RE: access-challenge question

2004-11-04 Thread Matt
Ok, I will look elsewhere for client info.  But what about my server
question?  In freeradius, how do I set the RADIUS packet code to 11? So that
when a client contacts the server, an access-challenge will be issued?  Can
you help me with the correct syntax?  I assume it is done in the users file.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 03, 2004 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: access-challenge question 

Matt [EMAIL PROTECTED] wrote:
 First, I am new to the RADIUS protocol, and appreciate your help.  I'm
 working with a python web-interface and a remote server running
 freeradius-current.  Using the web-interface, I'm trying to get the client
 to print very verbose information about the transaction with the server
(as
 verbose as possible).

  I suggest asking the authors of the python code how to get debugging
information from the client.  This has nothing to do with FreeRADIUS.

 I believe I need to print more detail about the client side.

  So... fix the client, or ask the people who wrote the client to fix
it.

 Any advise on getting more verbose/complete output from the client
 side is much appreciated.

  Ask the people who wrote the client.  Don't ask here, I doubt anyone
here can help you.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




Problem in authenticating users with freeradius

2004-11-04 Thread Frankie Chan

hi,
I am not able to make the freeradius server successfully authenticate the end-user.
I installed freeradius version 1.0.0 on a Linux Red Hat 9 server and it compiled successfully. I did all the configuration that is necessary according to some documents on the net. I am using EAP (PEAP) with MSCHAPv2 for authentication. However, the end-user (wireless laptop) keeps failing to get authenticated by the radius server. I am using a Cisco Aironet 350 Access Point and the AP is communicating with the RADIUS server. Just the server fails to authenticate the user who wants to log in. Why? Below is the log file showing the radius server failing to validate users. I wish someone can help me. Thanks.

Frankie


rad_recv: Access-Request packet from host 172.20.121.223:1032, id=7, length=215
User-Name = "host/Frankie.isecures.com"
Cisco-AVPair = "ssid=tsunami"
NAS-IP-Address = 172.20.121.223
Called-Station-Id = "004096577875"
Calling-Station-Id = "00097c6f1df0"
NAS-Identifier = "AP350-577875"
NAS-Port = 38
Framed-MTU = 1400
State = 0xcc434f7fa5587277084f617bbb287b03
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020900261900170301001b0bbb8199a01a8e6942eb7ebb66eb48c359bd02361fc3b61e6302a0
Message-Authenticator = 0x15827d309bb02f0b6608f55351368992
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
users: Matched DEFAULT at 160
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 172.20.121.223:1032
EAP-Message = 0x04090004
Message-Authenticator = 0x
Waking up in 2 seconds...
	

HowTo Configure detail module to log specific AV Pairs

2004-11-04 Thread ROY
Hi List,

Is there a way to tell/configure detail module to log just specific
attribute-value pairs into detail file?

Say I just need the ff. to be logged:
1. callingstationid
2. calledstationid
3. h323connecttime
4. h323disconnecttime
5. acctdelaytime
6. h323confid

TIA,
Roy




Re: Oracle cursor leak

2004-11-04 Thread Kostas Zorbadelos
On Wed, Nov 03, 2004 at 07:27:18PM +0100, Roberto Re wrote:
 hi,
 
 I have applied the patch yesterday only, but the problem still exists.
 The cursors are allocated and they continuously increase up to the maximum
 limit imposed by Oracle to the db.
 
 I have analysed some of the queries allocating the cursors: there are some
 query to RADGROUPCHECK and RADGROUPREPLY tables, which are _*empty*_.
 Could it be those ones raising the problem?
 
 As we are not using those 2 tables , would it be possible to modify the
 cfg of Freeradius, so that it does no longer use them?
 
 I will also try to insert some dummy-values in the two RADGROUP...
 
 Thanks and regards
 Roberto


I am not using RADGROUPCHECK and RADGROUPREPLY either so I have
commented out all the relevant lines for them (including the queries)
in oraclesql.conf. I haven't noticed any problem with cursor
allocating in oracle 8i. Our DBA told me that there are database
parameters you can tune that could help (look at cursor_sharing and
instead of the value EXACT use FORCE (for 8i) or SIMILAR (for 9i)). 

Kostas
 
 
 
  On Thu, Oct 14, 2004 at 11:13:40AM +0200, Roberto Re wrote:
 
 
  Kostas Zorbadelos wrote:
 
  On Wed, Oct 13, 2004 at 06:25:25PM +0200, Roberto Re wrote:
  
  First of all thanks for your attention, Alan
  
  My problem however seems to be more like this:
  http://lists.cistron.nl/pipermail/freeradius-devel/2002-December/004052.html
  
  I had already checked the working code, which includes that patch and
  it
  is exactly the following one:
  
  http://www.freeradius.org/cvs-log/radiusd/src/modules/rlm_sql/drivers/rlm_sql_oracle/sql_oracle.c
  
  The code in this URL does not include the patch Alan is referring
  to. Of course the patch in
  http://bugs.freeradius.org/show_bug.cgi?id=128 addresses the
  freeradius crash in case of Oracle errors in sql queries. This happens
  with the Oracle 8i client libraries. I was told that Oracle 9 client
  libs do not cause the freeradius crash (not tested my self).
 
  In my experience with the Oracle 9 client (on Linux Red Hat Enterprise),
  freeRADIUS doesn't crash, but it doesn't release cursors on the Oracle side.
 
  Roberto
 
 
  OK, if the crashes do not happen on successive Oracle errors, try the
  patch and let us know if it also solves your problem.
 
 
 
 
 

-- 
  Kostas Zorbadelos
  Systems Developer, Otenet SA 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




RE: FreeRadius authenticate_query over authorize_check_query (D'OH!)

2004-11-04 Thread Mike Everest
Hello Thor,

 Mike Everest wrote:
  Mike Everest [EMAIL PROTECTED] wrote:
  Well, yes - in many ways it does.  Is there no way that I am able
  to use a custom table for additional checks then?

 Maybe multiple queries in the authorize_check_query would solve a bit.

Hmm - can it be done then?  That may be the answer - know of any
documentation that describes in some detail how that query is interpreted by
freeradius?

Thanks for the suggestion,

Regards,  Mike.






problem with logging

2004-11-04 Thread eLLe By
Hello,

I'm new to RADIUS. I have this problem: I use RADIUS on a Fedora Core
2 and a terminal server, a DEC 900 TM. I want to log all the actions
of the users of the DEC, but in the log file I find only this:
User-name
Nas-Ip-Address
Nas-Port
Client-Ip-Address
Time-stamp
The attributes that I want, for example acct-session-time, aren't there.
I also use the tool NTRadPing for Windows, with the default options,
and with it, in the directory where RADIUS saves the log, I find two
types of file, the auth-detail and the detail, and in both files the
session time attributes were present.
Is the wrong editing of the file radius.conf the reason for this error,
or is it the NAS that doesn't send the right information to RADIUS?

Luca.

P.S.: I'm sorry for my poor English.



LDAP authentication problem

2004-11-04 Thread Ossama Suleiman
Dear All,
   I am using freeradius 0.9.3 and trying to authenticate using a crypt 
password stored in LDAP, in another field rather than the usual userPassword.

   -in the authorize section i added: ldap
   -in the authenticate section i added: ldap, as well
   -in the ldap section i added:
   password_header = {CRYPT}
   password_attribute = radiususerPassword 
(user defined field, which stores the crypt password)

   when trying to authenticate i get the following error when running 
radius server in debug mode

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as uid=admin,ou=test,c=us/admin to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=test,c=us, with filter (uid=mfh)
rlm_ldap: checking if remote access for mfh is allowed by dialupAccess
rlm_ldap: Added password ynOJsAyb9oj5o in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP  op=21
rlm_ldap: looking for reply items in directory...
Invalid operator for item User-Password: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: Pairs do not match): [mfh/234] (from client 
localhost port 0)

Thank you
--
Ossama Suleiman
Systems Engineer
TE Data S.A.E
Email: [EMAIL PROTECTED]
Web:   www.tedata.net
Phone: +(202)-416-6600, EXT: 1105
Any Dream worth having, is a dream worth  fighting for.


Re: Oracle cursor leak

2004-11-04 Thread Roberto Re
Kostas Zorbadelos writes: 

I am not using RADGROUPCHECK and RADGROUPREPLY either so I have
commented out all the relevant lines for them (including the queries)
in oraclesql.conf. I haven't noticed any problem with cursor
allocating in oracle 8i. Our DBA told me that there are database
parameters you can tune that could help (look at cursor_sharing and
instead of the value EXACT use FORCE (for 8i) or SIMILAR (for 9i)).  

Kostas
Thanks Kostas,
I will follow your advice and keep you informed. 

Best regards
Roberto


Re: LDAP authentication problem

2004-11-04 Thread Kostas Kalevras
On Thu, 4 Nov 2004, Ossama Suleiman wrote:
Dear All,
  I am using freeradius 0.9.3 and trying to authenticate using a crypt 
password stored in LDAP, in another field rather than the usual userPassword.

  -in the authorize section i added: ldap
  -in the authenticate section i added: ldap, as well
If you are not going to use the userPassword attribute there's no point in using 
ldap in the authenticate section. It won't work. Use the pap module instead.

  -in the ldap section i added:
  password_header = {CRYPT}
  password_attribute = radiususerPassword (user 
defined field, which stores the crypt password)

  when trying to authenticate i get the following error when running radius 
server in debug mode

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as uid=admin,ou=test,c=us/admin to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=test,c=us, with filter (uid=mfh)
rlm_ldap: checking if remote access for mfh is allowed by dialupAccess
rlm_ldap: Added password ynOJsAyb9oj5o in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP  op=21
rlm_ldap: looking for reply items in directory...
Invalid operator for item User-Password: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
Set compare_check_items to no. Use something like the checkval to achieve that.
ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns reject for request 0
modcall: group authorize returns reject for request 0
Invalid user (rlm_ldap: Pairs do not match): [mfh/234] (from client localhost 
port 0)

Thank you
--
Ossama Suleiman
Systems Engineer
TE Data S.A.E
Email: [EMAIL PROTECTED]
Web:   www.tedata.net
Phone: +(202)-416-6600, EXT: 1105
Any Dream worth having, is a dream worth  fighting for.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
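The arrangement Kostas describes, written out as an added configuration example (this is not from the original posts or from the FreeRADIUS documentation): the ldap module fetches the crypt hash from the custom attribute and adds it as a check item, comparison of directory check items against the request is switched off, and the pap module performs the crypt(3) comparison. Section layout and directive names follow the 0.9.x/1.0.x radiusd.conf style; `encryption_scheme = crypt` is assumed to be the pap setting for crypt hashes; the bind DN, bind password and base DN are taken verbatim from the debug output above (which is also a reminder that unredacted debug output exposes the bind credentials).

```conf
# radiusd.conf (0.9.x / 1.0.x layout) -- only the parts relevant to this thread

modules {
    ldap {
        server = "localhost"
        identity = "uid=admin,ou=test,c=us"
        password = "admin"
        basedn = "ou=test,c=us"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # custom attribute holding "{CRYPT}<crypt(3) hash>"
        password_attribute = radiususerPassword
        password_header = "{CRYPT}"
        # Leave the password check to the authentication module.  With the
        # default of "yes" (the debug output above) the hash is compared
        # literally against the cleartext User-Password and never matches.
        compare_check_items = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }

    pap {
        # the User-Password check item that ldap adds is a crypt(3) hash
        # (assumed directive name for this version)
        encryption_scheme = crypt
    }
}

authorize {
    preprocess
    ldap
    files
}

authenticate {
    # no "Auth-Type LDAP { ldap }": an LDAP bind would test userPassword,
    # not the custom attribute
    Auth-Type PAP {
        pap
    }
}
```

One more thing to change is in the directory, not in radiusd.conf: the debug output shows the entry's radiusAuthType being mapped to `Auth-Type := LDAP`, which sends the request to the ldap authenticate block that is no longer there. That attribute has to read PAP (or be removed, with `DEFAULT Auth-Type := PAP` set in the users file instead) for the request to reach the pap block.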


Re: access-challenge question

2004-11-04 Thread Alan DeKok
Matt [EMAIL PROTECTED] wrote:
 Ok, I will look elsewhere for client info.  But what about my server
 question?  In freeradius, how do I set the RADIUS packet code to 11?

  If you're trying to send a challenge for the same reasons as your
last message, the answer is you're wasting your time.
Access-Challenge doesn't work that way.

  If you want to challenge the client as part of an authentication
protocol, the answer is that the protocol is already supported in
FreeRADIUS, and you don't have to do anything additional to make the
server send challenges.

  If you're trying to write your own authentication protocol using
Access-Challenge, then I suggest discussing that, first.  Once the
protocol is designed correctly, then you can configure the server to
use it.

  Alan DeKok.




Re: Problem in authenticating users with freeradius

2004-11-04 Thread Alan DeKok
Frankie Chan [EMAIL PROTECTED] wrote:
 I installed freeradius version 1.0.0 in linux redhat 9 server and it
 successfully compiled. I did all the configuration that is
 neccessary according to some documents on the net. I am using
 EAP(PEAP) with MSCHAPv2 for authentication. However the end-user
 (wireless laptop)keep on failing in getting authenticated by the
 radius server.

  Ok...

 I am using Cisco Aironet 350 Access Point and the AP
 is communicating with the RADIUS server. Just the server failed to
 authentication the user want to log in. Why? Below is the log file
 showing the radius server fail to validate users.I wish someone can
 help me. Thanks.
...
   rlm_eap_peap:  Had sent TLV failure, rejecting.

  sigh Please read the ENTIRE debug output.  It will tell you what's
going wrong, and why.  Reading only the last 20 lines is a guaranteed
way to learn nothing.

  Alan DeKok.




Re: HowTo Configure detail module to log specific AV Pairs

2004-11-04 Thread Alan DeKok
ROY [EMAIL PROTECTED] wrote:
 Is there a way to tell/configure detail module to log just specific
 attribute-value pairs into detail file?

  No.  The detail module logs all of the attributes in the packet.

  You can always post-process the detail file with a script, and
grep to get only certain attributes.

  Alan DeKok.


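The post-processing Alan suggests, as an added example (my script, not FreeRADIUS project code): it parses the detail-file layout rlm_detail writes (an unindented timestamp line, tab-indented "Attribute = value" lines, a blank line between records) and keeps only the six attributes ROY listed. The two sample records embedded in the script are constructed for the example; the Cisco VoIP attributes in them use the "name=value" form those gateways send inside the value, which the script strips, and matching is case-insensitive so the lower-case spellings in the question still work.

```python
#!/usr/bin/env python3
"""Keep only chosen attributes from a FreeRADIUS detail file.

Added example, not FreeRADIUS project code.  rlm_detail writes one record
per packet: an unindented timestamp line, tab-indented "Attribute = value"
lines, then a blank line.  Attributes listed in WANTED are printed as one
tab-separated row per record.
"""
import io
import sys

# Attributes asked for in the thread; matched case-insensitively because
# dictionaries and NAS firmware differ in capitalisation.
WANTED = [
    "Calling-Station-Id",
    "Called-Station-Id",
    "h323-connect-time",
    "h323-disconnect-time",
    "Acct-Delay-Time",
    "h323-conf-id",
]


def parse_detail(stream):
    """Yield one dict per detail record: {"_timestamp": ..., attr: value}."""
    record = {}
    for raw in stream:
        line = raw.rstrip("\r\n")
        if not line.strip():            # blank line ends a record
            if record:
                yield record
                record = {}
            continue
        if line[0] not in " \t":        # unindented line: record timestamp
            if record:                  # tolerate a missing blank separator
                yield record
            record = {"_timestamp": line.strip()}
            continue
        attr, sep, value = line.strip().partition(" = ")
        if not sep:
            continue                    # not an attribute line; ignore
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]         # rlm_detail quotes string values
        # Cisco VSAs repeat their own name inside the value ("h323-conf-id=...");
        # drop that prefix so the value is directly usable.
        prefix = attr.lower() + "="
        if value.lower().startswith(prefix):
            value = value[len(prefix):]
        record[attr] = value
    if record:
        yield record


def select(record, wanted):
    """Pick the wanted attributes out of one record, "" where absent."""
    by_lower = {name.lower(): value for name, value in record.items()}
    return {name: by_lower.get(name.lower(), "") for name in wanted}


def filter_text(text, wanted=WANTED):
    """Return [{wanted attr: value}, ...] for a detail file held in a string."""
    return [select(r, wanted) for r in parse_detail(io.StringIO(text))]


# Constructed sample (Start and Stop of one VoIP call); values are made up.
SAMPLE = """\
Thu Nov  4 13:01:16 2004
\tAcct-Session-Id = "0x002339ee"
\tCalling-Station-Id = "5551234"
\tCalled-Station-Id = "5554321"
\tAcct-Status-Type = Start
\tAcct-Delay-Time = 0
\th323-conf-id = "h323-conf-id=3B9F2A1C 00000001 0000DEAD 0000BEEF"
\th323-connect-time = "h323-connect-time=13:01:16.000 UTC Thu Nov 4 2004"
\tTimestamp = 1099573276

Thu Nov  4 13:04:58 2004
\tAcct-Session-Id = "0x002339ee"
\tCalling-Station-Id = "5551234"
\tCalled-Station-Id = "5554321"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 222
\tAcct-Delay-Time = 2
\th323-conf-id = "h323-conf-id=3B9F2A1C 00000001 0000DEAD 0000BEEF"
\th323-connect-time = "h323-connect-time=13:01:16.000 UTC Thu Nov 4 2004"
\th323-disconnect-time = "h323-disconnect-time=13:04:58.000 UTC Thu Nov 4 2004"
\tTimestamp = 1099573498

"""


if __name__ == "__main__":
    # Usage: detail_filter.py /var/log/radius/radacct/<nas>/detail-YYYYMMDD
    # (no argument: run on the embedded SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\t".join(WANTED))
    for row in filter_text(text):
        print("\t".join(row[name] for name in WANTED))
```

Run it against the per-NAS detail file named in the rlm_detail line of the debug output earlier on this page and redirect the output to a file; the header row makes the result loadable into a spreadsheet or a database bulk import.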


Re: problem with logging

2004-11-04 Thread Alan DeKok
eLLe By [EMAIL PROTECTED] wrote:
 Is the wrong editing of the file radius.conf the reason of this error,
 or is the Nas that don't send the right information to Radius?

  The NAS isn't sending the right information to RADIUS.

  See the FAQ.  If an attribute isn't in the detail file, it's because
the NAS isn't sending it.  And there's nothing you can do to the
RADIUS server to make the NAS send those attributes.

  Alan DeKok.



Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Alan DeKok
Daniel Davidson [EMAIL PROTECTED] wrote:
 while looking at the radiusd.conf file, I noticed that the ldap area
 said something about that to use the sambaNTPassword field that it has
 to start with a 0x.  Does this mean that in LDAP that this value must be
 stored as:
 
 sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE

  I don't think that's necessary.  The MS-CHAP module is the only one
which interprets that string, and it is forgiving of the format.

  The larger issue is that the debug log you posted doesn't finish.
i.e. It doesn't contain a reject OR a success.  Get a debug log with
an accept or reject, and it will then be possible to tell what's going
on.

  Alan DeKok.




Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
It never gives one with this configuration, it just keeps repeating the
same request over and over again, never accepting or rejecting after the
Access-Challenge is sent back to the access point.

Dan


On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
 Daniel Davidson [EMAIL PROTECTED] wrote:
  while looking at the radiusd.conf file, I noticed that the ldap area
  said something about that to use the sambaNTPassword field that it has
  to start with a 0x.  Does this mean that in LDAP that this value must be
  stored as:
  
  sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
 
   I don't think that's necessary.  The MS-CHAP module is the only one
 which interprets that string, and it is forgiving of the format.
 
   The larger issue is that the debug log you posted doesn't finish.
 i.e. It doesn't contain a reject OR a success.  Get a debug log with
 an accept or reject, and it will then be possible to tell what's going
 on.
 
   Alan DeKok.
 
 




ATA 186 and FreeRADIUS

2004-11-04 Thread SAMUEL
Hi all
I have 2 Cisco ATA 186, and in my network there is a server running 
FreeRADIUS-1.0.0 and another server running Vovida software (vocal-1.5); 
the vocal software is a SIP server. I want to know if the ATA 186 
can authenticate against the FreeRADIUS server, which dictionary 
must be used, and whether some specific configuration is needed. I already did some 
searches on the Internet, I already tried some different dictionaries 
for FreeRADIUS, and I already sent several e-mails to the Vovida 
mailing list, but nothing and nobody helped me; sincerely, I no longer know 
what to do. Has somebody already gone through the same problem, or 
does anyone know where I can find help?

Thanks
Regards


Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Michael Griego
Are you sure that you have the CA certificate you're using with
FreeRADIUS installed on the XP system you're using as a supplicant? 
This could be a symptom of XP not recognizing the signer of the
certificate presented in the 802.1x conversation and refusing to
continue authentication.

FYI, here, we're using the ntPassword attribute in LDAP *without* the 0x
in front, and it's working fine.  The code will use it either way.

--Mike


On Thu, 2004-11-04 at 10:58, Daniel Davidson wrote:
 It never gives one with this configuration, it just keeps repeating the
 same request over and over again, never accepting or rejecting after the
 Access-Challenge is sent back to the access point.
 
 Dan
 
 
 On Thu, 2004-11-04 at 10:48, Alan DeKok wrote:
  Daniel Davidson [EMAIL PROTECTED] wrote:
   while looking at the radiusd.conf file, I noticed that the ldap area
   said something about that to use the sambaNTPassword field that it has
   to start with a 0x.  Does this mean that in LDAP that this value must be
   stored as:
   
   sambaNTPassword: 0x01FC5A6BE7BC6929AAD3B435B51404EE
  
I don't think that's necessary.  The MS-CHAP module is the only one
  which interprets that string, and it is forgiving of the format.
  
The larger issue is that the debug log you posted doesn't finish.
  i.e. It doesn't contain a reject OR a success.  Get a debug log with
  an accept or reject, and it will then be possible to tell what's going
  on.
  
Alan DeKok.
  
  
 
 
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
Thanks for the info, now we are getting somewhere. I have just unchecked
the "validate server certificate" option for now. Now I am getting a
rejection.  Any ideas?

thanks again for the help,

Dan


rad_recv: Access-Request packet from host 128.174.124.2:1024, id=0,
length=224
User-Name = dbdavids
NAS-IP-Address = 128.174.124.2
Called-Station-Id = 000f66e4c41c
Calling-Station-Id = 009096b43336
NAS-Identifier = 000f66e4c41c
NAS-Port = 49
Framed-MTU = 1400
State = 0x05d6753b0d1d6b5e153b275d9693ef57
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206005a1900170301004f8c8a20407e2068158e8d78c30ec38160e43b0f78ff2b701605b5c79b9de8900c48fb91b49db5bf9dcddd5ccabb4790c6ae46fc07f331bd23bbc88023d68b2e78a4ab7763627926a560ed58927beae5
Message-Authenticator = 0xa25e2734559e8d05f9cb602baa181907
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
  modcall[authorize]: module chap returns noop for request 6
  modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = dbdavids, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 6
  rlm_eap: EAP packet type response id 6 length 90
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 6
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message =
0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
  PEAP: Setting User-Name to dbdavids
  PEAP: Adding old state with c7 00
  PEAP: Sending tunneled request
EAP-Message =
0x020600431a0206003e3164e5402640d5988f1d47d58297a06a95c2571a9c92f4970284a462469ceac06779f68025392ddf8f006462646176696473
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = dbdavids
State = 0xc7001f0cb231ff08af3c8015aa53f2fd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
  modcall[authorize]: module chap returns noop for request 6
  modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = dbdavids, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 6
  rlm_eap: EAP packet type response id 6 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 6
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = \006E=691 R=1
EAP-Message = 0x04060004
Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0x552ade3c50 3
MS-CHAP-Error = \006E=691 R=1
EAP-Message = 0x04060004
Message-Authenticator = 0x

Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Alan DeKok
Daniel Davidson [EMAIL PROTECTED] wrote:
 Thanks for the info, now we are getting somewhere I just have unchecked
 the validate server certificate area for now. Now I am getting a
 rejection.  Any ideas?

  You said you were storing the passwords in LDAP, but the debug log
doesn't show the LDAP module being used:

   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 6
   modcall[authorize]: module preprocess returns ok for request 6
   modcall[authorize]: module chap returns noop for request 6
   modcall[authorize]: module mschap returns noop for request 6
 rlm_realm: No '@' in User-Name = dbdavids, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 6
   rlm_eap: EAP packet type response id 6 length 90
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 6
 users: Matched DEFAULT at 152
   modcall[authorize]: module files returns ok for request 6
 modcall: group authorize returns updated for request 6

  There's no mention of LDAP, so the server doesn't have the NT password.

   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for dbdavids with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

  Yup.

  Alan DeKok.




Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
I uncommented and did appropriate changes (below) to the ldap section of
the modules area.  What else needs done?  I am deleting the commented
lines.

Dan

ldap {
server = lap server's real name
basedn = ou=People,dc=igb,dc=uiuc,dc=edu
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}




Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Alan DeKok
 I uncommented and did appropriate changes (below) to the ldap section of
 the modules area.  What else needs done?  I am deleting the commented
 lines.

  Un-comment other references to ldap in radiusd.conf.

  At least in the authorize section.

  Alan DeKok.



Re: openlap wireless (WPA-radius with PEAP auth on client) problem

2004-11-04 Thread Daniel Davidson
That did it, thanks everyone,

Dan


On Thu, 2004-11-04 at 12:49, Alan DeKok wrote:
  I uncommented and did appropriate changes (below) to the ldap section of
  the modules area.  What else needs done?  I am deleting the commented
  lines.
 
   Un-comment other references to ldap in radiusd.conf.
 
   At least in the authorize section.
 
   Alan DeKok.
 




Cisco-AVPair Help (help!!) Part 1

2004-11-04 Thread Billington, David
 = 10.100.255.17,Acct-Session-Id =
0x002339ee,User-Name = '
rlm_acct_unique: Acct-Unique-Session-ID = 80142e378dd3cad0.
  modcall[preacct]: module acct_unique returns ok for request 3
modcall: group preacct returns ok for request 3
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
radius_xlat:  '/var/log/radius/radacct/10.100.255.17/detail-20041104'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.100.255.17/detail-20041104
  modcall[accounting]: module detail returns ok for request 3
  modcall[accounting]: module unix returns ok for request 3
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  ''
  modcall[accounting]: module radutmp returns ok for request 3
radius_xlat:  ''
radius_xlat:  'INSERT into radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay, TunnelClientEndpoint,
SourceIPAddress, DestinationIPAddress) values('0x002339ee',
'80142e378dd3cad0', '', '', '10.100.255.17', '0', '', '2004-11-04
13:01:16', '0', '0', '', '', '', '0', '0', '', '', '', '', '', '', '',
'0', '', 'ip:source-ip=10.100.248.2', 'ip:source-ip=10.100.248.2')'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
  modcall[accounting]: module sql returns ok for request 3
modcall: group accounting returns ok for request 3
Sending Accounting-Response of id 229 to 10.100.255.17:1813
Finished request 3
Going to the next request
--- Walking the entire request list ---
Cleaning up request 3 ID 229 with timestamp 418a7c7c
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 58 with timestamp 418a7c77
Nothing to do.  Sleeping until we see a request.




Cisco-AVPair Help (help!!) Part 2

2004-11-04 Thread Billington, David
Continued from Cisco-AVPair Help (help!!) Part 1:

radiusd.conf file:

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.188 2004/05/13 20:10:19 pnixon Exp $
##

#   The location of other config files and
#   logfiles are declared in this file
#
#   Also general configuration for modules can be done
#   in this file, it is exported through the API to
#   modules that ask for it.
#
#   The configuration variables defined here are of the form ${foo}
#   They are local to this file, and do not change from request to
#   request.
#
#   The per-request variables are of the form %{Attribute-Name}, and
#   are taken from the values of the attribute in the incoming
#   request.  See 'doc/variables.txt' for more information.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure --disable-shared
#   make
#   make install
#
libdir = /usr/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privileges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#On SCO (ODT 3) use user = nouser and group = nogroup.
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 6; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
user = radiusd
group = radiusd

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 30

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in 

Request for help/sample configurations

2004-11-04 Thread Ronald I. Nutter
Hope there is somebody here who can point me in the right direction.  I
have been trying for several weeks to get a freeradius system up and
running. I have been trying to use openssl so that I can generate
certificates in order to use eap-tls.  I have had major problems trying
to get openssl to generate certificates and haven't been able to get
anyone to respond to me on the openssl listserv to explain the errors I
am getting.  At this point, I am abandoning trying to get eap-tls
functional using openssl.

Can someone point me to sample configurations that will allow me to
either authenticate against two different MS AD domains, or what the
config files should look like for the user database to exist on the
freeradius server to allow wireless access?  My main goal is to not
require any additional software on the client PC.  I have done other
linux projects and haven't had this much trouble.  Any assistance will be
appreciated!

Thanks,
Ron



Ron Nutter  [EMAIL PROTECTED]
Network Manager
Information Technology Services  (502) 863-7002
Georgetown College
Georgetown, KY 40324-1696




RE : Adding a module

2004-11-04 Thread Matthew Ryan
 Matthew Ryan [EMAIL PROTECTED] wrote:
  I have an ambition to write a module for FreeRadius and am having quite
  a bit of difficulty.
  
  - I basically took rlm_example, made a copy and renamed it
  - Made all modifications to the C file
  - Every other file that needed correct references
  - Built that module which was fine
  - Added it to radiusd.conf
 
   Add it where?

I made an entry in the Modules section, then a 'call' in the authorize
section.

 
  However, on the event such as authentication my module and the contents
  of the method I expect to get called does nothing.
 
   Odds are you didn't add it to the right place in radiusd.conf, or
 tell the server to use it for authentication.

For sure I have done something wrong. Probably there.

  Without much documentation, or a noggin to nicely figure it all out
  myself I am looking for advice.
 
   doc/module_interface contains a lot of information.

I will take a look, thanks.

 
  I simply want to pass the information of the authentication and its time
  to an external data source.
 
   You do NOT want to do this during the authentication phase.  You
 want to do this during the authorize phase.
 
   Alan DeKok.

My mistake. Yes, in the authorize phase.

Big thanks Alan. Really appreciate the help.

Matthew Ryan



Can I configure a delay in the Radius server response?

2004-11-04 Thread Sharon Auby

I am trying to simulate a scenario and I would like to be able to configure
a +1 sec delay in the RADIUS server's response to my authentication request.

Is there something I can configure to add a delay in the response being sent?

Thanks,
Sharon


Re: Can I configure a delay in the Radius server response?

2004-11-04 Thread Alan DeKok
Sharon Auby [EMAIL PROTECTED] wrote:
 I am trying to simulate a scenario and I would like to be able to configure
 a +1 sec delay in the radius servers response
 to my authentication request.
 
 Is there something I can configure to add a delay in the response being
 sent.

  In the users file:

#---
DEFAULT
	Exec-Program-Wait = "sleep 1",
	Fall-Through = yes
#---

  That will work, unless you're already using Exec-Program-Wait for
something else.

  Alan DeKok.




RE: Can I configure a delay in the Radius server response?

2004-11-04 Thread Sharon Auby
Alan,
Thanks for your response.
The Fall-Through command... will it cause the server to drop the first
request?

I really need the Server to respond to the 1st request after 1-2 seconds of
receiving it.
I imagine sleep 2 will also work.

Thanks for the info!
Sharon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: Thursday, November 04, 2004 4:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Can I configure a delay in the Radius server response?


Sharon Auby [EMAIL PROTECTED] wrote:
 I am trying to simulate a scenario and I would like to be able to
configure
 a +1 sec delay in the radius servers response
 to my authentication request.

 Is there something I can configure to add a delay in the response being
 sent.

  In the users file:

#---
DEFAULT
	Exec-Program-Wait = "sleep 1",
	Fall-Through = yes
#---

  That will work, unless you're already using Exec-Program-Wait for
something else.

  Alan DeKok.






Re: Ippool Or DHCP Server.

2004-11-04 Thread Chan Min Wai
 Let me just make sure I'm clear on this idea... Your AP will give out
 private IP addresses from a DHCP pool (presumably with 802.11x so you
 get the good WPA-Enterprise security) and then the machine must launch
 a PPP tunnel (over PPTP/L2TP I presume?) which then authenticates to
 the RADIUS server (again) to get a real IP address so it can start
 playing on the network?

Well, it seems to be right, and I also think that this is a hell of a lot of
work...

Any other way?

My situation here is a little different. It is not through a wireless AP
BUT through a wired switch: a 24-port 10/100 switch, wired to the
users' clients :)

 That seems like an awful lot of effort, and an attempt to shoehorn
 two solutions into one (not clearly defined) problem.
The problem is the IP address assignment from RADIUS (ippool or dhcpd
for the best control).

Regards,

Thank You
Chan Min Wai








Re: Adding a module

2004-11-04 Thread Matthew Ryan

   Odds are you didn't add it to the right place in radiusd.conf, or
 tell the server to use it for authentication.

I double checked how I added this module and it seems fine

modules {

   mymodule {

   }

   .. etc etc

}

authorize {
   mymodule

   .. etc etc
}

   doc/module_interface contains a lot of information.

I read through this document and noticed that at startup my module
should be loaded and its init() called.

Running radiusd -X I do not see my module load, and thus the 

DEBUG(DB message);

in the init() of my module does not get called.

I think I have pretty much followed everything correctly yet no success.



Re: Ippool Or DHCP Server.

2004-11-04 Thread Chan Min Wai
Craig Huckabee wrote:
 Paul Hampson wrote:
 
 On Wed, Nov 03, 2004 at 07:04:09PM +0800, Chan Min Wai wrote:

 I hope that radius server can talk to the DHCP server and tell the DHCP
 server what ip address to be allocate...



 Write a script that adds the authenticated client's MAC address and
 the IP Address you've assigned to the DHCP server's config and reloads
 the DHCP server. It'll also have to get rid of other stanzas for that
 MAC address/IP address (trusting rlm_ippool to know what IP addresses
 are free, which means you need to be getting Accounting packets, I
 expect.)

Woo, that means whenever any user logs in my DHCP server is reloading... WOO,
that is a hell of a lot of work, and if there are multiple users logging in at
the same time... hehe, my dhcpd server will keep on reloading without doing
anything good :(

However I found something like this...
http://www.ietf.org/internet-drafts/draft-ietf-dhc-agentopt-radius-08.txt

Hoping someone will be able to read into it.


 This assumes rlm_ippool can even work with 802.1x... What does it use
 for NAS-Port?

 Put this in an rlm_exec with (wait=1) after your rlm_ippool module.

 Again, this assumes 802.1x (did I call it 802.11x earlier???) happens
 before DHCP does. ^_^

 
 802.1x turns the physical port on in the case of a wired network, or
 completes the association of a client to a wireless AP in a wireless
 setup.  The next step is usually your protocol level setup, i.e.
 getting an IP address.
 
 The RADIUS server would normally be out of the loop at the protocol
 level.  You can write a script, or just let the DHCP server give out
 addresses out of a pool, etc.

Write a script? What kind of script does that?
Anywhere to find them? And what kind of script am I looking for?

BTW, all the questions I'm asking are about RADIUS with a wired network (on
10/100 Base-T), and the number of users I'm looking at is about 100K ~ 500K ;)

Regards,

Thank You
Chan Min Wai




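The script Paul Hampson sketches in the exchange above, written out as an added example; it is not code from the thread, from FreeRADIUS, or from ISC dhcpd. It is meant to be run from rlm_exec (wait = 1) after rlm_ippool, and it assumes the rlm_exec convention that request/reply attributes reach the program as environment variables, upper-cased with '-' replaced by '_' (so CALLING_STATION_ID carries the client MAC and FRAMED_IP_ADDRESS the address ippool chose). DHCP_HOSTS_FILE (a fragment include'd from dhcpd.conf), the single-line stanza layout, and the restart command are all assumptions of this example. The two validation functions are the part a defender cares about: Calling-Station-Id is supplied by the client, so it must never be written into dhcpd.conf unchecked.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): keep one dhcpd
# "host" stanza per authorized client, replacing any earlier stanza for
# the same MAC address or the same IP address.
#
# Assumed environment (rlm_exec naming convention):
#   CALLING_STATION_ID  client MAC as sent by the switch
#   FRAMED_IP_ADDRESS   address assigned by rlm_ippool
#   DHCP_HOSTS_FILE     include'd fragment of dhcpd.conf (assumed path)

# Normalize a MAC written as aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or
# aabb.ccdd.eeff to lower-case colon form.  Anything that is not exactly
# twelve hex digits is rejected, so a crafted Calling-Station-Id cannot
# smuggle dhcpd directives into the config file.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f')
    [ ${#hex} -eq 12 ] || return 1
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# update_dhcp_host FILE MAC IP
# Rewrite FILE so it holds exactly one stanza for MAC and none for any
# other client that previously held IP.  Each stanza is one line:
#   host radius-<mac> { hardware ethernet <mac>; fixed-address <ip>; }
# which keeps the file filterable line by line.
update_dhcp_host() {
    conf=$1
    mac=$(normalize_mac "$2") || { echo "rejected MAC: $2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "rejected IP: $3" >&2; return 1; }
    ip=$3
    tmp="$conf.tmp.$$"
    # Drop stale stanzas; grep -v exits 1 when nothing is left, which is fine.
    { [ -f "$conf" ] && grep -v -F -e "hardware ethernet $mac;" \
                                   -e "fixed-address $ip;" "$conf"; } > "$tmp" || true
    printf 'host radius-%s { hardware ethernet %s; fixed-address %s; }\n' \
        "$(printf '%s' "$mac" | tr -d :)" "$mac" "$ip" >> "$tmp"
    mv "$tmp" "$conf"
}

# Entry point when rlm_exec runs the script with the "run" argument.  The
# restart is the cost Chan Min Wai objects to above: dhcpd has no
# lightweight reload, so a restart per login does not scale to hundreds of
# thousands of users.
main() {
    update_dhcp_host "${DHCP_HOSTS_FILE:-/etc/dhcpd.radius.conf}" \
        "$CALLING_STATION_ID" "$FRAMED_IP_ADDRESS" || exit 1
    # Placeholder for your distribution's dhcpd restart command, e.g.
    #   /etc/init.d/dhcpd restart
}

case ${1-} in run) main ;; esac
```

Because rlm_ippool places Framed-IP-Address in the reply list, the rlm_exec instance that runs this script has to be pointed at the reply attributes rather than the request ones; the rejected-input paths write to stderr, which radiusd -X shows, so a switch sending a malformed Calling-Station-Id is visible in the debug output rather than silently producing a bad stanza.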


Re: Adding a module

2004-11-04 Thread Alan DeKok
Matthew Ryan [EMAIL PROTECTED] wrote:
 I read through this document and noticed that at startup my module
 should be loaded and its init() called.

  Well, no.  The instantiate method is the important one.  See the
rest of the modules.

  I'm not even sure if the init method is *ever* called.

 I think I have pretty much followed everything correctly yet no success.

  If all else fails, copy another module, change the name, and poke at
it until it contains nothing but your source.

  Alan DeKok.



rlm_ippool_tool option 'r' removes ip address from pool

2004-11-04 Thread Mike O'Connor
Hi All
Using Freeradius 1.0.1
I wrote a program to keep my ippool in line with my online list; this
used rlm_ippool_tool to set an IP address as inactive when there was a
problem.

After reading the rlm_ippool_tool options I decided that the option '-r:
remove active entries' was the one to use.

Problem is, it does not seem to be the correct one, because instead of
just setting the IP address as inactive it removes it altogether.

Does this seem to be correct? If so, what method should I be using?
Thanks
Mike