300 configuration? issue?

2004-09-29 Thread Tim Rich, Jr.
List - 

Here is the clip from the output as Alan requested.  (and thanks, Alan, I
should have mentioned that I looked in the FAQ, the book, and the archives
before posting the note - thanks for the reminder. I have been on the list
for 17 months or so and realize how much you add to the list - Thanks for
all you do.) 


rad_recv: Access-Request packet from host 192.168.10.29:1645, id=8,
length=142
Framed-Protocol = PPP
User-Name = timrichjr
MS-CHAP-Challenge = 0xb39bb991e902d032
MS-CHAP-Response =
0x01012a34cb19a85800dd407a41
fe232b1ae628db274e527280a4
NAS-Port-Type = Async
Calling-Station-Id = async
NAS-Port = 9
Service-Type = Framed-User
NAS-IP-Address = 192.168.10.29
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = timrichjr, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
radius_xlat:  'timrichjr'
rlm_sql (sql): sql_set_user escaped user -- 'timrichjr'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'timrichjr' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'timrichjr' ORDER BY id
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'timrichjr' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'timrichjr' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'timrichjr' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'timrichjr' ORDER BY id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'timrichjr' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'timrichjr' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module sql returns ok
modcall: group authorize returns ok
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [timrichjr/no User-Password attribute] (from client
USSCRAS01 port 9 cli async)
rad_lowerpair:  User-Name now 'timrichjr'
rad_rmspace_pair:  User-Name now 'timrichjr'
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
rlm_realm: No '@' in User-Name = timrichjr, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
radius_xlat:  'timrichjr'
rlm_sql (sql): sql_set_user escaped user -- 'timrichjr'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'timrichjr' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'timrichjr' ORDER BY id
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'timrichjr' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'timrichjr' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'timrichjr' ORDER BY id'
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = 'timrichjr' ORDER BY id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE

Re: EAP config trouble.

2004-09-29 Thread Shaun McCloud
OK, now I am just more confused.

I changed the line in my users file to read
egnaro  Auth-Type := EAP, User-Password == test

And I can log in just fine... It works, but I still get the "no
User-Password attribute" message.

Any clues then as to what that is referring to?

Here again is the complete radiusd -X -A output.

[EMAIL PROTECTED] raddb]# radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAPv2
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = %{User-Name}
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = 

Re: EAP config trouble.

2004-09-29 Thread Alan DeKok
Shaun McCloud [EMAIL PROTECTED] wrote:
 I changed the line in my users file to read
 egnaro  Auth-Type := EAP, User-Password == test

  You shouldn't have to specify Auth-Type, the server should figure it
out.  See eap.conf.

 And I can login just fine... It works, but I still get the no
 User-Password attribute

  Because there's no User-Password attribute in the EAP protocol.

  Alan DeKok.



Re: freeRADIUS/Cisco 5300 configuration? issue?

2004-09-29 Thread Alan DeKok
Tim Rich, Jr. [EMAIL PROTECTED] wrote:
 Here is the clip from the output as Alan requested.  (and thanks, Alan, I
 should have mentioned that I looked in the FAQ, the book, and the archives
 before posting the note - thanks for the reminder. I have been on the list
 for 17 months or so and realize how much you add to the list - Thanks for
 all you do.) 

  Thanks.

 rad_recv: Access-Request packet from host 192.168.10.29:1645, id=8,
 length=142
 Framed-Protocol = PPP
 User-Name = timrichjr
 MS-CHAP-Challenge = 0xb39bb991e902d032
...
 auth: type Local
 auth: No User-Password or CHAP-Password attribute in the request
 auth: Failed to validate the user.
 Login incorrect: [timrichjr/no User-Password attribute] (from client
 USSCRAS01 port 9 cli async)

  Don't set Auth-Type.  The server will figure it out.

  In this case, setting Auth-Type := Local ensures that MS-CHAP,
EAP, etc. won't work.  Don't do it.

  Alan DeKok.

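The same mistake appears in both this thread and Shaun's EAP thread above: forcing Auth-Type in the users file (Local in particular, which Alan says stops MS-CHAP and EAP from working) and giving the server no password it can check, so rlm_mschap cannot build an NT-Password and the MS-CHAP2-Response can never be verified. The Python lint below is an added example, not code from the list or from FreeRADIUS; it parses a constructed users file written in the format shown in these threads and flags both problems before the server is restarted. The function names (parse_users, lint_users), the sample entries, the set of password attributes it looks for, and the exemptions for DEFAULT entries and Auth-Type := Reject are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the users-file format shown in this thread.
SAMPLE_USERS = """\
# entries modelled on the ones posted in this thread
egnaro      Auth-Type := Local, User-Password == "test"
            Fall-Through = Yes
tor_sysop_2 Auth-Type := EAP
timrichjr   User-Password == "insert_correct_password_here"
            Framed-Protocol = PPP
DEFAULT     Auth-Type := Reject
            Reply-Message = "no entry"
"""

# One 'Attribute op value' item; values may be quoted or bare, items are comma separated.
ITEM = re.compile(
    r'(?P<attr>[\w-]+)\s*(?P<op>:=|==|\+=|!=|=~|!~|>=|<=|=|>|<)\s*(?P<val>"[^"]*"|[^,\s]+)'
)
# Check items from which rlm_mschap / EAP-MSCHAPv2 can verify a response (assumption).
KNOWN_PASSWORD = {"User-Password", "NT-Password", "LM-Password"}
# Auth-Type values that are deliberate policy rather than a forced method (assumption).
POLICY_AUTH_TYPES = {"Reject", "Accept"}


def parse_items(text: str) -> List[Tuple[str, str, str]]:
    return [(m["attr"], m["op"], m["val"].strip('"')) for m in ITEM.finditer(text)]


def parse_users(text: str) -> List[Dict[str, object]]:
    """Split a users file into entries: a name at column 0 followed by its
    check items, then indented lines carrying reply items."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation line: reply items for the last entry
            if entries:
                entries[-1]["reply"].extend(parse_items(raw))
            continue
        parts = raw.split(None, 1)
        entries.append({
            "name": parts[0],
            "check": parse_items(parts[1]) if len(parts) > 1 else [],
            "reply": [],
        })
    return entries


def lint_users(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, code, message) findings for entries that force Auth-Type
    or give the server no password to verify MS-CHAP / EAP-MSCHAPv2 against."""
    findings: List[Tuple[str, str, str]] = []
    for entry in parse_users(text):
        name = entry["name"]
        check = {attr: (op, val) for attr, op, val in entry["check"]}
        if "Auth-Type" in check:
            op, val = check["Auth-Type"]
            if val == "Local":
                findings.append((name, "forced-auth-type",
                                 f"Auth-Type {op} {val}: MS-CHAP and EAP will not work for this user"))
            elif val not in POLICY_AUTH_TYPES:
                findings.append((name, "forced-auth-type",
                                 f"Auth-Type {op} {val} is set by hand; let the server pick the type"))
        if name != "DEFAULT" and not (KNOWN_PASSWORD & set(check)):
            findings.append((name, "no-known-password",
                             "no User-Password/NT-Password/LM-Password check item, so an "
                             "MS-CHAP or EAP-MSCHAPv2 response cannot be verified"))
    return findings


if __name__ == "__main__":
    for user, code, message in lint_users(SAMPLE_USERS):
        print(f"{user}: {code}: {message}")
```

On the sample, egnaro is flagged only for the forced Auth-Type (it does carry a User-Password), tor_sysop_2 is flagged for both, and timrichjr, written the way Alan suggested earlier in the thread, passes clean.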


dead link to impossiblereflex.com

2004-09-29 Thread scott
I am trying to set up eap-tls yadda yadda I have been following these
instructions to a tee:

http://www.broadbandreports.com/forum/remark,9286052~mode=flat

... (kudos to jbibe btw)

I am stuck trying to locate a script on this howto:

http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

Does anyone out there have a copy of this how to I could get my grubby
little paws on? - seems to be a dead link. The wireless security gods
would shine down upon you.

Thanks




Re: EAP config trouble.

2004-09-29 Thread Shaun McCloud
Hmm, 

The only way I can seem to login is if I use the line 
 egnaro  Auth-Type := EAP, User-Password == test

I have tried some variance to that line, such as:
egnaro  Auth-Type := Local, User-Password == test
egnaro  Auth-Type := Local
egnaro  Auth-Type := System

No login success with any of those. So if I do not need to specify EAP
as the Auth-Type, what am I missing?

PS: Alan, you rock.



RE: freeRADIUS/Cisco 5300 configuration? issue?

2004-09-29 Thread Tim Rich, Jr.
Alan - Thanks for the quick reply.  I am assuming that when you say "Don't
set Auth-Type.  The server will figure it out" you mean on the Cisco, as I
don't know where that would be set in the radiusd.conf; however, I have
followed the book to the T and it has local in it.  So you say just remove
the local from the ppp authentication?

Tim 



Re: EAP config trouble.

2004-09-29 Thread Shaun McCloud
Hehe, 

Ok call me a little thick.

I changed the line to 
egnaro  User-Password == test

and it logs in just fine.

Though am I assuming correctly that I cannot use the system passwords?

Thanks again Alan, you've got great patience.


On Wed, 29 Sep 2004 13:58:48 -0700, Shaun McCloud [EMAIL PROTECTED] wrote:
 Hmm,
 
 The only way I can seem to login is if I use the line
  egnaro  Auth-Type := EAP, User-Password == test
 
 I have tried some variance to that line, such as:
 egnaro  Auth-Type := Local, User-Password == test
 egnaro  Auth-Type := Local
 egnaro  Auth-Type := System
 
 No login success with any of those. So if I do not need to specify EAP
 as the Auth-Type, what am I missing?
 
 PS: Alan, you rock.
 
 
 
 On Wed, 29 Sep 2004 16:54:53 -0400, Alan DeKok [EMAIL PROTECTED] wrote:
  Shaun McCloud [EMAIL PROTECTED] wrote:
   I changed the line in my users file to read
   egnaro  Auth-Type := EAP, User-Password == test
 
You shouldn't have to specify Auth-Type, the server should figure it
  out.  See eap.conf.
 
   And I can login just fine... It works, but I still get the no
   User-Password attribute
 
Because there's no User-Password attribute in the EAP protocol.
 
 
 
Alan DeKok.
 
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP config trouble.

2004-09-29 Thread Alan DeKok
Shaun McCloud [EMAIL PROTECTED] wrote:
 I have tried some variance to that line, such as:
 egnaro  Auth-Type := Local, User-Password == test
 egnaro  Auth-Type := Local
 egnaro  Auth-Type := System
 
 No login success with any of those. So if I do not need to specify EAP
 as the Auth-Type, what am I missing?

  As I said:

You shouldn't have to specify Auth-Type, the server should figure it
  out.  See eap.conf.

  Tell the server what the user's clear-text password is, and don't
set Auth-Type.

  99.9% of the time, telling the server about a username and clear-text
password for that user means that all of the authentication protocols
will work.  Don't set Auth-Type or anything else, unless you want to
confuse the server.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
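
Added example (not code from the list or from the FreeRADIUS project)
illustrating Alan's point above and the users-file entry he gives later
in this archive: a server that holds the clear-text password can pick
the method from the attributes present in the Access-Request instead of
having Auth-Type forced on it. The user store, shared secret and request
values below are constructed for this example. PAP password hiding
(RFC 2865 s.5.2) and CHAP (RFC 1994) are carried through; MS-CHAP and
EAP are only dispatched, since MS-CHAP needs an MD4-based NT hash of the
same clear-text password and not every hashlib build provides MD4.

```python
import hashlib
import hmac

# Constructed user store for this example.  Keeping the clear-text password
# is what lets the server verify whichever protocol the NAS chose; a one-way
# hash of it could only ever serve PAP.
USERS = {"egnaro": b"test", "timrichjr": b"correct horse"}


def choose_method(request: dict):
    """Infer the authentication method from the attributes present, which is
    what the server does when Auth-Type is not forced in the users file."""
    if "EAP-Message" in request:
        return "EAP"
    if "MS-CHAP-Challenge" in request:
        return "MS-CHAP"
    if "CHAP-Password" in request:
        return "CHAP"
    if "User-Password" in request:
        return "PAP"
    return None  # the "No User-Password or CHAP-Password attribute" case


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password.  The NUL padding is stripped, so a
    password that itself ends in NUL cannot be carried (an RFC limitation)."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 octets, a multiple of 16")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s.4.1: Response = MD5(Identifier || secret || Challenge).
    Only computable with the clear-text password, hence Alan's advice."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def authenticate(request: dict, secret: bytes) -> tuple:
    """Return (method, accepted).  PAP and CHAP are verified here; MS-CHAP
    and EAP are recognised but not implemented in this example."""
    method = choose_method(request)
    password = USERS.get(request.get("User-Name"))
    if method is None or password is None:
        return method, False
    ra = request["Request-Authenticator"]
    if method == "PAP":
        got = unhide_user_password(request["User-Password"], secret, ra)
        return method, hmac.compare_digest(got, password)
    if method == "CHAP":
        cp = request["CHAP-Password"]  # 1 octet CHAP Ident + 16 octet response
        if len(cp) != 17:
            return method, False
        # RFC 2865 s.5.40: a 16-octet challenge may ride in the Request Authenticator
        challenge = request.get("CHAP-Challenge", ra)
        return method, hmac.compare_digest(cp[1:], chap_response(cp[0], password, challenge))
    raise NotImplementedError("%s verification is not shown in this example" % method)
```

With no password attribute at all the request lands in the `None` branch,
which is the "No User-Password or CHAP-Password attribute" line in Tim's
debug output; forcing Auth-Type := Local sends an MS-CHAP or EAP request
down that same path, which is why Alan says not to set it.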


Re: freeRADIUS/Cisco 5300 configuration? issue?

2004-09-29 Thread Shaun McCloud
Tim, 

Looks like you are having some of the same trouble I am.

The config file that I am working with that I had to remove the
Auth-Type from is the user file.

Shaun


On Wed, 29 Sep 2004 17:04:05 -0400, Tim Rich, Jr.
[EMAIL PROTECTED] wrote:
 Alan - Thanks for the quick reply.  I am assuming that when you say "Don't
 set Auth-Type.  The server will figure it out" you mean on the Cisco, as I
 don't know where that would be set in the radiusd.conf; however, I have
 followed the book to the T and it has local in it.  So you say just remove
 the local from the ppp authentication?
 
 Tim 
 
 
 
 -Original Message-
 From: Alan DeKok [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, September 29, 2004 5:02 PM
 To: [EMAIL PROTECTED]
 Subject: Re: freeRADIUS/Cisco 5300 configuration? issue?
 
 Tim Rich, Jr. [EMAIL PROTECTED] wrote:
  Here is the clip from the output as Alan requested.  (and thanks, Alan, I
  should have mentioned that I looked in the FAQ, the book, and the archives
  before posting the note - thanks for the reminder. I have been on the list
  for 17 months or so and realize how much you add to the list - Thanks for
  all you do.)
 
   Thanks.
 
  rad_recv: Access-Request packet from host 192.168.10.29:1645, id=8,
  length=142
  Framed-Protocol = PPP
  User-Name = timrichjr
  MS-CHAP-Challenge = 0xb39bb991e902d032
 ...
  auth: type Local
  auth: No User-Password or CHAP-Password attribute in the request
  auth: Failed to validate the user.
  Login incorrect: [timrichjr/no User-Password attribute] (from client
  USSCRAS01 port 9 cli async)
 
   Don't set Auth-Type.  The server will figure it out.
 
   In this case, setting Auth-Type := Local ensures that MS-CHAP,
 EAP, etc. won't work.  Don't do it.
 
   Alan DeKok.
 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: freeRADIUS/Cisco 5300 configuration? issue?

2004-09-29 Thread Tim Rich, Jr.
Alan - so sorry - it was in the MySQL table for a test user that I formerly
used and just used it to try again.  I am sorry to waste your time.  

Tim 

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 29, 2004 5:02 PM
To: [EMAIL PROTECTED]
Subject: Re: freeRADIUS/Cisco 5300 configuration? issue? 

Tim Rich, Jr. [EMAIL PROTECTED] wrote:
 Here is the clip from the output as Alan requested.  (and thanks, Alan, I
 should have mentioned that I looked in the FAQ, the book, and the archives
 before posting the note - thanks for the reminder. I have been on the list
 for 17 months or so and realize how much you add to the list - Thanks for
 all you do.) 

  Thanks.

 rad_recv: Access-Request packet from host 192.168.10.29:1645, id=8,
 length=142
 Framed-Protocol = PPP
 User-Name = timrichjr
 MS-CHAP-Challenge = 0xb39bb991e902d032
...
 auth: type Local
 auth: No User-Password or CHAP-Password attribute in the request
 auth: Failed to validate the user.
 Login incorrect: [timrichjr/no User-Password attribute] (from client
 USSCRAS01 port 9 cli async)

  Don't set Auth-Type.  The server will figure it out.

  In this case, setting Auth-Type := Local ensures that MS-CHAP,
EAP, etc. won't work.  Don't do it.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: Re: Re: Re: Wireless gateway -Radius-LDAP-eDIRECTORY (Novell)

2004-09-29 Thread Andrew Werbowy
Do I have to do this to all users?

I thought that LDAP server would give me a password.

 [EMAIL PROTECTED] 09/29/04 4:04 PM 
Andrew Werbowy [EMAIL PROTECTED] wrote:
 I am giving right password.

  Yes, I know.  That's not the point.  The point is that the *server*
doesn't know what the correct password is.

  Put the following at the top of the users file:

#---
tor_sysop_2 User-Password == insert_correct_password_here
Fall-Through = Yes
#---

  and the authentication will succeed.

  If you do not tell the server what the user's correct password is,
all the server knows is that the user is trying to log in with a
password, but it has no idea if that password is correct.

  Alan DeKok.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: AP1230 + VLAN assignment

2004-09-29 Thread Lionel Gavage
Hi,

It's possible to switch VLAN when a user connects to a Cisco Aironet.
For 802.1x with VLAN switching, three RADIUS attribute-value pairs are
defined.

In the users file, for example:

xxx User-Password == xxx
  Tunnel-Type:1 = 13,
  Tunnel-Medium-Type:1 = 6,
  Tunnel-Private-Group-ID:1 = 17

So the integer values 13 and 6 represent the VLAN and 802 ASCII
strings respectively. The value 17 is the VLAN ID to be used.


Regards,

Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Bat. B26 SeGI

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Wednesday, 29 September 2004 20:21
To: [EMAIL PROTECTED]
Subject: Re: AP1230 + VLAN assignment


Jean-Marie GUILLEMOT [EMAIL PROTECTED] wrote:
 I'm trying to assign wireless users connecting to Cisco Aironet 1230 to
VLAN
 thanks to Freeradius.

  I'm not sure that's possible.  See the Cisco AP documentation for a
list of what attributes it can understand in an Access-Accept.

  Alan DeKok.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
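
Added example (not code from the list or from the FreeRADIUS project) of
what the three Tunnel-* lines in Lionel's users-file entry put on the
wire: RFC 2868 tagged tunnel attributes carrying the RFC 3580 VLAN
assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802,
Tunnel-Private-Group-ID as the VLAN ID string, all grouped under tag 1),
wrapped in an Access-Accept whose Response Authenticator the access
point has to verify before it moves a client into that VLAN. The packet
identifier, Request Authenticator and shared secret are constructed
values. The decoder goes a little beyond the users-file case: it also
accepts the untagged form, where a first octet above 0x1F belongs to the
string rather than being a tag, and it refuses malformed or incomplete
triples.

```python
import hashlib
import hmac
import struct

# RFC 2868 tunnel attributes reused by RFC 3580 for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802
ACCESS_ACCEPT = 2


def tagged_int(attr: int, tag: int, value: int) -> bytes:
    """Type, Length=6, one tag octet, three value octets (RFC 2868 s.3.1/3.2)."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr: int, tag: int, value: bytes) -> bytes:
    """Type, Length, one tag octet, string (RFC 2868 s.3.6)."""
    if not 0 <= tag <= 0x1F or not 1 <= len(value) <= 252:
        raise ValueError("tag must be 0..31 and string 1..252 octets")
    return struct.pack("!BBB", attr, 3 + len(value), tag) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes the users-file entry produces; ':1' is the tag."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii")))


def access_accept(identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Access-Accept with Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret) (RFC 2865 s.3)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must check before trusting any attribute in the reply."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(auth, hashlib.md5(header + request_auth + attrs + secret).digest())


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs, refusing truncated or under-length TLVs."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        yield blob[i], blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]


def extract_vlan(attrs: bytes):
    """Return the VLAN ID carried by a complete tunnel triple, or None.
    Attributes are grouped by tag (RFC 2868 s.3.7); in Tunnel-Private-Group-ID
    a first octet above 0x1F is the start of the string, not a tag."""
    groups = {}
    for t, v in parse_attributes(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4 or v[0] > 0x1F:
                raise ValueError("tunnel integer attribute must be tag + 3 octets")
            groups.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = (v[0], v[1:]) if v and v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = s
    for tag in sorted(groups):  # lowest complete tag group wins
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            s = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
            if not s.isdigit() or not 1 <= int(s) <= 4094:
                raise ValueError("Tunnel-Private-Group-ID is not a valid VLAN ID: %r" % s)
            return int(s)
    return None
```

A reply that fails verify_response has to be dropped before extract_vlan is
ever called: the attributes carry no integrity protection of their own, so
a forged or replayed Access-Accept with a different Tunnel-Private-Group-ID
parses just as cleanly as a genuine one.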


RE: AP1230 + VLAN assignment

2004-09-29 Thread Lionel Gavage
Hi Jean-Marie,

It's preferable to use the integer values instead of the ASCII strings.
So for VLAN switching, I create a local VLAN on the Cisco Aironet with a
specified SSID. The user's configuration requests this SSID and, depending on
the user, it is switched into the VLAN defined in the configuration file.
If I'm not clear enough, don't hesitate to say so ;)

Regards,

Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Lionel
Gavage
Sent: Thursday, 30 September 2004 7:47
To: [EMAIL PROTECTED]
Subject: RE: AP1230 + VLAN assignment


Hi,

It's possible to switch VLAN when a user connects to a Cisco Aironet.
For 802.1x with VLAN switching, three RADIUS attribute-value pairs are
defined.

In the users file, for example:

xxx User-Password == xxx
  Tunnel-Type:1 = 13,
  Tunnel-Medium-Type:1 = 6,
  Tunnel-Private-Group-ID:1 = 17

So the integer values 13 and 6 represent the VLAN and 802 ASCII
strings respectively. The value 17 is the VLAN ID to be used.


Regards,

Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Bat. B26 SeGI

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Alan
DeKok
Sent: Wednesday, 29 September 2004 20:21
To: [EMAIL PROTECTED]
Subject: Re: AP1230 + VLAN assignment


Jean-Marie GUILLEMOT [EMAIL PROTECTED] wrote:
 I'm trying to assign wireless users connecting to Cisco Aironet 1230 to
VLAN
 thanks to Freeradius.

  I'm not sure that's possible.  See the Cisco AP documentation for a
list of what attributes it can understand in an Access-Accept.

  Alan DeKok.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html