Radius backup

2004-11-10 Thread George Chelidze
Hello,
I have read a lot of docs around, searched among many different archives 
on the net but still feel I do not have a correct solution to my problem:

Very common setup: I have a cisco router which requires radius for 
authentication and accounting. MySQL is used as backend database. 
Everything is configured and is working just fine. The task is to 
configure a secondary radius server which will act as backup server if the 
primary server fails. I have found out that I can configure the secondary 
server the same way I did with the primary, and set up mysql replication to make 
sure the secondary server has the same data that the primary has. I also should 
add the secondary radius details to the router and when the primary fails, the router 
will fall back to the secondary server. But the failures can be of different 
types:
1. primary server crashed and won't come back without human help. This 
is the best case from my point of view, because the secondary server 
contains all the data it requires for operation.

2. primary server can't be reached because of network problems which may 
be solved after a while. If the primary server comes back, the router will 
switch back to it and here is a problem: the primary server contains 
different data from the secondary server so it can't continue operations 
properly before data is synced again. Bidirectional replication is not a 
solution because, for example, accounting updates or inserts records into the 
accounting table according to already inserted rows, so order matters.

I know I am not the first and not the last who has faced this problem 
and I would like to hear from people who have solved such problems. Any 
suggestions are welcome.

Best Regards,
--
George Chelidze
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


NAS-IP-Address

2004-11-10 Thread Nicolas Justin
Hello,
Quick question: can NAS-IP-Address (in huntgroups) be equal to 
the shortname defined in clients.conf? So I can declare in one line 
a subnet as a huntgroup in the huntgroups file.

I did a quick grep in the source and didn't find anything useful.
Thanks.
--
Nicolas Justin


Re: Freeradius 1.0.1 + Debian Woody V3R2 + Problem Install

2004-11-10 Thread Stephane SALELLES



The install is correct now.
 
Thanks
 
Stéphane SALELLES

  - Original Message - 
  From: 
  rashad 
  
  To: [EMAIL PROTECTED] 
  
  Sent: Saturday, November 06, 2004 1:45 
  PM
  Subject: Freeradius 1.0.1 + Debian Woody 
  V3R2 + Problem Install
  
  You have to install libmysqlclient-dev and zliblg 
packages.


Distributed Data Base

2004-11-10 Thread Santiago Balaguer García
I have to replicate my RADIUS databases, one in my central office and the 
other in another city. I am preparing my RADIUS server to support that. As 
usual, I have a MySQL database.

Do you know if MySQL can function as a distributed database?
Santiago


Re: Radius backup

2004-11-10 Thread Kostas Kalevras
On Wed, 10 Nov 2004, George Chelidze wrote:
> Hello,
> I have read a lot of docs around, searched among many different archives on 
> the net but still feel I do not have a correct solution to my problem:
>
> Very common setup: I have a cisco router which requires radius for 
> authentication and accounting. MySQL is used as backend database. Everything 
> is configured and is working just fine. The task is to configure a secondary 
> radius server which will act as backup server if the primary server fails. I have 
> found out that I can configure the secondary server the same way I did with the 
> primary, and set up mysql replication to make sure the secondary server has the same 
> data that the primary has. I also should add the secondary radius details to the router 
> and when the primary fails, the router will fall back to the secondary server. But the 
> failures can be of different types:
> 1. primary server crashed and won't come back without human help. This is 
> the best case from my point of view, because the secondary server contains all 
> the data it requires for operation.
>
> 2. primary server can't be reached because of network problems which may be 
> solved after a while. If the primary server comes back, the router will switch back 
> to it and here is a problem: the primary server contains different data from the 
> secondary server so it can't continue operations properly before data is 
> synced again. Bidirectional replication is not a solution because, for example, 
> accounting updates or inserts records into the accounting table according to 
> already inserted rows, so order matters.
>
> I know I am not the first and not the last who has faced this problem and I 
> would like to hear from people who have solved such problems. Any suggestions are 
> welcome.
The solution is to configure radrelay on both servers. See doc/radrelay. 
That way you can have exactly the same accounting information on both servers 
and also avoid the troubles of setting up and maintaining sql replication.

> Best Regards,
> --
> George Chelidze

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


configuring radiusd.conf

2004-11-10 Thread raffaello . giordano
Do you know if in radiusd.conf it is important to set the value
"check_cert_cn=%{User-Name}" or if I can leave it commented (#)? And if it is
important, what do I have to write in the field "User-Name"? Thanks, Raffaello

   



Re: Distributed Data Base

2004-11-10 Thread Kostas Kalevras
On Wed, 10 Nov 2004, Santiago Balaguer García wrote:
> I have to replicate my RADIUS databases, one in my central office and the 
> other in another city. I am preparing my RADIUS server to support that. As 
> usual, I have a MySQL database.
>
> Do you know if MySQL can function as a distributed database?
Mysql supports replication (i don't think distributed database is what you 
mean). An even better way is to use radrelay (see doc/radrelay).

> Santiago

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Error Connect Remote backend Database Mysql

2004-11-10 Thread Stéphane SALELLES



Hi,
 
I am trying to connect freeradius to a remote backend 
database on a MySQL server on Win XP Pro.
 
I've this message:
 
rlm-sql-mysql: Couldn't connect socket to mysql 
server [EMAIL PROTECTED]:radius
rlm-sql-mysql:Mysql error 'Client' does not support 
authentification protocol request by server; consider upgrading MySQL 
client
rlm-sql (sql): Failed to connect DB handle 
#0
 
Could you help me?
 
Thanks.
 
Stéphane


Success PEAP/MSCHAPv2 + LDAP + Samba passwords

2004-11-10 Thread Christophe Boyanique
Hi there,
just to confirm previous posts about this type of configuration: it works!
Freeradius 1.0.1
Fedora Core 1
OpenLDAP with NT and LM hashed samba password
OpenSSL
I don't know if there is a bug in freeradius, but the radeapclient is 
not linked correctly by libtool. Instead of the binary, the libtool 
wrapper remains in the installed path. I tried on Debian unstable (with 
included or system libtool) and I had the same problem.

About Fedora Core 1:
- It is necessary to modify the spec file by removing the 
--with-system-libtool from the configure.

- It is also necessary to modify the CFLAGS before the configure: 
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et"

PEAP with MSCHAPv2 has been successfully tested to secure a Wifi network 
with Windows XP and Mac OS X 10.3 clients.

Freeradius configuration:
- check that LM-Password and NT-Password are correctly mapped to the 
corresponding ldap entries in ldapattr.map

- don't use the password_header and password_attribute in the ldap section
extract from the configuration file:
authorize {
preprocess
mschap
eap
ldap
files # only used for specific stuff, usually not needed
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
During the authorize phase, the ldap module searches for the user and keeps 
track of the NT and/or LM passwords if they are present.

During the authenticate phase, the mschap module uses the previously 
found passwords to authenticate the user.

--
Christophe.


Re: Radius backup

2004-11-10 Thread George Chelidze
Hello,
Kostas Kalevras wrote:
> On Wed, 10 Nov 2004, George Chelidze wrote:
> > Hello,
> > I have read a lot of docs around, searched among many different 
> > archives on the net but still feel I do not have a correct solution to my 
> > problem:
> >
> > Very common setup: I have a cisco router which requires radius for 
> > authentication and accounting. MySQL is used as backend database. 
> > Everything is configured and is working just fine. The task is to 
> > configure a secondary radius server which will act as backup server if the 
> > primary server fails. I have found out that I can configure the secondary 
> > server the same way I did with the primary, and set up mysql replication to 
> > make sure the secondary server has the same data that the primary has. I also 
> > should add the secondary radius details to the router and when the primary fails, 
> > the router will fall back to the secondary server. But the failures can be of 
> > different types:
> > 1. primary server crashed and won't come back without human help. 
> > This is the best case from my point of view, because the secondary server 
> > contains all the data it requires for operation.
> >
> > 2. primary server can't be reached because of network problems which 
> > may be solved after a while. If the primary server comes back, the router will 
> > switch back to it and here is a problem: the primary server contains 
> > different data from the secondary server so it can't continue operations 
> > properly before data is synced again. Bidirectional replication is not 
> > a solution because, for example, accounting updates or inserts records 
> > into the accounting table according to already inserted rows, so order 
> > matters.
> >
> > I know I am not the first and not the last who has faced this problem 
> > and I would like to hear from people who have solved such problems. Any 
> > suggestions are welcome.
>
> The solution is to configure radrelay on both servers. See doc/radrelay. 
> That way you can have exactly the same accounting information on both 
> servers and also avoid the troubles of setting up and maintaining sql 
> replication.
Thank you very much for your quick reply. Seems it's what I am looking for.
Best Regards,
--
George Chelidze


Help: how to check user's account ?

2004-11-10 Thread V.Kukushkin



Hi,

My task is to periodically check the account of a 
permanently connected user. Since it is a permanent connection, I use my own 
client (not a PPP client) based on the standard radiusclient lib.
What kind of request should be used from client to server to get some 
accounting info for the client?
I tried to use the request Acct-Status-Type=Alive 
and wait for a response with some attribute à la 
Session-Timeout.
My acct_users file contained 2 lines:
 
DEFAULT Acct-Status-Type == Alive
Session-Timeout = 30
 
I waited for Session-Timeout in the reply from the radius 
server but the server doesn't send a reply.
Where am I wrong? Could you give me direction 
to the right solution? 
Thanks in advance,
---
Best regards,
Vladimir


Re: Success PEAP/MSCHAPv2 + LDAP + Samba passwords

2004-11-10 Thread Stefan . Neis
Hi,

> OpenLDAP with NT and LM hashed samba password

After having read similar stuff several times in the past weeks,
what's the real advantage of using NT or LM hashed passwords over
using simple clear text passwords? At least security-wise, I can't
see any.

Regards,
Stefan





RE: Success PEAP/MSCHAPv2 + LDAP + Samba passwords

2004-11-10 Thread Berry, William





Personally I think that clear text is bad as anyone intercepting the packets can easily pick up anything in clear text. If one knows specifically that traffic is on a completely secure path from end to end then it is not such an issue. This leads one to have different standards for one transmission path over the other though. 

Brent 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]

Sent: Wednesday, November 10, 2004 8:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Success PEAP/MSCHAPv2 + LDAP + Samba passwords


    Hi,


> OpenLDAP with NT and LM hashed samba password


After having read similar stuff several times in the past weeks,
what's the real advantage of using NT or LM hashed passwords over
using simple clear text passwords? At least security-wise, I can't
see any.


    Regards,
        Stefan  











access-reject

2004-11-10 Thread carlos akitani

Hi, I am using freeradius-1.0.1 with redhat8, but I always get an access-reject (I'm using NTRadPing on Windows XP for the test). The user-name, password and secret I use for the test are those I've declared in the users and clients.conf files. The radius server always says "group authorize return ok" for the request but says after "auth": "No authenticate method (Auth-Type) configuration found for the request: Rejecting the user. Login incorrect". Please, how to solve that problem? Carlos



RE: Success PEAP/MSCHAPv2 + LDAP + Samba passwords

2004-11-10 Thread Stefan . Neis
Hi,

> Personally think that clear text is bad as anyone intercepting the
> packets can easily pick up anything in clear text.

You mean intercepting the packets between LDAP server and
RADIUS server (since the communication with the RADIUS client
isn't affected anyway)? But knowing the LM or NT password is
sufficient to log in anyway, if you spend some minutes to modify
some open source client accordingly, isn't it? You don't need
the clear text password anyway in Windows' authentication scheme,
AFAICT, so what's the point?

Regards,
Stefan





Re: How to add attribute in post-proxy?

2004-11-10 Thread Pasi Kärkkäinen
On Tue, Nov 09, 2004 at 07:34:33PM +0100, Nicolas Baradakis wrote:
> Pasi Kärkkäinen wrote:
> 
> > How do I add new attribute in post-proxy section?
> 
> See module rlm_attr_rewrite.
> 

Thanks for your reply. 

Reading the man-page, I didn't see how to _add_ attribute with
rlm_attr_rewrite.

According to man-page, you can only change value of some attribute, not add
completely new attribute. 

I'd like to add attribute 'Pool-Name' with value 'foo-pool' when processing
a packet in post-proxy section for user with realm '@foo.com'.

-- Pasi Kärkkäinen
   
   ^
. .
 Linux
  /-\
 Choice.of.the
   .Next.Generation.



Authentication with Machine-Certificate does not work

2004-11-10 Thread "Wesely, Jörg"
Hello,
I want our Windows-XP-Machines to authenticate with 802.1x. This authentication 
should happen before a user logs in to make it possible to contact the domain 
controller for the user authentication.

I'm using freeradius 1.01 on a Debian Sarge-System.

When I import the client-certificate to the local administrator's 
certificate-store, it all works fine.

When I import the same certificate to the computer's certificate-store and 
activate the authentication as computer, it does not work.
After booting, the computer sends an access-request; in the auth-logfile I find 
this:

-- snip --
Packet-Type = Access-Request
Wed Nov 10 13:54:36 2004
Framed-MTU = 1480
NAS-IP-Address = 192.168.41.10
NAS-Identifier = "HP1"
User-Name = "host/admin3.dhc-mailtest"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 24
NAS-Port-Type = Ethernet
NAS-Port-Id = "24"
Called-Station-Id = "00-30-6e-7e-21-38"
Calling-Station-Id = "00-c0-9f-0a-c0-7e"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xe383dcf2dbfb2ed82a4aee048c6172fd
EAP-Message = 0x020600060d00
Message-Authenticator = 0xdbd03853c9d5e2a830823c0e96e9056c
Client-IP-Address = 192.168.41.10
Stripped-User-Name = "admin3.dhc-mailtest"
Hint = "EAP"
- snap --
I find the following in the radius.log:
- snip --
Wed Nov 10 13:54:35 2004 : Info: rlm_eap_md5: Issuing Challenge
Wed Nov 10 13:54:35 2004 : Info: rlm_eap_tls:  Length Included
Wed Nov 10 13:54:35 2004 : Error: TLS_accept:error in SSLv3 read client 
certificate A
Wed Nov 10 13:54:35 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
- snap ---
After logging on the local administrator, the authentication works and the logs 
are a lot longer:
radius.log: 
- snip --
Wed Nov 10 14:11:15 2004 : Info: rlm_eap_md5: Issuing Challenge
Wed Nov 10 14:11:16 2004 : Info: rlm_eap_tls:  Length Included
Wed Nov 10 14:11:16 2004 : Error: TLS_accept:error in SSLv3 read client 
certificate A
Wed Nov 10 14:11:16 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Wed Nov 10 14:11:16 2004 : Info: rlm_eap_tls:  Length Included
Wed Nov 10 14:11:16 2004 : Info: (other): SSL negotiation finished 
successfully
Wed Nov 10 14:11:16 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Wed Nov 10 14:11:16 2004 : Auth: Login OK: [admin3.dhc-mailtest/] (from client hp1 port 24 cli 00-c0-9f-0a-c0-7e)
 snap --
auth.log:
 snip --
Packet-Type = Access-Request
Wed Nov 10 14:11:15 2004
Framed-MTU = 1480
NAS-IP-Address = 192.168.41.10
NAS-Identifier = "HP1"
User-Name = "admin3.dhc-mailtest"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 24
NAS-Port-Type = Ethernet
NAS-Port-Id = "24"
Called-Station-Id = "00-30-6e-7e-21-38"
Calling-Station-Id = "00-c0-9f-0a-c0-7e"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x020100180161646d696e332e6468632d6d61696c74657374
Message-Authenticator = 0xaed0e693bc618d82cb2bdb17c733db6b
Client-IP-Address = 192.168.41.10
Packet-Type = Access-Request
Wed Nov 10 14:11:15 2004
Framed-MTU = 1480
NAS-IP-Address = 192.168.41.10
NAS-Identifier = "HP1"
User-Name = "admin3.dhc-mailtest"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 24
NAS-Port-Type = Ethernet
NAS-Port-Id = "24"
Called-Station-Id = "00-30-6e-7e-21-38"
Calling-Station-Id = "00-c0-9f-0a-c0-7e"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xd5e64979f16b1ba9d067006e9d5a6477
EAP-Message = 0x02020006030d
Message-Authenticator = 0x878efcb2ba470d52795c1fccec744f08
Client-IP-Address = 192.168.41.10
Packet-Type = Access-Request
Wed Nov 10 14:11:16 2004
Framed-MTU = 1480
NAS-IP-Address = 192.168.41.10
NAS-Identifier = "HP1"
User-Name = "admin3.dhc-mailtest"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 24
NAS-Port-Type = Ethernet
NAS-Port-Id = "24"
Called-Station-Id = "00-30-6e-7e-21-38"
Calling-Station-Id = "00-c0-9f-0a-c0-7e"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 

Re: Error Connect Remote backend Database Mysql

2004-11-10 Thread Kevin Bonner

On Wednesday 10 November 2004 05:25, Stéphane SALELLES wrote:
> I've this message:
>
> rlm-sql-mysql: Couldn't connect socket to mysql server [EMAIL 
> PROTECTED]:radius
> rlm-sql-mysql:Mysql error 'Client' does not support authentification
> protocol request by server; consider upgrading MySQL client rlm-sql (sql):
> Failed to connect DB handle #0

Are you connecting to a MySQL 4.1.X server?  If yes, then look at the upgrade 
notes for MySQL 4.0 -> 4.1... they say how to resolve this problem.

Kevin Bonner



radius reply question

2004-11-10 Thread Garry Stanfill
I have a radius server configured for CHAP and PAP (clear password) authentication.  Authentication works fine.  My problem is that when a CHAP request comes in the server does not seem to be returning the Service-Type or the Framed-Protocol attributes or any other for that matter.

Following are the commands used for testing and the output:

[EMAIL PROTECTED] root]# echo 'User-Name = "[EMAIL PROTECTED]", Password = "password", NAS-Port=10, Called-Station-Id=7039970040, NAS-Identifier=RadTest' | radclient localhost 01 testing123
Received response ID 99, code 2, length = 56
Framed-IP-Address = 255.255.255.254
Framed-MTU = 1500
Service-Type = Framed-User
Session-Timeout = 43200
Idle-Timeout = 3600
Framed-Protocol = PPP

[EMAIL PROTECTED] root]# echo 'User-Name = "[EMAIL PROTECTED]", CHAP-Password = "password", NAS-Port=10, Called-Station-Id=7039970040, NAS-Identifier=RadTest' | radclient localhost 01 testing123
Received response ID 110, code 3, length = 20

From our users file:

DEFAULT Auth-Type == LDAP
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 1500,
Service-Type = Framed-User,
Session-Timeout = 43200,
Idle-Timeout = 3600,
Framed-Protocol=PPP,
Service-Type = Framed-User,
Fall-Through = Yes

Can somebody point me in the correct direction?  Please let me know if I need to include more information.

Thanks

Garry Stanfill
pgp www.us.pgp.net



Re: Error Connect Remote backend Database Mysql

2004-11-10 Thread Alan DeKok
Stéphane SALELLES <[EMAIL PROTECTED]> wrote:
> I've this message:
> 
> rlm-sql-mysql: Couldn't connect socket to mysql server 
> [EMAIL PROTECTED]:radius
> rlm-sql-mysql:Mysql error 'Client' does not support authentification 
> protocol request by server; consider upgrading MySQL client
> rlm-sql (sql): Failed to connect DB handle #0

  The word "authentification" does not appear in any message produced
by the server.

  If you are going to post log messages to the list, DO NOT RE-TYPE
THEM.  Post them via CUT AND PASTE.  That way, the list gets the real
log message, and not what you think the log message might have been.

  Alan DeKok.



Re: Help: how to check user's account ?

2004-11-10 Thread Alan DeKok
"V.Kukushkin" <[EMAIL PROTECTED]> wrote:
> What kind of request should be used from client to server to get some
> accounting info for client ?

  See the FAQ.  The client sends data, and the server logs it.  The
client controls what data is sent, and why.

> I tried to use the request Acct-Status-Type=Alive and wait for a response
> with some attribute à la Session-Timeout.

  RADIUS doesn't work like that.  See the RFC's.

  Alan DeKok.



Re: configuring radiusd.conf

2004-11-10 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Do you know if in radiusd.conf it is important to set the value
> "check_cert_cn=%{User-Name}" or if I can leave it commented (#)? And if it is
> important, what do I have to write in the field "User-Name"? Thanks, Raffaello

  The comments in the file above that entry say how to use it, and what it does.

  Alan DeKok.



Re: Success PEAP/MSCHAPv2 + LDAP + Samba passwords

2004-11-10 Thread Alan DeKok
"Berry, William" <[EMAIL PROTECTED]> wrote:
> Personally think that clear text is bad as anyone intercepting the packets
> can easily pick up anything in clear text.

  RADIUS passwords are encrypted.  Connections from FreeRADIUS to an
LDAP server should be encrypted using ldaps, or starttls.

  Using clear-text passwords makes it a LOT easier to manage different
authentication types.  The NT-Password is "clear-text equivalent" in
security terms, which means that it's as good as the clear-text
password for many purposes.

  The only thing that NT-Password "gains" is the inability to do CHAP.

  Alan DeKok.




Re: access-reject

2004-11-10 Thread Alan DeKok
"carlos akitani" <[EMAIL PROTECTED]> wrote:
> Hi, I am using freeradius-1.0.1 with redhat8, but I always get an
> access-reject (I'm using NTRadPing on Windows XP for the test). The
> user-name, password and secret I use for the test are those I've
> declared in the users and clients.conf files. The radius server
> always says "group authorize return ok" for the request but says
> after "auth": "No authenticate method (Auth-Type) configuration found
> for the request: Rejecting the user. Login incorrect". Please, how to
> solve that problem?

  Read the FAQ and README.  Run the server in debugging mode.

  And please, don't post HTML to the list.

  Alan DeKok.



Re: radius reply question

2004-11-10 Thread Alan DeKok
Garry Stanfill <[EMAIL PROTECTED]> wrote:
> I have a radius server configured for CHAP and PAP (clear password) 
> authentication.  Authentication works fine.  My problem is that when a 
> CHAP request comes in the server does not seem to be returning the 
> Service-Type or the Framed-Protocol attributes or any other for that 
> matter.

  So... run the server in debugging mode, as suggested in the FAQ and
README.

> Following are the commands used for testing and the output:

   the client.  Which is useless.  The server is the one doing
authentication, not the client.

>  From our users file:
> 
> DEFAULT Auth-Type == LDAP

  That should be ":=".

  And LDAP doesn't do CHAP.

> Can somebody point me in the correct direction?  Please let me know if 
> I need to include more information.

  Like the information asked for in the FAQ and README?  Can you
explain why you're not already following those instructions?

  Alan DeKok.




Re: radius reply question

2004-11-10 Thread Garry Stanfill

Alan

Thanks for your response.  I really do appreciate it.

On Nov 10, 2004, at 10:39 AM, Alan DeKok wrote:

I have a radius server configured for CHAP and PAP (clear password) 
authentication.  Authentication works fine.  My problem is that when a 
CHAP request comes in the server does not seem to be returning the 
Service-Type or the Framed-Protocol attributes or any other for that 
matter.

So... run the server in debugging mode, as suggested in the FAQ and
README.

Following are the commands used for testing and the output:

 the client.  Which is useless.  The server is the one doing
authentication, not the client.

From our users file:

DEFAULT Auth-Type == LDAP

That should be ":=".

From your FAQ about CHAP and LDAP:

o The := operator should not be used in the users file to set the Auth-Type since
it will set the Auth-Type regardless of whether it has already been set to some
other value.

Am I missing the point?  I actually just changed that from := to == yesterday based upon the FAQ...

And LDAP doesn't do CHAP.

CHAP authentication is working just fine for us so I don't understand why you say LDAP doesn't do CHAP.  Of course LDAP doesn't do CHAP but it doesn't do PAP either for that matter.  It is simply a matter of setting the password_attribute to a clear password field (yes you have to have one) instead of say, userPassword...

Can somebody point me in the correct direction?  Please let me know if 
I need to include more information.

Like the information asked for in the FAQ and README?  Can you
explain why you're not already following those instructions?

Hmm, I will resist the temptation as I am asking for your help.  Although I am not an expert, I have configured many a RADIUS server and have never had a need for anything more than your FAQ and README.  This time, however, I haven't been able to find the help I need but recognize that I may be missing something obvious...  

Alan DeKok.






Re: radius reply question

2004-11-10 Thread Alan DeKok
Garry Stanfill <[EMAIL PROTECTED]> wrote:
>  From your FAQ about CHAP and LDAP:
> 
> o The := operator should not be used in the users file to set the 
> Auth-Type since
>it will set the Auth-Type regardless of whether it has already been 
> set to some
>other value.
> 
> Am I missing the point?  I actually just changed that from := to == 
> yesterday based upon the FAQ...

  The operator you use should be '='.  See the "users" file "man" page.

> Chap authentication is working just fine for us so I don't understand 
> why you say LDAP doesn't do CHAP.  Of course LDAP doesn't do CHAP but 
> it doesn't do PAP either for that matter.

  Actually, LDAP servers can do PAP authentication.

  If CHAP works for you, then you're pulling clear-text passwords from
ldap during the "authorize" phase, and FreeRADIUS is doing the
authentication.

  Setting "Auth-Type = LDAP" makes the server go ask LDAP to
authenticate the user.  For 99.9% of the cases, you don't want that.

  So... don't set "Auth-Type = LDAP" in any way shape or form.

>  It is simply a matter of 
> setting the password_attribute to a clear password field (yes you have 
> to have one) instead of say, userPassword...

  Exactly.  You then don't need "Auth-Type = LDAP".

> Hmm, I will resist the temptation as I am asking for your help.  
> Although I am not an expert, I have configured many a RADIUS server and 
> have never had a need for anything more than your FAQ and README.  This 
> time, however, I haven't been able to find the help I need but 
> recognize that I may be missing something obvious...

  The debug log exists for one purpose: To give the administrator an
excruciatingly detailed description of what the server did, and why.
I have been caught MANY times by thinking I knew what was going on,
and fighting with a problem.  When I finally accepted that I had to
read the debug log, the problem and solution were obvious.

  The difficulties with written communication is that with English
text, you can only describe what you think you did, or what you think
the server is doing.  The pieces from the configuration files, and
debug logs, are *definitive*.  There's no room for misinterpretation,
typos, egos, or other problems.

  That's why I keep asking for debug logs: they're the only way to
know what's really going on.

  Alan DeKok.

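Alan's point above, that CHAP only works when FreeRADIUS itself holds the user's clear-text password, follows directly from how CHAP is computed. The following is an added example (not code from the list thread or from FreeRADIUS) that reproduces the RFC 1994 check a RADIUS server has to perform: the NAS sends CHAP-Password = Identifier || MD5(Identifier || password || challenge), and the server can only recompute that MD5 if it has the password in the clear. A hashed `userPassword` value such as `{SSHA}...` pulled from LDAP is therefore useless for CHAP, which is why the FAQ tells you to point `password_attribute` at a clear-text field. The function names (`chap_response`, `verify_chap`, `can_do_chap`) and the sample values are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the list post or the FreeRADIUS sources.
# RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge).
# In RADIUS the NAS sends CHAP-Password = Identifier (1 byte) || Response
# (16 bytes). The challenge is the CHAP-Challenge attribute or, if absent,
# the 16-byte Request Authenticator of the Access-Request.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the CHAP response for one identifier/challenge pair."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def build_chap_password(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """What a NAS puts into the CHAP-Password attribute (client side)."""
    return bytes([ident & 0xFF]) + chap_response(ident, secret, challenge)


def verify_chap(chap_password: bytes, request_authenticator: bytes,
                cleartext_password: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server-side check: only possible with the clear-text password."""
    if len(chap_password) != 17 or len(request_authenticator) != 16:
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident = chap_password[0]
    expected = chap_response(ident, cleartext_password, challenge)
    # Constant-time compare so a wrong guess leaks nothing via timing.
    return hmac.compare_digest(expected, chap_password[1:])


def ldap_value_is_cleartext(user_password_value: bytes) -> bool:
    """RFC 2307 userPassword values carry a {scheme} prefix when hashed."""
    return not (user_password_value.startswith(b"{") and b"}" in user_password_value)


def can_do_chap(user_password_value: bytes, chap_password: bytes,
                request_authenticator: bytes) -> Optional[bool]:
    """True/False when the stored value is clear text; None when LDAP only
    holds a hash and CHAP cannot be verified at all."""
    if not ldap_value_is_cleartext(user_password_value):
        return None
    return verify_chap(chap_password, request_authenticator, user_password_value)


if __name__ == "__main__":
    # Constructed sample exchange: a random authenticator stands in for the
    # Request Authenticator, the password is a made-up value.
    authenticator = os.urandom(16)
    attr = build_chap_password(7, b"correct horse", authenticator)
    print(verify_chap(attr, authenticator, b"correct horse"))            # True
    print(verify_chap(attr, authenticator, b"wrong"))                    # False
    print(can_do_chap(b"{SSHA}dGVzdA==", attr, authenticator))           # None
```

`can_do_chap` returning `None` is the situation Alan describes: the server cannot run the check, so the request is rejected and no reply attributes are ever returned, whatever the `users` file says.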


Re: How to add attribute in post-proxy?

2004-11-10 Thread Nicolas Baradakis
Pasi Kärkkäinen wrote:

> > > How do I add new attribute in post-proxy section?
> >
> > See module rlm_attr_rewrite.
>
> Thanks for your reply.
>
> Reading the man-page, I didn't see how to _add_ attribute with
> rlm_attr_rewrite.

You can add an attribute with the option "new_attribute = yes",
as documented in the man page.

-- 
Nicolas Baradakis



Re: Success PEAP/MSCHAPv2 + LDAP + Samba passwords

2004-11-10 Thread Alan DeKok
Christophe Boyanique <[EMAIL PROTECTED]> wrote:
> I don't know it there is a bug in freeradius, but the radeapclient is 
> not linked correctly by libtool. Instead of the binary, the libtool 
> wrapper remains in the installed path. I tried on Debian unstable (with 
> included or system libtool) and I had the same problem.

  Ah, yes.  That's a bug in the Makefile for radeapclient.  I've fixed
it, thanks.

  The fix will be in 1.0.2, and all later versions.

  Alan DeKok.




Re: radius reply question

2004-11-10 Thread Garry Stanfill
On Nov 10, 2004, at 11:43 AM, Alan DeKok wrote:

> Garry Stanfill <[EMAIL PROTECTED]> wrote:
> >  From your FAQ about CHAP and LDAP:
> >
> > o The := operator should not be used in the users file to set the
> > Auth-Type since it will set the Auth-Type regardless of whether it has
> > already been set to some other value.
> >
> > Am I missing the point?  I actually just changed that from := to ==
> > yesterday based upon the FAQ...
>
>   The operator you use should be '='.  See the "users" file "man" page.

Ok, will change.

> > Chap authentication is working just fine for us so I don't understand
> > why you say LDAP doesn't do CHAP.  Of course LDAP doesn't do CHAP but
> > it doesn't do PAP either for that matter.
>
>   Actually, LDAP servers can do PAP authentication.
>
>   If CHAP works for you, then you're pulling clear-text passwords from
> ldap during the "authorize" phase, and FreeRADIUS is doing the
> authentication.
>
>   Setting "Auth-Type = LDAP" makes the server go ask LDAP to
> authenticate the user.  For 99.9% of the cases, you don't want that.
>
>   So... don't set "Auth-Type = LDAP" in any way shape or form.

Absolutely!  I was confused.  Thanks.

> >  It is simply a matter of
> > setting the password_attribute to a clear password field (yes you have
> > to have one) instead of say, userPassword...
>
>   Exactly.  You then don't need "Auth-Type = LDAP".

Right...  I am now looking at the correct docs and will get this
figured out.

> > Hmm, I will resist the temptation as I am asking for your help.
> > Although I am not an expert, I have configured many a RADIUS server and
> > have never had a need for anything more than your FAQ and README.  This
> > time, however, I haven't been able to find the help I need but
> > recognize that I may be missing something obvious...
>
>   The debug log exists for one purpose: To give the administrator an
> excruciatingly detailed description of what the server did, and why.
> I have been caught MANY times by thinking I knew what was going on,
> and fighting with a problem.  When I finally accepted that I had to
> read the debug log, the problem and solution were obvious.
>
>   The difficulties with written communication is that with English
> text, you can only describe what you think you did, or what you think
> the server is doing.  The pieces from the configuration files, and
> debug logs, are *definitive*.  There's no room for misinterpretation,
> typos, egos, or other problems.
>
>   That's why I keep asking for debug logs: they're the only way to
> know what's really going on.

Again, you are right.  I was completely missing the fact that CHAP was
in fact failing now (access-reject) and that was why the attributes
aren't being returned.  Now that I am searching for the correct things,
I will be able to figure it out.  I thought I was at a dead end when in
fact I wasn't utilizing my logs and was making assumptions about the
issue(s).  LDAP+CHAP configuration appears to have been covered several
times already so I will go back to doing my homework...

Once again, thanks for your help and all of the hard work you do!
Garry

>   Alan DeKok.


LDAP errors with a win2003 active directory (WAS: Re: 4 questions regarding possibilities of radius.)

2004-11-10 Thread Magnus Påhlsson
> > 1) Authentication against two different AD-forests (two different
> > realms) using 4 domain controllers (2 per realm). I've tried getting
> > freeradius to authenticate using the LDAP module but after a short while
> > I gave up and instead configured PAM-support and the libpam-ldap module.
> > Does anyone know of an AD+FreeRadius-specific mini-howto?
>
>   I suggest finding out WHY AD doesn't work in your situation.  Debug
> logs and configuration file pieces would help.

Here's an interesting problem. I got ldap authentication working but 
ONLY as long as I have ldap_debug = 0x. Configuration as follows:

ldap {
	server = ad-dc.domain.com
	ldap_debug = 0x
	identity = "cn=ldapQuery,dc=domain,dc=com"
	password = yep
	basedn = "dc=domain,dc=com"
	filter = "(sAMAccountName=%u)"
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

And in users:
DEFAULT Auth-Type := LDAP
This config works but as soon as I remove ldap_debug = 0x or change 
the value to, as an example, 0x0028 things go mad with the following 
debug (-X) information:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect ad-dc.domain.com:389, authentication 0
rlm_ldap: bind as cn=ldapQuery,dc=domain,dc=com/yep to ad-dc.domain.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(sAMAccountName=user)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns fail for request 0

Now, this seemed a bit odd so I tried the same config using another AD 
forest and it of course works no matter what ldap_debug setting I had. 
The difference is that the one it worked with is a Win2k AD and the one 
it doesn't work with is a win2003 AD. The log on the 2003 domain 
controller shows a successful ldap bind but nothing more. Has anyone 
seen this before?

Magnus


list-related suggestion

2004-11-10 Thread Samuel Sullivan



Hi. I joined this list about a week ago.
 
A suggestion for whoever maintains the list...perhaps adding an identifying 
tag to the subject lines of list messages? Something like [freeradiuslist] or 
some-such. Something to make the emails from the list easier to identify, and in 
turn filter to a dedicated folder.
 
Just a suggestion.
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Samuel Sullivan
Albany Law School
Assistant UNIX/Network Administrator
[EMAIL PROTECTED]
518.472.5854
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Re: list-related suggestion

2004-11-10 Thread Magnus Påhlsson
Samuel,
> A suggestion for whoever maintains the list...perhaps adding an
> identifying tag to the subject lines of list messages? Something like
> [freeradiuslist] or some-such. Something to make the emails from the
> list easier to identify, and in turn filter to a dedicated folder.

while I agree that this is a good idea I also want to make you aware of 
the List-ID header. This header will always show the information (no 
linebreak)

List-Id: FreeRadius users mailing list 


which makes it easy to configure your filters. It's more reliable than a 
subject tag as well.

Magnus


Re: list-related suggestion

2004-11-10 Thread Paul Hampson
On Wed, Nov 10, 2004 at 01:33:10PM -0500, Samuel Sullivan wrote:
> Hi. I joined this list about a week ago.

> A suggestion for whoever maintains the list...perhaps adding an
> identifying tag to the subject lines of list messages? Something like
> [freeradiuslist] or some-such. Something to make the emails from the
> list easier to identify, and in turn filter to a dedicated folder.

I could be wrong, but I think this was discussed here sometime last
year. Check the list archives, maybe, and see what was said then.

-- 
Paul "TBBle" Hampson, on an alternate email client.



radwho appears out of sync with accounting "detail" file

2004-11-10 Thread Jason Haar
Hi there
I'm running FreeRADIUS 1.0.1 and for this release (and previously 0.9x) 
have had a problem where radwho doesn't appear to always remove entries 
after someone has logged out.

We have a network of Cisco VPN3000 concentrators and use FreeRADIUS as 
the accounting backends. When someone logs in, their accounting details 
(i.e. START records) show up in 
/var/log/radius/radacct/ip.add.ress/detail, and radwho shows they're 
logged in.

When they logout/timeout, the STOP record shows up in 
/var/log/radius/radacct/ip.add.ress/detail, but *radwho doesn't always 
remove them*... I have checked out STOP records from ones that 
successfully got removed from the radwho file (i.e. radutmp), and cannot 
see any real difference between that and one that didn't update radwho 
correctly.

Is this a bug? As the detail file is correct, it does imply this isn't a 
network or frontend problem.

Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: radwho appears out of sync with accounting "detail" file

2004-11-10 Thread Alan DeKok
Jason Haar <[EMAIL PROTECTED]> wrote:
> I'm running FreeRADIUS 1.0.1 and for this release (and previously 0.9x) 
> have had a problem where radwho doesn't appear to always remove entries 
> after someone has logged out.

  It removes people only when it can match the logout record to a
login record.

> Is this a bug? As the detail file is correct, it does imply this isn't a 
> network or frontend problem.

  The detail file can't be "correct", it's just a blind dump of packets.

  I suggest running the server in debugging mode to see what the
radutmp module does with the accounting stop record.  Since you have
the "detail" files, you can set up a test server, and use the packets
from the detail files to send test "start" and "stop" packets.

  Alan DeKok.


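Alan's suggestion above is to treat the "detail" files as the source of the start/stop packets and work out which stops the radutmp module can actually pair with a start. The following is an added example (not code from the list thread or from FreeRADIUS) that parses the detail file layout the thread refers to and reports two things a practitioner would want before replaying anything: sessions with a Start but no Stop (these will still show in radwho) and Stop records with no preceding Start (these can never clear a radutmp entry). The sample detail records, the hosts, users and session ids in them, and the matching key (NAS-IP-Address, NAS-Port, Acct-Session-Id) are this example's own assumptions; the page does not state rlm_radutmp's exact matching rules.

```python
from typing import Dict, List, Tuple

# Added example, not from the list thread or the FreeRADIUS sources.
# Assumed detail-file layout: a non-indented timestamp line opens a record,
# tab-indented "Attribute = value" lines follow, a blank line ends it.

# Constructed sample detail file: hosts, users and session ids are invented.
SAMPLE_DETAIL = """\
Wed Nov 10 09:00:01 2004
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0001A2B3"
\tUser-Name = "alice"
\tNAS-IP-Address = 10.0.0.5
\tNAS-Port = 1
\tFramed-IP-Address = 10.1.0.20

Wed Nov 10 09:05:00 2004
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0001A2B5"
\tUser-Name = "carol"
\tNAS-IP-Address = 10.0.0.5
\tNAS-Port = 3

Wed Nov 10 09:30:00 2004
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0001A2B3"
\tUser-Name = "alice"
\tNAS-IP-Address = 10.0.0.5
\tNAS-Port = 1
\tAcct-Session-Time = 1799
\tAcct-Terminate-Cause = User-Request

Wed Nov 10 09:45:00 2004
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0001A2B4"
\tUser-Name = "bob"
\tNAS-IP-Address = 10.0.0.5
\tNAS-Port = 2
\tAcct-Session-Time = 120
"""

Record = Dict[str, object]
SessionKey = Tuple[object, object, object]


def parse_detail(text: str) -> List[Record]:
    """Split a detail file into records of {"timestamp": str, "attrs": {...}}."""
    records: List[Record] = []
    current = None
    for line in text.splitlines():
        if not line.strip():                 # blank line closes the record
            if current is not None:
                records.append(current)
                current = None
            continue
        if line[0] not in " \t":             # non-indented line: timestamp
            current = {"timestamp": line.strip(), "attrs": {}}
            continue
        if current is None:                  # attribute before any header: skip
            continue
        name, sep, value = line.strip().partition(" = ")
        if sep:
            current["attrs"][name] = value.strip('"')
    if current is not None:
        records.append(current)
    return records


def session_key(attrs: Dict[str, str]) -> SessionKey:
    # Assumed pairing key; rlm_radutmp's own rules are not stated on the page.
    return (attrs.get("NAS-IP-Address"), attrs.get("NAS-Port"),
            attrs.get("Acct-Session-Id"))


def reconcile(records: List[Record]) -> Tuple[Dict[SessionKey, Record], List[Record]]:
    """Return (still-open sessions, Stop records that matched no Start)."""
    open_sessions: Dict[SessionKey, Record] = {}
    orphan_stops: List[Record] = []
    for rec in records:
        attrs = rec["attrs"]
        key = session_key(attrs)
        status = attrs.get("Acct-Status-Type")
        if status == "Start":
            open_sessions[key] = rec
        elif status == "Stop":
            if key in open_sessions:
                del open_sessions[key]
            else:
                orphan_stops.append(rec)
    return open_sessions, orphan_stops


if __name__ == "__main__":
    opened, orphans = reconcile(parse_detail(SAMPLE_DETAIL))
    for key, rec in opened.items():
        print("still open:", key, rec["attrs"].get("User-Name"))
    for rec in orphans:
        print("stop without start:", rec["attrs"].get("User-Name"), rec["timestamp"])
```

Running this over a real detail file (read it instead of `SAMPLE_DETAIL`) tells you whether the "stuck" radwho entries correspond to stops whose NAS/port/session values differ from the start, which is exactly the mismatch the debug output of the radutmp module would show when those packets are replayed.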


Re: rlm_ippool_tool option 'r' removes ip address from pool

2004-11-10 Thread Mike O'Connor
Hi All
I have had a look through the source code for this program and can not
see why it would be deleting these records instead of just releasing them.

Could someone who is a little more experienced with the source code have
a look at this and give me an idea of what's going on?

Thanks
Mike
Mike O'Connor wrote:
> Hi All
> Using Freeradius 1.0.1
> I wrote a program to keep my ippool in line with my online list; it
> used the rlm_ippool_tool to set an ip address as inactive when there
> was a problem.
>
> After reading the rlm_ippool_tool options I decided that the option
> '-r: remove active entries' was the one to use.
>
> Problem is it does not seem to be the correct one because instead of
> just setting the ip address as inactive it removes it altogether.
>
> Does this seem to be correct? If so, what method should I be using?
> Thanks
> Mike


Local and System auth type

2004-11-10 Thread ral
Is it possible to use two different Auth-Types? My DEFAULT Auth-Type is
System, and I have one user who needs to be authenticated with Local.
I am getting an authentication error with the user who has the Local Auth-Type.

thanks for any help.

Lito

