peap_eap_chapv2 still not working..
tls: certificate_file = /etc/raddb/certs/cert-srv.pem
tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = nothing
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /etc/raddb/certs/random
tls: fragment_size = 1600
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = yes
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = prefix
realm: delimiter = \
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (post_proxy_log)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 130.147.167.9:21657, id=245, length=154
        User-Name = domain\\username
        Framed-MTU = 1400
        Called-Station-Id = 000f.24be.37a0
        Calling-Station-Id = 000c.f138.502c
        Service-Type = Login-User
        Message-Authenticator = 0x8e00272827d0d29cb54093dd66630ab8
        EAP-Message = 0x0202001301434f4445315c5457473030383335
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1354
        NAS-IP-Address = 130.147.167.9
        NAS-Identifier = ap005
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_eap: EAP packet type response id 2 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    rlm_realm: Looking up realm domain for User-Name = domain\username
    rlm_realm: Found realm domain
    rlm_realm: Adding Stripped-User-Name = username
    rlm_realm: Proxying request from user username to realm domain
    rlm_realm: Adding Realm = domain
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module ntdomain returns noop for request 0
radius_xlat: '/var/log/radius/radacct/130.147.167.9/auth-detail-20041213'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/130.147.167.9/auth-detail-20041213
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: Request already proxied. Ignoring.
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module expiration returns noop for request 0
  modcall[authorize]: module logintime returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
Custom authentication and scripts
Thank you Thor for your help, but there's still something I don't understand: the only attributes available in my Radius packet are User-Name and User-Password. Are you mentioning another Radius attribute or a configuration parameter on the Radius server?

From: Thor Spruyt [EMAIL PROTECTED]

> > I have an application sending a login/pwd but processing is required on the password to accept authentication. So I need to extend the radius server to pass the credentials to a script or an application (specific to the authentication mechanism of our client) that will do the processing and return a code for accept or denied.
>
> You can use Exec-Program-Wait for that. In the users file, you'll need this:
>
>     DEFAULT    Auth-Type := Accept
>                Exec-Program-Wait = /path/to/your/script

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP Failure
On Fri, 10.12.2004 at 16:15, Mathias Röhl wrote:
> Hi
>
> after restarting freeradius with -X (thx to Alan) I got the message
>
> --
>   modcall[authorize]: module ldap returns ok for request 1
> modcall: group authorize returns updated for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP NAK
>   rlm_eap: EAP-NAK asked for EAP-Type/peap
>   rlm_eap: No such EAP type peap
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module eap returns invalid for request 1
> modcall: group authenticate returns invalid for request 1
> auth: Failed to validate the user.
> --
>
> My eap.conf has no peap sections, they're commented out. Only eap with md5. It's the same as the documentation in rlm_eap. In radiusd.conf, authorize is with eap and authenticate with eap and ldap. Is it a prob with the eap.conf or with something totally different? It's my first freeradius setup..
>
> kind regards
> [EMAIL PROTECTED]
Re: Custom authentication and scripts
[EMAIL PROTECTED] wrote:
> The only attributes available in my Radius Packet are User-Name and User-Password. Are you mentioning another Radius attribute or a configuration parameter on the Radius server?

I don't understand what you mean. All attributes sent by the NAS in the Access-Request packet will appear as environment variables in the external script. If the script exits with 0, then the user is Accepted; otherwise, the user is Rejected.

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
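An added example of such an external script, in Python; it is not Thor's code and not part of FreeRADIUS. It assumes what the reply above describes: FreeRADIUS runs the program named by Exec-Program-Wait with the Access-Request attributes exported into its environment (rlm_exec uppercases the names and turns dashes into underscores, so User-Name arrives as USER_NAME and User-Password as USER_PASSWORD; treat that naming as an assumption to check against your version) and maps exit status 0 to Access-Accept and anything else to Access-Reject. The credential table is constructed for the demonstration.

```python
import hmac
import os
import sys

# Constructed sample credential store; a real script would call whatever
# backend the client's own authentication mechanism requires.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "battery staple",
}


def decide(env):
    """Return the exit status for one request: 0 = Accept, non-zero = Reject.

    env is the process environment as FreeRADIUS is assumed to populate it
    (attribute names uppercased, dashes replaced by underscores).
    """
    user = env.get("USER_NAME")
    password = env.get("USER_PASSWORD")
    if not user or password is None:
        # No clear-text password in the request (CHAP, EAP, or a NAS that
        # did not send one): there is nothing to check, so reject.
        return 1
    expected = SAMPLE_USERS.get(user)
    if expected is None:
        return 1
    # Constant-time comparison; the password must never be logged by the script.
    return 0 if hmac.compare_digest(expected.encode(), password.encode()) else 1


if __name__ == "__main__":
    # FreeRADIUS reads only the exit status, so exit with the decision.
    sys.exit(decide(os.environ))
```

Because the decision hinges on User-Password, this only works for PAP requests: a CHAP or EAP request carries no clear-text password for the script to compare against, so such requests fall through to the reject branch.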
Re: rlm_eap_tls not built because OpenSSL not found
On Sun, 12 Dec 2004, Alan DeKok wrote:
> Tim Winders [EMAIL PROTECTED] wrote:
> > Unfortunately, I can't seem to get PEAP working. The server is complaining about a client certificate, like I was using EAP/TLS rather than EAP/PEAP.
>
> Can you post the error message? It might help

I suppose that would help. :-)

Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
RE: rlm_eap_tls not built because OpenSSL not found
Hi Tim,

I believe that MS made changes to the format of the EAP packets in XP SP2! This breaks PEAP with a number of (but apparently not all) non-MS RADIUS servers. They have a Hotfix for this. Check out KB 885453. I'm not *sure* that this is your problem. However, it *may* be relevant.

Note that the reference to EAP/TLS in FreeRADIUS may be a slight misdirection. EAP/TLS code is referenced by several of the EAP modules. Specifically, both EAP/TTLS and PEAP use a one-way TLS outer tunnel to protect the inner authentication process. Hence, a reference to EAP/TLS is entirely consistent with using PEAP (remember, you had to configure the tls module to get peap working).

Regards,

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 13:08
To: [EMAIL PROTECTED]
Subject: Re: rlm_eap_tls not built because OpenSSL not found

[...]
Re: Fwd: IP assignment from Perticular Dynamic Pool
Do you mean give a user a specific IP address from a pool, or assign a user to a specific pool?

If it's the first, I don't believe you can do that. Rlm_ippool is set up for dynamic assignment. You could just assign that value in the users file or sql and then in ippool you set this:

    override = no

That way if you statically assign an IP to someone, ippool will not override that address.

If you mean assign a user to a specific pool, then yes, that is what ippool is for. There is an example in radiusd.conf above the main_pool setup. Basically, add this to the users file:

    user    User-Password = something, Pool-Name := pool1

Then set up pool1 in radiusd.conf as an ippool:

    ippool pool1 {
        config...
    }

On Sun, 12 Dec 2004, Nirmal wrote:
> Hi,
>
> I am using freeradius-0.9 and MySQL... is it possible to allot an IP from a particular Dynamic Pool to a user? Please help me out.
>
> Thanks in advance,
> Nirmal
Re: dhcpd + omshell + freeradius
> Hello all,
>
> Recently I found that omshell can be used to control the dhcpd server without restarting the server. So I'm thinking, would there be a way to ask freeradius to talk to omshell when a user authenticates and assign an IP through omshell? When the user requests the IP from the dhcpd server, he will get the one that freeradius assigned.
>
> Nice idea? :) Any thoughts?
>
> Thank You
> Chan Min Wai

That's an interesting idea. A long time ago I wrote an expect script to change the IP address of a user. This had nothing to do with freeradius, but it could help. This will basically just help you with the syntax that omshell uses. You would need to pull out the variables from freeradius somewhere and execute this script with those variables. I was just setting the client name to the mac address, which is why both name and mac pull from the same argv. You would run the script like this (saying it's named something like dhcp.expect):

    dhcp.expect 192.168.0.5 0:60:1d:f1:75:d

Hope this helps in getting you on your way.

    #!/usr/local/bin/expect -df
    # argv 0 = IP address to assign, argv 1 = MAC address (also used as the host name)
    set name [lindex $argv 1]
    set mac  [lindex $argv 1]
    set ip   [lindex $argv 0]

    # drive an interactive omshell session; ">" is the omshell prompt
    spawn /usr/local/bin/omshell
    expect ">"
    send "connect\r"
    expect ">"
    send "new host\r"
    expect ">"
    send "set name = \"$name\"\r"
    expect ">"
    send "set hardware-address = $mac\r"
    expect ">"
    send "set hardware-type = 1\r"
    expect ">"
    send "set ip-address = $ip\r"
    expect ">"
    # create the host object on the server; omshell reports an error if it already exists
    send "create\r"
    expect ">"
    exit
Re: rlm_eap_tls not built because OpenSSL not found
On Monday 13 December 2004 08:07, Tim Winders wrote:
> On Sun, 12 Dec 2004, Alan DeKok wrote:
> > Tim Winders [EMAIL PROTECTED] wrote:
> > > Unfortunately, I can't seem to get PEAP working. The server is complaining about a client certificate, like I was using EAP/TLS rather than EAP/PEAP.
>
> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
> Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.

> I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.

Zoltan Ori
RE: rlm_eap_tls not built because OpenSSL not found
Thanks, Guy. I have contacted MS and have applied the hotfix. But, I still have a problem. Will post the debug to another message.

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

On Mon, 13 Dec 2004, Guy Davies wrote:
> [...]
EAP/TLS Problem
Hi

I tried FR now with EAP/TLS but after starting with -X -A the output is

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed.

I installed the debian package for openssl and also freeradius with mysql and ldap.

freeradius:/usr/tmp# dpkg -l|grep freeradius
ii  freeradius      1.0.1-1  a high-performance and highly configurable R
ii  freeradius-dia  1.0.1-1  set of PHP scripts for administering a FreeR
ii  freeradius-lda  1.0.1-1  LDAP module for FreeRADIUS server
ii  freeradius-mys  1.0.1-1  MySQL module for FreeRADIUS server

I wanna use the FR to authenticate a wireless client (iBook with MacOSX); the NAS is a simple access point from a German vendor. How can I fix the rlm_eap_tls.so problem? There is no file with this name on my system. Is it better to build all this from source?

thx in advance
[EMAIL PROTECTED]
RE: EAP/TLS Problem
Hi Mathias,

Yep, build from source and configure with the --disable-shared option.

Regards,

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathias Röhl
Sent: 13 December 2004 16:13
To: [EMAIL PROTECTED]
Subject: EAP/TLS Problem

[...]
using scratch-Card SERIAL number instead of RADIUS username/pwd
Hi All,

I am using FreeRADIUS for a Hotspot Wireless Internet System. I would like to have a PIN number (16 digits) on my scratch card rather than a username/password pair. The user will buy a scratch card and use the PIN printed on the card to log in at hotspot locations.

My question is: how can I make the RADIUS server accept and authenticate just a PIN number (16 digits) instead of a username and password pair?

Thanks,
Sagar
RE: rlm_eap_tls not built because OpenSSL not found
Hi Tim,

You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2. Any CHAP based authentication mechanism requires the server to have access to the *clear text* passwords. If you want to use PEAP/MS-CHAPv2, then you'll need to create definitions of your users either in a local (or other) database with clear text (or trivially reversible) passwords.

If you want to use /etc/passwd, you could switch to EAP-TTLS/PAP. Since PAP sends the password in clear text (don't worry, it's inside the outer TTLS tunnel so it's not visible in the air), your server doesn't need the clear text held locally. It simply applies the same crypt algorithm to the received password and checks the result against your /etc/passwd file.

Regards,

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 15:55
To: [EMAIL PROTECTED]
Subject: Re: rlm_eap_tls not built because OpenSSL not found

> > Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
> > Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
> > Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
>
> That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.
>
> > I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).
>
> Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.

No reason. I have changed the configuration to WPA/TKIP. Here is the debug output from radiusd after I have applied the MS hotfix as referenced in a previous message and have changed the AP and client configuration to WPA/TKIP.

--- Walking the entire request list ---
Cleaning up request 22 ID 236 with timestamp 41bdb896
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
        User-Name = twinders
        Framed-MTU = 1400
        Called-Station-Id = 0012.7f75.d940
        Calling-Station-Id = 0090.4b65.34a5
        Service-Type = Login-User
        Message-Authenticator = 0xdc3d497356c2a583f2eaf7954c684d3a
        EAP-Message = 0x0201000d017477696e64657273
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 512
        NAS-IP-Address = 10.0.1.231
        NAS-Identifier = sub-ap1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
  modcall[authorize]: module preprocess returns ok for request 23
  modcall[authorize]: module chap returns noop for request 23
  modcall[authorize]: module mschap returns noop for request 23
  modcall[authorize]: module digest returns noop for request 23
    rlm_realm: No '@' in User-Name = twinders, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 23
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 23
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 23
modcall: group authorize returns updated for request 23
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 23
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 23
modcall: group authenticate returns handled for request 23
Sending Access-Challenge of id 237 to 10.0.1.231:21646
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xe2c50ab039bff81ff87783b7c4dc1736
Finished request 23
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 23 ID 237 with timestamp 41bdb8b7
Nothing to do. Sleeping until we see a request.

I see where it matches the DEFAULT entry in the users file. This is simply:

    DEFAULT Auth-Type = System
            Fall-Through = 1

I am trying to authenticate to the /etc/passwd file on the system. Dial up PPP users are able to connect and authenticate OK using the default Framed-User service type:

    DEFAULT Service-Type == Framed-User
            Framed-IP-Address = 255.255.255.254,
            Framed-MTU = 576,
            Service-Type = Framed-User,
            Fall-Through = Yes

Perhaps the
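To make the point in Guy's first two paragraphs concrete, here is an added example (not from the list post and not FreeRADIUS code). It uses plain CHAP (RFC 1994, MD5 based) as a stand-in for MS-CHAPv2 to show why a challenge/response method can only be verified from the plaintext password, while a PAP password can be checked against a one-way hash. The salted SHA-256 "stored hash" format is constructed for the example and stands in for the crypt(3) entry in /etc/passwd; MS-CHAPv2 itself differs in detail (it works from the NT hash of the password rather than the password bytes) but has the same property.

```python
import hashlib
import hmac
import os


# ---- PAP side: the server keeps only a one-way hash --------------------------
def make_stored_hash(password, salt=None):
    """Constructed stand-in for a crypt(3) entry: '$c$<salt hex>$<sha256 hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return "$c$" + salt.hex() + "$" + digest


def verify_pap(stored_hash, password):
    """PAP delivers the clear-text password (inside the TTLS tunnel), so the
    server re-runs the one-way function and compares; nothing reversible is stored."""
    _, _, salt_hex, digest = stored_hash.split("$")
    recomputed = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(recomputed, digest)


# ---- CHAP side: the client proves it knows the secret ------------------------
def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def authenticate(stored, method, **req):
    """Server-side decision for one request.

    stored is ("plaintext", password) or ("hash", stored_hash).
    Returns "accept", "reject", or "cannot-verify".
    """
    kind, value = stored
    if method == "PAP":
        if kind == "plaintext":
            ok = hmac.compare_digest(value.encode(), req["password"].encode())
        else:
            ok = verify_pap(value, req["password"])
        return "accept" if ok else "reject"
    if method == "CHAP":
        if kind != "plaintext":
            # The expected response is MD5(id || secret || challenge); with only a
            # one-way hash of the secret there is nothing to feed into MD5.
            return "cannot-verify"
        expected = chap_response(req["ident"], value, req["challenge"])
        return "accept" if hmac.compare_digest(expected, req["response"]) else "reject"
    raise ValueError("unknown method: " + method)


if __name__ == "__main__":
    stored_hash = make_stored_hash("s3cret")
    chal = os.urandom(16)
    print(authenticate(("hash", stored_hash), "PAP", password="s3cret"))   # accept
    print(authenticate(("hash", stored_hash), "CHAP", ident=1, challenge=chal,
                       response=chap_response(1, "s3cret", chal)))         # cannot-verify
```

The "cannot-verify" branch is the situation Guy describes: a users entry pointing at /etc/passwd gives the server only crypt output, so an MS-CHAPv2 exchange inside PEAP has no way to succeed, whereas the same store is sufficient for PAP inside TTLS.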
Cisco Aironet's WDS and FreeRadius Peap
I have Cisco Aironet 1100's that I am setting up on a private LAN that go through a firewall to get to the internal LAN. The FreeRadius server is on the internal LAN.

Ok, so what works: I can connect the client (supplicant) to the Wireless G Aironet that authenticates to the FreeRadius server. I can then connect to the VPN (which also authenticates to the Radius server). Everything there is happy.

What does not work: The Aironets use a system called WDS to allow roaming between the access points. I set up one unit to be the primary WDS, and configure a second Aironet to use WDS. The Aironets use the Radius server for authentication, but they are never able to authenticate with the WDS.

What I think I am doing wrong: I believe that I need to activate peap for the Cisco Aironets to authenticate. I have tried to set this up per documentation, but I get the following error when I now try to activate the FreeRadius server using radiusd -A -X, cut to just show the eap module failure:

**
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = (null)
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
9616:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
9616:error:0200100E:system library:fopen:Bad address:bss_file.c:259:fopen('','r')
9616:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
9616:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:513:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.
***

I have tried to use CA.all to create a certificate, but it gives an error during the certificate creation. I have created a certificate manually using openssl, and moved it into the /usr/local/etc/raddb/certs folders (and DemoCA folders), but the server still fails.

I am running RedHat 9, kernel 2.4.20-8smp; openssl-0.9.7a-2; freeradius-0.9.3-1.1

Does anyone know if the peap is even needed with the Aironets? If so, is there another howto or other docs I can RTFM to resolve this certificate issue, or do I just need to hack all of the config files, CA.all, etc...

Has anyone got this type of setup working (Cisco Aironet's running WDS and FreeRadius)?

Dave
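The OpenSSL errors in the output above (fopen('','r') and "no start line ... Expecting: CERTIFICATE") line up with the printed tls settings: certificate_file is (null) while private_key_file points at cert-srv.pem. As an added example (not part of the post and not FreeRADIUS code), this Python pre-flight check takes the tls option values as they appear in the debug dump and reports any that are unset, missing on disk, or lacking the PEM block type OpenSSL will look for in that role. The PEM files it writes for the demonstration contain placeholder bodies, not real key material, and the build_sample/demo helpers exist only for this example.

```python
import os
import tempfile

# PEM block labels OpenSSL accepts for each tls {} option (pem_file_type = yes).
_EXPECTED = {
    "certificate_file": ("CERTIFICATE",),
    "CA_file": ("CERTIFICATE",),
    "private_key_file": ("PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
                         "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"),
}


def pem_labels(path):
    """Return the set of '-----BEGIN <label>-----' labels found in a PEM file."""
    labels = set()
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                labels.add(line[len("-----BEGIN "):-len("-----")])
    return labels


def check_tls_paths(tls):
    """tls maps option name -> value exactly as radiusd -X prints it ("(null)"
    for an unset option). Returns [(option, problem), ...]; an empty list means
    all three files exist and carry the block type OpenSSL expects."""
    problems = []
    for opt, wanted in _EXPECTED.items():
        value = tls.get(opt)
        if value in (None, "", "(null)"):
            problems.append((opt, "not set; OpenSSL would fopen('') and fail"))
            continue
        if not os.path.isfile(value):
            problems.append((opt, "file not found: " + value))
            continue
        found = pem_labels(value)
        if not any(label in found for label in wanted):
            problems.append((opt, "no %s block in %s (found: %s)"
                             % (" or ".join(wanted), value, sorted(found) or "none")))
    return problems


def build_sample(directory=None):
    """Write constructed PEM files (placeholder bodies, not real key material)
    mirroring the FreeRADIUS demo layout: cert-srv.pem holds the server
    certificate plus its key, cacert.pem holds only the CA certificate."""
    directory = directory or tempfile.mkdtemp(prefix="raddb-certs-")
    body = "MIIBplaceholderplaceholderplaceholderplaceholder\n"
    cert = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
    key = "-----BEGIN RSA PRIVATE KEY-----\n" + body + "-----END RSA PRIVATE KEY-----\n"
    paths = {
        "cert-srv.pem": os.path.join(directory, "cert-srv.pem"),
        "cacert.pem": os.path.join(directory, "cacert.pem"),
    }
    with open(paths["cert-srv.pem"], "w") as fh:
        fh.write(cert + key)
    with open(paths["cacert.pem"], "w") as fh:
        fh.write(cert)
    return paths


def demo():
    """Reproduce the posted configuration: private_key_file set, certificate_file (null)."""
    paths = build_sample()
    posted = {
        "private_key_file": paths["cert-srv.pem"],
        "certificate_file": "(null)",
        "CA_file": paths["cacert.pem"],
    }
    return check_tls_paths(posted)


if __name__ == "__main__":
    for opt, why in demo():
        print(opt, "->", why)
```

Run against the real raddb/certs directory, the same check tells you before radiusd starts whether the file named by certificate_file actually contains a certificate block and whether private_key_file contains a key block, which is what the "Expecting: CERTIFICATE" error is complaining about.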
EAP SIM question
I am trying to declare a user with the EAP/SIM authentication method. I had a look at the example in src/tests and tried to run radeapclient as described, but it does not work. If someone has a complete working example with a user configured for the EAP/SIM authentication method, that means /usr/local/etc/raddb/radiusd.conf, /usr/local/etc/raddb/users, /usr/local/etc/raddb/naslist and /usr/local/etc/raddb/eap.conf, I would be very pleased.
Re: Cisco Aironet's WDS and FreeRadius Peap
That did it! I did not think that Cisco was still using LEAP. At least I can run tests now on the infrastructure. Thank you for your hint.

Dave

On Mon, 2004-12-13 at 10:08, Joe Matuscak wrote:
> On 13 Dec 2004, David Howard wrote:
> > What does not work: The Aironet's use a system called WDS to allow roaming between the access points. I set up one unit to be the primary WDS, and configure a second Aironet to use WDS. The Aironets use the Radius server for authentication, but they never are able to authenticate with the WDS.
> >
> > What I think I am doing wrong: I believe that I need to activate peap for the Cisco Aironets to authenticate.
>
> Nope. From what I can tell, the client APs use LEAP to authenticate.
>
> > Has anyone got this type of setup working (Cisco Aironet's running WDS and FreeRadius)?
>
> Yes, I've got it running in a test mode at the moment. Only two APs, but it seems to be behaving fine. I'm using the 1200 APs with IOS 12.2(15)JA and FreeRadius on Fedora Core 2 (freeradius-1.0.1-0.FC2). To get the client APs to authenticate, I had to set:
>
>     default_eap_type = leap
>
> in eap.conf.
>
> Joe Matuscak
> Rohrer Corporation
> 717 Seville Road
> Wadsworth, Ohio 44281
> (330)335-1541
> [EMAIL PROTECTED]
RE: rlm_eap_tls not built because OpenSSL not found
G. It's always something.

Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP? When I enable TTLS, what default_eap_type do I specify? I would guess PAP.

I have tried searching through the FAQ and the list archives, but am still confused. Much of what is there doesn't seem to be relevant anymore with current freeradius versions. (I am using the 20041210 snapshot)

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

On Mon, 13 Dec 2004, Guy Davies wrote:

> Hi Tim,
>
> You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2. Any CHAP based authentication mechanism requires the server to have access to the *clear text* passwords. If you want to use PEAP/MS-CHAPv2, then you'll need to create definitions of your users either in a local (or other) database with clear text (or trivially reversible) passwords.
>
> If you want to use /etc/passwd, you could switch to EAP-TTLS/PAP. Since PAP sends the password in clear text (don't worry, it's inside the outer TTLS tunnel so it's not visible in the air), your server doesn't need the clear text held locally. It simply applies the same crypt algorithm to the received password and checks the result against your /etc/passwd file.
>
> Regards,
>
> Guy
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
> Sent: 13 December 2004 15:55
> To: [EMAIL PROTECTED]
> Subject: Re: rlm_eap_tls not built because OpenSSL not found
>
>>>> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
>>>> Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
>>>> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
>>>
>>> That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.
>>>
>>>> I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).
>>>
>>> Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.
>>
>> No reason. I have changed the configuration to WPA/TKIP.
>>
>> Here is the debug output from radiusd after I have applied the MS hotfix as referenced in a previous message and have changed the AP and client configuration to WPA/TKIP.
>>
>> --- Walking the entire request list ---
>> Cleaning up request 22 ID 236 with timestamp 41bdb896
>> Nothing to do. Sleeping until we see a request.
>> rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
>>         User-Name = twinders
>>         Framed-MTU = 1400
>>         Called-Station-Id = 0012.7f75.d940
>>         Calling-Station-Id = 0090.4b65.34a5
>>         Service-Type = Login-User
>>         Message-Authenticator = 0xdc3d497356c2a583f2eaf7954c684d3a
>>         EAP-Message = 0x0201000d017477696e64657273
>>         NAS-Port-Type = Wireless-802.11
>>         NAS-Port = 512
>>         NAS-IP-Address = 10.0.1.231
>>         NAS-Identifier = sub-ap1
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 23
>>   modcall[authorize]: module preprocess returns ok for request 23
>>   modcall[authorize]: module chap returns noop for request 23
>>   modcall[authorize]: module mschap returns noop for request 23
>>   modcall[authorize]: module digest returns noop for request 23
>>     rlm_realm: No '@' in User-Name = twinders, looking up realm NULL
>>     rlm_realm: No such realm NULL
>>   modcall[authorize]: module suffix returns noop for request 23
>>   rlm_eap: EAP packet type response id 1 length 13
>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>   modcall[authorize]: module eap returns updated for request 23
>>     users: Matched entry DEFAULT at line 152
>>   modcall[authorize]: module files returns ok for request 23
>> modcall: group authorize returns updated for request 23
>>   rad_check_password: Found Auth-Type EAP
>> auth: type EAP
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group authenticate for request 23
>>   rlm_eap: EAP Identity
>>   rlm_eap: processing type tls
>>   rlm_eap_tls: Initiate
>>   rlm_eap_tls: Start returned 1
>>   modcall[authenticate]: module eap returns handled for request 23
>> modcall: group authenticate returns handled for request 23
>> Sending Access-Challenge of id 237 to 10.0.1.231:21646
>>         EAP-Message = 0x010200061920
>>         Message-Authenticator = 0x
>>         State = 0xe2c50ab039bff81ff87783b7c4dc1736
>> Finished request 23
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 6 seconds...
>> --- Walking the entire request list ---
>> Cleaning up request 23 ID 237 with timestamp 41bdb8b7
>> Nothing to do. Sleeping until we see a request.
>>
>> I see where it matches the DEFAULT entry in the users file. This is simply:
>>
>> DEFAULT Auth-Type = System
>>         Fall-Through = 1
>>
>> I
Re: rlm_eap_tls not built because OpenSSL not found
Tim Winders [EMAIL PROTECTED] wrote:
> Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP?

http://www.alfa-ariss.com

> When I enable TTLS, what default_eap_type do I specify? I would guess PAP.

No. Please re-read the comments describing that configuration item. PAP is not an EAP type. If you are using PAP inside of TTLS, then you do not need to set default_eap_type inside of the TTLS subsection.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_eap_tls not built because OpenSSL not found
Hi Tim,

EAP-TTLS is not supported by default by the MS 802.1x supplicant. *However*, you can get a copy of SecureW2 at http://www.securew2.com/, which behaves as a plugin to the MS 802.1x supplicant to provide support for EAP-TTLS. If you want to use a third party complete supplicant, I'd recommend Funk's Odyssey client. It's not free, but you can download a 30 day free trial from http://www.funk.com/.

Regards,

Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 18:32
To: [EMAIL PROTECTED]
Subject: RE: rlm_eap_tls not built because OpenSSL not found

> G. It's always something.
>
> Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP? When I enable TTLS, what default_eap_type do I specify? I would guess PAP.
>
> I have tried searching through the FAQ and the list archives, but am still confused. Much of what is there doesn't seem to be relevant anymore with current freeradius versions. (I am using the 20041210 snapshot)
>
> --
> Tim Winders
> Associate Dean of Information Technology
> South Plains College
> Levelland, TX 79336
>
> On Mon, 13 Dec 2004, Guy Davies wrote:
>
>> Hi Tim,
>>
>> You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2. Any CHAP based authentication mechanism requires the server to have access to the *clear text* passwords. If you want to use PEAP/MS-CHAPv2, then you'll need to create definitions of your users either in a local (or other) database with clear text (or trivially reversible) passwords.
>>
>> If you want to use /etc/passwd, you could switch to EAP-TTLS/PAP. Since PAP sends the password in clear text (don't worry, it's inside the outer TTLS tunnel so it's not visible in the air), your server doesn't need the clear text held locally. It simply applies the same crypt algorithm to the received password and checks the result against your /etc/passwd file.
>>
>> Regards,
>>
>> Guy
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
>> Sent: 13 December 2004 15:55
>> To: [EMAIL PROTECTED]
>> Subject: Re: rlm_eap_tls not built because OpenSSL not found
>>
>>>>> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
>>>>> Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
>>>>> Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
>>>>
>>>> That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.
>>>>
>>>>> I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).
>>>>
>>>> Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.
>>>
>>> No reason. I have changed the configuration to WPA/TKIP.
>>>
>>> Here is the debug output from radiusd after I have applied the MS hotfix as referenced in a previous message and have changed the AP and client configuration to WPA/TKIP.
>>>
>>> --- Walking the entire request list ---
>>> Cleaning up request 22 ID 236 with timestamp 41bdb896
>>> Nothing to do. Sleeping until we see a request.
>>> rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
>>>         User-Name = twinders
>>>         Framed-MTU = 1400
>>>         Called-Station-Id = 0012.7f75.d940
>>>         Calling-Station-Id = 0090.4b65.34a5
>>>         Service-Type = Login-User
>>>         Message-Authenticator = 0xdc3d497356c2a583f2eaf7954c684d3a
>>>         EAP-Message = 0x0201000d017477696e64657273
>>>         NAS-Port-Type = Wireless-802.11
>>>         NAS-Port = 512
>>>         NAS-IP-Address = 10.0.1.231
>>>         NAS-Identifier = sub-ap1
>>> Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 23
>>>   modcall[authorize]: module preprocess returns ok for request 23
>>>   modcall[authorize]: module chap returns noop for request 23
>>>   modcall[authorize]: module mschap returns noop for request 23
>>>   modcall[authorize]: module digest returns noop for request 23
>>>     rlm_realm: No '@' in User-Name = twinders, looking up realm NULL
>>>     rlm_realm: No such realm NULL
>>>   modcall[authorize]: module suffix returns noop for request 23
>>>   rlm_eap: EAP packet type response id 1 length 13
>>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>   modcall[authorize]: module eap returns updated for request 23
>>>     users: Matched entry DEFAULT at line 152
>>>   modcall[authorize]: module files returns ok for request 23
>>> modcall: group authorize returns updated for request 23
>>>   rad_check_password: Found Auth-Type EAP
>>> auth: type EAP
>>> Processing the authenticate
Re: Removing/modifying attributes per realm before proxying
Mike, Alan,

This policy module sounds interesting. Where can I find out more? Is it only in CVS?

josh.

Michael Griego wrote:
> Thor,
>
> You might want to take a look at the new policy module Alan has been working on. You could possibly set up different instances of the rlm_attr_filter for each realm and then use the policy module to control which instance gets called based on which realm the request is for.
>
> --Mike
>
> On Mon, 2004-12-13 at 13:40, Thor Spruyt wrote:
>> Hi,
>>
>> Maybe I have overlooked it, but I can't seem to find documentation on how to remove or modify attributes per realm before proxying. If someone can point me to where I have to look, that would be great. I'm willing to write some documentation after I have managed to do this.
>>
>> --
>> Regards,
>> Thor Spruyt
>> E: [EMAIL PROTECTED]
>> W: www.thor-spruyt.com
>> M: +32 (0)475 67 22 65
>>
>> Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
>> Discover the Telenet Hotspot service at www.telenet.be/hotspots
Re: Removing/modifying attributes per realm before proxying
Josh Howlett [EMAIL PROTECTED] wrote:
> This policy module sounds interesting. Where can I find out more? Is it only in CVS?

Yes. See raddb/policy.txt, and man rlm_policy. It's simple, but very, very, powerful.

Alan DeKok.
Re: Removing/modifying attributes per realm before proxying
Alan DeKok wrote:
> Josh Howlett [EMAIL PROTECTED] wrote:
>> This policy module sounds interesting. Where can I find out more? Is it only in CVS?
>
> Yes. See raddb/policy.txt, and man rlm_policy. It's simple, but very, very, powerful.

Sweet. I can see this being very useful. Thanks!

josh.
Documentation rlm_attr_filter
Hi,

I have noticed that the preproxy_users file is not used anywhere in radiusd.conf.

Am I right to say that the preproxy_users file should be used by the rlm_attr_filter module in the pre-proxy section, just like the attrs file in the post-proxy section? If so, I can make some documentation updates about this if you want me to.

Also, I'd add a commented out example for preproxy_users in radiusd.conf if you want me to.

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots
Re: Documentation rlm_attr_filter
Thor Spruyt [EMAIL PROTECTED] wrote:
> I have noticed that the preproxy_users file is not used anywhere in radiusd.conf

It's part of the files module. I'd like to replace much of this in 1.1.x and following with the new policy module. It's a *lot* more powerful, and can be much easier to use.

> Also, I'd add a commented out example for preproxy_users in radiusd.conf if you want me to.

Sure.

Alan DeKok.
Re: Removing/modifying attributes per realm before proxying
Thor Spruyt [EMAIL PROTECTED] wrote:
> raddb/policy.txt is Chinese to me :(

man rlm_policy

> Then still, there's the problem of how to remove an attribute before proxying?

man users. You can use preproxy_users to delete attributes.

When the policy module is a little more complete, you will be able to use it to remove selected attributes.

Alan DeKok.
RE: replication with radrelay: Failed to aquire filelock
My setup: Running FreeRADIUS 1.0.1 on Debian sarge

server2 (secondary) - detail-relay/radrelay - server1 (primary) - mysql

The servers are far away from being under (dual Xeon 2,8, 1GB, SCSI 15k etc)

As long as the primary runs and is reachable, everything is fine, but whenever the secondary server comes into action due to the primary being unreachable, I see this "Error: rlm_detail: Failed to aquire filelock for...detail-relay" frequently. (~1000 acct per hour with ~25 "Error: rlm_detail:" messages per hour)

Is there really nothing that can be done about this? I'm concerned to lose some accounting, as whenever this happens the primary is most likely down.

Maybe it'd help, i.e. to make radrelay do less frequent checks on the detail file, but I found no option for this.

Accounting is the most important thing; when I see freeradius reporting problems with it, I always feel very uncomfortable ;)

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Serkin
Sent: Friday, October 01, 2004 7:27 AM
To: [EMAIL PROTECTED]
Subject: Re: replication with radrelay: Failed to aquire filelock

> Kostas Kalevras wrote:
>> On Thu, 30 Sep 2004, Alexander Serkin wrote:
>>> Hello again.
>>>
>>> While replicating accounting info to secondary server with radrelay i see the following message in radius.log:
>>>
>>> Thu Sep 30 10:48:51 2004 : Error: rlm_detail: Failed to aquire filelock for /opt/fr/radacct/detail, giving up
>>>
>>> Does it mean that i'm losing some accounting records when radrelay and radiusd processes are bumped with each other on detail file lock?
>>
>> Only if you see these messages all the time. If the detail module fails to
>
> The message appears approximately once a minute (~1000 simultaneous logins). The amount of simultaneous logins grows with about 100 per month. So in 10 months we'll come to 2000 of them. And the message will be more frequent. And i've no idea when i should begin to worry about that :-).
>
>> acquire the file lock it will return failure and the whole accounting process will fail. As a result the Access-Server *should* resend the corresponding accounting request which will probably get stored successfully the second time.
>
> --
> Sincerely Yours,
> Alexander
Re: groupmembership_filter
Hi Kostas,

I was thinking about it and I see that changing the order will not do much good. I have several groups defined and typically a user has a groupmembership_attribute set to one value. When radius checks groups it tries all groups from the config, one by one. If the user does not belong to a given group then changing the order will still run two searches. I think the only choice is to disable the groupmembership_filter search by some setting in the config file. Since it now has a default value it could break people's servers to change this default behaviour, but setting it to NULL or something could be acceptable.

Yours
Tomasz

On Tue, Nov 30, 2004 at 01:40:26PM +0200, Kostas Kalevras wrote:
> On Tue, 30 Nov 2004, Tomasz Wolniewicz wrote:
>> I am using the groupmembership_attribute to add users to certain groups; unfortunately rlm_ldap will always also run a subtree search using the groupmembership_filter, which for my case is completely useless. From what I see in the code, there seems to be no way to switch this search off. Would it not be a good idea to allow the user to set this filter (or perhaps the groupname_attribute) to something like NONE that would tell rlm_ldap not to bother? Saving one unnecessary search over a possibly large tree could be worth the bother. To make things easier I have set the groupmembership_filter to (objectClass=nosuchclass); this way, with indexing over the object class, the negative reply to this search should be quick enough, but still I would prefer to simply save this extra call. Perhaps there is some way that I have overlooked?
>
> You're right on that. The code should first do a search based on the groupmembership_attribute (if it is set) and if that fails then use groupmembership_filter. Can you also open a bug report on bugs.freeradius.org for that please? I'll try and make the changes (they're rather trivial) as soon as possible.
>
>> Yours
>> Tomasz
>>
>> --
>> Tomasz Wolniewicz  [EMAIL PROTECTED]  http://www.uni.torun.pl/~twoln
>> Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
>> Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
>> pl. Rapackiego 1, Torun, Poland
>> tel: +48-56-611-2750  fax: +48-56-622-1850  mobile: +48-693-032-576
>
> --
> Kostas Kalevras
> Network Operations Center  [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

--
Tomasz Wolniewicz  [EMAIL PROTECTED]  http://www.uni.torun.pl/~twoln
Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750  fax: +48-56-622-1850  mobile: +48-693-032-576
Re: Pam Radius Compilation Issues on Solaris 9
Try changing all occurrences of u_int32_t to uint32_t; it works for me on Solaris 8.

Silves

On Mon, 13 Dec 2004 14:47:15 -0800, Stevo wrote
> Hi Team,
>
> I've been using the pam_radius module on FreeBSD and Redhat Linux now for a while quite successfully. I am, however, having problems getting the module to compile under Solaris 9. Am I missing something silly here?
>
> --Steve
>
> bash-2.03# make
> /usr/local/bin/gcc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
> In file included from pam_radius_auth.h:23,
>                  from pam_radius_auth.c:63:
> md5.h:21: error: parse error before u_int32_t
> md5.h:21: warning: no semicolon at end of struct or union
> md5.h:22: warning: type defaults to `int' in declaration of `bits'
> md5.h:22: warning: data definition has no type or storage class
> md5.h:24: error: parse error before '}' token
> md5.h:29: error: parse error before buf
> pam_radius_auth.c: In function `ipstr2long':
> pam_radius_auth.c:179: warning: subscript has type `char'
> pam_radius_auth.c: In function `good_ipaddr':
> pam_radius_auth.c:215: warning: subscript has type `char'
> pam_radius_auth.c: In function `host2server':
> pam_radius_auth.c:271: warning: subscript has type `char'
> pam_radius_auth.c: In function `get_random_vector':
> pam_radius_auth.c:350: error: storage size of `my_md5' isn't known
> pam_radius_auth.c:350: warning: unused variable `my_md5'
> pam_radius_auth.c: In function `get_accounting_vector':
> pam_radius_auth.c:382: error: storage size of `my_md5' isn't known
> pam_radius_auth.c:382: warning: unused variable `my_md5'
> pam_radius_auth.c: In function `verify_packet':
> pam_radius_auth.c:400: error: storage size of `my_md5' isn't known
> pam_radius_auth.c:400: warning: unused variable `my_md5'
> pam_radius_auth.c: In function `add_password':
> pam_radius_auth.c:497: error: storage size of `md5_secret' isn't known
> pam_radius_auth.c:497: error: storage size of `my_md5' isn't known
> pam_radius_auth.c:497: warning: unused variable `md5_secret'
> pam_radius_auth.c:497: warning: unused variable `my_md5'
> pam_radius_auth.c: In function `rad_converse':
> pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type
> pam_radius_auth.c: In function `pam_sm_authenticate':
> pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
> pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> pam_radius_auth.c: In function `pam_private_session':
> pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
> pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> pam_radius_auth.c: In function `pam_sm_chauthtok':
> pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
> pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
> make: *** [pam_radius_auth.o] Error 1
> bash-2.03#
Re: 802.11i
The AP must support 802.11i. For Enterprise 802.11i, you must use 802.1x, which FreeRADIUS supports.

--Mike

On Mon, 2004-12-13 at 22:46, Bilal Shahid wrote:
> Hi,
>
> Does FreeRADIUS support 802.11i? On a more general level, in the wireless environment, does the RADIUS server (any RADIUS server) need to support 802.11i, or is it just the intervening Access Point that requires this support?
>
> Thanks,
> Bilal
RE: Freeradius-Users digest, Vol 1 #4060 - 12 msgs
>>> I would like to monitor my users (wireless) and I am trying to write a system, and I'm using the table radacct. But the value for Calling-Station-Id is not recorded, and we are using a DHCP server. All users can get an ip address from dhcp but my radius server doesn't record it. Can anyone help me how to grab users' ip and mac address?
>>
>> In your situation RADIUS is not managing the IP pools. DHCP is doing that and you have to look to your dhcp server configuration and log files. As for Calling-Station-ID, I presume you are looking for the MAC address of the requestor. First off, DHCP logs that (assuming you have logging turned on in DHCP etc.). Second, if the RADIUS client (which is NOT the end-user) doesn't supply a value for Calling-Station-ID, freeradius can't very well log it for you.
>
> I still don't understand. Why can't I grab the ip and mac address of the requestor? Perhaps ip, but the mac address appears in the Access-Request:
>
> rad_recv: Access-Request packet from host 10.201.8.1:4016, id=221, length=183
>         User-Name = nurulfaizal.kb23687
>         NAS-IP-Address = 10.201.8.1
>         Called-Station-Id = 00409656abfb
>         Calling-Station-Id = 00032f042f51
>         NAS-Identifier = AP350-56abfb
>         NAS-Port = 37
>         Framed-MTU = 1400
>         State = 0x1d3be2a084a942dde9ec62e4fc93063d
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020900261900170301001b4ae46d616dba0cea39cf42f90ce91e3ec9b4aa71af6df8d06be272
>         Message-Authenticator = 0xbc714574fa8945c2f384bb0dde7a58fe
>
> Please help me how to grab this mac address, so that I can manipulate it with expat to kick bad users immediately.. please help me
>
> P/S: My NAS is a Cisco 350 AP and I'm using PEAP to authenticate.

You can use that mac. If you want to deny certain mac addresses, then add them to your users file:

DEFAULT Calling-Station-Id == 00032f042f51, Auth-Type := Reject

Or do something similar with an SQL database. Or you can run an external script against that variable; check out the exec module to see how to call an external script.

When you talk about the radius server not recording it, I assume you are talking about accounting packets? You will need to set up your NAS to send accounting packets to freeradius, and then you can record it in a detail file or an sql database, depending on how you set it up.

The packet you showed above is an access request, not an accounting request. These are separate things. The NAS should send an access request to authenticate the user. Then the NAS should send a separate accounting request to record the fact that the user logged in.

See:

http://www.freeradius.org/radiusd/doc/aaa.txt (overview of AAA)
http://www.freeradius.org/rfc/rfc2866.html (accounting RFC)
http://www.freeradius.org/rfc/rfc2865.html (auth RFC)
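The reply above turns on two facts: the client MAC is whatever the NAS puts in Calling-Station-Id (the Cisco 350 sends it flat, the AP1200 earlier in this digest sends it dotted), and a deny rule only works if you compare like with like. The script below is an added example, not code from this thread or from FreeRADIUS: it parses radiusd -X style Access-Request dumps, normalises the MAC spelling, and evaluates each request against a deny list. SAMPLE_DEBUG is constructed from the two dumps in this digest plus one request with no Calling-Station-Id; DENIED_MACS is a made-up list.

```python
"""Pull the client MAC (Calling-Station-Id) out of radiusd -X style
Access-Request dumps, normalise the NAS-specific spelling, and evaluate it
against a deny list.

Added example for this thread, not code from the thread or from FreeRADIUS.
SAMPLE_DEBUG is constructed from the dumps shown in the thread; DENIED_MACS
is a made-up deny list.
"""
import re

# Constructed sample: three Access-Requests as radiusd -X prints them.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.201.8.1:4016, id=221, length=183
        User-Name = nurulfaizal.kb23687
        NAS-IP-Address = 10.201.8.1
        Called-Station-Id = 00409656abfb
        Calling-Station-Id = 00032f042f51
        NAS-Identifier = AP350-56abfb
        NAS-Port-Type = Wireless-802.11
rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
        User-Name = twinders
        Called-Station-Id = 0012.7f75.d940
        Calling-Station-Id = 0090.4b65.34a5
        NAS-IP-Address = 10.0.1.231
        NAS-Identifier = sub-ap1
rad_recv: Access-Request packet from host 10.0.1.231:21646, id=238, length=90
        User-Name = nomac
        NAS-IP-Address = 10.0.1.231
"""

# Hypothetical deny list, stored in the normalised colon form used below.
DENIED_MACS = {"00:03:2f:04:2f:51"}

_PACKET_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
_ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"\n]*?)"?\s*$')


def normalise_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for the usual NAS spellings (Cisco dotted
    0012.7f75.d940, flat 00032f042f51, colon or hyphen separated), or None
    when the value is not a 48-bit MAC. Comparing normalised forms makes a
    deny-list lookup independent of the NAS vendor's formatting."""
    if re.sub(r"[0-9a-fA-F.:\-\s]", "", raw):
        return None  # contains characters that never appear in a MAC
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_access_requests(debug_text):
    """Return one dict per Access-Request: {'nas': 'host:port', 'id': n, 'attrs': {...}}."""
    requests, current = [], None
    for line in debug_text.splitlines():
        m = _PACKET_RE.match(line)
        if m:
            current = {"nas": m.group(1), "id": int(m.group(2)), "attrs": {}}
            requests.append(current)
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2)
    return requests


def evaluate(debug_text, denied=DENIED_MACS):
    """Return (request id, User-Name, normalised MAC, decision) per request.
    decision: 'reject' for a denied MAC, 'accept' otherwise, 'no-mac' when the
    NAS sent no usable Calling-Station-Id (the server cannot filter or log a
    value the NAS never supplies, which is the point made in the thread)."""
    results = []
    for req in parse_access_requests(debug_text):
        user = req["attrs"].get("User-Name", "")
        mac = normalise_mac(req["attrs"].get("Calling-Station-Id", ""))
        if mac is None:
            decision = "no-mac"
        elif mac in denied:
            decision = "reject"
        else:
            decision = "accept"
        results.append((req["id"], user, mac, decision))
    return results


if __name__ == "__main__":
    for row in evaluate(SAMPLE_DEBUG):
        print(row)
```

Run it as-is to see the three decisions; the third request shows why a missing Calling-Station-Id has to be treated as its own case rather than as an "accept".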
Re: Multiple framed-route replies
http://www.freeradius.org/rfc/rfc2865.html#Framed-Route

On Mon, 13 Dec 2004, Nirmal wrote:
> Hi,
>
> I am using FR-0.9 and MySQL as backend. how can i add a single framed-route for a user? e.g. i just want to forward a /30 to a user. what is the exact format for the framed-route attribute?
>
> what i tried is: 192.192.168.1 is the static ip user, and a route would be added for 192.192.168.2, gw would be 192.192.168.1, metric 1.
>
> In RadReply Table:
>
> Id   Attribute     Op   Value
> ===  ============  ===  ================================
> 259  Framed-Route  :=   192.192.168.2/32 192.192.168.1 1
>
> above is not working in my case. is it possible my PPP is configured properly? Please do the needful
>
> Nirmal
>
> --- Nikolas Geyer [EMAIL PROTECTED] wrote:
>> Hi all,
>>
>> Just wondering if anyone is able to tell me how to do multiple Framed-Route replies for a single user? We have a single user that needs a /24 and a /30. We are using MySQL as the backend and having two entries for the user in radreply doesn't work.
>>
>> Any ideas/suggestions would be appreciated.
>>
>> Regards
>> -
>> Nikolas Geyer
>> Systems Network Administration
>> Infinite Networks
>> Ph: 1300 790 337
>> Fax: 02 6280 1155
>> 13 Wiluna Street Fyshwick ACT 2609
>> http://www.infinite.net.au/
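Kostas answers with a pointer to RFC 2865, whose recommended Framed-Route text form is "prefix[/len] gateway metric [metric ...]", with an omitted length defaulting to the classful 8/16/24 bits and a gateway of 0.0.0.0 meaning "use the user's own IP address". The decoder below is an added example, not code from this thread or from FreeRADIUS; it validates values in that form, which is a useful pre-check before a value goes into radreply. The first sample value is Nirmal's; the others are constructed.

```python
"""Decode and validate RADIUS Framed-Route text values in the RFC 2865 form
"prefix[/len] gateway metric [metric ...]".

Added example for this thread, not code from the thread or from FreeRADIUS.
The first sample value is the one from the thread; the others are constructed.
"""
import ipaddress


def _classful_len(dotted):
    """RFC 2865: with no /len the prefix length defaults to 8, 16 or 24 bits
    for a class A, B or C address respectively."""
    first = int(dotted.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("no classful default length for %s" % dotted)


def parse_framed_route(value, user_ip=None):
    """Return {'prefix', 'gateway', 'metrics'} for one Framed-Route value or
    raise ValueError. user_ip is the address assigned to the user; RFC 2865
    says a gateway of 0.0.0.0 means "use the user's IP address"."""
    fields = value.split()
    if len(fields) < 3:
        raise ValueError("expected prefix, gateway and a metric: %r" % value)
    dest, gw, *metrics = fields
    if "/" not in dest:
        dest = "%s/%d" % (dest, _classful_len(dest))
    # strict=True rejects a prefix with host bits set (e.g. 192.168.1.5/24),
    # which in a route value almost always indicates a typo.
    prefix = ipaddress.IPv4Network(dest, strict=True)
    gateway = ipaddress.IPv4Address(gw)
    if gateway == ipaddress.IPv4Address("0.0.0.0"):
        if user_ip is None:
            raise ValueError("gateway 0.0.0.0 needs the user's Framed-IP-Address")
        gateway = ipaddress.IPv4Address(user_ip)
    return {
        "prefix": str(prefix),
        "gateway": str(gateway),
        "metrics": [int(m) for m in metrics],
    }


def decode_reply_routes(values, user_ip=None):
    """Decode a whole reply: RADIUS carries several routes as several
    Framed-Route attribute instances, one route per value."""
    return [parse_framed_route(v, user_ip) for v in values]


# Constructed sample reply: the value posted in the thread plus a /24 and a /30
# for a user whose Framed-IP-Address is 192.192.168.1.
SAMPLE_REPLY = [
    "192.192.168.2/32 192.192.168.1 1",
    "10.20.30.0/24 0.0.0.0 1",
    "10.20.40.4/30 0.0.0.0 1",
]

if __name__ == "__main__":
    for route in decode_reply_routes(SAMPLE_REPLY, user_ip="192.192.168.1"):
        print(route)
```

Nirmal's value parses cleanly, so the format itself is not the problem in his case; the decoder is only a syntax check and says nothing about how a given NAS installs the route.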
RE: replication with radrelay: Failed to aquire filelock
On Tue, 14 Dec 2004, Michael Markstaller wrote:

> My setup: Running FreeRADIUS 1.0.1 on Debian sarge
>
> server2 (secondary) - detail-relay/radrelay - server1 (primary) - mysql
>
> The servers are far away from being under (dual Xeon 2,8, 1GB, SCSI 15k etc)
>
> As long as the primary runs and is reachable, everything is fine, but whenever the secondary server comes into action due to the primary being unreachable, I see this "Error: rlm_detail: Failed to aquire filelock for...detail-relay" frequently. (~1000 acct per hour with ~25 "Error: rlm_detail:" messages per hour)
>
> Is there really nothing that can be done about this? I'm concerned to lose some accounting, as whenever this happens the primary is most likely down.

Does this happen when the primary server comes back up or while it is down? For instance, does the detail file get larger when these messages are printed? radrelay should not create any problem, especially in this case (where the target radius server is down), since it will fill up its accounting slots and not read the detail file until the corresponding packets have been acknowledged by the primary radius server.

> Maybe it'd help, i.e. to make radrelay do less frequent checks on the detail file, but I found no option for this.
>
> Accounting is the most important thing; when I see freeradius reporting problems with it, I always feel very uncomfortable ;)
>
> Michael
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander Serkin
> Sent: Friday, October 01, 2004 7:27 AM
> To: [EMAIL PROTECTED]
> Subject: Re: replication with radrelay: Failed to aquire filelock
>
>> Kostas Kalevras wrote:
>>> On Thu, 30 Sep 2004, Alexander Serkin wrote:
>>>> Hello again.
>>>>
>>>> While replicating accounting info to secondary server with radrelay i see the following message in radius.log:
>>>>
>>>> Thu Sep 30 10:48:51 2004 : Error: rlm_detail: Failed to aquire filelock for /opt/fr/radacct/detail, giving up
>>>>
>>>> Does it mean that i'm losing some accounting records when radrelay and radiusd processes are bumped with each other on detail file lock?
>>>
>>> Only if you see these messages all the time. If the detail module fails to
>>
>> The message appears approximately once a minute (~1000 simultaneous logins). The amount of simultaneous logins grows with about 100 per month. So in 10 months we'll come to 2000 of them. And the message will be more frequent. And i've no idea when i should begin to worry about that :-).
>>
>>> acquire the file lock it will return failure and the whole accounting process will fail. As a result the Access-Server *should* resend the corresponding accounting request which will probably get stored successfully the second time.
>>
>> --
>> Sincerely Yours,
>> Alexander

--
Kostas Kalevras
Network Operations Center  [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Running test cases for EAP-Sim
Hi,

I just started using free radius. I was trying to run the test cases, to check if the configuration done by me is correct. I have the following error information; kindly help me.

I am getting the following messages when radiusd -X is started. I am unable to locate what went wrong.

[/usr/local/etc/raddb/users]:177 WARNING! Check item EAP-Sim-KC2 found in reply item list for user eapsim.
        This attribute MUST go on the first line with the other check items
[/usr/local/etc/raddb/users]:177 WARNING! Check item EAP-Sim-Rand3 found in reply item list for user eapsim.
        This attribute MUST go on the first line with the other check items
[/usr/local/etc/raddb/users]:177 WARNING! Check item EAP-Sim-SRES3 found in reply item list for user eapsim.
        This attribute MUST go on the first line with the other check items
[/usr/local/etc/raddb/users]:177 WARNING! Check item EAP-Sim-KC3 found in reply item list for user eapsim.
        This attribute MUST go on the first line with the other check items
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port

I have made the following configuration in the users file:

eapsim  Auth-Type := EAP, Autz-Type:=EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
        EAP-Sim-SRES1 = 0x1234abcd,
        EAP-Sim-KC1 = 0x0011223344556677,
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
        EAP-Sim-SRES2 = 0x234abcd1,
        EAP-Sim-KC2 = 0x1021324354657687,
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
        EAP-Sim-SRES3 = 0x34abcd12,
        EAP-Sim-KC3 = 0x30415263748596a7

and ran the test eapsim-03. I am getting the following error message:

rlm_eap: Underlying EAP-Type set EAP ID to 0
rlm_eap: reply code 0 is unknown, Rejecting the request.
rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.

When the packet is sent using the test script, I have verified the triplets against the configuration of triplets in the users file. They are the same. I am not sure why there is an auth failure. I have looked at the code based on the error messages, but haven't gone much into the code yet. Kindly tell me whether there is anything wrong with the configuration or something else. How should I make the eap-sim test work?

regards
Suresh
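The WARNING lines above describe the users-file layout rule that the posted entry breaks: the first line of an entry carries the name and the check items, and indented continuation lines carry reply items, so triplet attributes written on continuation lines are read as reply items. The script below is an added example, not FreeRADIUS code; it splits an entry along that rule, reports check-only attributes that landed in the reply list, and rewrites the entry with them on the first line. The layout rule is assumed from the users file documentation and the warnings themselves; the check-only set is the EAP-Sim triplet attributes named in the warnings, and SAMPLE_ENTRY is the entry as posted.

```python
"""Separate a FreeRADIUS 'users' file entry into check items and reply items
and flag check-only attributes that ended up in the reply list, which is
what the WARNING lines in the thread report.

Added example for this thread, not FreeRADIUS code. Layout rules assumed,
as documented for the users file: the first line holds the entry name and
the check items; indented continuation lines hold reply items, each line
ending in a comma except the last. The check-only attribute set below is
the EAP-Sim triplet attributes named in the thread's warnings.
"""
import re

# Constructed sample: the entry as posted in the thread, one item per line.
SAMPLE_ENTRY = """\
eapsim  Auth-Type := EAP, Autz-Type := EAP, EAP-Type := SIM
        EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
        EAP-Sim-SRES1 = 0x1234abcd,
        EAP-Sim-KC1 = 0x0011223344556677,
        EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
        EAP-Sim-SRES2 = 0x234abcd1,
        EAP-Sim-KC2 = 0x1021324354657687,
        EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
        EAP-Sim-SRES3 = 0x34abcd12,
        EAP-Sim-KC3 = 0x30415263748596a7
"""

CHECK_ONLY_ATTRS = {"EAP-Sim-%s%d" % (kind, i)
                    for kind in ("Rand", "SRES", "KC") for i in (1, 2, 3)}

# operators ordered so that the two-character forms are tried before '='
_ITEM_RE = re.compile(r"^\s*([\w-]+)\s*(:=|==|!=|=\*|!\*|=~|!~|<=|>=|<|>|=)\s*(.+?)\s*$")


def _split_items(text):
    """'A := x, B = y' -> [('A', ':=', 'x'), ('B', '=', 'y')]."""
    items = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue  # trailing comma on a continuation line
        m = _ITEM_RE.match(part)
        if not m:
            raise ValueError("cannot parse item %r" % part)
        items.append(m.groups())
    return items


def parse_entry(entry_text):
    """Return {'name', 'check', 'reply'} for a single users-file entry."""
    lines = [ln for ln in entry_text.splitlines() if ln.strip()]
    if not lines or lines[0][0].isspace():
        raise ValueError("an entry must start with its name in column 0")
    name, _, rest = lines[0].partition("\t" if "\t" in lines[0] else " ")
    reply = []
    for ln in lines[1:]:
        reply.extend(_split_items(ln))
    return {"name": name, "check": _split_items(rest), "reply": reply}


def misplaced_check_items(entry_text, check_only=CHECK_ONLY_ATTRS):
    """Names of check-only attributes found among the reply items; the server
    prints one WARNING per such attribute."""
    return [attr for attr, _, _ in parse_entry(entry_text)["reply"] if attr in check_only]


def relocate_check_items(entry_text, check_only=CHECK_ONLY_ATTRS):
    """Rewrite the entry with the check-only attributes moved onto the first
    line, the layout the warning asks for; remaining reply items keep their
    continuation-line form."""
    parsed = parse_entry(entry_text)
    moved = [it for it in parsed["reply"] if it[0] in check_only]
    reply = [it for it in parsed["reply"] if it[0] not in check_only]
    first = parsed["name"] + "\t" + ", ".join("%s %s %s" % it for it in parsed["check"] + moved)
    out = [first]
    for i, it in enumerate(reply):
        out.append("\t%s %s %s%s" % (it + ("," if i < len(reply) - 1 else "",)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("misplaced:", misplaced_check_items(SAMPLE_ENTRY))
    print(relocate_check_items(SAMPLE_ENTRY))
```

Running it on the posted entry lists all nine triplet attributes as misplaced, which matches the server's warnings (the extract above shows four of them); the rewritten entry puts all twelve items on the first line and produces no misplacement.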
Re: sql.conf 'server' field
zack musa wrote:
> HI, there is something that confused me. In sql.conf, the server field should be any IP of a server running Mysql. Is it? When i try using localhost, the radius runs properly (from the debug mode), but when i used the IP addr of the same machine on which i run the radius server using localhost, there's an error of attempting ..something about socket...to connect with mysql..but on the other pc I tried, when i change localhost to its own IP, or another IP which runs the mysql server, it seems to be ok. Where could it be wrong?

You're probably using the server's real IP instead of the localhost IP (which resolves to 127.0.0.1). If you use 127.0.0.1 instead of localhost, it should work. Otherwise, check your DNS configuration! If you use another IP of the same machine, you might have to tell your DB to allow such connections.

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

Order your copy of Operationele verkoop (Walter Spruyt - Liesbeth Huysmans) now via www.salesguide.be
Discover the Telenet Hotspot service at www.telenet.be/hotspots
dhcpd + omshell + freeradius
Hello all, Recently I found that omshell can be used to control the dhcpd server without restarting the server. So I'm thinking, would there be a way to ask freeradius to talk to omshell when a user authenticates, and assign an IP through omshell? When the user requests the IP from the dhcpd server, he will get the one that freeradius assigned. Nice idea? :) Any thoughts? Thank You Chan Min Wai
Removing/modifying attributes per realm before proxying
Hi, Maybe I have overlooked it, but I can't seem to find documentation on how to remove or modify attributes per realm before proxying. If someone can point me to where I have to look, that would be great. I'm willing to write some documentation after I have managed to do this. -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
Re: Removing/modifying attributes per realm before proxying
Thor, You might want to take a look at the new policy module Alan has been working on. You could possibly set up different instances of the rlm_attr_filter for each realm and then use the policy module to control which instance gets called based on which realm the request is for. --Mike On Mon, 2004-12-13 at 13:40, Thor Spruyt wrote: Hi, Maybe I have overlooked it, but I can't seem to find documentation on how to remove or modify attributes per realm before proxying. If someone can point me to where I have to look, that would be great. I'm willing to write some documentation after I have managed to do this. -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65 -- --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas
Re: rlm_eap_tls not built because OpenSSL not found
On Mon, 13 Dec 2004, Alan DeKok wrote: Tim Winders [EMAIL PROTECTED] wrote: Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP? http://www.alfa-ariss.com YES! When I enable TTLS, what default_eap_type do I specify? I would guess PAP. No. Please re-read the comments describing that configuration item. PAP is not an EAP type. If you are using PAP inside of TTLS, then you do not need to set default_eap_type inside of the TTLS subsection. OK, back to md5. YES!!! It works! Amazing!!! I could not find a reference to this in the list archives. Of course, searching on SecureW2 comes up with plenty of hits. But I didn't know what I was looking for. I also don't see anything about this in the FAQ. Any chance this might be added to the FAQ for easy reference? This is great! Thank you! -- Tim Winders Associate Dean of Information Technology South Plains College Levelland, TX 79336
RE: rlm_eap_tls not built because OpenSSL not found
Thank you Guy! The SecureW2 free plugin works perfectly! -- Tim Winders Associate Dean of Information Technology South Plains College Levelland, TX 79336 On Mon, 13 Dec 2004, Guy Davies wrote: Hi Tim, EAP-TTLS is not supported by default by the MS 802.1x supplicant. *However*, you can get a copy of SecureW2 at http://www.securew2.com/, which behaves as a plugin to the MS 802.1x supplicant to provide support for EAP-TTLS. If you want to use a third party complete supplicant, I'd recommend Funk's Odyssey client. It's not free, but you can download a 30 day free trial from http://www.funk.com/. Regards, Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders Sent: 13 December 2004 18:32 To: [EMAIL PROTECTED] Subject: RE: rlm_eap_tls not built because OpenSSL not found G. It's always something. Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP? When I enable TTLS, what default_eap_type do I specify? I would guess PAP. I have tried searching through the FAQ and the list archives, but am still confused. Much of what is there doesn't seem to be relevant anymore with current freeradius versions. (I am using the 20041210 snapshot) -- Tim Winders Associate Dean of Information Technology South Plains College Levelland, TX 79336 On Mon, 13 Dec 2004, Guy Davies wrote: Hi Tim, You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2. Any CHAP based authentication mechanism requires the server to have access to the *clear text* passwords. If you want to use PEAP/MS-CHAPv2, then you'll need to create definitions of your users either in a local (or other) database with clear text (or trivially reversible) passwords. If you want to use /etc/passwd, you could switch to EAP-TTLS/PAP. Since PAP sends the password in clear text (don't worry, it's inside the outer TTLS tunnel so it's not visible in the air), your server doesn't need the clear text held locally.
It simply applies the same crypt algorithm to the received password and checks the result against your /etc/passwd file. Regards, Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders Sent: 13 December 2004 15:55 To: [EMAIL PROTECTED] Subject: Re: rlm_eap_tls not built because OpenSSL not found

Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure. I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2). Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this. No reason. I have changed the configuration to WPA/TKIP. Here is the debug output from radiusd after I have applied the MS hotfix as referenced in a previous message and have changed the AP and client configuration to WPA/TKIP.

--- Walking the entire request list ---
Cleaning up request 22 ID 236 with timestamp 41bdb896
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
	User-Name = twinders
	Framed-MTU = 1400
	Called-Station-Id = 0012.7f75.d940
	Calling-Station-Id = 0090.4b65.34a5
	Service-Type = Login-User
	Message-Authenticator = 0xdc3d497356c2a583f2eaf7954c684d3a
	EAP-Message = 0x0201000d017477696e64657273
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 512
	NAS-IP-Address = 10.0.1.231
	NAS-Identifier = sub-ap1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
modcall[authorize]: module preprocess returns ok for request 23
modcall[authorize]: module chap returns noop for request 23
modcall[authorize]: module mschap returns noop for request 23
modcall[authorize]: module digest returns noop for request 23
rlm_realm: No '@' in User-Name = twinders, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 23
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 23
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 23
modcall: group authorize returns updated for request 23
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 23
rlm_eap: EAP
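The two points made in this thread, Alan's (PAP is not an EAP type, so the ttls subsection needs no default_eap_type for an inner PAP) and Guy's (the inner PAP request carries the clear-text password inside the TLS tunnel, so the server can crypt() it against /etc/passwd, whereas MS-CHAPv2 needs the clear text or an equivalent stored server-side), as an added configuration example. It is not from the thread or from the FreeRADIUS distribution. The certificate paths, the DEFAULT users entry and the assumption that Auth-Type System is handled by the unix module listed in authenticate (as in the stock 1.x radiusd.conf) are mine; check them against your own radiusd.conf and eap.conf.

```conf
# eap.conf (FreeRADIUS 1.x) -- added example for EAP-TTLS with an inner PAP.
eap {
	default_eap_type = ttls

	tls {
		# Same server certificate material PEAP already uses; TTLS
		# and PEAP share this subsection.
		private_key_file = ${raddbdir}/certs/cert-srv.pem
		certificate_file = ${raddbdir}/certs/cert-srv.pem
		CA_file = ${raddbdir}/certs/demoCA/cacert.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
	}

	ttls {
		# Consulted only when the method inside the tunnel is itself
		# an EAP method.  PAP is not an EAP type, so
		# "default_eap_type = pap" is not a valid value; leave the
		# default (md5) or omit the line.
		default_eap_type = md5
		# Give the tunnelled request the outer request's attributes
		# (NAS-IP-Address, Calling-Station-Id, ...) and send the
		# tunnelled reply's attributes back to the NAS.
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
	}
}

# users -- the tunnelled request arrives with User-Name and a clear-text
# User-Password.  "=" adds Auth-Type only when nothing earlier in
# authorize has set it, so this entry does not replace the Auth-Type EAP
# that rlm_eap sets on the outer request; the inner PAP request gets
# System and is verified by crypt() against /etc/passwd or /etc/shadow.
DEFAULT	Auth-Type = System
	Fall-Through = 1

# radiusd.conf -- authenticate { } must list the unix module for
# Auth-Type System (other Auth-Type blocks omitted here), and radiusd
# needs read access to /etc/shadow.
authenticate {
	unix
	eap
}
```

The check that this does what the comments claim is the -X output: the outer request must still show "Found Auth-Type EAP" (as in the debug above), and the tunnelled request, printed by rlm_eap_ttls after it, must show Auth-Type System and a reply from the unix module. If the outer request shows Auth-Type System instead, the users entry is overriding rlm_eap and the operator or the ordering of eap and files in authorize is wrong.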
Re: Removing/modifying attributes per realm before proxying
Michael Griego wrote: You might want to take a look at the new policy module Alan has been working on. You could possibly set up different instances of the rlm_attr_filter for each realm and then use the policy module to control which instance gets called based on which realm the request is for. raddb/policy.txt is Chinese to me :( Then still, there's the problem of how to remove an attribute before proxying? -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
Pam Radius Compilation Issues on Solaris 9
Hi Team, I've been using the pam_radius module on FreeBSD and Redhat Linux now for a while quite successfully. I am, however, having problems getting the module to compile under Solaris 9. Am I missing something silly here? --Steve

bash-2.03# make
/usr/local/bin/gcc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
In file included from pam_radius_auth.h:23,
                 from pam_radius_auth.c:63:
md5.h:21: error: parse error before u_int32_t
md5.h:21: warning: no semicolon at end of struct or union
md5.h:22: warning: type defaults to `int' in declaration of `bits'
md5.h:22: warning: data definition has no type or storage class
md5.h:24: error: parse error before '}' token
md5.h:29: error: parse error before buf
pam_radius_auth.c: In function `ipstr2long':
pam_radius_auth.c:179: warning: subscript has type `char'
pam_radius_auth.c: In function `good_ipaddr':
pam_radius_auth.c:215: warning: subscript has type `char'
pam_radius_auth.c: In function `host2server':
pam_radius_auth.c:271: warning: subscript has type `char'
pam_radius_auth.c: In function `get_random_vector':
pam_radius_auth.c:350: error: storage size of `my_md5' isn't known
pam_radius_auth.c:350: warning: unused variable `my_md5'
pam_radius_auth.c: In function `get_accounting_vector':
pam_radius_auth.c:382: error: storage size of `my_md5' isn't known
pam_radius_auth.c:382: warning: unused variable `my_md5'
pam_radius_auth.c: In function `verify_packet':
pam_radius_auth.c:400: error: storage size of `my_md5' isn't known
pam_radius_auth.c:400: warning: unused variable `my_md5'
pam_radius_auth.c: In function `add_password':
pam_radius_auth.c:497: error: storage size of `md5_secret' isn't known
pam_radius_auth.c:497: error: storage size of `my_md5' isn't known
pam_radius_auth.c:497: warning: unused variable `md5_secret'
pam_radius_auth.c:497: warning: unused variable `my_md5'
pam_radius_auth.c: In function `rad_converse':
pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_private_session':
pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_chauthtok':
pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
make: *** [pam_radius_auth.o] Error 1
bash-2.03#
Re: Removing/modifying attributes per realm before proxying
Thor Spruyt wrote: Michael Griego wrote: You might want to take a look at the new policy module Alan has been working on. You could possibly set up different instances of the rlm_attr_filter for each realm and then use the policy module to control which instance gets called based on which realm the request is for. raddb/policy.txt is Chinese to me :( Then still, there's the problem of how to remove an attribute before proxying? I found the solution: rlm_attr_filter. I have sent another mail with proposals for documentation updates. -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
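What Thor's solution looks like in configuration, as an added example that is not from the thread or from the FreeRADIUS distribution. It assumes that the attr_filter module in your build registers a pre-proxy method (the bug Thor mentions elsewhere on this page, #178, is about documenting that use) and that, as in its post-proxy use, the entry in the attrs file is looked up by the realm name rlm_realm put on the request. The realm name example.com and the file name are placeholders.

```conf
# radiusd.conf -- added example: instantiate the filter and run it on
# every request that is about to be proxied.
modules {
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
}

pre-proxy {
	# By now rlm_realm (the "suffix" instance in authorize) has set
	# Proxy-To-Realm and Realm.  attr_filter looks up the attrs entry
	# named after the realm and drops every attribute it does not list.
	attr_filter
}

# attrs -- one entry per realm, DEFAULT for every other realm.
# "=* ANY" passes the attribute through with whatever value it has;
# an attribute that is not listed in the matched entry is removed
# before the packet is built for the home server.
example.com
	User-Name =* ANY,
	User-Password =* ANY,
	CHAP-Password =* ANY,
	CHAP-Challenge =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	Proxy-State =* ANY,
	NAS-IP-Address =* ANY,
	NAS-Port-Type =* ANY

DEFAULT
	User-Name =* ANY,
	User-Password =* ANY,
	CHAP-Password =* ANY,
	CHAP-Challenge =* ANY,
	MS-CHAP-Challenge =* ANY,
	MS-CHAP-Response =* ANY,
	MS-CHAP2-Response =* ANY,
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	Proxy-State =* ANY,
	NAS-IP-Address =* ANY,
	NAS-Identifier =* ANY,
	NAS-Port =* ANY,
	NAS-Port-Type =* ANY,
	Called-Station-Id =* ANY,
	Calling-Station-Id =* ANY,
	Framed-MTU =* ANY,
	Service-Type =* ANY
```

The example.com entry is the per-realm minimisation case: that home server receives the credentials, the EAP-Message/State material the conversation needs and the proxy's NAS-IP-Address, but not Calling-Station-Id, Called-Station-Id or NAS-Port, which identify the subscriber and the access point and which the partner has no need to see; every other realm gets the fuller DEFAULT list. The check is radiusd -X: the attributes printed under the "Sending Access-Request of id ... to <home server>" line are the ones that survived the filter, and the attr_filter line just before it shows which entry was matched.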
Multiple framed-route replies
Hi all, Just wondering if anyone is able to tell me how to do multiple Framed-Route replies for a single user? We have a single user that needs a /24 and a /30. We are using MySQL as the backend and having two entries for the user in radreply doesn't work. Any ideas/suggestions would be appreciated. Regards - Nikolas Geyer Systems Network Administration Infinite Networks Ph: 1300 790 337 Fax: 02 6280 1155 13 Wiluna Street Fyshwick ACT 2609 http://www.infinite.net.au/ IMPORTANT NOTICE: This message may contain privileged and confidential information intended only for the above named addressee. If you are not the intended recipient of this message, you are hereby notified that any use, distribution or reproduction of this message or any part thereof is prohibited. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Infinite Networks.
Re: platypus
Hi Rick, Andrew, I have been using freeradius with Plat for a long time and it works well. Have you downloaded the *nix binary and scripts off of boardtown's website to interface with your windows server? What on earth for? Isn't freeRadius supposed to have inbuilt MS SQL support? All of our systems, whether it is win32 or *nix based, auth directly from plat. The binary runs as a daemon and uses the *nix user/password list for authentication. When you create a new account in Plat it sends the info to Which is useless in our case as we have 8 different radius profiles. the binary which runs a script on the *nix server and adds the user to the list where freeradius can authenticate it. So, FreeRadius is not able to natively interact with MS SQL server for both pulling radius auth data and pushing radius accounting details? We are currently running vopradius (win32) and were hoping to replace it completely (preferably plugging it straight in, with minimal changes to the DB and the rest of the system) with freeRadius. Cheers cya Andrew Rick Williams System Administrator AICON Internet Services, Inc. - Original Message - From: Andrew D [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, December 12, 2004 11:39 PM Subject: platypus Hi all, Just wondering if anyone has managed to get freeradius to work with platypus (ISP billing software) which is setup within a MS-SQL server? If you have managed to get it working, could you let us know what you did and possibly provide some config files. Thanks in Advance Cheers, cya Andrew
Re: Multiple framed-route replies
On Monday 13 December 2004 21:26, Nikolas Geyer wrote: Hi all, Just wondering if anyone is able to tell me how to do multiple Framed-Route replies for a single user? We have a single user that needs a /24 and a /30. We are using MySQL as the backend and having two entries for the user in radreply doesn't work. Any ideas/suggestions would be appreciated. Regards - Nikolas Geyer man 5 users and read the section on operators. The operators apply to both the flat users file and the rows in your MySQL table. Kevin Bonner
RE: Freeradius-Users digest, Vol 1 #4060 - 12 msgs
I would like to monitor my users (wireless) and I am trying to write a system using the table radacct. But the value for Calling-Station-Id is not recorded, and we are using a DHCP server. All users can get an IP address from DHCP but my radius server doesn't record it. Can anyone help me how to grab the users' IP and MAC addresses? in your situation RADIUS is not managing the IP pools. DHCP is doing that and you have to look to your dhcp server configuration and log files. As for Calling-Station-ID, I presume you are looking for the MAC address of the requestor. First off, DHCP logs that (assuming you have logging turned on in DHCP etc.). Second if the RADIUS client (which is NOT the end-user) doesn't supply a value for Calling-Station-ID freeradius can't very well log it for you. I still don't understand. Why can't I grab the IP and MAC address of the requestor? Perhaps not the IP, but the MAC address appears in the Access-Request:

rad_recv: Access-Request packet from host 10.201.8.1:4016, id=221, length=183
	User-Name = nurulfaizal.kb23687
	NAS-IP-Address = 10.201.8.1
	Called-Station-Id = 00409656abfb
	- Calling-Station-Id = 00032f042f51
	NAS-Identifier = AP350-56abfb
	NAS-Port = 37
	Framed-MTU = 1400
	State = 0x1d3be2a084a942dde9ec62e4fc93063d
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020900261900170301001b4ae46d616dba0cea39cf42f90ce91e3ec9b4aa71af6df8d06be272
	Message-Authenticator = 0xbc714574fa8945c2f384bb0dde7a58fe

Please help me how to grab this MAC address, so that I can manipulate it with expat to kick bad users immediately. Please help me. P/S: My NAS is a Cisco 350 AP and I'm using PEAP to authenticate.
802.11i
Hi, Does FreeRADIUS support 802.11i? On a more general level; in the wireless environment, does the RADIUS Server (any RADIUS Server) need to support 802.11i or just the intervening Access Point with this support is required? Thanks, Bilal
Re: Documentation rlm_attr_filter
Alan DeKok wrote: Thor Spruyt [EMAIL PROTECTED] wrote: I have noticed that the preproxy_users file is not used anywhere in radiusd.conf It's part of the files module. Oh ok :) I'd like to replace much of this in 1.1.x and following with the new policy module. It's a *lot* more powerful, and can be much easier to use. Yeah... like the rlm_exec which *should* replace the Exec-Program(-Wait) sometime (hopefully before the year 2020). Also, I'd add a commented out example for preproxy_users in radiusd.conf if you want me to. Sure. I have submitted bug #178 for configuration samples for attr_filter to be used in the pre-proxy section. -- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
Re: Documentation rlm_attr_filter
Alan DeKok wrote: Thor Spruyt [EMAIL PROTECTED] wrote: I have noticed that the preproxy_users file is not used anywhere in radiusd.conf It's part of the files module. If I understand correctly, that means one would create a module instance like so?

files files_preproxy {
	usersfile = ${confdir}/preproxy_users
}

And then use that in the pre-proxy section like so?

pre-proxy {
	files_preproxy
	#attr_rewrite
	#pre_proxy_log
}

-- Regards, Thor Spruyt E: [EMAIL PROTECTED] W: www.thor-spruyt.com M: +32 (0)475 67 22 65
Re: Multiple framed-route replies
Hi, I am using FR-0.9 and MySQL as backend. How can I add a single framed-route for a user? e.g. I just want to forward a /30 to a user. What is the exact format for the framed-route attribute? What I tried is: 192.192.168.1 is the static IP user and the route would be added for 192.192.168.2, gw would be 192.192.168.1, metric 1.

In RadReply Table:
Id   Attribute      Op   Value
259  Framed-Route   :=   192.192.168.2/32 192.192.168.1 1

The above is not working in my case. Is it possible my PPP is not configured properly? Please do needful Nirmal --- Nikolas Geyer [EMAIL PROTECTED] wrote: Hi all, Just wondering if anyone is able to tell me how to do multiple Framed-Route replies for a single user? We have a single user that needs a /24 and a /30. We are using MySQL as the backend and having two entries for the user in radreply doesn't work. Any ideas/suggestions would be appreciated. Regards - Nikolas Geyer Systems Network Administration Infinite Networks Ph: 1300 790 337 Fax: 02 6280 1155 13 Wiluna Street Fyshwick ACT 2609 http://www.infinite.net.au/
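Kevin's pointer to the operators section of man 5 users, carried through for the two-route case Nikolas asked about, as an added example that is not from the thread or the FreeRADIUS distribution. As a reply-item operator, = adds an attribute only if none of that name is already in the reply and := replaces whatever is there, so a second Framed-Route written with either never reaches the NAS; += appends. The user name, password and addresses (documentation address ranges) are placeholders.

```conf
# users -- added example: two Framed-Route reply items for one user.
# Framed-Route value format (RFC 2865): "prefix/length gateway metric".
# A gateway of 0.0.0.0 tells the NAS to use the address assigned to the
# user, so the routes follow whatever Framed-IP-Address the user gets.
nikolas	User-Password == "s3cret"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 192.0.2.10,
	Framed-Route += "198.51.100.0/24 0.0.0.0 1",
	Framed-Route += "203.0.113.4/30 0.0.0.0 1"
```

With MySQL the same thing is two radreply rows for the user, each with Attribute Framed-Route and, in a schema that has the op column, op set to += rather than = or :=; the radcheck row with the password stays as it was. The check is radiusd -X or a radtest run: the "Sending Access-Accept" block must list both Framed-Route values, and if it lists only the first, the operator on the second row is still = or :=.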
RE: EAP/TLS Problem
On Mon, 13.12.2004 at 17:27, Guy Davies wrote: Hi Mathias, Hi Guy Yep, build from source and configure with the --disable-shared option. OK, thanks. But in my mind, is this the only option I need? Nothing more to do? e.g. linking the OpenSSL lib regards [EMAIL PROTECTED]