using realm ntdomain fails

2004-10-08 Thread Christoph Litauer
Hi,
I want to use realm ntdomain, but have had no success so far. Debug output 
always says:
modcall[authorize]: module "ntdomain" returns noop for request 47

What am I doing wrong? Please help ...
Many thanks in advance!
radius.conf is attached. The relevant part of my debug log is:
rad_recv: Access-Request packet from host 141.26.92.10:1276, id=213, length=212
User-Name = "LAPLITAUER\\litauer"
Cisco-AVPair = "ssid=Uni-Koblenz-EAP"
NAS-IP-Address = 141.26.92.10
Called-Station-Id = "004096442c99"
Calling-Station-Id = "000423795461"
NAS-Identifier = "ap-a-e-n"
NAS-Port = 37
Framed-MTU = 1400
State = 0x02d3d6576ad9e1ab0317238591165914
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02b500261900170301001b3b902ed4aa01a324bbefc6b4ad5f33165666e1acf66513406e864e
Message-Authenticator = 0xd1baa9b216e1771c5cec6cbb373c63e5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 47
  modcall[authorize]: module "preprocess" returns ok for request 47
rlm_realm: Looking up realm "LAPLITAUER" for User-Name = "LAPLITAUER\litauer"
rlm_realm: No such realm "LAPLITAUER"
  modcall[authorize]: module "ntdomain" returns noop for request 47
  modcall[authorize]: module "chap" returns noop for request 47
  modcall[authorize]: module "mschap" returns noop for request 47
rlm_realm: No '@' in User-Name = "LAPLITAUER\litauer", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 47
  rlm_eap: EAP packet type response id 181 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 47
users: Matched DEFAULT at 151
  modcall[authorize]: module "files" returns ok for request 47
modcall: group authorize returns updated for request 47
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 47
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 47
modcall: group authenticate returns invalid for request 47
auth: Failed to validate the user.

--
Regards
Christoph

Christoph Litauer  [EMAIL PROTECTED]
Uni Koblenz, Rechenzentrum,http://www.uni-koblenz.de/~litauer
Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
PGP-Key: http://www.uni-koblenz.de/~litauer/public-key.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius and aqua gk

2004-10-08 Thread Dmitriy Milashenko
Hi All!

I'd like to do accounting of calls passing through the voip "Aqua"
gatekeeper. So the problem is in inserting accounting fields into the
database. Aqua sends to freeradius params like
h323-disconnect-time = "h323-disconnect-time=07:09:27.327 UTC Fri Oct 08 2004"
so when freeradius tries to insert
"strip_dot('h323-setup-time=07:09:11.148 UTC Fri Oct 08 2004')"
into the database it raises an exception.

So the question is: how to tell freeradius to use only the last part of the
accounting parameter?

-- 
 Dmitriy  mailto:[EMAIL PROTECTED]


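The prefix-stripping the poster is asking about, as an added Python example (not FreeRADIUS code and not the list's answer): it removes the echoed `h323-...=` from Cisco-style VSA values only when that prefix names the attribute the value arrived in, parses the timestamp, and derives the call duration. The accounting pairs are constructed; only the disconnect-time value is taken from the post.

```python
"""Normalising Cisco-style h323 accounting VSAs whose value repeats the
attribute name, e.g. 'h323-disconnect-time=07:09:27.327 UTC Fri Oct 08 2004'.
Added example, not FreeRADIUS code: it shows the clean-up a pre-insert step
has to do before the value is stored; the sample packet is constructed."""

import re
from datetime import datetime, timedelta, timezone
from typing import Dict

# Matches 'h323-xxx=value' so the echoed prefix can be compared with the
# attribute it arrived in. Only strip when the names really match.
PREFIXED_VALUE = re.compile(r"^(?P<name>h323-[A-Za-z0-9-]+)=(?P<value>.*)$", re.S)


def strip_attr_prefix(attr: str, value: str) -> str:
    """Return value without a leading '<attr>=' if, and only if, that prefix
    names the attribute the value came in. Other values are left untouched."""
    m = PREFIXED_VALUE.match(value)
    if m and m.group("name").lower() == attr.lower():
        return m.group("value")
    return value


def parse_h323_time(value: str) -> datetime:
    """Parse 'HH:MM:SS.mmm UTC Www Mmm DD YYYY' into an aware datetime.

    The time zone token is checked explicitly instead of relying on
    strptime's locale-dependent %Z; only UTC is handled here."""
    try:
        clock, tz, weekday, month, day, year = value.split()
    except ValueError as exc:
        raise ValueError(f"unexpected h323 time format: {value!r}") from exc
    if tz != "UTC":
        raise ValueError(f"unsupported time zone in h323 time: {tz!r}")
    naive = datetime.strptime(f"{clock} {weekday} {month} {day} {year}",
                              "%H:%M:%S.%f %a %b %d %Y")
    return naive.replace(tzinfo=timezone.utc)


def normalise_acct(pairs: Dict[str, str]) -> Dict[str, str]:
    """Strip the echoed attribute name from every h323-* value in a request."""
    return {attr: strip_attr_prefix(attr, val) if attr.startswith("h323-") else val
            for attr, val in pairs.items()}


def call_duration(pairs: Dict[str, str]) -> timedelta:
    """Disconnect time minus setup time, computed from the cleaned values."""
    clean = normalise_acct(pairs)
    return (parse_h323_time(clean["h323-disconnect-time"])
            - parse_h323_time(clean["h323-setup-time"]))


# Constructed Accounting-Request pairs in the shape the poster reports;
# the disconnect-time value is the one quoted on the list.
SAMPLE_ACCT = {
    "User-Name": "1001",
    "Acct-Status-Type": "Stop",
    "h323-setup-time": "h323-setup-time=07:09:11.148 UTC Fri Oct 08 2004",
    "h323-disconnect-time": "h323-disconnect-time=07:09:27.327 UTC Fri Oct 08 2004",
    "h323-disconnect-cause": "h323-disconnect-cause=10",
    "h323-call-origin": "answer",   # already clean: must pass through unchanged
}

if __name__ == "__main__":
    for attr, val in normalise_acct(SAMPLE_ACCT).items():
        print(f"{attr} = {val!r}")
    print("duration:", call_duration(SAMPLE_ACCT))
```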


Re: Problem : segmentation fault

2004-10-08 Thread Paul Hampson
On Fri, Oct 08, 2004 at 06:28:17AM +, atul dhingra wrote:
[Some HTML stuff]

Please don't post HTML-only.

Anyway, try OpenSSL 0.9.7... From memory it's required by
something in there.

Otherwise, after reading the mailing list rules, there's a
document (bugs.txt?) which describes how to report this sort
of problem in a way that lets us help solve it.

-- 
Paul "TBBle" Hampson, on an alternate email client.



SSLV3 error

2004-10-08 Thread Vito Pascali
Hi all,
for 2 days now my XP clients have been disconnecting the connection
(PEAP/TLS) after a while, and in the log I have:

Thu Oct 7 19:20:27 2004 : Info: rlm_eap_tls: Length Included

Thu Oct 7 19:20:27 2004 : Error: TLS_accept:error in SSLv3 read client
certificate A

Thu Oct 7 19:20:27 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

Thu Oct 7 19:20:28 2004 : Info: rlm_eap_tls: Length Included

Thu Oct 7 19:20:28 2004 : Info: (other): SSL negotiation finished
successfully

If I disconnect the client and reconnect, all goes like a charm...

I don't know what's wrong with my conf.

tnx again


Vito Pascali
L.P.I. Certified
S&T Linksystem S.r.l.
Tel 051/3140537
Fax 051/3140489
http://www.lnksystem.com




RE: using realm ntdomain fails

2004-10-08 Thread Øystein Gåsdal
What is realm used for anyway? Is it just for proxying?
Do we even need to configure that to use ntlm authentication?

Regards,
Øystein Gåsdal  

> -Original Message-
> From: Christoph Litauer [mailto:[EMAIL PROTECTED] 
> Sent: 8 October 2004 09:26
> To: [EMAIL PROTECTED]
> Subject: Re: using realm ntdomain fails
> 
> Christoph Litauer wrote:
> > Hi,
> > 
> > I want to use realm ntdomain, but had no success so far. 
> > Debug output always says:
> > modcall[authorize]: module "ntdomain" returns noop for request 47
> > 
> > What am I doing wrong? Please help ...
> > Many thanks in advance!
> > 
> > radius.conf is attached. The relevant part of my debug log is:
> 
> Sorry, I forgot the attachment. Here it is.
> 
> --
> Regards
> Christoph



Authentication fail

2004-10-08 Thread Roberto Belletti
Hello,
I have an authentication problem with my FreeRadius server running on a
Linux RedHat 9.0b server.
I tried with FreeRadius v1.0 and v1.0.1 with the same result.


An authentication request is sent from a Cisco AS5350 Router and sometimes
it fails.

The log messages from the Radius Server are:
Thu Oct  7 13:51:04 2004 : Auth: Login incorrect:
[VL8PST01usr!/\031\026~^\345\232\360\342Ub\3634\031Wi\246] (from client
ASPOP_VL01-1 port 20120 cli 125627513)

After some retries the authentication succeeds:
Thu Oct  7 13:56:51 2004 : Auth: Login OK: [VL8PST01usr!/VL8PST01pwd!] (from
client ASPOP_VL01-1 port 20109 cli 125627513)

Any idea?

thanking all you,
roberto



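To read the garbled password in the "Login incorrect" line, here is an added Python example (not FreeRADIUS code) of the RFC 2865 User-Password hiding and its reversal. The shared secrets and the Request Authenticator are constructed; that a secret mismatch between NAS and server is what happened in this post is an assumption of the example, not something the post establishes, but it is one mechanism that turns a 12-character password into exactly one 16-byte block of unprintable bytes like the one logged.

```python
"""RFC 2865 User-Password hiding, used here to read the posted
'Login incorrect' line. Added example, not FreeRADIUS code. The shared
secrets and the Request Authenticator are constructed; treating a secret
mismatch as the poster's cause is this example's assumption, not the page's."""

import hashlib
from typing import Dict


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 section 5.2): pad to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous ciphertext block), seeded by the
    Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, chained on the received ciphertext
    blocks; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def render_like_radiusd(data: bytes) -> str:
    """Show bytes the way the posted log does: printable ASCII as-is,
    everything else as a three-digit octal escape such as \\031."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else f"\\{b:03o}" for b in data)


def is_printable(data: bytes) -> bool:
    return all(0x20 <= b <= 0x7e for b in data)


def demo(secret_used_by_nas: bytes = b"constructed-secret",
         secret_on_server: bytes = b"constructed-secret-typo") -> Dict[str, object]:
    """Hide the password from the 'Login OK' line, then undo it with the
    right secret and with a different one. The Request Authenticator is
    fixed here so the run is reproducible; a real NAS picks 16 random bytes."""
    authenticator = bytes(range(16))          # constructed, not random
    password = b"VL8PST01pwd!"                # from the poster's 'Login OK' line
    on_the_wire = hide_password(password, secret_used_by_nas, authenticator)
    good = reveal_password(on_the_wire, secret_used_by_nas, authenticator)
    bad = reveal_password(on_the_wire, secret_on_server, authenticator)
    return {
        "good": good,
        "bad": bad,
        "bad_rendered": render_like_radiusd(bad),   # reads like [user/\031\026~^...]
        "wire_len": len(on_the_wire),               # 12-byte password -> one 16-byte block
    }


if __name__ == "__main__":
    r = demo()
    print("right secret :", r["good"].decode())
    print("wrong secret :", r["bad_rendered"])
```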


Re: using realm ntdomain fails

2004-10-08 Thread Christoph Litauer
Øystein Gåsdal wrote:
> What is realm used for anyway? Is it just for proxying?
> Do we even need to configure that to use ntlm authentication?
Yes, I want to use ntlm_auth with the stripped username (username 
without nt domain).

--
Regards
Christoph

Christoph Litauer  [EMAIL PROTECTED]
Uni Koblenz, Rechenzentrum,http://www.uni-koblenz.de/~litauer
Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
PGP-Key: http://www.uni-koblenz.de/~litauer/public-key.html
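For the two posts above (the "No such realm" debug log, and the goal of handing ntlm_auth the username without its NT domain), here is an added Python model of what rlm_realm does in the authorize section. It is not rlm_realm's code: the realm tables are constructed, the return code and Realm value for a match are modelled rather than taken from the page, and the module's ignore_default/ignore_null options are not modelled.

```python
"""Model of the User-Name splitting done by FreeRADIUS's rlm_realm, added
to explain the 'noop' in the posted debug log. This is an added example
modelled on the module's observable behaviour, not rlm_realm's own code;
the realm tables below are constructed."""

from typing import Dict, Optional, Tuple

# Constructed realm tables in the shape proxy.conf's realm blocks boil down to:
# 'local' stands for 'authhost = LOCAL', 'nostrip' for the nostrip flag.
REALMS_NO_MATCH = {"example.org": {"local": False, "nostrip": False}}
REALMS_DEFAULT_LOCAL = {"DEFAULT": {"local": True, "nostrip": False}}


def split_user_name(user_name: str, fmt: str, delimiter: str) -> Optional[Tuple[str, str]]:
    """Return (realm_name, user_part), or None when the delimiter is absent.

    fmt='prefix' is the 'ntdomain' instance (DOMAIN\\user, delimiter '\\'),
    fmt='suffix' is the 'suffix' instance (user@realm, delimiter '@')."""
    if fmt == "prefix":
        idx = user_name.find(delimiter)
        return None if idx < 0 else (user_name[:idx], user_name[idx + len(delimiter):])
    if fmt == "suffix":
        idx = user_name.rfind(delimiter)
        return None if idx < 0 else (user_name[idx + len(delimiter):], user_name[:idx])
    raise ValueError("fmt must be 'prefix' or 'suffix'")


def realm_authorize(user_name: str, fmt: str, delimiter: str,
                    realms: Dict[str, dict]) -> dict:
    """One rlm_realm instance in the authorize section.

    Returns the module return code, the attributes it would add to the
    request, and a debug line in the style of the posted log. A realm that
    is not defined (and no DEFAULT realm) gives 'noop' and adds nothing, so
    no later module ever sees a Stripped-User-Name."""
    parts = split_user_name(user_name, fmt, delimiter)
    if parts is None:
        # No delimiter: the module looks for a realm literally named "NULL".
        lookup, user_part = "NULL", user_name
        matched = "NULL" if "NULL" in realms else None
    else:
        lookup, user_part = parts
        # An exact match wins; otherwise a realm named DEFAULT catches the rest.
        matched = lookup if lookup in realms else ("DEFAULT" if "DEFAULT" in realms else None)
    if matched is None:
        return {"rc": "noop", "attrs": {}, "debug": f'rlm_realm: No such realm "{lookup}"'}
    realm = realms[matched]
    attrs = {"Realm": matched}
    if not realm["nostrip"]:
        # This is the value a later module (ntlm_auth, ldap, ...) should use.
        attrs["Stripped-User-Name"] = user_part
    if not realm["local"]:
        attrs["Proxy-To-Realm"] = matched
    return {"rc": "updated", "attrs": attrs,
            "debug": f'rlm_realm: Found realm "{matched}" for User-Name = "{user_name}"'}


def ntdomain(user_name: str, realms: Dict[str, dict]) -> dict:
    """The 'ntdomain' instance as shipped: format = prefix, delimiter = '\\\\'."""
    return realm_authorize(user_name, "prefix", "\\", realms)


def suffix(user_name: str, realms: Dict[str, dict]) -> dict:
    """The 'suffix' instance as shipped: format = suffix, delimiter = '@'."""
    return realm_authorize(user_name, "suffix", "@", realms)


if __name__ == "__main__":
    name = "LAPLITAUER\\litauer"   # the User-Name from the posted debug log
    for table in (REALMS_NO_MATCH, REALMS_DEFAULT_LOCAL):
        r = ntdomain(name, table)
        print(r["debug"], "->", r["rc"], r["attrs"])
```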


Re: Wierd FR/MySQL behaviour

2004-10-08 Thread Josh Howlett
--On Thursday, October 07, 2004 16:27:10 -0400 Dustin Doris 
<[EMAIL PROTECTED]> wrote:

> > I have FR set up to auth/acct against MySQL. It appears to work fine in
> > a high load environment, most of the time.
> > Very, very occasionally FR appears to mis-process requests from the
> > NASes.
> >
> > Even running FR in -X mode fails to catch the incoming/returned packets.
> > As far as FR is concerned, these sessions never happened.
>
> That's weird.  Are you sure the NAS isn't configured with a secondary
> radius server that it may be sending these packets to?

No secondary server...

> > This is only happening with a very tiny % of requests.
> > I'm running out of ideas as to how to trace this problem. Any
> > suggestions are very welcome! I'm running FR 0.9.3.
>
> You could try enabling detail auth_log and detail reply_log.  That will
> capture all access request packets as well as all access accept packets
> that you send back.  These are the actual authentication packets, rather
> than the normal detail file/sql that captures accounting.  This would help
> you troubleshoot this.

I've done that too - and there's no record of the incoming RADIUS 
transaction, yet the NAS sees it!

Thanks for the suggestions.
best regards, josh.
--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



RE: Freeradius, Cisco Catalyst 2950, Windwos Domain

2004-10-08 Thread Øystein Gåsdal
If nothing shows in the radius debug, my guess is that you haven't
configured the 2950 properly, i.e. you have the wrong ip address to the radius
server.

The configuration should look like this:

aaa new-model
aaa authentication dot1x default group radius
radius-server host  auth-port 1812 acct-port 1813
key 

On the ethernet interface, you should have this:
dot1x port-control auto

- Øystein Gåsdal


> -Original Message-
> From: M.Cerqui - PUBLISHERIA [mailto:[EMAIL PROTECTED] 
> Sent: 4 October 2004 21:02
> To: [EMAIL PROTECTED]
> Subject: RE: Freeradius, Cisco Catalyst 2950, Windwos Domain 
> 
> No wireless, wired environment! Authentication is required 
> because the port goes into unauthenticated state and I 
> haven't got any network access.
> 
> 
> 
> [EMAIL PROTECTED] said...
> 
> 
> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Monday, 4 October 2004 21:07
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius, Cisco Catalyst 2950, Windwos Domain 
> 
> "M.Cerqui - PUBLISHERIA" <[EMAIL PROTECTED]> wrote:
> > Sorry for my bad english... the problem is, that I can't post any 
> > debug information because there isn't any. I start 
> "freeradius -X" and 
> > turn
> "debug
> > radius" on my catalyst on, but with the following windows xp 
> > configuration nothing occurs on the server and switch until I have 
> > logged in and the desktop is loaded.
> 
>   If the windows box is accessing the network via wireless, 
> without FreeRADIUS being involved, then you haven't 
> configured the AP to require authentication.
> 
>   Fix that.
> 
>   Alan DeKok.
> 



Re: Freeradius, Cisco Catalyst 2950, Windwos Domain

2004-10-08 Thread M.Cerqui - PUBLISHERIA




Hi Øystein

Thanks for your help. I have the Catalyst already configured like this
and even when I turn on the "debug radius" option on the catalyst there
is no output before a successful login :-( I now have tried the Aegis
Client as Supplicant on Windows and with this supplicant authentication
before domain login works perfectly (PEAP). Any other idea? Is the
default Microsoft Windows XP supplicant that bad?

Cheers

Marco





segmentation fault ( eaptls_process returned 3 )

2004-10-08 Thread atul dhingra
Hi All,
I am facing a segmentation fault error while using the following snapshots for 
openssl and freeradius

openssl-0.9.6-stable-SNAP-20041002
freeradius-snapshot-20041006
Attached are the logs in debug mode of freeradius
Thanks much in advance
AD
[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local//etc/raddb/proxy.conf
Config:   including file: /usr/local//etc/raddb/clients.conf
Config:   including file: /usr/local//etc/raddb/snmp.conf
Config:   including file: /usr/local//etc/raddb/eap.conf
Config:   including file: /usr/local//etc/raddb/sql.conf
main: prefix = "/usr/local/"
main: localstatedir = "/usr/local//var"
main: logdir = "/usr/local//var/log/radius"
main: libdir = "/usr/local//lib"
main: radacctdir = "/usr/local//var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local//var/log/radius/radius.log"
main: log_destination = "files"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local//var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local//sbin/checkrad"
main: debug_level = 0
main: proxy_requests = yes
log: syslog_facility = "daemon"
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Expiration
expiration: reply-message = "Password Has Expired  "
Module: Instantiated expiration (expiration)
Module: Loaded Login Time
logintime: reply-message = "You are calling outside your allowed timespan  "
logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local//var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local//etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local//etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local//etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local//etc/raddb/certs/dh"
tls: random_file = "/usr/local//etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local//etc/raddb/huntgroups"
preprocess: hints = "/usr/local//etc/raddb/hints"
p

Re: Simultaneous-Use

2004-10-08 Thread Kyriaki Gali
Sorry, but I sent a mail yesterday informing the list that 
I have the problem again..

Anyway, in the radgroupcheck table I have a line
group-Simultaneous-Use- := 1
and in sql.conf I have changed the simul_count_query
query to see groups and not users..

Try it and tell me if it goes ok!


Kyriaki Gali, IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]

> - Original Message - 
> From: EROS
> To: [EMAIL PROTECTED]
> Sent: Thursday, October 07, 2004 11:58 PM
> Subject: RE : Simultaneous-Use
> 
> how have you set it to make it work cause it seems I have the same 
> problem?
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kyriaki Gali
> > Sent: Thursday 7 October 2004 16:14
> > To: [EMAIL PROTECTED]
> > Subject: Simultaneous-Use
> > 
> > Sorry, guys i found it.. thanks.


RE: Freeradius, Cisco Catalyst 2950, Windwos Domain

2004-10-08 Thread Øystein Gåsdal



The WindowsXP supplicant works for me...kinda.
It sends requests via my 2950, but i still can't logon, but I guess that has
something to do with the configuration on the radius server.

In Network Connections ->  -> Authentication, it says something like this.

Enable IEEE 802.1x etc. is marked
EAP type: Protected EAP (PEAP)

Press the Properties button

Take away the Validate server certificate mark.

Under Select Authentication Method, choose
Secured password (EAP-MSCHAP v2)

Do you have the same?

Anyway, does this mean you have been able to authenticate users via a NT domain?
What files did you configure to make it work? and what parameters?

- Øystein


  
  

different LDAP attribute mappings

2004-10-08 Thread michael . kopp
Hi all,

I searched the archives and most of the doc directory of freeradius, but couldn't
find the answer.

What I want to achieve - I want to have a user authentication LDAP server with
ntpassword/lmpassword for PEAP-MSCHAPv2 and have an MD5 userpassword attribute
in LDAP for all the other authentication services we want to provide (vpn
dialin , etc ... )

I have read that I have to map radius-userpassword to the LDAP password
attribute, so my question is, is there any way to configure freeradius to
check first against ntpassword and if this fails to check again
against the userpassword attribute of LDAP ?

or do you recommend any other solution for this (maybe something based on
huntgroup) ? I have seen a thread that different LDAP servers could be
selected based on the NAS IP address, is it also possible to have different
attribute mappings between LDAP and Freeradius based on NAS IP Address or
any other attribute in Access-Request ?

I know the simplest solution would be to have clear-text passwords in
userpassword of LDAP, but I think from a security point of view we won't go
this way.

So any hints would be great
regards
Michael





Re: different LDAP attribute mappings

2004-10-08 Thread Kostas Kalevras
On Fri, 8 Oct 2004 [EMAIL PROTECTED] wrote:

> I have read that I have to map radius-userpassword to the LDAP password
> attribute, so my question is, is there any way to configure freeradius to
> check first against ntpassword and if this fails to check again
> against the userpassword attribute of LDAP ?
>
> or do you recommend any other solution for this (maybe something based on
> huntgroup) ? I have seen a thread that different LDAP servers could be
> selected based on the NAS IP address, is it also possible to have different
> attribute mappings between LDAP and Freeradius based on NAS IP Address or
> any other attriute in Access-Request ?
>
> I know simplest solution would be to have clear-text passords in
> userpassword of LDAP, but I think from a security point of view we won`t go
> this way.

Just use the default configuration as it is. By default rlm_ldap will map
ntPassword to NT-Password and lmPassword to LM-Password (as can be found by a
quick look at ldap.attrmap), so PEAP-MSCHAPv2 will work out of the box. You can
just do ldap authentication for the rest of the services which will use the md5
encrypted userpassword attribute (actually it will perform an ldap bind).

Hope this helps.


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Logging....

2004-10-08 Thread Kostas Kalevras
On Thu, 7 Oct 2004, phorced access wrote:

> How would I go about doing that?

src/modules/rlm_ldap/rlm_ldap.c

>
> On Thu, 7 Oct 2004 09:29:17 +0300 (EEST), Kostas Kalevras
> <[EMAIL PROTECTED]> wrote:
> >
> >
> > On Wed, 6 Oct 2004, phorced access wrote:
> >
> > > Since I have multiple LDAP servers configured for bind authentication.
> > >  How can I tell which current ldap server FreeRADIUS is connecting to
> > > besides sitting on those LDAP servers.  Can FreeRADIUS report in a log
> > > or debug output which server it is forwarding requests too.  This
> > > would also be a nice feature when freeradius is in proxy mode.
> >
> > So patch your ldap module to print out a log message with the corresponding ldap
> > server information every time it uses one.
> >
> > >
> > > Thanks,
> > >
> > > Phorced
> > >
> >
>




Re: Reply-Message

2004-10-08 Thread Kostas Kalevras
On Thu, 7 Oct 2004, EROS wrote:

> Hi,
>
> How do I change the Reply-Message when a user reaches the max-monthly-limit
> of his account ?
>
>
> now I have this message from the radius :
>
> Sending Access-Reject of id 22 to 192.168.200.101:1482
> Reply-Message = "Your maximum monthly usage time has been
> reached"
>
> and I wanna have this :
>
>
> Sending Access-Reject of id 22 to 192.168.200.101:1482
> Reply-Message = "Hello World"

The Reply-Message is currently hardcoded in rlm_counter so it's rather
difficult.

>
>
> thx




Re: Freeradius, Cisco Catalyst 2950, Windwos Domain

2004-10-08 Thread M.Cerqui - PUBLISHERIA




Here is my 2950 configuration:

usts01# configure terminal
usts01(config)# aaa new-model
usts01(config)# aaa authentication dot1x default group radius
usts01(config)# dot1x system-auth-control
usts01(config)# aaa authorization network default group radius
usts01(config)# interface FastEthernet0/1
usts01(config-if)# dot1 port-control auto
usts01(config-if)# end

usts01(config)# radius-server host 192.168.107.43 auth-port 1812 acct-port 1813 key whatever


My goal is, that the windows supplicant does the authentication BEFORE
the windows login, because without that I don't have any connection to
the domain controller.

I had the same configuration for the windows supplicant, but it didn't
send any request when I did the login, so I didn't get any connection
to the DC -> login failed.

Now I use the Aegis client and with this, it works perfectly! The
disadvantage is, that you have to pay for the client. You understand
what I mean? I created a user account for the computer in the users
file for the authentication. 

Did the windows supplicant with your configuration send the user name /
password before  connecting to the DC?

Cheers

Marco

Øystein Gåsdal wrote:

  
  
  
  The WindowsXP supplicant works
for me...kinda.
  It sends requests via my 2950,
but i still can't logon, but I guess that has something to do with the
configuration on the radius server.
   
  In Network Connections ->
 -> Authentication, it says something like
this.
   
  Enable IEEE 802.1x etc. is marked
  EAP type: Protected EAP (PEAP)
   
  Press the Properties button
   
  Take away the Validate server
certificate mark.
   
  Under Select Authentication
Method, choose
  Secured password (EAP-MSCHAP v2)
   
  Do you have the same?
   
  Anyway, does this mean you have
been able to authenticate users via a NT domain?
  What files did you configure to
make it work? and what parameters?
   
  - Øystein
  
  
  

 From:
M.Cerqui - PUBLISHERIA [mailto:[EMAIL PROTECTED]] 
Sent: 8. oktober 2004 11:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius, Cisco Catalyst 2950, Windwos Domain


Hi Øystein

Thanks for your help. I have the Catalyst already configured like this
and even when I turn on the "debug radius" option on the catalyst there
is no output before a successful login :-( I now have tried the Aegis
Client as Supplicant on Windows and with this supplicant authentication
before domain login works perfectly (PEAP). Any other idea? Is the
default Microsoft Windows XP supplicant that bad?

Cheers

Marco



Øystein Gåsdal wrote:

  If nothing shows in the radius debug, my guess is that you haven't
configured the 2950 properly, i.e. you have the wrong IP address to the radius
server.

The configuration should look like this:

aaa new-model
aaa authentication dot1x default group radius
radius-server host  auth-port 1812 acct-port 1813
key 

On the ethernet interface, you should have this:
dot1x port-control auto

- Øystein Gåsdal


-Original Message-
From: M.Cerqui - PUBLISHERIA [mailto:[EMAIL PROTECTED]] 
Sent: 4. oktober 2004 21:02
To: [EMAIL PROTECTED]
Subject: RE: Freeradius, Cisco Catalyst 2950, Windwos Domain 

No wireless, wired environment! Authentication is required 
because the port goes into unauthenticated state and I 
haven't got any network access.



[EMAIL PROTECTED] said...


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Montag, 4. Oktober 2004 21:07
To: [EMAIL PROTECTED]
Subject: Re: Freeradius, Cisco Catalyst 2950, Windwos Domain 

"M.Cerqui - PUBLISHERIA" <[EMAIL PROTECTED]> wrote:


  Sorry for my bad english... the problem is that I can't post any
debug information because there isn't any. I start "freeradius -X" and
turn "debug radius" on my catalyst on, but with the following windows xp
configuration nothing occurs on the server and switch until I have
logged in and the desktop is loaded.

  If the windows box is accessing the network via wireless, 
without FreeRADIUS being involved, then you haven't 
configured the AP to require authentication.

  Fix that.

  Alan DeKok.



-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Re: Reply-Message

2004-10-08 Thread Christopher Price

I was told to change as little as possible in the configuration files and that PEAP/MSCHAPv2 using Microsoft's 802.1x client with an LDAP backend DB would work fine. This is not the case and I would appreciate any suggestions on what to modify to make this work. The only portion of the config that I changed was the ldap module section (to point to my ldap server) and the ldap line in the authorize section (uncommented the single line). I have included some output from the server when I attempt to authenticate.

Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded LDAP
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone m

Problems with counter module

2004-10-08 Thread macleod
Hi all,
I need help with the counter module. I'd like to allow internet connection for
1 hour.
users file:

Pablo   Auth-Type := Local, Max-Daily-Session := 3600, User-Password == "Pablo", NAS-IP-Address = "192.168.0.135"
        Service-Type = Framed-User,
        Session-Timeout := 3600,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Idle-Timeout = 3600,
        Port-Limit = 1

So it works, but at the end of the hour you can connect again, without
any reject, so I tried

Pablo   Auth-Type := Local, Max-Daily-Session := 3600, User-Password == "Pablo", NAS-IP-Address = "192.168.0.135", Daily-Session-Time > 3600, Auth-Type := Reject
        Service-Type = Framed-User,
        Session-Timeout := 3600,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Idle-Timeout = 3600,
        Port-Limit = 1
and that's the answer

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "Pablo", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 97
users: Matched Pablo at 142
  modcall[authorize]: module "files" returns ok for request 0
rlm_counter: Entering module authorize code
rlm_counter: Searching the database for key 'Pablo'
rlm_counter: Could not find the requested key in the database.
rlm_counter: Check item = 3600, Count = 0
rlm_counter: res is greater than zero
rlm_counter: (Check item - counter) is greater than zero
rlm_counter: Authorized user Pablo, check_item=3600, counter=0
rlm_counter: Sent Reply-Item for user Pablo, Type=Session-Timeout, value=3600
  modcall[authorize]: module "daily" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.

I tried to change it to Daily-Session-Time < 3600 in the users file, just to
try, but I get the same answer, so I don't know what to do.
If anybody can help me or send a correct users file and radiusd.conf file,
it would be great.

thanks.



RE: Ntlm_auth how-to

2004-10-08 Thread Øystein Gåsdal
I still can't get this to work...
After configuring samba, I get ntlm_auth to work manually:

[EMAIL PROTECTED] raddb]# ntlm_auth --username=og4 --request-nt-key
--domain=AALESUND
password: 
NT_STATUS_OK: Success (0x0)

But it still does not work via radius:

Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=AALESUND\\OG4
--challenge=ca836119d50fefab
--nt-response=81c243a7096b1aea98ebf7c171df2d842daf37d69868d220
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1

I can't figure out what's wrong, so I'm attaching both my radius.conf and
the radiusd debug/log file if anyone please could take a look at it?

Thanks,
Øystein

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED] 
> Sent: 5. oktober 2004 16:13
> To: [EMAIL PROTECTED]
> Subject: Re: Ntlm_auth how-to 
> 
> =?iso-8859-1?Q?=D8ystein_G=E5sdal?= <[EMAIL PROTECTED]> wrote:
> > Which brings me back to one of my questions: how on earth does 
> > ntlm_auth (or the machine it is running on) know where the 
> nt4 domain 
> > is?
> 
>   Please consult the ntlm_auth documentation to discover how 
> to get it working from the command line.
> 
>   Once that's set up, it will work from FreeRADIUS.
> 
> > There must be lots of people out there with ntlm_auth and 
> freeradius 
> > working... What did you do?
> 
>   Followed the ntlm_auth documentation.  It's not included 
> with FreeRADIUS, because ntlm_auth isn't included with FreeRADIUS.
> 
> > Error 1:
> > rlm_realm: Looking up realm "AALESUND" for User-Name =3D 
> "AALESUND\OG4"
> > rlm_realm: No such realm "AALESUND"
> 
>   Does this break anything?  If not, it's not an error.
> 
> > Error2:
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 19
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/mschapv2
> >   rlm_eap: processing type mschapv2
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group Auth-Type for request 19
> >   rlm_mschap: No User-Password configured.  Cannot create 
> LM-Password.
> >   rlm_mschap: No User-Password configured.  Cannot create 
> NT-Password.
> >   rlm_mschap: Told to do MS-CHAPv2 for OG4 with NT-Password
> > radius_xlat: Running registered xlat function of module 
> mschap for = 
> > string 'Challenge'
> >  mschap2: b9
> 
>   If you're using ntlm_auth, I don't see any errors there.
> 
> > Is this something to worry about, or is it connected with the 
> > ntlm_auth problem?
> 
>   It's just the server telling you what it's doing.  If those 
> messages were errors, then the words "error" or "fail" would 
> probably appear in them.
> 
>   Alan DeKok.
> 



radiusfiles.rar
Description: Binary data


RE: Freeradius, Cisco Catalyst 2950, Windwos Domain

2004-10-08 Thread Matanya Elchanani
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of M.Cerqui - PUBLISHERIA
> Sent: Friday, October 08, 2004 8:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius, Cisco Catalyst 2950, Windwos Domain
> 
> 
> My goal is, that the windows supplicant does the 
> authentication BEFORE the windows login, because without that 
> I don't have any connection to the domain controller.

When a Windows machine belongs to a domain, it needs to contact the DC on boot
(way before a successful login or any user interaction). At that time the PC
acquires policies from GPOs. This means that you must have 802.1X credentials
stored somewhere on the PC so the box can authenticate without any user
interaction. The only way I know of making it work is by using EAP-TLS. I got
this to work by setting up the PC to use EAP-TLS, getting a client certificate,
and storing it in the COMPUTER ACCOUNT certificate store of the PC. When an XP
box (post SP1) boots, it will check the computer account certificate store for
a valid cert, do an EAP-TLS auth session and change the authenticator mode
(doesn't matter if it's a switch port or an AP) to authorized and get the PC on
the network to continue with domain association. When a user logs into this
box, the default behavior (post SP1) will be to re-authenticate with the user
credentials (this can be changed in the registry). Read all about it at:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/techref/en-us/w2k3tr_wir_tools.asp

--
Matanya



Re: Selecting correct LDAP instance (long)

2004-10-08 Thread Alan DeKok
"Tarun Bhushan" <[EMAIL PROTECTED]> wrote:
> I see your point. However, how does FR select which instance needs to
> handle this request right at the start of handling the request?

  I'm not sure what you mean.  The various sections are processed in
order, from top to bottom, so any decision to make is easy.

> In the
> debug log, the first thing I can see with respect to the first authorize
> part of handling the request is "rlm_ldap: Entering ldap_groupcmp()".
> From what I can see, the modcall code has already selected the instance
> at this stage, as "instance" is an input parameter to this function.

  Not exactly.  The attribute is tied to a particular instance, so any
reference to that attribute naturally refers to an instance.  There's
no fail-over or redundancy, as the attribute is tied to an instance,
not to a fail-over/redundancy section in "radiusd.conf".

  If you use the same attribute in any other section (authenticate,
post-auth, etc), you will see the server selecting the same instance
of the same module.  The LDAP group comparison has nothing to do with
"authorize", as it's dependent on the instance of the module, and not
on any section in "radiusd.conf".

> >   Please use "Autz-Type", the "autztype" name is deprecated, and may
> > be removed in a future release.
> 
> This does not appear to work. Within the 'users' file, Autz-Type is
> fine. However, when 'autz-type' is used instead of 'autztype' used
> within the 'Authorize' section in radiusd.conf, radiusd reports an error
> while processing the 'users' file (Unexpected trailing comma in check
> item list for entry DEFAULT), which goes away when 'autztype' is used.

  Which version of the server are you using?

> Also, there is also a corresponding 'authtype' in the 'Authenticate'
> section too, not 'auth-type'.

  Not in any recent version of the server.

> >   Maybe we need sections for callbacks, where the callback code can
> > package multiple modules together in a redundant section.
> 
> Wouldn't these callback sections need to be within/related-to the
> corresponding higher level sections (authorize, authenticate, etc)?

  Why?  There are no "higher level" sections.  They're all completely
independent, and ignorant of each other.  That's what makes the server
so powerful.

  Alan DeKok.



Re: using realm ntdomain fails

2004-10-08 Thread Alan DeKok
Christoph Litauer <[EMAIL PROTECTED]> wrote:
> I want to use realm ntdomin, but had no success so far. Debug output 
> always says:
> modcall[authorize]: module "ntdomain" returns noop for request 47

  OK

>  rlm_realm: Looking up realm "LAPLITAUER" for User-Name = 
> "LAPLITAUER\litauer"
>  rlm_realm: No such realm "LAPLITAUER"

  So... did you define that realm in "proxy.conf", or in the "realms"
file?  I'd bet that the answer is "no".

  Alan DeKok.



Re: SSLV3 error

2004-10-08 Thread Alan DeKok
"Vito Pascali" <[EMAIL PROTECTED]> wrote:
> Hi all,
> for 2 days now my XP clients after a while disconnect the connection
> (PEAP/TLS) and in the log I have:
> 
> Thu Oct 7 19:20:27 2004 : Info: rlm_eap_tls: Length Included
> 
> Thu Oct 7 19:20:27 2004 : Error: TLS_accept:error in SSLv3 read client
> certificate A
...

  Does this affect the users ability to log in?

  Alan Dekok.



Re: Authentication fail

2004-10-08 Thread Alan DeKok
"Roberto Belletti" <[EMAIL PROTECTED]> wrote:
> I have an authentication problem with my FreeRadius server running on a
> Linux RedHat 9.0b server.
> I tried with FreeRadius v1.0 and v1.0.1 with the same result.
> 
> An authentication request is sent from a Cisco AS5350 Router and sometimes
> it fails.
> 
> The log messages from the Radius Server are:
> Thu Oct  7 13:51:04 2004 : Auth: Login incorrect:
> [VL8PST01usr!/\031\026~^\345\232\360\342Ub\3634\031Wi\246] (from client
> ASPOP_VL01-1 port 20120 cli 125627513)

  Run it in debugging mode.  Read the FAQ.

  I have no idea why you would look at the log file, which is a
SUMMARY of what's going on, and not the debug log, which tells you
EXACTLY what's going on, and WHY.

  Alan DeKok.



Re: Wierd FR/MySQL behaviour

2004-10-08 Thread Alan DeKok
Josh Howlett <[EMAIL PROTECTED]> wrote:
> I've done that too - and there's no record of the incoming RADIUS 
> transaction, yet the NAS sees it!

  Run tcpdump on the network.  I'd bet that the packets are going to a
different IP and/or port.

  If the packets aren't seen in the debug log or in the detail files,
then the server isn't receiving them.

  Alan DeKok.



Re: segmentation fault ( eaptls_process returned 3 )

2004-10-08 Thread Alan DeKok
"atul dhingra" <[EMAIL PROTECTED]> wrote:
> I am facing  a segmentation fault error while using following snapshots for 
> openssl and freeradius
> 
> openssl-0.9.6-stable-SNAP-20041002

  Use 0.9.7b or later.

  Alan DeKok.



Re: different LDAP attribute mappings

2004-10-08 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> What I want to achieve - I want to have a user authentication LDAP server with
> ntpassword/lmpassword for PEAP-MSCHAPv2 and have the MD5 userpassword attribute
> in LDAP for all the other authentication services we want to provide (vpn
> dialin, etc ... )

  That should work.

> I have read that I have to map radius-userpassword to the LDAP password
> attribute, so my question is, is there any way to configure freeradius to
> check first against ntpassword and if this fails to check again
> against the userpassword attribute of LDAP ?

  You shouldn't have to.  If both ntPassword && md5 passwords are
defined for the user in LDAP, then the server will add both to the
request, and the module doing authentication will use whichever one
makes sense for the particular authentication method.

  Alan DeKok.



Rejecting null realm

2004-10-08 Thread AJ Grinnell
I am still having trouble finding a way to reject users who do not use
a realm. Googling and man pages haven't shown me anything yet. Any
ideas?



Re: Reply-Message

2004-10-08 Thread Alan DeKok
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> I was told to change as little as possible in the configuration files
> and that PEAP/MSCHAPv2 using Microsoft's 802.1x client with an LDAP backend
> DB would work fine. This is not the case and I would appreciate any
> suggestions on what to modify to make this work.

  OK...

> The only portion of the config that I changed was the ldap module
> section (to point to my ldap server) and the ldap line in the
> authorize section (uncommented the single line). 

  You have to configure the tls{} subsection of eap.conf, too.

> I have included some output from the server when I attempt to
> authenticate.

  You've edited the output.  Don't do that.  It makes it impossible
for anyone to help you.

> rad_recv: Access-Request packet from host 172.16.83.1:32830, id=20,
> length=111 
> User-Name = cprice 
> NAS-IP-Address = 172.16.80.4 
> NAS-Port = 29 
> NAS-Port-Type = Wireless-802.11 
> Calling-Station-Id = 00904B91CCAF 
> Called-Station-Id = 000B86010C80 
> Framed-MTU = 1300 
> EAP-Message = 0x0217000b01637072696365 
> Message-Authenticator = 0xa125c1b253031500294644d1f713050e 
> rlm_ldap: - authorize 

  There should be a LOT more text between the "Message-Authenticator"
line and the "rlm_ldap" line.

  If you don't understand why it doesn't work, you don't know which
parts of the debug log are important, so editing it means you WILL
delete the important bits, making it impossible for anyone to help
you.

  Alan DeKok.



Re: Wierd FR/MySQL behaviour

2004-10-08 Thread Josh Howlett
--On Friday, October 08, 2004 10:41:34 -0400 Alan DeKok <[EMAIL PROTECTED]>
wrote:

> Josh Howlett <[EMAIL PROTECTED]> wrote:
> > I've done that too - and there's no record of the incoming RADIUS
> > transaction, yet the NAS sees it!
>
>   Run tcpdump on the network.  I'd bet that the packets are going to a
> different IP and/or port.

I'm doing that, matching packets to & from udp/1812.

>   If the packets aren't seen in the debug log or in the detail files,
> then the server isn't receiving them.

That's what I would be inclined to believe ordinarily, but the NASes' logs
say otherwise :-/

thanks, josh.
--
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



Re: Rejecting null realm

2004-10-08 Thread Alan DeKok
AJ Grinnell <[EMAIL PROTECTED]> wrote:
> I am still having trouble finding a way to reject users who do not use
> a realm. Googleing and man pages havent shown me anything yet. Any
> ideas?

#---
DEFAULT Realm == NULL, Auth-Type := Reject

#---

  That should do it, I think.

  Or,

#---
DEFAULT User-Name !~ ".*@", Auth-Type := Reject

#---

  Which will work if you have regexes, and all realms use "[EMAIL PROTECTED]".

  Alan DeKok.
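
The two DEFAULT entries above, applied the way the users file applies check items, as an added example that is not the poster's or FreeRADIUS's code. It assumes the realm module has already set Realm on the request, with the literal value NULL for a name without a realm (what a NULL realm in proxy.conf produces); the request values are constructed, and Fall-Through is not modelled.

```python
import re

# The two users-file entries suggested in the reply above.
REALM_RULE = "DEFAULT Realm == NULL, Auth-Type := Reject"
REGEX_RULE = 'DEFAULT User-Name !~ ".*@", Auth-Type := Reject'

# One item: attribute, operator, value (quoted or bare), then comma or end.
ITEM_RE = re.compile(
    r'\s*([\w-]+)\s*(==|!=|=~|!~|:=)\s*("(?:[^"\\]|\\.)*"|\S+?)\s*(?:,|$)')


def parse_entry(line):
    """Split one users-file line into (name, check items, control items).
    '==', '!=', '=~' and '!~' are checks against the request; ':=' sets a
    control item such as Auth-Type. Reply items on indented continuation
    lines are out of scope here."""
    name, _, rest = line.partition(" ")
    checks, controls = [], []
    for attr, op, val in ITEM_RE.findall(rest):
        item = (attr, op, val.strip('"'))
        (controls if op == ":=" else checks).append(item)
    return name, checks, controls


def check_matches(request, attr, op, val):
    """Evaluate one check item against a request (a dict of attributes).
    The regex operators use search semantics, like the server's."""
    have = request.get(attr)
    if op in ("==", "!="):
        hit = have == val
    else:
        hit = have is not None and re.search(val, have) is not None
    return hit if op in ("==", "=~") else not hit


def evaluate(entries, request):
    """Return the control items of the first entry whose name applies
    (DEFAULT or the exact User-Name) and whose checks all match, or []
    when nothing matches. Fall-Through is not modelled."""
    for line in entries:
        name, checks, controls = parse_entry(line)
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_matches(request, *item) for item in checks):
            return controls
    return []


def rejected(entry, request):
    """True when the entry sets Auth-Type := Reject for this request."""
    return ("Auth-Type", ":=", "Reject") in evaluate([entry], request)


def make_request(user_name, realm):
    """Constructed request: User-Name as sent, Realm as the realm module
    left it ('NULL' when no realm was found; assumption noted above)."""
    return {"User-Name": user_name, "Realm": realm}
```

The third constructed request below shows the caveat in the reply: a name in DOMAIN\user form carries no '@', so the regex rule rejects it even when the realm module has assigned it a realm.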



Re: Reply-Message

2004-10-08 Thread Christopher Price

Here is the full output after I uncommented the tls and peap sections in eap.conf. I still seem to have a problem

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth

Re: Ntlm_auth how-to

2004-10-08 Thread Alan DeKok
=?iso-8859-1?Q?=D8ystein_G=E5sdal?= <[EMAIL PROTECTED]> wrote:
> I still can't get this to work...
> After configuring samba, I get ntlm_auth to work manually:

  Ok...

> But it still does not work via radius:

  Yup.

> I can't figure out what's wrong

  Look at the arguments to the two ntlm_auth commands.  They're
different.  I'll bet that if you made them look the same, then it
would work with FreeRADIUS.

  Try:

  ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} 
--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}"

> so I'm attaching both my radius.conf  and the radiusd debug/log file
...
>   filename="radiusfiles.rar"

  In a format that few people can use.  Plain text would be better.

  Alan DeKok.
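
The argument mismatch the reply points at, as an added example that is not the poster's or FreeRADIUS's code: it parses the Exec-Program debug line quoted above, builds the argv the suggested ntlm_auth line would produce, and flags an invocation that still carries the domain inside --username. It assumes the mschap xlats behave as their names suggest (User-Name with the domain stripped, NT-Domain the part before the backslash) and that the MS-CHAPv2 challenge and NT-Response are 8 and 24 bytes of hex; the sample values are the ones quoted in the thread.

```python
import re

NTLM_AUTH = "/usr/bin/ntlm_auth"  # assumed path, as in the debug line above

# Sample values copied from the Exec-Program line quoted in the thread.
SAMPLE_USER_NAME = "AALESUND\\OG4"
SAMPLE_CHALLENGE = "ca836119d50fefab"
SAMPLE_NT_RESPONSE = "81c243a7096b1aea98ebf7c171df2d842daf37d69868d220"
BROKEN_DEBUG_LINE = (
    "Exec-Program: /usr/bin/ntlm_auth --request-nt-key "
    "--username=AALESUND\\\\OG4 --challenge=" + SAMPLE_CHALLENGE
    + " --nt-response=" + SAMPLE_NT_RESPONSE
)

# Expected hex digit counts: MS-CHAPv2 challenge 8 bytes, NT-Response 24.
HEX_DIGITS = {"--challenge": 16, "--nt-response": 48}


def split_nt_name(user_name):
    """Split 'DOMAIN\\user', as a Windows supplicant sends it, into
    (domain, user); domain is None when there is no backslash. This is
    the split assumed for the mschap:NT-Domain / mschap:User-Name xlats."""
    domain, sep, user = user_name.partition("\\")
    return (domain, user) if sep else (None, user_name)


def build_ntlm_auth_argv(user_name, challenge, nt_response, path=NTLM_AUTH):
    """argv equivalent of the suggested ntlm_auth line: user and domain as
    separate options, with '00' standing in for a missing challenge or
    response the way the ':-00' defaults do."""
    domain, user = split_nt_name(user_name)
    argv = [path, "--request-nt-key", "--username=" + user]
    argv.append("--domain=" + (domain or ""))
    argv.append("--challenge=" + (challenge or "00"))
    argv.append("--nt-response=" + (nt_response or "00"))
    return argv


def parse_exec_program_line(line):
    """argv from an 'Exec-Program:' line of radiusd -X output; the debug
    printer doubles backslashes, so undo that."""
    prefix = "Exec-Program:"
    if not line.startswith(prefix):
        raise ValueError("not an Exec-Program line: " + line[:40])
    return [a.replace("\\\\", "\\") for a in line[len(prefix):].split()]


def check_ntlm_auth_argv(argv):
    """Problems with an ntlm_auth invocation, as a list of strings: the
    domain still embedded in --username (the mismatch the reply points
    at), and challenge/response values that are not well-formed hex."""
    opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
    problems = []
    if "\\" in opts.get("--username", "") and "--domain" not in opts:
        problems.append("domain embedded in --username; pass --domain separately")
    for opt, digits in HEX_DIGITS.items():
        val = opts.get(opt)
        if val is None:
            problems.append(opt + " missing")
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % digits, val):
            problems.append("%s is not %d hex digits" % (opt, digits))
    return problems
```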



Re: Reply-Message

2004-10-08 Thread Alan DeKok
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> Here is the full output after I uncommented the tls and peap sections in
> eap.conf. I still seems to have a problem 

  Ok

> Module: Loaded eap 
>  eap: default_eap_type = md5 

  So... are you using PEAP or not?

>   rlm_eap: processing type md5 
> rlm_eap_md5: Issuing Challenge 

  No, you're not using PEAP.

> Going to the next request 
> --- Walking the entire request list --- 
> Waking up in 6 seconds... 
> --- Walking the entire request list --- 
> Cleaning up request 0 ID 10 with timestamp 4166a949 
> Nothing to do.  Sleeping until we see a request. 

  And the client never responds to the EAP-MD5 challenge.

  Alan DeKok.



freeradius with Mysql Data Base

2004-10-08 Thread elimachi

Dear list:

This is my first experience with freeradius. I installed
freeradius-1.0.1.tar.gz into a Red Hat 7.3 box (it is old but I don't have
any other option); however, the radius server is running OK. This week I
worked with PPP basic authentication and authorization options, working
with the clients and users flat files, and all is working OK.

I'd like to use freeradius for router (Cisco) management access from my
users. I have some questions and I'll appreciate your help:

1.- I have these lines in my cisco configuration:

aaa authentication login default group radius enable
aaa authorization exec default group radius

With the second line, when the customer logs in to the router he enters his
username and password and receives a Router> prompt, for example; then if he
likes to access enable mode configuration, he types the "enable" command and
the router asks for a password.
My question is: How should I configure my user profile for this
operation? And where do I keep that password? The password has to be the
same for all routers.

Now, I'd like to work with a MySQL database for better administration. To
create my database I used the db_mysql.sql script provided when I untarred
the tar.gz file. Now:

1.- How should I configure my freeradius to work with MySQL?

Thank you for your help.


EDWIN LIMACHI N.




Re: freeradius with Mysql Data Base

2004-10-08 Thread Thor Spruyt
Hi,

Just some suggestions:
1) use plain text mail
2) split up your problem in several parts (e.g. the mysql part and the Cisco
part)

For the Cisco part, reading the Cisco manuals might help.
For the MySQL part, reading the documentation and configuration files might help
(e.g. /etc/raddb/sql.conf and /etc/raddb/radiusd.conf).

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 08, 2004 5:26 PM
Subject: freeradius with Mysql Data Base



Re: SSLV3 error

2004-10-08 Thread Vito Pascali

>   Does this affect the users ability to log in?

No, but I still have to reconnect the XP (SP2) PC.
I don't know if it is a client problem or maybe I'm missing something in the
radius conf.
Let me know if you need more debug log.
Thanks again for the help.
Vito




attribute value

2004-10-08 Thread freeradius

hello,

Is there a way to access the value of an integer attribute rather
than the dictionary (string) translated value ?

I have the following problem:
In the dictionary file I have:
ATTRIBUTE   Service-Type    6   integer
VALUE       Service-Type    Sip-Session     15

when I use %{Service-Type} in the sql config I get "Sip-Session" for value 15

how can I get 15 instead of "Sip-Session" without removing the
dictionary entry ?

thanks,
Razvan Radu
 





Simultaneous-use - Reply-Message

2004-10-08 Thread Kyriaki Gali



Hello,
does anyone know how I can change the Reply-Message that I
get with another RAD_REPLY when the user is rejected because
Simultaneous-Use = 1?

thanks.

Kyriaki Gali, IT Applications Specialist
Kinetix Tele.com Support Center
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]


client vpn - routeur cisco - freeradius 0.9.3

2004-10-08 Thread raphael amadelli
Hello everyone,

I would like to connect to my private network, with an IP
address depending on "login/mot_de_passe", over the internet
(RTC) with:

 1/ The VPN client 4.02 (win2k) with the Group
Authentication "group3000" and pre-shared key
"grouppass"

| client vpn | -> | Router Cisco 837 | -> | freeradius 0.9.3 (mdk9.2)+mysql |

  2/ Login/mot_de_passe for the user authentication


Problem :

The VPN client connects with its parameters (Group
Authentication "group3000" and key "grouppass", which
I do not know where to put in freeradius/mysql) to the
router, then it asks me for a login/mot_de_passe
(user in freeradius/mysql) and I can connect to the
router, but it does not give me the IP addresses from
freeradius/mysql, but the ones defined in the "ippool"
of the "group3000" group.

My conf :

aaa authentication login userauthen group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization network grouplist group radius local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
...
crypto isakmp client configuration group group3000
 key grouppass
 dns xxx.xxx.xxx.xxx
 wins xxx.xxx.xxx.xxx
 domain toto.fr
 pool ippool
...
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list grouplist
crypto map clientmap client configuration address respond
crypto map clientmap 3 ipsec-isakmp dynamic dynmap
...
ip local pool ippool 192.168.200.1 192.168.200.100
...
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
radius-server key xxx
radius-server vsa send accounting

In the radius.log, the login is OK for the
login/mot_de_passe but it tries to log in the group
"group3000"/key "grouppass".

Please help me.

Alfafa








writing a FreeRADIUS module in perl: where to start

2004-10-08 Thread Jose Guevarra
Hi,

 I've read from previous discussions that a module can be used to change
the format of the FreeRADIUS logs. In particular,  I'd like to add
replies from 802.1x authenticator switches like HP 2650 which have vlan
id's, port, and other information.  I hear this is possible with a
module that can be written in PERL.

Is there any documentation on how to do this? Has anyone done this, yet?
Where should I start?

Thanks,




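As an added illustration for the question above (this is example code, not code from the thread or from the FreeRADIUS project), here is a minimal rlm_perl module that writes one custom log line per accepted 802.1X authentication, including the VLAN the switch is told to assign. It assumes rlm_perl is loaded in radiusd.conf with `module = ${confdir}/custom_logger.pl`, listed in the post-auth section, and uses rlm_perl's default function names (authorize, accounting, post_auth); the log path and the chosen attribute set are placeholders for this example. The standard attributes (User-Name, NAS-IP-Address, NAS-Port, Calling-Station-Id, Tunnel-Private-Group-Id) are the ones a switch and the server exchange for VLAN assignment.

```perl
use strict;
use warnings;

# rlm_perl fills these hashes before each call (attribute name => value,
# or an array ref when the attribute occurs more than once).
our (%RAD_REQUEST, %RAD_REPLY);

# Return codes rlm_perl understands (numbering as in the example.pl
# shipped with FreeRADIUS).
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

my $LOG = '/var/log/radius/dot1x.log';   # placeholder path for this example

# Fetch an attribute by name; some FreeRADIUS versions key tagged
# attributes such as Tunnel-Private-Group-Id as "Name:tag", so accept
# either form.
sub attr {
    my ($h, $name) = @_;
    return $h->{$name} if exists $h->{$name};
    for my $k (keys %$h) {
        return $h->{$k} if $k =~ /^\Q$name\E:\d+$/;
    }
    return undef;
}

# Build one key="value" log line from the request and the reply about to
# be sent. Control characters and quotes are stripped so a crafted
# User-Name cannot inject extra lines or fields into the log.
sub format_line {
    my ($req, $rep) = @_;
    my @fields = (
        [ user => attr($req, 'User-Name') ],
        [ nas  => attr($req, 'NAS-IP-Address') ],
        [ port => attr($req, 'NAS-Port') ],
        [ mac  => attr($req, 'Calling-Station-Id') ],
        [ vlan => attr($rep, 'Tunnel-Private-Group-Id') ],
    );
    my @out;
    for my $f (@fields) {
        my ($k, $v) = @$f;
        $v = join(',', @$v) if ref $v eq 'ARRAY';
        $v = '' unless defined $v;
        $v =~ s/[\x00-\x1f\x7f"]//g;
        push @out, qq{$k="$v"};
    }
    return join(' ', scalar(localtime), @out) . "\n";
}

# Entry point listed in the post-auth section: runs after the user was
# accepted, when the VLAN reply items are already present.
sub post_auth {
    my $line = format_line(\%RAD_REQUEST, \%RAD_REPLY);
    if (open(my $fh, '>>', $LOG)) {
        print $fh $line;
        close($fh);
    } else {
        &radiusd::radlog(1, "custom_logger: cannot open $LOG: $!");
    }
    return RLM_MODULE_OK;   # never changes the accept/reject decision
}

# Remaining entry points rlm_perl may be configured to call.
sub authorize  { return RLM_MODULE_NOOP; }
sub accounting { return RLM_MODULE_NOOP; }
sub detach     { return RLM_MODULE_OK; }
```

The logging is done in post_auth rather than authorize because the VLAN reply items only exist once the user has been accepted; returning RLM_MODULE_OK from there keeps the module from influencing the decision, and the character filter is what makes the resulting file safe to feed to log parsers.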


Problems with counter module

2004-10-08 Thread EROS
Hi,

What type of do you use ?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of
[EMAIL PROTECTED]
Sent: Friday 8 October 2004 15:57
To: [EMAIL PROTECTED]
Subject: Problems with counter module


Hi all,
I need help with the counter module. I'd like to allow an internet connection
for 1 hour. users file:

Pablo   Auth-Type := Local, Max-Daily-Session := 3600, User-Password == "Pablo", NAS-IP-Address = "192.168.0.135"
        Service-Type = Framed-User,
        Session-Timeout := 3600,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Idle-Timeout = 3600,
        Port-Limit = 1

So it works, but at the end of the hour you can connect again without
any reject, so I tried

Pablo   Auth-Type := Local, Max-Daily-Session := 3600, User-Password == "Pablo", NAS-IP-Address = "192.168.0.135", Daily-Session-Time > 3600, Auth-Type := Reject
        Service-Type = Framed-User,
        Session-Timeout := 3600,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Idle-Timeout = 3600,
        Port-Limit = 1

and that's the answer

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "Pablo", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 97
users: Matched Pablo at 142
  modcall[authorize]: module "files" returns ok for request 0
rlm_counter: Entering module authorize code
rlm_counter: Searching the database for key 'Pablo'
rlm_counter: Could not find the requested key in the database.
rlm_counter: Check item = 3600, Count = 0
rlm_counter: res is greater than zero
rlm_counter: (Check item - counter) is greater than zero
rlm_counter: Authorized user Pablo, check_item=3600, counter=0
rlm_counter: Sent Reply-Item for user Pablo, Type=Session-Timeout,
value=3600
  modcall[authorize]: module "daily" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.

I tried changing it to
Daily-Session-Time < 3600 in the users file, just to try, but I get the
same answer, so I don't know what to do. If anybody can help me or send
a correct users file and radiusd.conf file, it would be great.

thanks.







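To make the debug output quoted above easier to read, here is an added example (not code from the thread and not rlm_counter's own source) that models what the counter module does with a Max-Daily-Session check item: the count for a user only grows when an Accounting-Stop carrying Acct-Session-Time reaches the module, the authorize side subtracts that count from the check item and returns the remainder as Session-Timeout, and a missing key is treated as zero. The in-memory %db, the daily reset and the timestamp are constructed for this example.

```perl
use strict;
use warnings;

my $CHECK_NAME = 'Max-Daily-Session';   # the check item used in the users file
my $COUNT_ATTR = 'Acct-Session-Time';   # the attribute the counter adds up

# In-memory stand-in for the counter's database, plus the next reset time.
my %db;
my $reset_time = 0;

# Daily reset: the counter throws its database away at midnight.
sub maybe_reset {
    my $now = shift;
    if ($now >= $reset_time) {
        %db = ();
        $reset_time = $now - ($now % 86400) + 86400;
    }
}

# Accounting side: only an Accounting-Stop carrying Acct-Session-Time
# adds to the user's count. Without it the key is never created.
sub accounting {
    my ($now, %req) = @_;
    maybe_reset($now);
    return 'noop' unless defined $req{'Acct-Status-Type'}
                     && $req{'Acct-Status-Type'} eq 'Stop';
    return 'noop' unless defined $req{'User-Name'} && defined $req{$COUNT_ATTR};
    $db{ $req{'User-Name'} } += $req{$COUNT_ATTR};
    return 'ok';
}

# Authorize side: compare the check item with the stored count and hand
# back the remaining time as Session-Timeout, or reject when nothing is left.
sub authorize {
    my ($now, $user, %check) = @_;
    maybe_reset($now);
    return ('noop', undef) unless defined $check{$CHECK_NAME};
    my $counter = exists $db{$user} ? $db{$user} : 0;   # missing key counts as 0
    my $res = $check{$CHECK_NAME} - $counter;
    return ('reject', undef) if $res <= 0;
    return ('ok', $res);
}

# Walk-through with a constructed timestamp: first login, one hour of
# accounted session time, a retry, and a login the next day.
unless (caller) {
    my $t = 1_097_200_000;
    my ($r, $timeout) = authorize($t, 'Pablo', $CHECK_NAME => 3600);
    print "first login: $r, Session-Timeout=",
          (defined $timeout ? $timeout : 'n/a'), "\n";

    accounting($t + 3600, 'User-Name' => 'Pablo',
               'Acct-Status-Type' => 'Stop', $COUNT_ATTR => 3600);
    ($r, $timeout) = authorize($t + 3700, 'Pablo', $CHECK_NAME => 3600);
    print "retry after the hour was accounted: $r\n";

    ($r, $timeout) = authorize($t + 86400 + 100, 'Pablo', $CHECK_NAME => 3600);
    print "next day: $r, Session-Timeout=",
          (defined $timeout ? $timeout : 'n/a'), "\n";
}
```

Read against the quoted debug log, "Could not find the requested key" followed by "counter=0" is the accounting path never having run for that user: when no Accounting-Stop with Acct-Session-Time arrives (or the counter is not listed in the accounting section), every new login starts from zero and is accepted for the full 3600 seconds. The second users entry is rejected for a different reason: `Auth-Type := Reject` placed among the check items is applied as soon as the entry matches, which is why the log shows "Found Auth-Type Reject" even though the counter is still zero.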


Re: attribute value

2004-10-08 Thread Alan DeKok
<[EMAIL PROTECTED]> wrote:
> Is there a way to access the value of an integer attribute rather
> than the dictionary (string) translated value ?

  Not really.  Editing the dictionaries is the simplest way to do that.

  Alan DeKok.



I have a question....

2004-10-08 Thread Mike Horwath
that might already be answered,  but googling hasn't found me the magic.

I have redundant RADIUS server frontend boxes with slaved MySQL databases.

I would like:

   Read auth* data from 

   Write accounting data to 

and I can't find the magic yet.

Anyone wanna whack me with a clue?

-- 
Mike Horwath
[EMAIL PROTECTED]



freeradius-users@lists.freeradius.org

2004-10-08 Thread Kassai Istvan
Hello all!

Right now I've installed freeradius with postgres support. I have got
some (5) Cisco Aironet access points, and want to authenticate the
clients from the database, and also account their total traffic to
postgres. Could anybody help me with sample config files or anything
else, because I know too little about it to ask.

thanks
Kako




Custom Logger module

2004-10-08 Thread Jose Guevarra
Does anyone have the module (or one like it) listed in this thread?



http://lists.cistron.nl/pipermail/freeradius-devel/2002-October/003675.html




Proxy requests....

2004-10-08 Thread Hugo Sousa

Hi all,


I have 3 computers.


Computer 1 - Realm A


Computer 2 - PROXY


Computer 3 - Realm B


What should I place in the proxy.conf of computer 1 and computer 2?


The goal is to kick the request to the proxy whenever it's needed.


The PROXY is the only machine that knows REALM A and REALM B.


Computer 1 doesn't know where REALM B is and vice versa, so all of these requests should be kicked to COMPUTER 2 (PROXY) and after that kicked to the right REALM/COMPUTER.

Thanks all.


 

Regards,

Hugo Sousa





Looking for commercial support for mod_auth_radius in Canada

2004-10-08 Thread Gaziz Nugmanov
Hello freeradius-users,

Sorry for non-technical quick question.

  My employer needs to find a reliable company
  that can support mod_auth_radius in our apache 1.3 proxy
  environment. We are located in Toronto.

-- 
Best regards,
Gaziz Nugmanov




[sorry, sending again, please help]. Overwrite reply item

2004-10-08 Thread Tanveer Hasan
Dear List,

I'm using freeRadius 0.9.3.
In the default block of the users file,

Exec-Program-Wait = "/usr/local/iradius/radplug -t auth"
USR-Framed_IP_Address_Pool_Name = "ippool"

In some cases, my program returns
USR-Framed_IP_Address_Pool_Name := "unreg"

'man 5 users' says it will overwrite the pool name, but
it's not doing so. I ran freeRadius in debug mode and checked
the outputs.

Can anyone please help me? I think there is surely someone who
has done this.

--
tanveer



Re: Looking for commercial support for mod_auth_radius in Canada

2004-10-08 Thread Amedzekor Kafui
Hi,

Is it a contract position? Which OS are you running
on?
Thanks.

Kafui Amedzekor.

--- Gaziz Nugmanov <[EMAIL PROTECTED]> wrote:

> Hello freeradius-users,
> 
> Sorry for non-technical quick question.
> 
>   My employer needs to find a reliable company
>   that can support mod_auth_radius in our apache 1.3
> proxy
>   environment. We are located in Toronto.
> 
> -- 
> Best regards,
> Gaziz Nugmanov
> 
> 
> 





Re: Is there some kind of trick to make Cisco LEAP work???

2004-10-08 Thread Edward Greenspan
>> James,
>>
>> We have gotten LEAP to work with Cisco access points.  My last posting
>> on the subject might help if you haven't gotten there yet...
>>
>
>>
>> However, we have not been able to get LEAP for Cisco's WDS worked out.
>> All of the access points in the group authenticate successfully, but
>> the WLSE does not.
>>
>Yes, WLSE is not running exactly like an access point :-((
>Comparing the answer of the Cisco radius server ACS, which authenticates
>WLSE and access points, with freeradius, we can see that ACS doesn't
>increment the EAP ID as said in doc/rfc/leap.txt :
>-
> 4. RS->AP: Access-Challenge/EAP Success (with EAP id++)
>   + State (may be different than the state sent in <2>)
>-
>So with this first patch in
>freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_
>leap :
>---
>--
>--- rlm_eap_leap.c.FCS  2004-08-16 18:29:23.0 +0200
>+++ rlm_eap_leap.c  2004-08-16 18:34:25.0 +0200
>@@ -147,7 +147,10 @@
>/*
> *  Do this only for Success.
> */
>-   handler->eap_ds->request->id =
handler->eap_ds->response->id
>+ 1;
>+/* RT   Oops WLSE don't like CISCO LEAP
standard
>+   handler->eap_ds->request->id =
handler->eap_ds->response->id
>++ 1; */
>+
>+   handler->eap_ds->request->id =
handler->eap_ds->response->id ;
>handler->eap_ds->set_request_id = 1;
>
>/*
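Review bot: the id++ removal is unconditional, so every LEAP peer, not just the WLSE, now gets a Success whose EAP id equals the response id, and the unchanged `handler->eap_ds->set_request_id = 1;` line right below still forces that id onto the wire; access points that do follow step 4 of doc/rfc/leap.txt (id++) are therefore affected too. Gate the behaviour on a module configuration flag instead (the poster's own workaround of running a separate instance on port 1645 only for WDS confirms it is not safe as a global change). Also, the old assignment is left behind as a commented-out block with the `/* RT Oops ... */` comment wrapped around it; delete the old line and keep a one-line comment stating why the id is not incremented.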
>---
>
>
>The WLSE accepts the response of freeradius and sends an Access-Request/EAP
>Request/LEAP
>
>But in stage 6 the WLSE does not accept the SUCCESS response of the RS with the
>normal id++,
>so I made a second patch of eap.c in freeradius-1.0.0/src/modules/rlm_eap
:
>---
>
>--- eap.c.FCS   2004-08-16 18:25:05.0 +0200
>+++ eap.c   2004-08-16 18:28:47.0 +0200
>@@ -393,6 +393,16 @@
>
>hdr->code = (reply->code & 0xFF);
>hdr->id = (reply->id & 0xFF);
>+
>+   /* RT  Oops WLSE don't like CISCO LEAP Standard ... so we make as
ACS
>+do
> */
>+   if((reply->code == PW_EAP_RESPONSE) &&
>+   (reply->type.type == PW_EAP_LEAP) &&
>+  (reply->type.length == 30)) { hdr->id -= 1 ;}
>+
>+DEBUG2("  rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d",
>+  reply->type.type,reply->type.length);
>+/* END MODIF RT */
>+
>total_length = htons(total_length);
>memcpy(hdr->length, &total_length, sizeof(uint16_t));
>
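Review bot: the `hdr->id -= 1` is keyed on `reply->type.length == 30`, a magic length with no comment saying which LEAP message it is meant to identify; a packet length is a fragile selector, so name the constant and, better, key the adjustment on the LEAP stage or on a configuration flag. Because `hdr->id` holds a single byte (note the `& 0xFF` mask in the unchanged line just above), a reply id of 0 wraps to 255 here. The `DEBUG2("  rlm_eap: RT Modif ...")` call sits outside the `if` braces, so it fires for every EAP reply the server builds rather than only when the id is adjusted; move it inside the braces.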
>---
>
>
>Since I have freeradius working with thousands of users with many
protocols,
>I made a rogue_radius with these 2 bad patches listening on port 1645 only
for
>Cisco WDS !!!
>

Richard,

I have been trying to get my WLSE working with FreeRadius for a very long
time, until I finally stumbled onto your post.

I have applied the patches you provided to freeradius 1.0.1 and I am
definitely getting further along than I used to with the WLSE authenticating to
the WDS-enabled AP; however it's not getting to the final "SECURITY KEYS
SETUP" state. I can only get it to go as far as the "AUTHENTICATED" state when
I execute "sh wlccp wnm status" on the AP. I am able to get this working
using the "built in" radius server on the access point, but no luck with
Freeradius (I wish Cisco would follow a standard protocol).

Do you have any suggestions?

Here is the output from freeradius when the WLSE attempts to authenticate.

(I apologize for the long email)


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = y

Re: Installation problem in Solaris 2.6 error: AF_INET undeclared

2004-10-08 Thread Hernan Cortez

Hi, thanks for the help. The following is the procedure to install in
Solaris 2.6
1.- Install (or check) the following packages:

expat
libiconv
gdbm
openssl
apache
libpcap
tcpdump
libnet
zlib
ncurses
mysql

2.- Run:
./configure

3.- Edit the src/include/autoconf.h file

4.- Comment out the following lines:
/* #define HAVE_INET_NTOP 1 */

/* Define if you have the inet_pton function.  */
/* #define HAVE_INET_PTON 1 */

5.- Run make

6.- Run make install

That's all.
HC


   
   
"Hernan Cortez" <[EMAIL PROTECTED]> wrote on 04-10-2004 08:57
(Subject: Re: Installation problem in Solaris 2.6 error: AF_INET undeclared):

Sorry, I didn't post the answer in the last reply.


Hi, thanks for the answer.
Which config.h file?
The find command shows me 13 config.h files:

bash-3.00# find . -name config.h -print
./libltdl/config.h
./src/modules/rlm_attr_rewrite/config.h
./src/modules/rlm_checkval/config.h
./src/modules/rlm_counter/config.h
./src/modules/rlm_eap/types/rlm_eap_peap/config.h
./src/modules/rlm_eap/types/rlm_eap_sim/config.h
./src/modules/rlm_eap/types/rlm_eap_tls/config.h
./src/modules/rlm_eap/types/rlm_eap_ttls/config.h
./src/modules/rlm_ippool/config.h
./src/modules/rlm_pam/config.h
./src/modules/rlm_radutmp/config.h
./src/modules/rlm_sql/drivers/rlm_sql_mysql/config.h
./src/modules/rlm_unix/config.h

Also ./configure shows this:

checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for regex.h... (cached) yes
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged

Thanks in advance.
HC



[EMAIL PROTECTED] wrote on 02-10-2004 09:55
(Subject: Re: Installation problem in Solaris 2.6 error: AF_INET undeclared):


Hi,

> Hi, I'm trying to install freeradius v1.0.1 in solaris 2.6, however when
> I try to compile it shows the following errors:
>
> misc.c:355: error: `AF_INET6' undeclared (first use in this function)
> misc.c:355: error: (Each undeclared identifier is reported only once
> misc.c:355: error: for each function it appears in.)

What I have been doing is manually undefining
 HAVE_INET_PTON
and
HAVE_INET_NTOP
in the configure-generated config.h after running
configure.

The proper fix probably would be to replace the
check for the availability of inet_pton by testing
compilation of a dummy main involving both inet_pton
and AF_INET6 (and similar for inet_ntop), however,
since I don't have AF_INET6, I can't really test if
the trivial modification that I'd do locally does break
compilation on systems which do support IPv6 (e.g. thanks
to a typing error on my part), so I can't submit a patch...

HTH,
 Stefan












WPA Enterprise

2004-10-08 Thread Mahesh S Kudva
Dear All

I followed the documentation "802.1X Port Based Authentication HOWTO" and
the related documents. I am using Mac OS X to run my freeRADIUS 1.0.1.
Everything works fine except for the authentication. The client is Win2K.
Nothing seems to work for me.

radiusd.conf
-
   mschap { 
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
   }
==
eap.conf
--
eap {
   default_eap_type = peap


..
}

tls {
private_key_password = password
private_key_file = ${raddbdir}/1x/192.168.10.1.pem
certificate_file = ${raddbdir}/1x/192.168.10.1.pem
CA_file = ${raddbdir}/1x/root.pem
dh_file = ${raddbdir}/1x/DH
random_file = ${raddbdir}/1x/random
fragment_size = 1024
include_length = yes
}


peap {
   default_eap_type = mschapv2
}

=
clients.conf
---
client 192.168.10.0/24 {
secret  = test
shortname   = private-network-1
}

users
-
wpatest  User-Password == "wpatest"



The client has imported the required certificate.
1) root.der
2) wpatest.p12

For Mac clients, following the documentation at
http://homepage.mac.com/andreaswolf/public/wpaeap.html works perfectly fine.

Regards & Thanks

Mahesh S Kudva




