Configuring LDAP with EAP
Hi all, does someone know how to configure freeradius with LDAP for EAP/TLS authentication? Any howto?

Thanks,
Jacques VUVANT
Rejecting localhost/Not responding to requests
I have previously posted this, but received no response. I am getting fairly desperate, and would really appreciate a response from someone, as I have nowhere else to turn. Thanks in advance.

-

Hello,

I am having trouble configuring our RADIUS server for use as an 802.11b authenticator. The box is running Debian Sarge with the FreeRADIUS package from apt-get install sources (1.0.1 I believe). As such, I have tried to follow the examples on http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2693413,00.html and also from the FreeRADIUS FAQ.

Ideally, I would like to have the server set up so that the username is derived from the radio's MAC (both CPE or AP radios), and the password be the secret key shared by both the APs and the server. This way no customer intervention would be necessary (i.e. internet access without entering a password each time).

I thought everything was set up correctly, but when I try to run a radtest on localhost from the server itself, it immediately rejects it. I have added it to the clients file (and tried adding to the users file as well, but to no avail). If I try to radtest on its actual IP address, it endlessly resends requests, and never returns a reply. It also doesn't let any client CPEs authenticate with it either, even though they are listed correctly (according to examples) in the users file, and the APs are listed in both users and clients.conf.

If anyone could provide any insight on this problem, I would greatly appreciate it. If you need more information, or I didn't include something, please let me know and I'll be happy to respond.

Thank you.

--
kalen

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius for windows XP
Does anyone know where I can get freeradius that will run on XP? I have it loaded but it was passed on from a friend and I do not know where to go and get it.

George Schoggins
Email: [EMAIL PROTECTED]
www: http://www.enterasys.com
Re: Freeradius and postgress
On Fri, 2005-21-01 at 13:52 -0800, [EMAIL PROTECTED] wrote:
> I am using Freeradius 1.0.0 on Redhat Enterprise 3. I also have it
> installed on Suse 9.2. I am connecting to Postgres 7.4.6. I can
> authenticate to a users file. But when I try to use radcheck in
> postgres I get login incorrect. I am trying to upgrade from freeradius
> .7.3 running on Solaris 2.8 and postgres 7.3.2. That is working just
> fine. I have created the tables using provided sql script. I
> configured radiusd.conf to use sql authentication. I have compared
> radiusd on the new machine to the radiusd on the old machine. They are
> as identical as they can be considering changes in the conf file. Does
> anybody have any other ideas or know of any issue with current version
> of freeradius and postgres
>
> Thanks
>
> Kevin Waters

Below is some sample data I use for testing PostgreSQL. The password for troll is skunk {sh1 encrypted}; you will need to generate a redhat linux compatible {des or md5} password for it to authenticate on an RH system.

NOTE: If you want to use the users file and sql, you can not have any Auth-Type attributes in your DEFAULT entries.

The data below is supposed to be tab delimited.

--Start of file--
COPY radcheck (username, attribute, op, value) FROM stdin;
fredf	User-Password	==	wilma
barneyr	User-Password	==	betty
troll	Crypt-Password	==	$1$A8BotTi4$UTg2XL.fSStI2RFENUfnR.
frog	User-Password	==	kermit
\.

COPY radgroupcheck (groupname, attribute, op, value) FROM stdin;
ppp-unlimited	Auth-Type	:=	SQL
ppp-static	Auth-Type	:=	SQL
nas-prompt	Auth-Type	:=	SQL
\.

COPY radgroupreply (groupname, attribute, op, value) FROM stdin;
ppp-unlimited	Framed-Compression	:=	Van-Jacobson-TCP-IP
ppp-unlimited	Framed-Protocol	:=	PPP
ppp-unlimited	Service-Type	:=	Framed-User
ppp-unlimited	Framed-MTU	:=	1500
ppp-static	Framed-Compression	:=	Van-Jacobson-TCP-IP
ppp-static	Framed-Protocol	:=	PPP
ppp-static	Service-Type	:=	Framed-User
ppp-static	Framed-MTU	:=	1500
nas-prompt	Framed-MTU	:=	1500
nas-prompt	Framed-Compression	:=	Van-Jacobson-TCP-IP
nas-prompt	Service-Type	:=	NAS-Prompt
\.

COPY radreply (username, attribute, op, value) FROM stdin;
barneyr	Framed-IP-Address	:=	10.19.65.38
barneyr	Framed-IP-Netmask	:=	255.255.255.252
\.

COPY usergroup (username, groupname) FROM stdin;
fredf	ppp-unlimited
barneyr	ppp-static
troll	ppp-unlimited
frog	nas-prompt
\.
--End of file--
Re: regarding internal processing - memory allocation
"Alfred H. Dahl" <[EMAIL PROTECTED]> wrote:
> When I run a /etc/init.d/radiusd reload or restart, the first 20 minutes
> I get a lot of
>
> Fri Jan 21 10:33:51 2005 : Info: The maximum number of threads (32) are
> active, cannot spawn new thread to handle request

It takes a bit of time to reload/restart the server, and during that time, the clients continue to send requests. As a result, the server may have a backlog of requests to process. Still, taking 20 minutes to process the backlog is a bit much.

> I run a mysql in backend, but this server reports no significant load.

Is FreeRADIUS getting *fast* responses to its queries? If not, then the delay is all in the DB.

> I currently have 80 socks available between the RADIUS-server and
> the mysql-server, and when viewing the process-list, sleep-time for
> the oldest connection is never below 10 sec.

I'm not sure what that means. I would bet that the SQL server is taking a long time to respond to the server. This isn't a problem in normal operation, as the number of RADIUS request packets is small. But when the number of requests goes up, the SQL delay becomes noticeable, and kills FreeRADIUS.

> Then I started to wonder about memory usage.

I don't think memory usage has anything to do with this.

> Is there maybe a design problem, which makes it difficult for RADIUSD
> to reload when the amount of "Free Memory" is low - and does RADIUS get
> to use freed "inactive" memory?

You're looking at *system* memory usage. That may not say much about the RADIUS server. Look at what FreeRADIUS is doing, and where it's spending its time.

Alan DeKok.
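An added example, not code from the thread or from FreeRADIUS: it parses radius.log lines of the kind Alfred quotes and groups the thread-exhaustion messages into episodes, so a short burst right after a restart can be told from a backlog that never drains (the 20-minute case Alan calls "a bit much"). The log text and its timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: a short burst right after "Ready to process
# requests", a quiet period, then an episode that keeps going for 23
# minutes, which is what a slow SQL backend under load would produce.
SAMPLE_LOG = """\
Fri Jan 21 10:33:50 2005 : Info: Ready to process requests.
Fri Jan 21 10:33:51 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 10:33:52 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 10:34:10 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 10:40:00 2005 : Auth: Login OK: [alice] (from client nas1 port 0)
Fri Jan 21 10:45:00 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 10:52:00 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 11:01:00 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 11:08:00 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
"""

# "Fri Jan 21 10:33:51 2005 : Info: <message>" is the radius.log line format
# shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
EXHAUSTED_RE = re.compile(r"maximum number of threads \((?P<n>\d+)\) are active")


def parse_line(line):
    """Return (timestamp, level, message) for a radius.log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def exhaustion_episodes(log_text, gap=timedelta(minutes=10)):
    """Group thread-exhaustion messages into episodes.

    Consecutive messages less than `gap` apart belong to the same episode.
    Returns a list of (first_seen, last_seen, message_count, pool_size).
    """
    episodes = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        m = EXHAUSTED_RE.search(msg)
        if not m:
            continue
        pool_size = int(m.group("n"))
        if episodes and ts - episodes[-1][1] < gap:
            first, _last, count, _n = episodes[-1]
            episodes[-1] = (first, ts, count + 1, pool_size)
        else:
            episodes.append((ts, ts, 1, pool_size))
    return episodes


def sustained_episodes(log_text, min_duration=timedelta(minutes=10)):
    """Episodes lasting at least `min_duration`: the backlog is not draining,
    so look at backend (SQL) response time rather than at the restart."""
    return [e for e in exhaustion_episodes(log_text) if e[1] - e[0] >= min_duration]


if __name__ == "__main__":
    for first, last, count, n in exhaustion_episodes(SAMPLE_LOG):
        secs = int((last - first).total_seconds())
        print(f"{first:%H:%M:%S}-{last:%H:%M:%S}: {count} messages, "
              f"pool size {n}, lasted {secs}s")
```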
Freeradius and postgress
I am using Freeradius 1.0.0 on Redhat Enterprise 3. I also have it installed on Suse 9.2. I am connecting to Postgres 7.4.6. I can authenticate to a users file. But when I try to use radcheck in postgres I get login incorrect. I am trying to upgrade from freeradius .7.3 running on Solaris 2.8 and postgres 7.3.2. That is working just fine. I have created the tables using provided sql script. I configured radiusd.conf to use sql authentication. I have compared radiusd on the new machine to the radiusd on the old machine. They are as identical as they can be considering changes in the conf file. Does anybody have any other ideas or know of any issue with current version of freeradius and postgres?

Thanks

Kevin Waters
Re: FreeRadius and MSSQL
http://www.frontios.com/freeradius.html

nixinfo <[EMAIL PROTECTED]> wrote:
> I'm looking for some information regarding FreeRadius and MSSQL. I can find several documents talking about a mysql setup, but would like some particulars regarding a mssql setup. Any suggestions? Links, forums, irc channels?

Julius Igugu
SouthWork Co. Ltd.
FreeRadius and MSSQL
I'm looking for some information regarding FreeRadius and MSSQL. I can find several documents talking about a mysql setup, but would like some particulars regarding a mssql setup. Any suggestions? Links, forums, irc channels?
Re: EAP-MD5 Access Challenge.
<[EMAIL PROTECTED]> wrote:
> This is not causing me a problem at all. I was just wondering what I
> had wrong in my configuration to cause it to happen.

Nothing.

> 5.44. Table of Attributes
...

Yes, I've read the RFCs. FreeRADIUS doesn't follow the RFCs exactly, for a whole host of reasons. If you really care about it, you can change the server to edit the replies, to filter out attributes which the RFCs say shouldn't be there.

But the DEFINITIVE answer is that it's not causing a problem for you, so it's not a problem.

Alan DeKok.
Re: xlat sql trouble
On Mon, 17 Jan 2005 11:43:51 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Red Cayenne <[EMAIL PROTECTED]> wrote:
> I mean that your sql xlat function needs to call radius_xlat, too.
> How else will it expand the variables passed to your function?
>
> Print out the string that gets passed to your sql xlat function. It
> will be "%{config:modules.sql.test_query}".
>
> Please also READ the original sql_xlat function. It explains this
> in the comments!
>
> Alan DeKok.

I messed up sql_xlat and radius_xlat, sorry. Now I understand. Thanks Alan.
Re: Add default Service-Type Framed-Protocol to all users
You could do it with the users file by adding a "DEFAULT" user, e.g.:

DEFAULT
	Service-Type = Authenticate-Only,
	Framed-Protocol = PPP,
	Fall-through = yes

I haven't tried a DEFAULT entry without any check-items. If it doesn't work you could use (any User-Name greater than one char):

DEFAULT	User-Name =~ "^.+$"

On Fri, 2005-01-21 at 08:54, Daniel Eyholzer wrote:
> Hi there
>
> I'm using freeradius to authenticate and authorize users connecting to a
> cisco router. In my configuration freeradius uses ldap as the backend
> database. I have not defined Service-Type and Framed-Protocol in my ldap
> schemas. Now I need to add these two attributes for all users. How can I do
> that without modifying my ldap schemas and my ldap tree? Can I do that with
> the "hints" file?
>
> Thanks, Daniel
Re: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Have you tried a non-mschapv2 authentication? Try a basic authentication with NTRadPing to make sure the password is read correctly when you are not doing mschapv2. I think you set the password incorrectly in the users file.

Ron.
http://www.positive-logic.net
Re: Add a reply message when a request has been proxied by a specific realm (attr_rewrite)
"Nans Delrieu" <[EMAIL PROTECTED]> wrote:
> There is an error when i launch freeradius -x :
>
> radiusd.conf[1868] Unknown module rcode 'attribute'.

You are putting the module configuration in an "authorize" section, not in the "modules" section.

Alan DeKok.
RE: EAP-MD5 Access Challenge.
Alan,

This is not causing me a problem at all. I was just wondering what I had wrong in my configuration to cause it to happen.

Martin

5.44. Table of Attributes

The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.

Request   Accept   Reject   Challenge   #    Attribute
0-1       0-1      0        0            1   User-Name
0-1       0        0        0            2   User-Password [Note 1]
0-1       0        0        0            3   CHAP-Password [Note 1]
0-1       0        0        0            4   NAS-IP-Address [Note 2]
0-1       0        0        0            5   NAS-Port
0-1       0-1      0        0            6   Service-Type
0-1       0-1      0        0            7   Framed-Protocol
0-1       0-1      0        0            8   Framed-IP-Address
0-1       0-1      0        0            9   Framed-IP-Netmask
0         0-1      0        0           10   Framed-Routing
0         0+       0        0           11   Filter-Id
0-1       0-1      0        0           12   Framed-MTU
0+        0+       0        0           13   Framed-Compression
0+        0+       0        0           14   Login-IP-Host
0         0-1      0        0           15   Login-Service
0         0-1      0        0           16   Login-TCP-Port
0         0+       0+       0+          18   Reply-Message
0-1       0-1      0        0           19   Callback-Number
0         0-1      0        0           20   Callback-Id
0         0+       0        0           22   Framed-Route
0         0-1      0        0           23   Framed-IPX-Network
0-1       0-1      0        0-1         24   State [Note 1]
0         0+       0        0           25   Class
0+        0+       0        0+          26   Vendor-Specific
0         0-1      0        0-1         27   Session-Timeout
0         0-1      0        0-1         28   Idle-Timeout
0         0-1      0        0           29   Termination-Action
0-1       0        0        0           30   Called-Station-Id
0-1       0        0        0           31   Calling-Station-Id
0-1       0        0        0           32   NAS-Identifier [Note 2]
0+        0+       0+       0+          33   Proxy-State
0-1       0-1      0        0           34   Login-LAT-Service
0-1       0-1      0        0           35   Login-LAT-Node
0-1       0-1      0        0           36   Login-LAT-Group
0         0-1      0        0           37   Framed-AppleTalk-Link
0         0+       0        0           38   Framed-AppleTalk-Network
0         0-1      0        0           39   Framed-AppleTalk-Zone
0-1       0        0        0           60   CHAP-Challenge
0-1       0        0        0           61   NAS-Port-Type
0-1       0-1      0        0           62   Port-Limit
0-1       0-1      0        0           63   Login-LAT-Port
Request   Accept   Reject   Challenge   #    Attribute

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 21 January 2005 15:40
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-MD5 Access Challenge.

<[EMAIL PROTECTED]> wrote:
> It is causing me a problem it is just not what is supposed to happen I
> think.

What in the documentation led you to think that?

Alan DeKok.
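Alan's reply mentions editing replies to filter out attributes the RFC says should not be there; the table Martin quotes is what such a filter would consult. As an added example (not code from the thread or from FreeRADIUS), the Python below parses that table as quoted and reports attributes a packet carries more often than the table permits. The Access-Challenge it checks is constructed.

```python
import re

# RFC 2865 table 5.44 as quoted above: Request / Accept / Reject / Challenge,
# then attribute number and name. "[Note n]" markers are ignored.
TABLE_5_44 = """\
0-1 0-1 0  0   1  User-Name
0-1 0   0  0   2  User-Password [Note 1]
0-1 0   0  0   3  CHAP-Password [Note 1]
0-1 0   0  0   4  NAS-IP-Address [Note 2]
0-1 0   0  0   5  NAS-Port
0-1 0-1 0  0   6  Service-Type
0-1 0-1 0  0   7  Framed-Protocol
0-1 0-1 0  0   8  Framed-IP-Address
0-1 0-1 0  0   9  Framed-IP-Netmask
0   0-1 0  0   10 Framed-Routing
0   0+  0  0   11 Filter-Id
0-1 0-1 0  0   12 Framed-MTU
0+  0+  0  0   13 Framed-Compression
0+  0+  0  0   14 Login-IP-Host
0   0-1 0  0   15 Login-Service
0   0-1 0  0   16 Login-TCP-Port
0   0+  0+ 0+  18 Reply-Message
0-1 0-1 0  0   19 Callback-Number
0   0-1 0  0   20 Callback-Id
0   0+  0  0   22 Framed-Route
0   0-1 0  0   23 Framed-IPX-Network
0-1 0-1 0  0-1 24 State [Note 1]
0   0+  0  0   25 Class
0+  0+  0  0+  26 Vendor-Specific
0   0-1 0  0-1 27 Session-Timeout
0   0-1 0  0-1 28 Idle-Timeout
0   0-1 0  0   29 Termination-Action
0-1 0   0  0   30 Called-Station-Id
0-1 0   0  0   31 Calling-Station-Id
0-1 0   0  0   32 NAS-Identifier [Note 2]
0+  0+  0+ 0+  33 Proxy-State
0-1 0-1 0  0   34 Login-LAT-Service
0-1 0-1 0  0   35 Login-LAT-Node
0-1 0-1 0  0   36 Login-LAT-Group
0   0-1 0  0   37 Framed-AppleTalk-Link
0   0+  0  0   38 Framed-AppleTalk-Network
0   0-1 0  0   39 Framed-AppleTalk-Zone
0-1 0   0  0   60 CHAP-Challenge
0-1 0   0  0   61 NAS-Port-Type
0-1 0-1 0  0   62 Port-Limit
0-1 0-1 0  0   63 Login-LAT-Port
"""

PACKET_TYPES = ("Access-Request", "Access-Accept", "Access-Reject", "Access-Challenge")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_table(text):
    """Map attribute name -> {packet type: quantity spec} from the RFC table."""
    rules = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rules[m.group(6)] = dict(zip(PACKET_TYPES, m.group(1, 2, 3, 4)))
    return rules


RULES = parse_table(TABLE_5_44)


def max_allowed(spec):
    """'0' -> 0, '0-1' -> 1, '0+' -> None (unbounded)."""
    return {"0": 0, "0-1": 1, "0+": None}[spec]


def check_packet(packet_type, attributes, rules=RULES):
    """Return [(attribute, count_seen, max_allowed)] for attributes that occur
    more often than the table permits in this packet type.

    Attributes the table does not list are not judged: EAP-Message and
    Message-Authenticator, for instance, are governed by RFC 2869, not 2865.
    """
    counts = {}
    for name in attributes:
        counts[name] = counts.get(name, 0) + 1
    violations = []
    for name, seen in counts.items():
        if name not in rules:
            continue
        limit = max_allowed(rules[name][packet_type])
        if limit is not None and seen > limit:
            violations.append((name, seen, limit))
    return violations


# Constructed Access-Challenge from an EAP-MD5 exchange: State and EAP-Message
# belong there; Service-Type and Framed-MTU (as a DEFAULT users entry with
# Fall-Through might add) do not, per the table.
SAMPLE_CHALLENGE = ["EAP-Message", "Message-Authenticator", "State",
                    "Service-Type", "Framed-MTU", "Reply-Message"]
```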
Add default Service-Type Framed-Protocol to all users
Hi there

I'm using freeradius to authenticate and authorize users connecting to a cisco router. In my configuration freeradius uses ldap as the backend database. I have not defined Service-Type and Framed-Protocol in my ldap schemas. Now I need to add these two attributes for all users. How can I do that without modifying my ldap schemas and my ldap tree? Can I do that with the "hints" file?

Thanks, Daniel
Re: NAS from db - add without restart
"Neil Craig" <[EMAIL PROTECTED]> wrote:
> Is it worth considering adding a "periodic" section to radiusd.conf
> and the radius server? Rather than retrofitting reload this, reload
> that, functionality into existing functions that are called during
> the processing of a request, modules could implement a "periodic
> function" that could be called at a configurable period, and
> possibly only when the number of requests that the server is
> currently handling is below some threshold?

It's a good idea.

Alan DeKok.
RE: running external script in FreeRadius
Sorry, the radiusd.conf says version 1.160.

George Schoggins
Enterasys Networks
Phone: 407-268-9894
FAX: 407-268-9881
Cell: 407-808-6013
Email: [EMAIL PROTECTED]
www: http://www.enterasys.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zoltan Ori
Sent: Friday, January 21, 2005 10:45 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: running external script in FreeRadius

On Friday 21 January 2005 10:18, Schoggins, George wrote:
> I am running version 2.23 FreeRadius on Windows XP Pro.

I'm not aware of any version 2.23 of freeRADIUS.

> The error I keep
> getting is file or directory not found. I have run the script in the
> exec-program-wait mode but the path is not working correctly. I have put
> the script in every directory and subdirectory in Radius and it still
> errors with file or directory not found.

What is the command you are giving to run the script? What are the permissions on the script itself?
Re: EAP-MD5 Access Challenge.
<[EMAIL PROTECTED]> wrote:
> It is causing me a problem it is just not what is supposed to happen I
> think.

What in the documentation led you to think that?

Alan DeKok.
Re: running external script in FreeRadius
On Friday 21 January 2005 10:18, Schoggins, George wrote:
> I am running version 2.23 FreeRadius on Windows XP Pro.

I'm not aware of any version 2.23 of freeRADIUS.

> The error I keep
> getting is file or directory not found. I have run the script in the
> exec-program-wait mode but the path is not working correctly. I have put
> the script in every directory and subdirectory in Radius and it still
> errors with file or directory not found.

What is the command you are giving to run the script? What are the permissions on the script itself?
Re: Mapping a single LDAP attribute to multiple radius attributes
Michael Griego <[EMAIL PROTECTED]> wrote:
> Or, instead of using the Autz-Type attribute, use the new rlm_policy
> module in CVS to selectively call instance ldap1 or ldap2 based on the
> huntgroup.

I don't think that works quite as yet.

Alan DeKok.
RE: running external script in FreeRadius
I am running version 2.23 FreeRadius on Windows XP Pro. The error I keep getting is file or directory not found. I have run the script in the exec-program-wait mode but the path is not working correctly. I have put the script in every directory and subdirectory in Radius and it still errors with file or directory not found. I have tried putting the path with standard windows syntax and UNIX syntax from the radius root such as ${logdir}/script and I have had no luck in running a script. Any help would be great!

George Schoggins
Enterasys Networks
Phone: 407-268-9894
FAX: 407-268-9881
Cell: 407-808-6013
Email: [EMAIL PROTECTED]
www: http://www.enterasys.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zoltan A. Ori
Sent: Friday, January 21, 2005 6:21 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: running external script in FreeRadius

On Friday 21 January 2005 05:52, Zoltan A. Ori wrote:
> On Thursday 20 January 2005 19:15, Schoggins, George wrote:
> > Could someone give me an example of the exec and how it is configured to
> > run.
>
> See the 'exec-program-wait' script in your freeradius source. It has
> examples of use and quick explanation.
>
> Zoltan
>

Sorry! That is not what you asked but what I inferred that you wanted based on your previous posts.
Re: NAS from db - add without restart
When you're using EAP, it's not always that simple. HUPping a server or taking it offline is something you'd rather avoid if possible as it becomes noticeable to the end users when you do it. We do indeed have redundant servers. If one fails, then yes, the other picks up the load, but it's not good to just arbitrarily take them down if you can avoid it.

--Mike

Dustin Doris wrote:
> Why doesn't everyone just setup redundant radius servers so you can afford
> to HUP a server or even take one offline for a bit? It seems that would be
> best practice anyway. Freeradius is very stable from my experiences, but I
> can't say the same for some of the hard drives I've had in our machines.
>
> On Fri, 21 Jan 2005, Mitchell, Michael J wrote:
>> Just floating an idea...
>>
>> Is it worth considering adding a "periodic" section to radiusd.conf and
>> the radius server? Rather than retrofitting reload this, reload that,
>> functionality into existing functions that are called during the
>> processing of a request, modules could implement a "periodic function"
>> that could be called at a configurable period, and possibly only when
>> the number of requests that the server is currently handling is below
>> some threshold? This way client lists, proxy lists, etc, could be
>> updated automatically, without adversely affecting the response times of
>> single authentication or accounting requests.
>>
>> I haven't looked at the server code to see how feasible/difficult this
>> would be, and maybe it doesn't make sense at all... Just an idea! If the
>> idea floats, I'd be happy to spend some time looking more closely at the
>> problem, though I couldn't guarantee a delivery date...
>>
>> Regards,
>> Mike
>>
>>> Or, if you're willing to edit the source, have it
>>> periodically re-read the NAS list from SQL.
>>>
>>> Reading the NAS data from SQL for every request is a bad idea.
>>>
>>> Alan DeKok.
Add a reply message when a request has been proxied by a specific realm (attr_rewrite)
My configuration is this:

attr_rewrite cross_a_realm_company {
	attribute = Reply-Message
	searchin = proxy_reply
	searchfor = "[+ ]"
	replacewith = "through company.com"
	#ignore_case = no
	#new_attribute = yes # i don't know ???
	max_matches = 1
	append = no
}

There is an error when I launch freeradius -x:

radiusd.conf[1868] Unknown module rcode 'attribute'.

Is "Reply-message" a good name for this attribute?

Thanks

PS: many thanks to Stefan for his help
Re: Extreme, 802.1x, PEAP, and FreeRADIUS
Wow. The EAP message does indeed decode to an EAP Response/Identity with a value of "AMS\mcapelle". I've never seen an EAP-aware NAS rewrite the User-Name. That violates RFC2869, which states that the NAS must *copy* the contents of the identity into the User-Name. The only thing I can suggest is getting in touch with the manufacturer or looking through the documentation to find out if that is a configurable "feature" which can be disabled.

--Mike

[EMAIL PROTECTED] wrote:
Here is the radiusd -Xxxx output from when the Extreme Networks switch tries to auth the port:

Thu Jan 20 04:21:12 2005 : Debug: Listening on authentication *:1812
Thu Jan 20 04:21:12 2005 : Debug: Listening on accounting *:1813
Thu Jan 20 04:21:12 2005 : Debug: Listening on proxy *:1814
Thu Jan 20 04:21:12 2005 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.0.4.3:2082, id=176, length=98
	User-Name = "[EMAIL PROTECTED]"
	EAP-Message = 0x0201001101414d535c6d636170656c6c65
	NAS-IP-Address = 10.0.4.3
	Service-Type = Login-User
	Calling-Station-Id = "0.0.0.0"
	NAS-Port-Type = Ethernet
	Message-Authenticator = 0x79e9c575d1b7ebe5618c65d8034791e4
Thu Jan 20 04:21:36 2005 : Debug: Processing the authorize section of radiusd.conf
Thu Jan 20 04:21:36 2005 : Debug: modcall: entering group authorize for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: Looking up realm "AMS" for User-Name = "[EMAIL PROTECTED]"
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No such realm "AMS"
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No '\' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No such realm "NULL"
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "ntdomain" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_eap: EAP packet type response id 1 length 17
Thu Jan 20 04:21:36 2005 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "eap" returns updated for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Thu Jan 20 04:21:36 2005 : Debug: users: Matched DEFAULT at 152
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "files" returns ok for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall: group authorize returns updated for request 0
Thu Jan 20 04:21:36 2005 : Debug: rad_check_password: Found Auth-Type EAP
Thu Jan 20 04:21:36 2005 : Debug: auth: type "EAP"
Thu Jan 20 04:21:36 2005 : Debug: Processing the authenticate section of radiusd.conf
Thu Jan 20 04:21:36 2005 : Debug: modcall: entering group authenticate for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Error: rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Thu Jan 20 04:21:36 2005 : Debug: rlm_eap: Failed in handler
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authenticate]: module "eap" returns invalid
RE: NAS from db - add without restart
Why doesn't everyone just setup redundant radius servers so you can afford to HUP a server or even take one offline for a bit? It seems that would be best practice anyway. Freeradius is very stable from my experiences, but I can't say the same for some of the hard drives I've had in our machines.

On Fri, 21 Jan 2005, Mitchell, Michael J wrote:
> Just floating an idea...
>
> Is it worth considering adding a "periodic" section to radiusd.conf and
> the radius server? Rather than retrofitting reload this, reload that,
> functionality into existing functions that are called during the
> processing of a request, modules could implement a "periodic function"
> that could be called at a configurable period, and possibly only when
> the number of requests that the server is currently handling is below
> some threshold? This way client lists, proxy lists, etc, could be
> updated automatically, without adversely affecting the response times of
> single authentication or accounting requests.
>
> I haven't looked at the server code to see how feasible/difficult this
> would be, and maybe it doesn't make sense at all... Just an idea! If the
> idea floats, I'd be happy to spend some time looking more closely at the
> problem, though I couldn't guarantee a delivery date...
>
> Regards,
> Mike
>
> > Or, if you're willing to edit the source, have it
> > periodically re-read the NAS list from SQL.
> >
> > Reading the NAS data from SQL for every request is a bad idea.
> >
> > Alan DeKok.
Re: Simultaneous Use ... Running in to problems ... Help ..
On Thu, 20 Jan 2005, Rad Adm wrote:
> I want to limit the users so that multiple logins are not allowed
> using a single account.
>
> At our company we have ( proprietary ) server which forwards
> authentication requests to radius which is configured to query Mysql
> and confirm the user credentials.
>
> I have done the following
>
> radcheck table
> +----+-------------------+-----------+----+-------+
> | id | UserName          | Attribute | op | Value |
> +----+-------------------+-----------+----+-------+
> |  7 | [EMAIL PROTECTED] | Password  | == | baen1 |
> |  6 | [EMAIL PROTECTED] | Auth-Type | := | Local |
> +----+-------------------+-----------+----+-------+

Why did you add Auth-Type := Local? Just curious.

> usergroup table
> +----+-------------------+-----------+
> | id | UserName          | GroupName |
> +----+-------------------+-----------+
> |  1 | [EMAIL PROTECTED] | demo      |
> +----+-------------------+-----------+
>
> radgroupcheck table
> +----+-----------+------------------+----+-------+
> | id | GroupName | Attribute        | op | Value |
> +----+-----------+------------------+----+-------+
> |  1 | demo      | Simultaneous-Use | := | 1     |
> +----+-----------+------------------+----+-------+
>
> The queries in sql.conf are :
>
> authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
>
> authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"
>
> authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
>
> authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"
>
> simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>
> simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>
> I tried to follow the instructions in the documentation page
> "Simultaneous-Use" which comes with free radius package but obviously
> i am doing something wrong.
>
> In case anyone knows the answer or can put me in the right direction,
> please help me with that.

So what does debug show when you try to log in a user that is already logged in?
Re: Extreme, 802.1x, PEAP, and FreeRADIUS
Here is the radiusd -Xxxx output from when the Extreme Networks switch tries to auth the port:

Thu Jan 20 04:21:12 2005 : Debug: Listening on authentication *:1812
Thu Jan 20 04:21:12 2005 : Debug: Listening on accounting *:1813
Thu Jan 20 04:21:12 2005 : Debug: Listening on proxy *:1814
Thu Jan 20 04:21:12 2005 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.0.4.3:2082, id=176, length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x0201001101414d535c6d636170656c6c65
        NAS-IP-Address = 10.0.4.3
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x79e9c575d1b7ebe5618c65d8034791e4
Thu Jan 20 04:21:36 2005 : Debug: Processing the authorize section of radiusd.conf
Thu Jan 20 04:21:36 2005 : Debug: modcall: entering group authorize for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: Looking up realm "AMS" for User-Name = "[EMAIL PROTECTED]"
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No such realm "AMS"
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No '\' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No such realm "NULL"
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "ntdomain" returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_eap: EAP packet type response id 1 length 17
Thu Jan 20 04:21:36 2005 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "eap" returns updated for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Thu Jan 20 04:21:36 2005 : Debug: users: Matched DEFAULT at 152
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authorize]: module "files" returns ok for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall: group authorize returns updated for request 0
Thu Jan 20 04:21:36 2005 : Debug: rad_check_password: Found Auth-Type EAP
Thu Jan 20 04:21:36 2005 : Debug: auth: type "EAP"
Thu Jan 20 04:21:36 2005 : Debug: Processing the authenticate section of radiusd.conf
Thu Jan 20 04:21:36 2005 : Debug: modcall: entering group authenticate for request 0
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Error: rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Thu Jan 20 04:21:36 2005 : Debug: rlm_eap: Failed in handler
Thu Jan 20 04:21:36 2005 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall[authenticate]: module "eap" returns invalid for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall: group authenticate returns invalid for request 0
Thu Jan 20 04:21:36 2005 : Debug: auth: Failed to validate the user.
Thu Jan 20 04:21:36 2005 : Auth: Login incorrect: [EMAIL PROTECTED] (from client Alpine port 0 cli 0.0.0.0)
Thu Jan 20 04:21:36 2005 : Debug: Delaying request 0 for 1 seconds
Thu Jan 20 04:21:36 2005 : Debug: Finished request 0
Thu Jan 20 04:21:36 2005 : Debug: Going to the next request
Thu Jan 20 04:21:36 200
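The rejection above comes from rlm_eap comparing the identity carried inside the EAP-Message with the outer User-Name. The log shows the two are in different shapes: the suffix module found a realm "AMS" in User-Name (so it is user@AMS form), while the ntdomain module found no '\' in it, yet the EAP-Message bytes decode to a DOMAIN\user identity. The following script is an added example, not FreeRADIUS code and not from the poster: it parses the EAP-Message exactly as printed in the log and compares the identity with a User-Name value that is a constructed stand-in for the redacted address (built as mcapelle@AMS to match the realm lookup in the log).

```python
"""Decode the EAP-Message from the debug output above and compare the EAP
Identity with the RADIUS User-Name, the check behind "Identity does not
match User-Name" in rlm_eap.  Added example for this thread, not FreeRADIUS
code.  The EAP-Message hex is the one in the log; the User-Name used below is
a constructed stand-in for the redacted value.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type byte
    data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet (RFC 3748 section 4): Code, Identifier, Length, Type, Type-Data."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A Length that disagrees with the attribute size is malformed; refuse it
        # rather than reading past the buffer or silently truncating.
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes present")
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        return EapPacket(code, identifier, length, raw[4], raw[5:])
    return EapPacket(code, identifier, length, None, raw[4:])


def eap_identity(eap_message_hex: str) -> str:
    """Return the identity string from an EAP-Response/Identity given as hex (with or without 0x)."""
    pkt = parse_eap(bytes.fromhex(eap_message_hex.removeprefix("0x")))
    if pkt.code != EAP_CODE_RESPONSE or pkt.eap_type != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an EAP-Response/Identity (code={pkt.code}, type={pkt.eap_type})")
    return pkt.data.decode("utf-8", errors="replace")


def split_realm(name: str) -> Tuple[str, Optional[str]]:
    """Split DOMAIN\\user (ntdomain form) or user@realm (suffix form) into (user, realm)."""
    if "\\" in name:
        realm, user = name.split("\\", 1)
        return user, realm
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return user, realm
    return name, None


def identity_report(eap_message_hex: str, user_name: str) -> dict:
    """Compare the EAP Identity with User-Name literally and after splitting off the realm."""
    identity = eap_identity(eap_message_hex)
    id_user, id_realm = split_realm(identity)
    un_user, un_realm = split_realm(user_name)
    return {
        "identity": identity,
        "user_name": user_name,
        "exact_match": identity == user_name,
        "same_user_and_realm": (id_user, id_realm) == (un_user, un_realm),
    }


if __name__ == "__main__":
    # EAP-Message from the log above; User-Name is a constructed stand-in for the
    # redacted address, written as user@AMS to match the realm lookup in the log.
    print(identity_report("0x0201001101414d535c6d636170656c6c65", "mcapelle@AMS"))
```

The report shows the literal comparison failing while user and realm agree once the two naming forms are normalised, which is the situation the log describes: the supplicant sent an AMS\user identity and the switch put a user@AMS value in User-Name.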
RE: pix and radius authentication
I believe the virtual IP DHCP would be addressed by the Cisco PIX, not the RADIUS server.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a00800898ed_4container_ccmigration_09186a00801e893a.html

Try this link. I would also search for Cisco PIX How To VPN virtual IP.

From: Volker Lieder <[EMAIL PROTECTED]>
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: pix and radius authentication
Date: Tue, 18 Jan 2005 11:41:39 +0100

Hello list,

I want to set up a pix 525 with Cisco PIX Firewall Version 6.3(4) to authenticate vpn-users against a freebsd-radius. This step already works fine, the users get authenticated. Now we want to give the user via radius an ip-address, but this doesn't work. At this moment I can only login via vpn-client if I have a local ip pool configured on the pix. The Framed-IP-Address = "10.106.4.5" entry in the radius-users file doesn't work. Has somebody a solution for this problem or isn't it possible? Also we want to send an access-list to the user via radius... But in this case I don't have any idea how to solve the problem.

Thank you very much
Volker Lieder

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: mod_auth_radius with apache and Tomcat
Hmm, Tomcat presents a different issue for authentication. I have RADIUS working with Apache 2.0, but I have not setup Tomcat. I think you will need to address Tomcat authentication separately since it runs as a separate service.

From: Liz Osborne <[EMAIL PROTECTED]>
Reply-To: freeradius-users@lists.freeradius.org
To: "'freeradius-users@lists.freeradius.org'"
Subject: mod_auth_radius with apache and Tomcat
Date: Thu, 20 Jan 2005 14:54:33 -

Has anybody succeeded in using mod_auth_radius with apache and Tomcat? We are having problems authenticating URLs which are forwarded from apache to Tomcat. The authentication seems to work sometimes, but the web server returns a 404 error, saying the URL is not present on the server.
Re: running external script in FreeRadius
On Friday 21 January 2005 05:52, Zoltan A. Ori wrote:
> On Thursday 20 January 2005 19:15, Schoggins, George wrote:
> > Could someone give me an example of the exec and how it is configured to
> > run.
>
> See the 'exec-program-wait' script in your freeradius source. It has
> examples of use and quick explanation.
>
> Zoltan

Sorry! That is not what you asked but what I inferred that you wanted based on your previous posts.
freeradius + domain windows NT4
Hi,

I want to make FreeRADIUS work with an NT4 domain and I don't know how to do it. Can you share your experience about this subject? I looked on freeradius.org and found nothing about this.

Regards,
Re: running external script in FreeRadius
On Thursday 20 January 2005 19:15, Schoggins, George wrote:
> Could someone give me an example of the exec and how it is configured to
> run.

See the 'exec-program-wait' script in your freeradius source. It has examples of use and a quick explanation.

Zoltan
Re: (no subject)
Use apt to install freeradius-sql..

>>> [EMAIL PROTECTED] 21/01/2005 11:27:06 >>>
Tnx for your reply!
My kernel is 2.6.8-1-686. OS is Debian testing.
I install: "apt-get install freeradius" and "apt-get install freeradius-dialupadmin". Installation is successfully finished. So I cannot config freeradius and cannot use dialup-admin. My installed dialupadmin hasn't sql, and more folders.

Neil Craig writes:
> What platform are you running it on? Easiest way is to use rpm or
> yum/apt etc to install (on Linux).
> Have a look at http://www.frontios.com/freeradius.html and also search
> the list archives - the notes are also included in all the conf files
> which are pretty handy
>
> >>> [EMAIL PROTECTED] 21/01/2005 10:59:59 >>>
> > Hi all!
> > I am new in freeradius. I use debian testing. How do I install and configure
> > freeradius, freeradius-dialupadmin?
> > Please help me guys
> >
> > Sincerely,
> > Tulga.G
> > Lead Programist of Netsoft LLC

Sincerely,
Tulga.G
Lead Programist of Netsoft LLC
Re: Reply message when a user is proxied to a realm. is it possible ?
Hi!

> i would like to have a notification when a client is proxied to a
> realm. is it possible ?

It sure is. You can use the pre-proxy {} section and do whatever you like there. For example an exec instance that executes a script of your choice.

It all depends on what you mean with notification. If you just want to have it logged, simply use a detail instance (there is an example for that in the sample config file, I believe). If you want to have a dialog box pop up every time, well, write a script and put it into an exec instance. If you want an alarm bell to go off, attach an alarm bell to the server, write a script that triggers it and put that into exec.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur réseau et système
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tél.: +352 424409-33
http://www.restena.lu      fax: +352 422473
Re: (no subject)
Tnx for your reply!
My kernel is 2.6.8-1-686. OS is Debian testing.
I install: "apt-get install freeradius" and "apt-get install freeradius-dialupadmin". Installation is successfully finished. So I cannot config freeradius and cannot use dialup-admin. My installed dialupadmin hasn't sql, and more folders.

Neil Craig writes:
> What platform are you running it on? Easiest way is to use rpm or
> yum/apt etc to install (on Linux).
> Have a look at http://www.frontios.com/freeradius.html and also search
> the list archives - the notes are also included in all the conf files
> which are pretty handy
>
> >>> [EMAIL PROTECTED] 21/01/2005 10:59:59 >>>
> > Hi all!
> > I am new in freeradius. I use debian testing. How do I install and configure
> > freeradius, freeradius-dialupadmin?
> > Please help me guys
> >
> > Sincerely,
> > Tulga.G
> > Lead Programist of Netsoft LLC

Sincerely,
Tulga.G
Lead Programist of Netsoft LLC
Reply message when a user is proxied to a realm. is it possible ?
Hello

I would like to have a notification when a client is proxied to a realm. Is it possible?

For example, if [EMAIL PROTECTED] connects to freeradius and freeradius contacts the realm company.com, I'd like to have a reply message which tells me [EMAIL PROTECTED] has been proxied to company.com ?? Is it possible with freeradius with the Attribute solution? I don't really understand the methods of attributes.

Thanks.
RE: EAP-MD5 Access Challenge.
Oops. I meant to say: It is NOT causing me a problem, it is just not what is supposed to happen I think.

Sorry
Martin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 January 2005 10:12
To: freeradius-users@lists.freeradius.org
Subject: RE: EAP-MD5 Access Challenge.

Alan,

I'm not using an NAS to send the Access-Request. I'm using radeapclient. It is causing me a problem it is just not what is supposed to happen I think.

freeradius version 1.0.1

I had tried to attach some configuration files but they bounced off the mail server saying "Message is bigger than 65536 bytes - refused."

Martin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 20 January 2005 19:52
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-MD5 Access Challenge.

<[EMAIL PROTECTED]> wrote:
> Thanks for the suggestion. I tried it but I'm still getting attributes
> in the Access-Challenge packet. The output is shown below.

Is it causing a problem on the NAS?

Alan DeKok.
regarding internal processing - memory allocation
Hello all, a question about internal processing and memory allocation:

When I run a /etc/init.d/radiusd reload or restart, the first 20 minutes I get a lot of

Fri Jan 21 10:33:51 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request

and

Fri Jan 21 10:33:52 2005 : Error: Dropping conflicting packet from client :49367 - ID: 103 due to unfinished request 19613 66

I have always thought of these errors as an indication of long response-time from the radius-server due to the processing overhead when processing a large amount of packets. I have tried to increase the number of threads, but this does not help. I run a mysql in backend, but this server reports no significant load. I currently have 80 socks available between the RADIUS-server and the mysql-server, and when viewing the process-list, sleep-time for the oldest connection is never below 10 sec.

Then I started to wonder about memory usage. My cat /proc/meminfo looks like this:

MemTotal:      2055440 kB
MemFree:         13572 kB
Buffers:         54380 kB
Cached:        1767756 kB
SwapCached:       1012 kB
Active:        1517788 kB
Inactive:       424172 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:      2055440 kB
LowFree:         13572 kB
SwapTotal:     1052216 kB
SwapFree:      1047240 kB
Dirty:           19064 kB
Writeback:           0 kB
Mapped:         130056 kB
Slab:            85144 kB
Committed_AS:   269912 kB
PageTables:       2320 kB
VmallocTotal: 536870911 kB
VmallocUsed:    268072 kB
VmallocChunk: 536602311 kB
HugePages_Total:     0
HugePages_Free:      0
Hugepagesize:     2048 kB

Even though "MemFree" is low, the "inactive" memory is high - which in turn I interpret as if there is plenty of available memory to be used. Is this correct? Is there maybe a design problem, which makes it difficult for RADIUSD to reload when the amount of "Free Memory" is low - and does RADIUS get to use freed "inactive" memory?

--
Med vennlig hilsen/Sincerely
Alfred H. Dahl
Hostmaster
Élla Kommunikasjon
Tlf: +47 3860 8575
Fax: +47 3860 8501
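Two things are worth separating in the post above: whether the two messages come in bursts that coincide (a full thread pool and clients reusing packet IDs the server has not finished with), and what the meminfo figures actually say about free memory. The script below is an added example, not the poster's tooling and not FreeRADIUS code: it parses log lines in the format quoted above, counts both symptoms per minute, and reads the poster's own meminfo numbers. Only the first two log lines are from the post; the rest are constructed in the same format.

```python
"""Triage for the two messages quoted above (thread-pool exhaustion, conflicting
packet drops) and a reading of the /proc/meminfo figures.  Added example for this
thread, not FreeRADIUS code.  SAMPLE_LOG holds the two lines from the post plus
constructed ones in the same format; MEMINFO_SAMPLE is the post's own figures.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
THREADS_RE = re.compile(r"maximum number of threads \((?P<max>\d+)\) are active")
CONFLICT_RE = re.compile(r"Dropping conflicting packet from client (?P<client>\S*) - ID: (?P<pid>\d+) "
                         r"due to unfinished request (?P<req>\d+)")

SAMPLE_LOG = """\
Fri Jan 21 10:33:51 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 10:33:52 2005 : Error: Dropping conflicting packet from client :49367 - ID: 103 due to unfinished request 19613
Fri Jan 21 10:33:55 2005 : Info: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Jan 21 10:34:10 2005 : Error: Dropping conflicting packet from client :49367 - ID: 104 due to unfinished request 19620
Fri Jan 21 10:34:11 2005 : Info: Ready to process requests.
Fri Jan 21 10:51:02 2005 : Error: Dropping conflicting packet from client :49367 - ID: 7 due to unfinished request 20101
"""

MEMINFO_SAMPLE = """\
MemTotal:      2055440 kB
MemFree:         13572 kB
Buffers:         54380 kB
Cached:        1767756 kB
Active:        1517788 kB
Inactive:       424172 kB
SwapTotal:     1052216 kB
SwapFree:      1047240 kB
"""


def classify(msg):
    if THREADS_RE.search(msg):
        return "threads_exhausted"
    if CONFLICT_RE.search(msg):
        return "conflicting_packet"
    return "other"


def parse_line(line):
    """Return (timestamp, level, kind, message), or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["level"], classify(m["msg"]), m["msg"]


def triage(log_text):
    """Count each message kind per minute and list the minutes showing both symptoms."""
    per_minute = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        ts, _level, kind, _msg = parsed
        per_minute[ts.strftime("%Y-%m-%d %H:%M")][kind] += 1
    # A conflicting packet reuses the ID of a request the server has not finished;
    # minutes where that coincides with pool exhaustion are the queueing pattern
    # the post describes after a restart.
    saturated = sorted(m for m, c in per_minute.items()
                       if c.get("threads_exhausted") and c.get("conflicting_packet"))
    return {"per_minute": {m: dict(c) for m, c in per_minute.items()},
            "saturated_minutes": saturated, "unparsed_lines": unparsed}


def parse_meminfo(text):
    """Map each /proc/meminfo key to its value (kB, or a bare count for the HugePages lines)."""
    out = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and rest.split():
            out[key.strip()] = int(rest.split()[0])
    return out


def memory_view(text):
    """Free versus reclaimable.  Buffers and Cached are mostly page cache the kernel drops on
    demand, so MemFree alone understates what a restarted daemon can obtain.  Inactive is not
    a free-memory figure: it counts cache and anonymous pages that were not recently used."""
    m = parse_meminfo(text)
    reclaimable = m["Buffers"] + m["Cached"]
    return {"free_kb": m["MemFree"], "reclaimable_cache_kb": reclaimable,
            "roughly_available_kb": m["MemFree"] + reclaimable,
            "swap_used_kb": m["SwapTotal"] - m["SwapFree"]}
```

On the post's figures the box has roughly 1.8 GB of reclaimable cache and almost no swap in use, so low MemFree by itself is not what is holding the server back; the per-minute view is the place to look for whether the drops track the pool exhaustion.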
RE: EAP-MD5 Access Challenge.
Alan,

I'm not using an NAS to send the Access-Request. I'm using radeapclient. It is causing me a problem it is just not what is supposed to happen I think.

freeradius version 1.0.1

I had tried to attach some configuration files but they bounced off the mail server saying "Message is bigger than 65536 bytes - refused."

Martin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 20 January 2005 19:52
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-MD5 Access Challenge.

<[EMAIL PROTECTED]> wrote:
> Thanks for the suggestion. I tried it but I'm still getting attributes
> in the Access-Challenge packet. The output is shown below.

Is it causing a problem on the NAS?

Alan DeKok.
Re: (no subject)
What platform are you running it on? Easiest way is to use rpm or yum/apt etc to install (on Linux).

Have a look at http://www.frontios.com/freeradius.html and also search the list archives - the notes are also included in all the conf files which are pretty handy

>>> [EMAIL PROTECTED] 21/01/2005 10:59:59 >>>
Hi all!

I am new in freeradius. I use debian testing. How do I install and configure freeradius, freeradius-dialupadmin?

Please help me guys

Sincerely,
Tulga.G
Lead Programist of Netsoft LLC
(no subject)
Hi all!

I am new in freeradius. I use debian testing. How do I install and configure freeradius, freeradius-dialupadmin?

Please help me guys

Sincerely,
Tulga.G
Lead Programist of Netsoft LLC
Re: MS-CHAP2 proxy problem (repost)
Hi!

> rad_recv: Access-Accept packet from host IPnumber-Vasco:1645, id=0,
> length=198
>         Reply-Message = "Login successful."
>         MS-CHAP2-Success = 0x02533d46453430464243324341313641363730453135463039443438314145423830364331463031423943
>         MS-MPPE-Encryption-Policy = 0x0001
>         MS-MPPE-Encryption-Types = 0x0006
>         MS-MPPE-Send-Key = 0xe4b73fbf37c00ff323fe50b697961dd0
>         MS-MPPE-Recv-Key = 0x02fc5aa8347af34df114fc9072e70240

[...]

> attr_filter: Matched entry company.realm at line 87
> modcall[authorize]: module "attr_filter" returns updated for request 0

attr_filter updated the list of attributes you are sending to the client. I bet it strips all important attributes and merely sends a bare Access-Accept without any attributes. Then the client does not know to which request the Accept belongs. Have a look into your attrs file, maybe that explains things.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur réseau et système
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tél.: +352 424409-33
http://www.restena.lu      fax: +352 422473
Re: Users comming from different Huntgroups
Dustin Doris wrote:
> > Dustin Doris wrote:
> > > > Hi, how can I manage to accept two kinds of users:
> > > > the first: premium, may login from serverA and serverB
> > > > the second: normal, may only login from serverB
> > > >
> > > > I thought to manage this by huntgroup-file:
> > > >
> > > > huntgroup-file:
> > > > premium NAS-IP-Address == serverA
> > > > premium NAS-IP-Address == serverB
> > > > normal  NAS-IP-Address == serverB
> > > >
> > > > But with this configuration only the premium user can login from serverB, the normal users are denied!!
> > >
> > > Good start, but what's in your users file? There is more to it, the huntgroup file only defines what is a huntgroup. Something else (such as the users file) will define what to do if someone is in that huntgroup.
> >
> > The users file looks like that:
> >
> > user1 Auth-Type := PAP, Crypt-Password == "XXX", Huntgroup-Name == premium
> >       Service-Type = Framed-User,
> >       Framed-Protocol = PPP,
> >       Framed-IP-Netmask = 255.255.255.0,
> >       Framed-IP-Address = 10.10.11.11
> >
> > user2 Auth-Type := PAP, Crypt-Password == "YYY", Huntgroup-Name == normal
> >       Service-Type = Framed-User,
> >       Framed-Protocol = PPP,
> >       Framed-IP-Netmask = 255.255.255.0,
> >       Framed-IP-Address = 10.10.10.11
> >
> > and user1 is allowed to login, but user2 is denied, also both login from serverB. I am using Freeradius 1.0.1.
>
> You have serverB in both huntgroups. The first one that matches will be used. Therefore, serverB will only be in the premium huntgroup.

Yes I know, because I want the premium people to be able to login at every server (serverA and serverB). Looking into the huntfile coming with the sourcecode, the server 192.168.2.5 is in both huntgroups (alphen and business) as well!

I thought the procedure is like that: The request is arriving, first the username is looked up, then (if) the huntgroup is searched in the huntgroup file. If the huntgroup is found, the IP-Address must match!!

But this looks like if a huntgroup is set, radius is looking for the NAS-IP-Address in the huntgroup file and the first matching IP-Address is taken, and therefore the depending huntgroup!!!

So how can I then manage to have two groups, where the normal users may login from some NAS and the premium users may login from the same and some more!!

thanks
florian

--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813
Propel with Multiple logins Freeradius/Mysql
I want to limit the users so that multiple logins are not allowed using a single account. At our company we have a (proprietary) server which forwards authentication requests to radius, which is configured to query Mysql and confirm the user credentials. I have done the following:

radcheck table

+----+-------------------+-----------+----+-------+
| id | UserName          | Attribute | op | Value |
+----+-------------------+-----------+----+-------+
|  7 | [EMAIL PROTECTED] | Password  | == | baen1 |
|  6 | [EMAIL PROTECTED] | Auth-Type | := | Local |
+----+-------------------+-----------+----+-------+

usergroup table

+----+-------------------+-----------+
| id | UserName          | GroupName |
+----+-------------------+-----------+
|  1 | [EMAIL PROTECTED] | demo      |
+----+-------------------+-----------+

radgroupcheck table

+----+-----------+------------------+----+-------+
| id | GroupName | Attribute        | op | Value |
+----+-----------+------------------+----+-------+
|  1 | demo      | Simultaneous-Use | := | 1     |
+----+-----------+------------------+----+-------+

The queries in sql.conf are:

authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"

authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName,${groupreply_table}.Attribute,${groupreply_table}.Value,${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName ORDER BY ${groupreply_table}.id"

simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

I tried to follow the instructions in the documentation page "Simultaneous-Use" which comes with the free radius package but obviously I am doing something wrong. In case anyone knows the answer or can put me in the right direction, please help me with that.

Thank you ..

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
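The decision the post is trying to get is made from two of those queries: the group check query supplies Simultaneous-Use for the user's group, and simul_count_query counts the user's sessions in the accounting table that have no stop time. The limit can therefore only bite if Accounting-Request Start and Stop records for these logins actually reach the accounting table; a front-end that only forwards Access-Requests leaves the count at zero forever. The script below is an added example, not rlm_sql and not the poster's setup: it models that flow on an in-memory SQLite database with cut-down, constructed versions of the radcheck, usergroup, radgroupcheck and radacct tables, and uses AcctStopTime IS NULL as the open-session test where the post's MySQL queries use AcctStopTime = 0.

```python
"""Simultaneous-Use decision modelled on the SQL flow in the post: the group
check query yields Simultaneous-Use := 1 for the user's group, the count query
counts open sessions in the accounting table, and a new login is refused once
the count has reached the limit.  Added example for this thread, not rlm_sql.
Tables and rows are constructed; the user name is a placeholder.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, UserName TEXT,
                      NASIPAddress TEXT, AcctStartTime TEXT, AcctStopTime TEXT);
"""

# Same shape as the post's group check query, with the table names fixed and the
# user name bound as a parameter instead of interpolated.
GROUP_CHECK_QUERY = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
FROM radgroupcheck, usergroup
WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id"""

# The post's simul_count_query; open sessions are those without a stop time.
SIMUL_COUNT_QUERY = "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL"


def new_db():
    """Fresh database seeded with rows mirroring the post's three tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radcheck VALUES (?,?,?,?,?)", [
        (7, "user@example.test", "Password", "==", "baen1"),
        (6, "user@example.test", "Auth-Type", ":=", "Local"),
    ])
    conn.execute("INSERT INTO usergroup VALUES (1, 'user@example.test', 'demo')")
    conn.execute("INSERT INTO radgroupcheck VALUES (1, 'demo', 'Simultaneous-Use', ':=', '1')")
    return conn


def simultaneous_use_limit(conn, username):
    """Simultaneous-Use from the user's group check items, or None if the group sets none."""
    for _id, _group, attr, value, _op in conn.execute(GROUP_CHECK_QUERY, (username,)):
        if attr == "Simultaneous-Use":
            return int(value)
    return None


def open_sessions(conn, username):
    return conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def session_permitted(conn, username):
    """No limit configured: allow.  Otherwise allow only while open sessions < limit."""
    limit = simultaneous_use_limit(conn, username)
    count = open_sessions(conn, username)
    return {"limit": limit, "open_sessions": count, "permitted": limit is None or count < limit}


def acct_start(conn, username, session_id, nas_ip):
    """What an Accounting-Request Start would write."""
    conn.execute("INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime) "
                 "VALUES (?,?,?,datetime('now'))", (session_id, username, nas_ip))


def acct_stop(conn, session_id):
    """What an Accounting-Request Stop would write: close the still-open row for that session."""
    conn.execute("UPDATE radacct SET AcctStopTime = datetime('now') "
                 "WHERE AcctSessionId = ? AND AcctStopTime IS NULL", (session_id,))


def walkthrough():
    """First login allowed, second refused while the first is open, allowed again after Stop."""
    conn = new_db()
    user = "user@example.test"
    results = [session_permitted(conn, user)["permitted"]]
    acct_start(conn, user, "sess-1", "192.0.2.10")
    results.append(session_permitted(conn, user)["permitted"])
    acct_stop(conn, "sess-1")
    results.append(session_permitted(conn, user)["permitted"])
    return results
```

Two consequences follow from the model: without accounting the second login is never refused, and a session whose Stop never arrives keeps counting against the user until it is closed, which is what the post's simul_verify_query is there for (it lists the open sessions so each can be checked against the NAS before the user is turned away).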
MS-CHAP2 proxy problem (repost)
(I'm reposting this message because the previous message was sent with the wrong e-mail account, and the moderator has not yet approved that message. Please forgive me for a possible double entry)

Hi all,

I have a NAS, a Nortel Contivity VPN-Concentrator (in this case used for PPTP tunnels) which I have configured to use freeradius as a proxy for a VASCO radius-server (with response-only tokens). The reason for using freeradius as a proxy is that Vasco does not support custom attributes which are very helpful for the Contivity: freeradius is configured to add an attribute Class which varies depending on the Realm.

If I configure the Contivity to authenticate directly to the Vasco all works fine. This is also the case if I configure the Contivity to authenticate directly on the freeradius (not proxy-ing the request to the vasco). However if freeradius acts as a proxy, when setting up a PPTP WinXP reports: "Error 778: It was not possible to verify the identity of the server". Both Vasco and freeradius reply with: Login Ok

Below is the output if radiusd is started with -X -A

Ready to process requests.
rad_recv: Access-Request packet from host IPnumber-contivity:3460, id=16, length=154
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP2-Response = 0x0200756c0c8f74d1a3ac8b9f0d2b233699d66719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8
        MS-CHAP-Challenge = 0x5786567db9c1949a8cad50d612547094
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = IPnumber-contivity
        NAS-Port = 566439
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119
  modcall[authorize]: module "reply_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "attr_filter" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Looking up realm "company.realm " for User-Name = "rene@ company.realm "
    rlm_realm: Found realm "company.realm"
    rlm_realm: Proxying request from user rene to realm company.realm
    rlm_realm: Adding Realm = "company.realm "
    rlm_realm: Preparing to proxy authentication request to realm "company.realm"
  modcall[authorize]: module "suffix" returns updated for request 0
  rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
  modcall[authorize]: module "mschap" returns ok for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 0 to IPnumber-Vasco:1645
        User-Name = "[EMAIL PROTECTED] "
        MS-CHAP2-Response = 0x0200756c0c8f74d1a3ac8b9f0d2b233699d66719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8
        MS-CHAP-Challenge = 0x5786567db9c1949a8cad50d612547094
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-IP-Address = IPnumber-contivity
        NAS-Port = 566439
        NAS-Port-Type = Virtual
        Proxy-State = 0x3136
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host IPnumber-Vasco:1645, id=0, length=198
        Reply-Message = "Login successful."
        MS-CHAP2-Success = 0x02533d46453430464243324341313641363730453135463039443438314145423830364331463031423943
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        MS-MPPE-Send-Key = 0xe4b73fbf37c00ff323fe50b697961dd0
        MS-MPPE-Recv-Key = 0x02fc5aa8347af34df114fc9072e70240
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/IPnumber-contivity/reply-detail-20050119
  modcall[authorize]: module "reply_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  attr_filter: Matched entry company.realm at line 87
  modcall[authorize]: module "attr_filter" returns updated for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Proxy reply, or no User-Name. Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes. S
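What Stefan's reply (above, "MS-CHAP2 proxy problem") points at can be checked against the attributes in this debug output. The Access-Accept from the Vasco server carries MS-CHAP2-Success, the authenticator response the Windows client has to verify before it trusts the server, plus the MS-MPPE keys the tunnel needs; if attr_filter drops them on the way back to the Contivity, the client receives an Accept it cannot verify. The script below is an added example, not FreeRADIUS or rlm_attr_filter code: it decodes the MS-CHAP2-Success value printed above, checks its Ident byte against the MS-CHAP2-Response in the request, and shows the difference between a narrow attrs entry and one that passes the MS-CHAP attributes. The filter is a simplified allow-list of attribute names, not the attrs file's operator syntax, and both allow-lists are constructed.

```python
"""Which attributes a proxied MS-CHAPv2 Accept must keep, checked against the
values in the debug output above.  Added example for this thread, not FreeRADIUS
code.  VASCO_ACCEPT and REQUEST_MSCHAP2_RESPONSE are copied from the log; the
allow-lists are constructed, and the filter is a simplified model of an attrs
entry (name allow-list), not rlm_attr_filter's operator logic.
"""

# Access-Accept attributes exactly as printed by the proxy.
VASCO_ACCEPT = {
    "Reply-Message": "Login successful.",
    "MS-CHAP2-Success": "0x02533d46453430464243324341313641363730453135463039443438314145423830364331463031423943",
    "MS-MPPE-Encryption-Policy": "0x0001",
    "MS-MPPE-Encryption-Types": "0x0006",
    "MS-MPPE-Send-Key": "0xe4b73fbf37c00ff323fe50b697961dd0",
    "MS-MPPE-Recv-Key": "0x02fc5aa8347af34df114fc9072e70240",
}
# MS-CHAP2-Response from the original request; its first byte is the Ident.
REQUEST_MSCHAP2_RESPONSE = "0x0200756c0c8f74d1a3ac8b9f0d2b233699d66719ecb56d9d1fafe1e253c494bb92992ca7c58b3bdf39f8"

MSCHAP_ATTRS = {"MS-CHAP2-Success", "MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Types",
                "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"}


def apply_attr_filter(reply, permitted):
    """Keep only attributes on the allow-list.  Returns (filtered reply, names removed)."""
    filtered = {k: v for k, v in reply.items() if k in permitted}
    removed = sorted(set(reply) - set(filtered))
    return filtered, removed


def decode_mschap2_success(value_hex):
    """MS-CHAP2-Success (RFC 2548 section 2.1.5): one Ident byte, then 'S=' + 40 hex chars."""
    raw = bytes.fromhex(value_hex.removeprefix("0x"))
    if len(raw) != 43:
        raise ValueError(f"MS-CHAP2-Success should be 43 bytes, got {len(raw)}")
    ident, text = raw[0], raw[1:].decode("ascii")
    if not text.startswith("S=") or len(text) != 42:
        raise ValueError("malformed authenticator response string")
    return ident, text


def check_accept_for_mschap2(request_response_hex, reply):
    """List what a PPTP/MS-CHAPv2 client would be missing in this Accept (empty = usable)."""
    problems = []
    if "MS-CHAP2-Success" not in reply:
        problems.append("MS-CHAP2-Success missing: client cannot verify the server")
    else:
        ident, _ = decode_mschap2_success(reply["MS-CHAP2-Success"])
        req_ident = bytes.fromhex(request_response_hex.removeprefix("0x"))[0]
        if ident != req_ident:
            problems.append(f"MS-CHAP2-Success ident {ident} != response ident {req_ident}")
    for key in ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"):
        if key not in reply:
            problems.append(f"{key} missing: no MPPE session keys for the tunnel")
    return problems


def compare_filters():
    """A narrow allow-list (Reply-Message and Class only) against one that passes MS-CHAP attributes."""
    base = {"Reply-Message", "Class"}
    narrow, _ = apply_attr_filter(VASCO_ACCEPT, base)
    wide, _ = apply_attr_filter(VASCO_ACCEPT, base | MSCHAP_ATTRS)
    return {"narrow": check_accept_for_mschap2(REQUEST_MSCHAP2_RESPONSE, narrow),
            "wide": check_accept_for_mschap2(REQUEST_MSCHAP2_RESPONSE, wide)}


if __name__ == "__main__":
    print(decode_mschap2_success(VASCO_ACCEPT["MS-CHAP2-Success"]))
    for name, problems in compare_filters().items():
        print(name, problems or "ok")
```

Decoding the logged value gives Ident 2 and S=FE40FBC2CA16A670E15F09D481AEB806C1F01B9C, and the Ident matches the 0x02 at the start of the request's MS-CHAP2-Response, so the upstream Accept itself is consistent; the thing to confirm in the attrs entry for company.realm is that MS-CHAP2-Success and the four MS-MPPE attributes are permitted through.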
RE: NAS from db - add without restart
Could use cron to HUP server every so often

>>> [EMAIL PROTECTED] 21/01/2005 00:05:09 >>>
Just floating an idea...

Is it worth considering adding a "periodic" section to radiusd.conf and the radius server? Rather than retrofitting reload this, reload that, functionality into existing functions that are called during the processing of a request, modules could implement a "periodic function" that could be called at a configurable period, and possibly only when the number of requests that the server is currently handling is below some threshold?

This way client lists, proxy lists, etc, could be updated automatically, without adversely affecting the response times of single authentication or accounting requests.

I haven't looked at the server code to see how feasible/difficult this would be, and maybe it doesn't make sense at all... Just an idea! If the idea floats, I'd be happy to spend some time looking more closely at the problem, though I couldn't guarantee a delivery date...

Regards,
Mike

> Or, if you're willing to edit the source, have it
> periodically re-read the NAS list from SQL.
>
> Reading the NAS data from SQL for every request is a bad idea.
>
> Alan DeKok.