Re: radius proxy
Alan DeKok wrote:
> There's nothing in the server right now to do something different if the home server returned Access-Reject, or simply failed to respond.

If the home server sends a Reply-Message along, then there's a difference.

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_exec fail V reject
Paul Hampson wrote:
> On Thu, Nov 18, 2004 at 05:14:47PM -0800, Jev wrote:
> > Ok, great Paul, thank you! Is it this patch:
> > http://lists.freeradius.org/archives/freeradius-users/2004/09/frm00132.html
> > that you plan to apply? Is the patch in that post the most recent? I ask because I may attempt to apply and build it myself, so I can proceed with some testing that I need this feature for...
>
> That patch, with the changes described here:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10746.html
> except the line number in rlm_exec is wrong... Oh heck, here's the patch as it sits in my source tree. ^_^

Thanks again Paul, I hope to have time to try it over the weekend myself. If I succeed I'll let you know...

Regards,
-Jev

[snip]
Re: radius proxy
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> When a radius reply comes back from a proxy server, can/does FreeRadius know if it was a bad password/bad login or a timeout of the proxy server? Is there an error code or ID that is set? Or an attribute that says why the reply was rejected?

There's nothing in the server right now to do something different if the home server returned Access-Reject, or simply failed to respond.

Alan DeKok.
Re: rlm_ippool - not releasing ip addresses
Hi Alan

Thanks for your comments. I used your suggestion as a basis and have found that the accounting stop records do not always have the same port id. This means it does not match correctly and does not release the port.

I do not see any way of fixing this from the nas end, so I plan to write some software which checks if a port has been released (using the Alive and Stop records) and then sends an Acct Stop record with the correct port details.

If anyone has a better idea please email the list.

Thanks
Mike

Alan DeKok wrote:
> Mike O'Connor <[EMAIL PROTECTED]> wrote:
> > There are 30 addresses in the pool and at this time 13 of these are listed as active but the radacct records show that the users using these addresses have logged off.
>
> Maybe the ippool module isn't getting the information it needs to release the address. Run the server in debugging mode to see.
>
> Or, look at the detail file for sessions where the address isn't released. Run a test server in debugging mode, and send copies of those packets to the server, and see what the ippool module does.
>
> Alan DeKok.
Re: General question on Radius/802.1x
Thank you all for your help.

Andrea

--
Andrea G. Forte

On Thu, 18 Nov 2004, Joe Matuscak wrote:
> On Thu, 18 Nov 2004, Andrea G. Forte wrote:
> > The assumption made here is that the authenticator is the AP. I believe things would be much easier and still safe if one authenticator would control a group of APs and not just be one itself. This group of APs could be a subnet or a smaller group, but at least within this group the handoff would be much faster. The authenticator would act in the same way except that it would do the job for a group of APs and not for just one.
>
> That's pretty much what "Wireless Domain Services" (WDS) on the Cisco Aironet APs does. One of the APs does the direct communication to the radius server and then caches that for its client APs. Take a look at:
>
> http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
>
> Joe Matuscak
> Rohrer Corporation
> 717 Seville Road
> Wadsworth, Ohio 44281
> (330)335-1541
> [EMAIL PROTECTED]
radius proxy
Alan,

When a radius reply comes back from a proxy server, can/does FreeRadius know if it was a bad password/bad login or a timeout of the proxy server? Is there an error code or ID that is set? Or an attribute that says why the reply was rejected?

Ron.
Re: run RADIUS at startup
Michael Basso wrote:
> > What you see from 'top' is technically correct. However, what you have done to start radiusd could be somewhat better.
>
> Can you expand on "somewhat better"?

Using the rc.radiusd script in your init.d directory. Using chkconfig. All this is general Linux stuff, so maybe you might consider reading some Linux tutorials first :)

In addition: reading *all* the documentation in the "doc" directory of freeradius, in particular supervise-radiusd.txt

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots
RE: run RADIUS at startup
> What you see from 'top' is technically correct. However, what you have done to start radiusd could be somewhat better.

Can you expand on "somewhat better"?

> Nevertheless, the reason for seeing seven processes will become clear if you issue 'ps afx' - this will show you parent and children processes. You should see that there is a 'master' process - this is the one that was started by rc.local - and six children. From that point of view all is well.
>
> NH
>
> Michael Basso wrote:
> > I wanted freeradius to run on startup. In etc/rc.d/rc.local I entered /usr/local/sbin/radiusd.
> >
> > When I run 'top' to see all processes running I see 7 instances of radiusd. Is this correct?
> >
> > Michael Basso
Re: run RADIUS at startup
What you see from 'top' is technically correct. However, what you have done to start radiusd could be somewhat better.

Nevertheless, the reason for seeing seven processes will become clear if you issue 'ps afx' - this will show you parent and children processes. You should see that there is a 'master' process - this is the one that was started by rc.local - and six children. From that point of view all is well.

NH

Michael Basso wrote:
> I wanted freeradius to run on startup. In etc/rc.d/rc.local I entered /usr/local/sbin/radiusd.
>
> When I run 'top' to see all processes running I see 7 instances of radiusd. Is this correct?
>
> Michael Basso
run RADIUS at startup
I wanted freeradius to run on startup. In etc/rc.d/rc.local I entered /usr/local/sbin/radiusd.

When I run 'top' to see all processes running I see 7 instances of radiusd. Is this correct?

Michael Basso
Freeradius + MySQL + MD5 passwords
Hi masters.

I am looking for a tutorial/how-to to set up a radius server using freeradius and MySQL and MD5 passwords.

Actually I have a Livingston Portmaster 3 authenticating users on my linux server. The authentication is based on MD5 passwords stored in /etc/shadow, for example $1$u5C6uZb/$FXr/.g1NXTZYh19Zj158y1 (using the SALT feature). I have to migrate these users to a new machine running freeradius, using the same good old school md5 passwords and mysql.

Unfortunately my freeradius is only working with plain text authentication mode. I am googling for answers but all results point me to this list. I know that the subject is not new, but I have been working on it for days without success, so sorry about the post.

Which are the basic parameters in radiusd.conf to authenticate in MySQL with md5 passwords? Do I have to do any modification in the database?

I'd appreciate any help. Thanks in advance and sorry about the poor English.
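Added example, not part of the post above: a pure-Python implementation of the md5crypt (`$1$`) scheme behind hashes like the one quoted, used to verify a candidate password against a stored hash; the demo password and salt are constructed values. A server can only check such a hash when the client sends the cleartext password (PAP), which is why crypt-style hashes cannot be used with CHAP or MS-CHAP.

```python
import hashlib
import hmac

# Constructed demo values (not from the list post): any password/salt pair works.
DEMO_PASSWORD = "correct horse"
DEMO_SALT = "u5C6uZb/"   # 8-char salt in the same style as the hash quoted above

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` base-64 digits of `value`, least-significant digit first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """Poul-Henning Kamp's md5crypt ("$1$" hashes), as used in /etc/shadow.
    `salt` may be a bare salt or a full "$1$salt$hash" string."""
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]          # the true salt: up to 8 chars before '$'
    pw, sp = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    # Mix in len(pw) bytes of MD5(pw, salt, pw), repeating the digest as needed.
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    # For each bit of len(pw): a zero byte for a 1 bit, the first password byte for a 0 bit.
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    # 1000 rounds of deliberately irregular re-hashing to slow down brute force.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Encode the 16 digest bytes in the scheme's peculiar byte order (22 characters).
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def verify(password: str, stored_hash: str) -> bool:
    """Check a cleartext password (as received via PAP) against a $1$ hash."""
    if not stored_hash.startswith("$1$"):
        return False
    recomputed = md5crypt(password, stored_hash)
    return hmac.compare_digest(recomputed, stored_hash)


if __name__ == "__main__":
    h = md5crypt(DEMO_PASSWORD, DEMO_SALT)
    print(h, verify(DEMO_PASSWORD, h), verify("wrong password", h))
```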
Re: Multiple processing heads...
Stuart Harris wrote:
> MySQL supports read-only (one way) replication; we replicate all our live databases (customer hosting, internal, etc...) to a single backup DB which has a 'live' copy. It doesn't normally have writes to it, but it can quickly be used to build up a replacement DB that is current as of the time of departure of a dead server..

The replication of the DB also generates load.

> What I'd like to do is move our 'single point of failure' Free Radius server off a dedicated server and onto the farm (m00)...

If I were you I'd look for a solution without a single point of failure.

> I'd also be interested in ideas of how I could actually have a continually live radius solution that can query the 'backup' server if the primary goes down... but queue accounting until the master is up... (I can hope :P)

To have a redundant setup, you should have 2 radius servers (radA and radB) and 2 DB servers (dbA and dbB).
- radA will work with dbA and radB will work with dbB.
- radA and radB will copy all accounting to each other with radrelay.
- no db replication, so all other processes have to make changes to dbA as well as to dbB.

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots
Re: eap-tls auth: access accept is sent but xp client keeps resending access-req
On Fri, 2004-11-19 at 07:33, Lara Adianto wrote:
> I feel that the following lines (taken from the above log) indicate that something's not right but I'm not sure what they mean... maybe somebody can help me?
>
> [3092] 12:43:31:912: ElKeyReceiveRC4: Signature in Key Desc does not match
> [3092] 12:43:36:929: EAPOL-Key for transmit key *NOT* received within 5 seconds in AUTHENTICATED state

You would be correct in this assessment. For some reason, your AP is not sending the encryption (WEP or WPA) keys after successful authentication. This has nothing to do with FreeRADIUS, as FreeRADIUS is out of the game at that point, and will need to be taken up with the manufacturer of your AP.

--
--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: help
jagadish gowda <[EMAIL PROTECTED]> wrote:
> Apart from the RADIUS server name/IP, port and shared secret key, is there any other mandatory information which should be configured for RADIUS authentication.

That depends what kind of authentication the users are doing.

> Are there any situations where RADIUS attributes may be considered as mandatory and should be appended along with Access-Request other than user name and password.

No.

Alan DeKok.
Re: Deny Access for users
"Silvestre Malta" <[EMAIL PROTECTED]> wrote:
> I've also another question I can't solve.
> My Log of radius is displaying some errors like:
> "Error: Dropping conflicting packet from client nas2:5 - ID: 234 due to unfinished request 2831"

Either your NAS is re-sending packets very quickly, or your back-end database is very very slow. Find out which problem it is, and fix it.

Alan DeKok.
Re: extendedKeyUsage = 1.3.6.1.5.5.7.3.1
"Bilal Shahid" <[EMAIL PROTECTED]> wrote:
> Now I might be totally off the track here in this analysis but I just wanted to make sure that the Server is indeed sending out what it is supposed to send out to the Client. Is it alright that the OID being sent to the Client has its first 2 bytes (0x01, 0x03) replaced by something else (0x08, 0x2b)?

Please read the appropriate specifications to see what the format should be.

Whatever's going on, FreeRADIUS is just using the OpenSSL code. I suggest asking SSL questions on their list.

Alan DeKok.
Re: rlm_ippool - not releasing ip addresses
Mike O'Connor <[EMAIL PROTECTED]> wrote:
> There are 30 addresses in the pool and at this time 13 of these are listed as active but the radacct records show that the users using these addresses have logged off.

Maybe the ippool module isn't getting the information it needs to release the address. Run the server in debugging mode to see.

Or, look at the detail file for sessions where the address isn't released. Run a test server in debugging mode, and send copies of those packets to the server, and see what the ippool module does.

Alan DeKok.
Re: Error: TLS_accept:error in SSLv3 read client certificate A
Service <[EMAIL PROTECTED]> wrote:
> Fri Nov 19 17:26:55 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
...
> How to solve this problem?

The debug log you posted shows that the server sends an Access-Accept. So the error isn't critical, and isn't affecting anything.

Alan DeKok.
Error: TLS_accept:error in SSLv3 read client certificate A
Hi All,

I use freeradius-1.0.1 on linux and WindowsXP+Dlink-120E Supplicant. I use cert.sh for generating certificates and "HOWTO: EAP/TLS Setup for freeradius and WindowsXP Supplicant" (http://freeradius.org/doc/EAPTLS.pdf) for setting up the wireless connection.

After setup and starting freeradius, when I try to connect I see in radius.log:

Fri Nov 19 17:25:05 2004 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri Nov 19 17:25:05 2004 : Info: Ready to process requests.
Fri Nov 19 17:25:52 2004 : Info: rlm_eap_md5: Issuing Challenge
Fri Nov 19 17:25:52 2004 : Info: rlm_eap_tls: Length Included
Fri Nov 19 17:25:52 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Nov 19 17:25:52 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Nov 19 17:25:52 2004 : Info: rlm_eap_tls: Length Included
Fri Nov 19 17:25:52 2004 : Info: (other): SSL negotiation finished successfully
Fri Nov 19 17:26:55 2004 : Info: rlm_eap_md5: Issuing Challenge
Fri Nov 19 17:26:55 2004 : Info: rlm_eap_tls: Length Included
Fri Nov 19 17:26:55 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Nov 19 17:26:55 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Nov 19 17:26:56 2004 : Info: rlm_eap_tls: Length Included
Fri Nov 19 17:26:56 2004 : Info: (other): SSL negotiation finished successfully
Fri Nov 19 17:26:59 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

How to solve this problem?

These are the logs after starting radiusd -X -A:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
listen: port = 0
listen: type = "auth"
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "gljadikati"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Ins
Compile problem of last CVS version on FreeBSD 4.x
Tried on two FreeBSD 4.x boxes

#gmake
gmake[1]: Entering directory `/root/src/radiusd'
Making all in libltdl...
gmake[2]: Entering directory `/root/src/radiusd/libltdl'
gmake[2]: *** No rule to make target `all'. Stop.
gmake[2]: Leaving directory `/root/src/radiusd/libltdl'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/root/src/radiusd'
gmake: *** [all] Error 2

#uname -a
FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Nov 10 15:58:43 MSK 2003

configure:8639: checking if libtool supports shared libraries
configure:8641: result: yes
configure:8644: checking whether to build shared libraries
configure:8702: result: yes
configure:8705: checking whether to build static libraries
configure:8709: result: yes
configure:8801: creating libtool
configure:9348: checking for ld used by g++
configure:9415: result: /usr/libexec/elf/ld
configure:9424: checking if the linker (/usr/libexec/elf/ld) is GNU ld
configure:9439: result: yes
configure:9490: checking whether the g++ linker (/usr/libexec/elf/ld) supports shared libraries
configure:10316: result: yes

I didn't find any lines related to libltdl in config.log. This version can be built successfully if I copy the libltdl dir from the release.
RE: Multiple processing heads...
If the radius servers are writing to the same database then the accounting packet will be sent to one radius server only and written to the database only once.

I hope this helps

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart Harris
Sent: Thursday, November 18, 2004 4:56 PM
To: [EMAIL PROTECTED]
Subject: RE: Multiple processing heads...

For me having an SQL server fail isn't a problem, I'm lucky in a way as I've got too many servers and not enough to do with them ;) If our radius SQL server failed, I could have a replacement up within 30 minutes as I've got a slave that polls all our other SQL servers to keep a current transaction log... all I need to know is that I'm not going to get problems with accounting packet duplication or some other weird thing ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cris Boisvert
Sent: 18 November 2004 21:36
To: [EMAIL PROTECTED]
Subject: RE: Multiple processing heads...

I have it running with multiple servers connecting to one mysql server.. so all the accounting goes to the same place.. Then I have all the servers synchronize (locally) with it nightly and fail over to the local one if the primary stopped working? I'm redoing it now because my server motherboard died.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart Harris
Sent: Thursday, November 18, 2004 4:16 PM
To: [EMAIL PROTECTED]
Subject: Multiple processing heads...

Has anyone here got a setup with multiple processing servers connected to a single DB (mySQL) server? The only issue I can think of is when it's writing accounting... Anyone got any experience of doing this?
RE: COMPILATION ERROR
Eva,

I had the same problem a couple of days before and got it fixed. Disable rlm_x99_token when using the configure command. It would help to get rid of this error.

Regards,
Janakan Rajendran

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eva Kolega
Sent: Friday, November 19, 2004 7:22 AM
To: [EMAIL PROTECTED]
Subject: COMPILATION ERROR

I used to have an error in compilation with mysql components, so I thought of changing machine (SUN Fire 280R) and beginning from scratch. So I installed mysql 2.0.21 and openssl as recommended by Sun. And then I had the following error in bold upon compilation. However, this file is there! I have seen this error in a newsgroup in early October but I did not see any answer provided. But of course freeradius runs on Sol 9!

So, has anybody come across this error?

Thanks a lot,
Eva

COMPILATION LOG-
make[6]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_unix'
Making static dynamic in rlm_x99_token...
make[6]: Entering directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_x99_token'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\" -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
In file included from x99_rlm.c:54:
x99.h:26:42: openssl/des.h: No such file or directory
In file included from x99_rlm.c:54:
x99.h:146: error: parse error before "des_cblock"
x99.h:146: warning: no semicolon at end of struct or union
x99.h:147: warning: type defaults to `int' in declaration of `x99_user_info_t'
x99.h:147: warning: data definition has no type or storage class
x99.h:152: error: parse error before "des_cblock"
x99.h:152: warning: function declaration isn't a prototype
x99.h:153: error: parse error before "des_cblock"
x99.h:153: warning: function declaration isn't a prototype
x99.h:165: error: parse error before "des_cblock"
x99.h:165: warning: function declaration isn't a prototype
x99.h:166: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:166: error: parse error before "keyblock"
x99.h:167: warning: function declaration isn't a prototype
x99.h:170: error: parse error before "x99_user_info_t"
x99.h:170: warning: function declaration isn't a prototype
x99.h:180: error: parse error before "des_cblock"
x99.h:180: warning: function declaration isn't a prototype
x99.h:182: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:182: error: parse error before "keyblock"
x99.h:182: warning: function declaration isn't a prototype
x99_rlm.c: In function `x99_token_authorize':
x99_rlm.c:294: error: parse error before "user_info"
x99_rlm.c:331: error: `user_info' undeclared (first use in this function)
x99_rlm.c:331: error: (Each undeclared identifier is reported only once
x99_rlm.c:331: error: for each function it appears in.)
x99_rlm.c: In function `x99_token_authenticate':
x99_rlm.c:460: error: parse error before "user_info"
x99_rlm.c:492: error: `user_info' undeclared (first use in this function)
x99_rlm.c:550: warning: deprecated use of label at end of compound statement
make[6]: *** [x99_rlm.o] Error 1
make[6]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_x99_token'
make[5]: *** [common] Error 1
make[5]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/usr/local/src/freeradius-1.0.1/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/local/src/freeradius-1.0.1/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/usr/local/src/freeradius-1.0.1'
make: *** [all] Error 2
Re: eap-tls auth: access accept is sent but xp client keeps resending access-req
I still can't solve this problem.

To all people who have successfully configured EAP/TLS and FreeRadius, how did you generate the cert? Through a certificate authority in windows? Or openssl in linux? Is it necessary for the windows XP supplicant to be able to contact the domain of the cert?

I tried with a D-Link-650+ wireless card and eapol.log shows:

[3092] 12:43:31:912: ProcessReceivedPacket: != EAP_Packet
[3092] 12:43:31:912: ProcessReceivedPacket: == EAPOL_Key
[3092] 12:43:31:912: FSMKeyReceive entered for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: ElKeyReceiveRC4 entered for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: KeyLength = 13, KeyIndex = 131
[3092] 12:43:31:912: ElKeyReceiveRC4: Signature in Key Desc does not match
[3092] 12:43:31:912: ElKeyReceiveRC4 completed for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: FSMKeyReceive completed for port D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
[3092] 12:43:31:912: ProcessReceivedPacket: STATE_AUTHENTICATED
[3092] 12:43:31:912: ProcessReceivedPacket: Reposting buffer on port {CCB07A09-4681-4980-A6E7-6AEE66016B3B}
[3092] 12:43:31:912: ElReadFromPort entered
[3092] 12:43:31:912: ElReadFromPort: pPCB = 03247188, RefCnt = 3
[3092] 12:43:31:912: ProcessReceivedPacket: pPCB= 03247188, RefCnt = 3
[3092] 12:43:31:912: ProcessReceivedPacket exit
[3092] 12:43:36:929: ElTimeoutCallbackRoutine entered
[3092] 12:43:36:929: EAPOL-Key for transmit key *NOT* received within 5 seconds in AUTHENTICATED state
[3092] 12:43:36:929: EAPOL Failure: Fail Count = 2
[3092] 12:43:36:929: ElVerifyEAPOLKeyReceived: Calling ElZeroConfigNotify: failcount=2, prevauthtype=1, type=(2)
[3092] 12:43:36:929: ElVerifyEAPOLKeyReceived: RpcCmdInterface[12] SUCCEEDed
[3092] 12:43:36:929: ElZeroConfigNotify: Handle=(13), failcount=(2), lastauthtype=(1)

I feel that the following lines (taken from the above log) indicate that something's not right but I'm not sure what they mean... maybe somebody can help me?

[3092] 12:43:31:912: ElKeyReceiveRC4: Signature in Key Desc does not match
[3092] 12:43:36:929: EAPOL-Key for transmit key *NOT* received within 5 seconds in AUTHENTICATED state

Thanks,
lara

Lara Adianto <[EMAIL PROTECTED]> wrote:
> > The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access-point. However, after about 1 minute, the client will resend an access-request. And this keeps repeating...
>
> Ok...
>
> > The only error log I can suspect from event viewer is this:
> ...
> > Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
> > Enrollment will not be performed.
> > For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
> That looks like the problem to me. Fix that, and the machine should stay on the network.
>
> And no, there's nothing you can do to FreeRADIUS to fix that problem.
>
> Alan DeKok.
>
> Lara Adianto <[EMAIL PROTECTED]> wrote:
> > Hi list,
> >
> > I have a strange problem with EAP/TLS authentication. I have done the setup with the guide from Ken Roser's howto provided on the freeradius site:
> > - The client is XP, wireless card: linksys WPC54G
> > - The freeradius server is installed in linux
> > - The access point is linksys WRT54G
> > - The certificates (with enhanced key usage for server and client authentication) for server and client are generated using openssl installed in the freeradius server
> >
> > The log file of freeradius shows that the authentication is successful, with access-accept being sent. I use tcpdump to confirm that access-accept is indeed sent and received by the access-point. However, after about 1 minute, the client will resend an access-request. And this keeps repeating... and the client seems to fail the authentication though the radius server keeps sending access-accept:
> >
> > Sending Access-Accept of id 23 to 192.168.168.60:1232
> > MS-MPPE-Recv-Key = 0xeb0e81327b50c60eb6bd54a9a02da65bcc87136bfdf0d0708f9be01db4078473
> > MS-MPPE-Send-Key = 0xb01787160d97e7cf0ac614e56479ee7870a6068f142a2279b71e5d3894225f72
> > EAP-Message = 0x03150004
> > Message-Authenticator = 0x
> >
> > No session-timeout attribute is sent though, like in ken roser's log file. Could this be a problem?
> >
> > The eapol.log shows:
> > [1648] 15:45:13:583: ElWriteCompletionRoutine sent out 0 bytes with error -1073741823
> > but I'm not quite sure what it means.
> >
> > The only error log I can suspect from event viewer is this:
> > Event Type: Error
> > Event Source: AutoEnrollment
> > Event Category: None
> > Event ID: 15
> > Date: 17-Nov-04
> > Time: 7:50:04 PM
> > User: N/A
> > Computer: LAR4S
> > Description:
> > Automatic certificate enrollment for local system failed to contact the active
COMPILATION ERROR
I used to have an error in compilation with mysql components, so I thought of changing machine (SUN Fire 280R) and beginning from scratch. So I installed mysql 2.0.21 and openssl as recommended by Sun. And then I had the following error in bold upon compilation. However, this file is there! I have seen this error in a newsgroup in early October but I did not see any answer provided. But of course freeradius runs on Sol 9!

So, has anybody come across this error?

Thanks a lot,
Eva

COMPILATION LOG-
make[6]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_unix'
Making static dynamic in rlm_x99_token...
make[6]: Entering directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_x99_token'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../../include -DX99_MODULE_NAME=\"rlm_x99_token\" -DFREERADIUS -c x99_rlm.c -o x99_rlm.o
In file included from x99_rlm.c:54:
x99.h:26:42: openssl/des.h: No such file or directory
In file included from x99_rlm.c:54:
x99.h:146: error: parse error before "des_cblock"
x99.h:146: warning: no semicolon at end of struct or union
x99.h:147: warning: type defaults to `int' in declaration of `x99_user_info_t'
x99.h:147: warning: data definition has no type or storage class
x99.h:152: error: parse error before "des_cblock"
x99.h:152: warning: function declaration isn't a prototype
x99.h:153: error: parse error before "des_cblock"
x99.h:153: warning: function declaration isn't a prototype
x99.h:165: error: parse error before "des_cblock"
x99.h:165: warning: function declaration isn't a prototype
x99.h:166: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:166: error: parse error before "keyblock"
x99.h:167: warning: function declaration isn't a prototype
x99.h:170: error: parse error before "x99_user_info_t"
x99.h:170: warning: function declaration isn't a prototype
x99.h:180: error: parse error before "des_cblock"
x99.h:180: warning: function declaration isn't a prototype
x99.h:182: warning: type defaults to `int' in declaration of `des_cblock'
x99.h:182: error: parse error before "keyblock"
x99.h:182: warning: function declaration isn't a prototype
x99_rlm.c: In function `x99_token_authorize':
x99_rlm.c:294: error: parse error before "user_info"
x99_rlm.c:331: error: `user_info' undeclared (first use in this function)
x99_rlm.c:331: error: (Each undeclared identifier is reported only once
x99_rlm.c:331: error: for each function it appears in.)
x99_rlm.c: In function `x99_token_authenticate':
x99_rlm.c:460: error: parse error before "user_info"
x99_rlm.c:492: error: `user_info' undeclared (first use in this function)
x99_rlm.c:550: warning: deprecated use of label at end of compound statement
make[6]: *** [x99_rlm.o] Error 1
make[6]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules/rlm_x99_token'
make[5]: *** [common] Error 1
make[5]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/usr/local/src/freeradius-1.0.1/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/usr/local/src/freeradius-1.0.1/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/local/src/freeradius-1.0.1/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/usr/local/src/freeradius-1.0.1'
make: *** [all] Error 2
help
Hi all,

I am currently working on RADIUS authentication. I need a clarification regarding one of my requirements, where our customers use any flavour of RADIUS server with PAP or CHAP authentication to authenticate users who use our product. I should be able to provide the flexibility to connect to those servers and get the user authenticated by that server, to provide centralised user info management, mostly server independent.

Apart from the RADIUS server name/IP, port and shared secret key, is there any other mandatory information which should be configured for RADIUS authentication? Are there any situations where RADIUS attributes may be considered mandatory and should be appended along with the Access-Request other than user name and password? What I mean is, should I allow customers to configure those attributes in order to authenticate using RADIUS authentication?

Thanks and Regards,
jagadish T

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
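As an added illustration (not part of the original post or of FreeRADIUS), the following builds the minimal PAP Access-Request the question is about: User-Name, the User-Password obfuscated with the shared secret and Request Authenticator as RFC 2865 section 5.2 specifies, and the NAS-IP-Address or NAS-Identifier that RFC 2865 section 4.1 makes mandatory. The secret, user, NAS address and fixed authenticator are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute types used below
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_user_password(cipher, secret, authenticator):
    """Inverse of encrypt_user_password: what the server does before checking PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One attribute TLV: Type, Length (including these 2 octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip=None, nas_id=None, authenticator=None):
    """PAP Access-Request. Besides the credentials, RFC 2865 s4.1 requires
    NAS-IP-Address or NAS-Identifier (or both), so that is enforced here."""
    if nas_ip is None and nas_id is None:
        raise ValueError("Access-Request must carry NAS-IP-Address or NAS-Identifier")
    ra = authenticator if authenticator is not None else os.urandom(16)
    body = attr(USER_NAME, user.encode())
    body += attr(USER_PASSWORD, encrypt_user_password(password.encode(), secret, ra))
    if nas_ip is not None:
        body += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if nas_id is not None:
        body += attr(NAS_IDENTIFIER, nas_id.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def parse_attributes(packet):
    """Validate the header length and walk the TLVs; returns {type: value}."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, i = {}, 20
    while i < length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[t] = packet[i + 2:i + l]
        i += l
    return attrs
```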
Re: Deny Access for users
> Do you have reverse lookup dns configured for these IP's? I think it should work
> (but through DNS, not clients.conf).

Yes. I've reverse DNS configured for these IPs. That's why I'm not understanding why the output of radwho only displays the IP addresses. I've talked about the file clients.conf due to the short name of the NAS; it is here that we specify this information, isn't it?

> See the checkval module. The exact details depend on your user database.

I'm sorry for the stupid guy I am, but I haven't found any support documentation to elucidate correctly how to use this module. Can you give some links or an example on how to proceed? My users are on a MySQL database.

I've also another question I can't solve. My radius log is displaying some errors like:
"Error: Dropping conflicting packet from client nas2:5 - ID: 234 due to unfinished request 2831"
I've searched through the lists and someone talked about the delay (reject_delay); I've increased it to 2 seconds but the error still appears. Can you help me here, again, please?

Thanks for the reply Kostas
Re: help groups and LDAP
On Fri, 19 Nov 2004, LALOT Dominique wrote:

> It does not work either, maybe I should avoid pools for default IP settings? I put a value toto in supannaffectation which does not exist as a pool name.
>
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 199
> users: Matched DEFAULT at 227
> users: Matched DEFAULT at 254
> modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for fred
> ...
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (uid=fred)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding supannaffectation as Pool-Name, value toto & op=21

It DOES work. You have a Pool-Name in ldap and it overwrites any existing values. That's expected behaviour. I thought you wanted the Pool-Name to be set in cases where it is not included in ldap...

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: help groups and LDAP
It does not work either, maybe I should avoid pools for default IP settings? I put a value toto in supannaffectation which does not exist as a pool name.

Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched DEFAULT at 199
users: Matched DEFAULT at 227
users: Matched DEFAULT at 254
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for fred
...
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (uid=fred)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding supannaffectation as Pool-Name, value toto & op=21
rlm_ldap: Adding ntPassword as NT-Password, value CF835867E40871E2C625A51ABFA4F8F5 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value B2D6BDED78797D0125AD3B83FA6627C7 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user fred authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "fred" with password "xxx"
rlm_ldap: user DN: uid=fred,ou=people,ou=u2,dc=univ,dc=fr
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=fred,ou=people,ou=u2,dc=univ,dc=fr/xxx to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user fred authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [fred] (from client localhost port 1813)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
modcall[post-auth]: module "ScEco" returns noop for request 0
modcall[post-auth]: module "IUT" returns noop for request 0
modcall[post-auth]: module "Medecine" returns noop for request 0
modcall[post-auth]: module "Esil" returns noop for request 0
modcall[post-auth]: module "Pharo" returns noop for request 0
modcall[post-auth]: module "Sciences" returns noop for request 0
modcall[post-auth]: module "Pharmacie" returns noop for request 0
modcall[post-auth]: module "OSU" returns noop for request 0
modcall[post-auth]: module "IM2" returns noop for request 0
modcall[post-auth]: module "STAPS" returns noop for request 0
modcall[post-auth]: module "DEF" returns noop for request 0
modcall: group post-auth returns noop for request 0
Sending Access-Accept of id 65 to 127.0.0.1:32781
        Framed-MTU = 1500
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 65 with timestamp 419dbb54
Nothing to do. Sleeping until we see a request.

In line 199 of users:
DEFAULT Service-Type == Framed-User, Pool-Name := "DEF_pool"

In line 227:
DEFAULT Auth-Type = ldap
        Fall-Through = 1

In line 254:
DEFAULT Framed-Protocol == PPP
        Framed-MTU = 1500,
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

Kostas Kalevras wrote:
> On Fri, 19 Nov 2004, fred Dominique wrote:
>> Works well (on debug). But I've just two more questions:
>> 1. I would like to have a catch-all definition if suppannaffectation gives a non-existing pool-name. I put this in users:
>> DEFAULT Service-Type == Framed-User, Pool-Name := "DEF_pool"
>>         Framed-MTU = 1500,
>>         Fall-Through = Yes
>> but it didn't work
>
> You should have the files module *before* the ldap module in the authorize section for this to work.
>
>> 2. I would like the pool-name to be case insensitive, so it will work for SCECO or ScEco. Is it possible?
>
> Not that much. What you could probably do is lowercase the Pool-Name and use that one for the ippool module instance name.
>
> --
> Kostas Kalevras

--
Dominique fred
Systems and Network Engineer
CISCAM Pole Réseau
Université de la Méditerranée
http://annuaire.univ.fr/showuser.php?uid=fred
Re: Bandwidth management Cisco
At 15.15 17/11/2004, you wrote:

> Hi,
> I would like to set up a max bandwidth over my cisco 1200AP (ios v12). My question is: what attribute should I use in radius to set the max download and upload for the client?

First you MUST use the virtual template feature of Cisco. After that you can send via radius the ios commands like rate-limit. As Reply Item I use:

Attribute: Cisco-AVPair
Value: "lcp:interface-config=rate-limit input 200 200 200 conform-action transmit exceed-action drop\nrate-limit output 200 200 200 conform-action transmit exceed-action drop"

> thx
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
> Sent: Wednesday 17 November 2004 15:17
> To: [EMAIL PROTECTED]
> Subject: Re: problem with freeradius - ldap - peap
>
> Pål Hjelmeseth Myklebust <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] log]# /usr/sbin/radiusd -x -A
>
> Please run the server as "/usr/sbin/radiusd -X". You will get MUCH more debugging information, which will help you solve your problem.
>
> Alan DeKok.

---
A user friendly computer first requires a friendly user.
---
Ing. Andrea Gabellini
Email: [EMAIL PROTECTED]
Tel: 0549 886111 (Italy)
Tel. +378 0549 886111 (International)
Intelcom San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino
http://www.omniway.sm
http://www.intelcom.sm
Re: help groups and LDAP
On Fri, 19 Nov 2004, LALOT Dominique wrote:

> Works well (on debug). But I've just two more questions:
> 1. I would like to have a catch-all definition if suppannaffectation gives a non-existing pool-name. I put this in users:
> DEFAULT Service-Type == Framed-User, Pool-Name := "DEF_pool"
>         Framed-MTU = 1500,
>         Fall-Through = Yes
> but it didn't work

You should have the files module *before* the ldap module in the authorize section for this to work.

> 2. I would like the pool-name to be case insensitive, so it will work for SCECO or ScEco. Is it possible?

Not that much. What you could probably do is lowercase the Pool-Name and use that one for the ippool module instance name.

--
Kostas Kalevras
Re: help groups and LDAP
Works well (on debug). But I've just two more questions:

1. I would like to have a catch-all definition if suppannaffectation gives a non-existing pool-name. I put this in users:
   DEFAULT Service-Type == Framed-User, Pool-Name := "DEF_pool"
           Framed-MTU = 1500,
           Fall-Through = Yes
   but it didn't work

2. I would like the pool-name to be case insensitive, so it will work for SCECO or ScEco. Is it possible?

Dustin Doris wrote:
> What happens if you do this. Add the following to ldap.attrmap
>
> checkItem Pool-Name supannaffectation
>
> Then remove all those users file entries with Ldap-Group, so it just does an LDAP lookup, not specifically matching on groups. This should pull the supannaffectation attribute from ldap and make that the Pool-Name check item, which should then fire ippool.
>
> -Dusty Doris
>
> On Thu, 18 Nov 2004, LALOT Dominique wrote:
>> Thanks for all, because it's starting to work. But: I noticed that I call ldap for each group before finding the right one. And for me the group name is just an ldap attr to read. Then when finding the group, for the IP pool, I have to read all the pools even when it returns ok. Hopefully, I have less than 10 groups! groupmembership is supannaffectation. Is there something else to do?
>> Thanks
>> dom
>>
>> users:
>> DEFAULT Ldap-Group == IUT, Pool-Name := "IUT_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == Medecine, Pool-Name := "Medecine_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == ESIL, Pool-Name := "Esil_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == Pharo, Pool-Name := "Pharo_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == Sciences, Pool-Name := "Sciences_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == Pharmacie, Pool-Name := "Pharmacie_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == OSU, Pool-Name := "OSU_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == IM2, Pool-Name := "IM2_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>> DEFAULT Ldap-Group == STAPS, Pool-Name := "STAPS_pool"
>>         Service-Type == Framed-User,
>>         Fall-Through = no
>>
>> rlm_ldap: user fred authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> modcall[authorize]: module "ldap" returns ok for request 2
>> rlm_ldap: Entering ldap_groupcmp()
>> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
>> radius_xlat: '(uid=fred)'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=ScEco)(uid=fred))
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
>> rlm_ldap::groupcmp: Group ScEco not found or user not a member
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap: Entering ldap_groupcmp()
>> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
>> radius_xlat: '(uid=fred)'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=IUT)(uid=fred))
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
>> rlm_ldap::groupcmp: Group IUT not found or user not a member
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap: Entering ldap_groupcmp()
>> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
>> radius_xlat: '(uid=fred)'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=Medecine)(uid=fred))
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
>> rlm_ldap::groupcmp: Group Medecine not found or user not a member
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap: Entering ldap_groupcmp()
>> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
>> radius_xlat: '(uid=fred)'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=ESIL)(uid=fred))
>> rlm_ldap: object not found or got ambiguous search result
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm
Re: Multiple Stop Packets for same AcctSessionId
On Fri, 19 Nov 2004, Joyce Choong wrote:

> Hi All,
> I am currently using freeradius version 0.8.1. I have been getting this strange record in my radacct table. I am using a Wireless Subscriber Gateway. Kindly refer to the sample log below.
>
> +------------------+----------+---------------------+---------------------+-----------------+
> | AcctSessionId    | UserName | AcctStartTime       | AcctStopTime        | AcctSessionTime |
> +------------------+----------+---------------------+---------------------+-----------------+
> | 00904b538dda0c03 | zainal   | 2004-10-18 16:29:25 | 2004-10-18 16:48:35 |            1140 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-10-19 12:52:56 |           16779 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-10-20 08:29:08 |           16779 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-10-21 08:23:18 |           16779 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-10-26 11:39:54 |           16779 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-11-03 09:32:03 |           16778 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-11-04 17:47:06 |           16779 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-11-10 09:38:39 |           16779 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-11-10 14:13:53 |           16779 |
> | 00904b538dda0c03 | zainal   | -00-00 00:00:00     | 2004-11-19 08:24:13 |           16779 |
> +------------------+----------+---------------------+---------------------+-----------------+
>
> This user 'zainal' actually has his final login session on 2004-10-18 16:29:25. His account expired on the following day. However, the later records were found added to my radacct table. I am surprised to see the same AcctSessionId for all the logs. Does anyone have a similar problem or any idea on why this situation occurs?

What does your accounting_stop_query look like? I'll bet you have a 'AND AcctStopTime = 0' at the end. If that is the case, then the Gateway sent an accounting record that got recorded in the database, but the reply timed out. The Gateway kept sending the same request, accounting_stop_query failed since AcctStopTime != 0, and freeradius fell back to the accounting_stop_query_alt, which is an INSERT. The replies for some reason didn't reach the Gateway, so it sent the request a number of times (the number you've probably configured it to do).

Hope this clears things up.

> Would appreciate help. Thanks a lot!

--
Kostas Kalevras
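As an added example (not from the thread or FreeRADIUS), the sequence Kostas describes replayed against an in-memory SQLite copy of radacct: the stop UPDATE that matches only an open row, the '_alt' INSERT fallback that fires on every retransmitted Stop, and a hardened handler that recognises a Stop for an already closed session and acknowledges it without writing. The table layout, the session values and the use of NULL in place of MySQL's zero AcctStopTime are constructed for this example.

```python
import sqlite3

# Constructed Stop record, delivered once and then retransmitted by the gateway
STOP = {"AcctSessionId": "00904b538dda0c03", "UserName": "zainal",
        "AcctStopTime": "2004-10-18 16:48:35", "AcctSessionTime": 1140}

# SQLite stand-in for the 'AND AcctStopTime = 0' clause discussed in the thread
UPDATE_STOP = ("UPDATE radacct SET AcctStopTime=?, AcctSessionTime=? "
               "WHERE AcctSessionId=? AND AcctStopTime IS NULL")
INSERT_STOP = ("INSERT INTO radacct (AcctSessionId, UserName, AcctStopTime, AcctSessionTime) "
               "VALUES (?, ?, ?, ?)")


def make_db():
    """In-memory radacct holding the open row that the Start record created."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, "
               "UserName TEXT, AcctStartTime TEXT, AcctStopTime TEXT, AcctSessionTime INTEGER)")
    db.execute("INSERT INTO radacct (AcctSessionId, UserName, AcctStartTime) "
               "VALUES (?, ?, '2004-10-18 16:29:25')", (STOP["AcctSessionId"], STOP["UserName"]))
    return db


def handle_stop_naive(db, rec):
    """The pattern described in the thread: the UPDATE matches only an open row,
    and when it changes nothing the '_alt' query INSERTs a fresh row."""
    cur = db.execute(UPDATE_STOP, (rec["AcctStopTime"], rec["AcctSessionTime"], rec["AcctSessionId"]))
    if cur.rowcount == 1:
        return "updated"
    db.execute(INSERT_STOP, (rec["AcctSessionId"], rec["UserName"],
                             rec["AcctStopTime"], rec["AcctSessionTime"]))
    return "inserted"


def handle_stop_idempotent(db, rec):
    """Hardened variant: a Stop for a session this user has already closed is
    treated as a retransmission and acknowledged without a second row. Session
    ids can be reused after a NAS reboot, so a production key should also
    include the NAS identity; that column is omitted in this constructed table."""
    cur = db.execute(UPDATE_STOP, (rec["AcctStopTime"], rec["AcctSessionTime"], rec["AcctSessionId"]))
    if cur.rowcount == 1:
        return "updated"
    closed = db.execute("SELECT 1 FROM radacct WHERE AcctSessionId=? AND UserName=? "
                        "AND AcctStopTime IS NOT NULL",
                        (rec["AcctSessionId"], rec["UserName"])).fetchone()
    if closed:
        return "duplicate-ignored"
    # Stop whose Start never arrived: the alt INSERT is still the right thing
    db.execute(INSERT_STOP, (rec["AcctSessionId"], rec["UserName"],
                             rec["AcctStopTime"], rec["AcctSessionTime"]))
    return "inserted"


def session_rows(db, session_id):
    return db.execute("SELECT COUNT(*) FROM radacct WHERE AcctSessionId=?",
                      (session_id,)).fetchone()[0]


def simulate(handler, retransmits=3):
    """Deliver the Stop once, then `retransmits` identical copies, as happens
    when the Accounting-Response never reaches the gateway."""
    db = make_db()
    outcomes = [handler(db, STOP) for _ in range(1 + retransmits)]
    return outcomes, session_rows(db, STOP["AcctSessionId"])
```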
Re: Deny Access for users
On Thu, 18 Nov 2004, Silvestre Malta wrote:

> Hi. Sorry for disturbing. I'm using FreeRadius 0.9.3 and I've two questions I can't solve by myself.
>
> 1) When using Radwho, the short name of the NAS is not used. The output displays the IP addresses. I've the clients.conf well configured, and also the naslist file. What can I do to solve this? Do I have to enable the resolution of names in radiusd.conf?

Do you have reverse lookup dns configured for these IP's? I think it should work (but through DNS, not clients.conf).

> 2) Is it possible to deny users if they connect from a specific NAS? For example, I've two NAS (access1 and access2); how can I tell that the users can do a login from access1 but not from access2? Is this configuration possible?

See the checkval module. The exact details depend on your user database.

> Thanks for the help and for your time.
> Kindly
> Bruno

--
Kostas Kalevras
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Hi,

I am using FreeRADIUS to authenticate the XSupplicant using EAP-TLS. The certificates are being generated using the script CA.all. For the Server certificate, the TLS Web Server OID used is 1.3.6.1.5.5.7.3.1.

Now what the FreeRADIUS Server is actually sending out to the Client (XSupplicant) (as seen from the Access-Challenge packet dump while running the FreeRADIUS Server in the debug mode) is the following byte sequence:

0x08 2b 06 01 05 05 07 03 01

as opposed to

0x01 03 06 01 05 05 07 03 01

Now I might be totally off the track here in this analysis but I just wanted to make sure that the Server is indeed sending out what it is supposed to send out to the Client. Is it alright that the OID being sent to the Client has its first 2 bytes (0x01, 0x03) replaced by something else (0x08, 0x2b)? Problem is, upon receiving the Server certificate my Client recognizes correctly that an EKU is included in the certificate but fails to recognize that it is to be used for TLS Web Server Authentication.

Thanks,
Bilal
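As an added example (not part of the original post, and not FreeRADIUS or OpenSSL code), a DER OBJECT IDENTIFIER encoder and decoder per ITU-T X.690: after the 0x06 tag comes a length octet, and the first two arcs X.Y of a dotted OID are merged into one subidentifier 40*X + Y, which is why 1.3.6.1.5.5.7.3.1 appears on the wire as 08 2b 06 01 05 05 07 03 01. The decoder also rejects a truncated multi-octet subidentifier, the failure mode a certificate parser has to handle.

```python
def _base128(n):
    """Big-endian base-128 with the continuation bit set on all but the last octet."""
    octets = bytearray([n & 0x7F])
    n >>= 7
    while n:
        octets.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(octets)


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: tag 0x06, short-form length, then subidentifiers.
    The first two arcs X.Y are merged into the single subidentifier 40*X + Y."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r" % dotted)
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body


def decode_oid(der):
    """Parse one DER OBJECT IDENTIFIER (short-form length) back to dotted form."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    subids, value, pending = [], 0, False
    for octet in der[2:]:
        value = (value << 7) | (octet & 0x7F)
        pending = bool(octet & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending:
        raise ValueError("truncated subidentifier")
    first = subids[0]
    x = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(str(a) for a in [x, first - 40 * x] + subids[1:])


def contents_hex(dotted):
    """The octets that follow the 0x06 tag, as they appear in a packet dump."""
    return encode_oid(dotted)[1:].hex()
```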