Problems with hints file when i use freeradius-1.0.1

2005-01-24 Thread Sergey Kodentsev
Hello,

I want to upgrade from freeradius-0.8.1 to freeradius-1.0.1.
Beginning of my hints file:

sergk   Strip-User-Name = No
Hint := "admin"


It matches only username "sergk" with freeradius-0.8.1.
But it matches any username with freeradius-1.0.1.
Is it a bug or a feature?




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SQL db failover

2005-01-24 Thread Nicolas Baradakis
Rohaizam Abu Bakar wrote:

> How can we possibly ensure that accounting is sent to sql2 only when sql1
> is down?

You might try a different approach:
  - store accounting in "detail" files (man rlm_detail)
  - run radsqlrelay to send accounting in the database (get it from a
CVS snapshot)

Even if the SQL server is down for a day, radsqlrelay will buffer the
accounting packets and send them later.

The advantages:
  - all accounting goes into a single database (it's easier to check
simultaneous logins)
  - even under high load radsqlrelay still sends accounting requests
according to the SQL server's capabilities
  - you won't have a lot of outstanding requests on the RADIUS server
when the SQL server is slow

-- 
Nicolas Baradakis



peap problems

2005-01-24 Thread ealatalo

Hi!

I'm trying to configure freeradius with PEAP authentication. I use WinXP as the
client. When starting authentication, I get the following error. Can somebody help
me and tell me what is going wrong? I have made changes to the radius.conf, eap.conf,
users and clients.conf files. Should I make changes to the huntgroups file?

T.ea


Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21, length=141
User-Name = "TWIRE12\\jaskajok"
NAS-IP-Address = 10.50.50.13
Called-Station-Id = "00034715cbc3"
Calling-Station-Id = "00022d1d5cb1"
NAS-Identifier = "WARLORD1"
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "jaskajok", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 21
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched jaskajok at 97
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---









unexpected message in the radius.log

2005-01-24 Thread Edgars
Hello,
today I figured out that on FR 1.0.1 the following Info message appears if
the user enters an incorrect password:
Info: rlm_sql (sql): No matching entry in the database for request from
user [edgars]

In the previous versions I think it was as usual - Login incorrect bla
bla bla.
Has this been changed?

Thanks!
Edgars


AW: freeradius doesn't send cisco-avpairs

2005-01-24 Thread Markus.Wintruff
> 
> I have following entry in the users file:
> bob User-Password == "bob"
> Cisco-AVpair = "access-list 188 deny ip any any",
> Fall-Through = YES

> 
> Whats wrong?
> 
try it like this:
Cisco-AVPair =  "ip:inacl#1=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63",
Cisco-AVPair +=  "ip:inacl#2=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63"

the first row needs no + after =, the second one and the following ones need it.

Markus
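The operator rule Markus describes, modelled in Python as an added example (not FreeRADIUS code): the function re-implements the reply-item semantics documented in users(5) and applies them to the two Cisco-AVPair lines above.

```python
"""Reply-item operators of the FreeRADIUS users file, as described in users(5):
"=" adds the attribute only if none of that name is present yet, "+=" always
appends, ":=" replaces. Added example, not FreeRADIUS code."""

# The two Cisco-AVPair lines from the reply above (placeholders as written there).
MARKUS_ITEMS = [
    ("Cisco-AVPair", "=", "ip:inacl#1=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63"),
    ("Cisco-AVPair", "+=", "ip:inacl#2=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63"),
]


def apply_reply_items(items, reply=None):
    """Apply (attribute, operator, value) triples in users-file order to a reply
    list and return the resulting list of (attribute, value) pairs."""
    reply = list(reply) if reply else []
    for attr, op, value in items:
        present = any(a == attr for a, _ in reply)
        if op == "=":
            if not present:                 # silently skipped when already there
                reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))     # duplicate names are fine
        elif op == ":=":
            reply = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        else:
            raise ValueError("unsupported reply operator %r" % op)
    return reply


def count_avpairs(items):
    """How many Cisco-AVPair values the NAS would actually receive."""
    return sum(1 for a, _ in apply_reply_items(items) if a == "Cisco-AVPair")


if __name__ == "__main__":
    # With "=" on both lines only the first ACL entry survives; "+=" keeps both.
    both_equals = [(a, "=", v) for a, _, v in MARKUS_ITEMS]
    print(count_avpairs(both_equals), count_avpairs(MARKUS_ITEMS))   # 1 2
```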



Strange, attr_rewrite doesn't work normally

2005-01-24 Thread Nans Delrieu
hello all

I have a problem with attr_rewrite :

I have added an attribute in
/usr/share/freeradius/freeradius/dictionnary

Reply-Message-2   65   string

I haven't added it in /etc/freeradius/dictionnary because it doesn't work
!!

in radius.conf my configuration is:

 attr_rewrite passparunproxy {

 attribute = Reply-Message-2
 searchin = reply
 searchfor = ""
 replacewith = "TEST 1 (Proxy)"
 ignore_case = no
 new_attribute = yes
 max_matches = 10
 append = no
 }

 attr_rewrite passparunproxy1 {

 attribute = Reply-Message
 searchin = reply
 searchfor = ""
 replacewith = Proxy
 ignore_case = no
 new_attribute = yes
 max_matches = 10
 append = no
 }

and in post_proxy section {

passparunproxy
passparunproxy1

}


when a user is accepted, I have Reply-Message and Reply-Message-2.

when a user is rejected, I have only Reply-Message.

I don't understand that ??





Re: Strange, attr_rewrite doesn't work normally

2005-01-24 Thread Kostas Kalevras
On Mon, 24 Jan 2005, Nans Delrieu wrote:
hello all
I have a problem with attr_rewrite :
when a user is accepted, I have Reply-Message and Reply-Message-2.
when a user is rejected, I have only Reply-Message.
I don't understand that ??
Only a few attributes are allowed in an access-reject.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Attr_rewrite problem...

2005-01-24 Thread Nans Delrieu
Hello

My configuration is:

  Proxy Radius ---> primary radius
               ---> secondary radius
               ---> remote radius for realm company.com
               --->
In the primary radius, I want to add the text "LOCAL" to the reply message (for
example, the primary radius returns: Reply-Message = "original text +
LOCAL").

Is it possible?

I have done that but it doesn't work:

in primary radius, 

radiusd.conf

 attr_rewrite LOCAL {
 
 attribute = Reply-Message
 searchin = reply
 searchfor = "[+ ]"  # is it the right parameter? Is there a man page for
this parameter?
 replacewith = "LOCAL"
 ignore_case = no
 new_attribute = no
 max_matches = 1
 append = yes
 
 }

authorize  {

LOCAL    # is it the right place to put LOCAL?

}

It doesn't work. Help me.





Re: AW: freeradius doesn't send cisco-avpairs

2005-01-24 Thread skenga
Hello, Markus.

You wrote on 24 January 2005 at 15:15:50:

>> 
>> I have following entry in the users file:
>> bob User-Password == "bob"
>> Cisco-AVpair = "access-list 188 deny ip any any",
>> Fall-Through = YES

>> 
>> Whats wrong?
>> 
> try it like this:
> Cisco-AVPair =  "ip:inacl#1=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63",
> Cisco-AVPair +=  "ip:inacl#2=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63"

> the first row needs no + after =, the second one and following needs it.

> Markus


Yeah found it already.
Thanks to all.




Re: freeradius doesn't send cisco-avpairs

2005-01-24 Thread Dustin Doris

> Hello, freeradius-users.
>
> I have following entry in the users file:
> bob User-Password == "bob"
> Cisco-AVpair = "access-list 188 deny ip any any",
> Fall-Through = YES
>
> radreply log saying that all ok:
> Packet-Type = Access-Accept
> Fri Jan 21 17:55:56 2005
> Service-Type = Framed-User
> Session-Timeout = 86400
> Cisco-AVPair = "access-list 188 deny ip any any"
> Framed-Protocol = PPP
> But users aren't getting in. That's what tcpdump is showing:
> rad-access-accept 80 [id 94] Attr[ Service_type{#539}
> Session_timeout{24:00:00 hours} [|radius]

[|radius] means that tcpdump is truncating the packet.  Run tcpdump and
set the snaplen.  On my system -s 0 will capture the whole packet.  If you
don't have that option, try -s 1024.  That should be plenty.

>
> freeradius doesn't send attributes after Session_timeout. Here is what a
> correct rad-access-accept looks like: rad-access-accept 35 [id 222] Attr[
> Service_type{#539} Session_timeout{05:27:24 hours} Proxy_state{0} ]
>
> freeradius act like a proxy to icradius.
>
> Whats wrong?
>
> mailto:[EMAIL PROTECTED]
>
>



Re: Problems using Freeradius whith PEAP authentication

2005-01-24 Thread Paulo Alexandre Caceres Ferreira
Hi, again.
To resolve my problem with freeradius, I updated my system to
Red Hat 9.0; this
version of Linux has a version of openssl that supports the TLS tunnels
for the EAP methods.
Thanks again, Paulo Ferreira.

Alan DeKok wrote:

>Paulo Alexandre Caceres Ferreira <[EMAIL PROTECTED]> wrote:
>
>>Hi, now I installed the 0.9.7e version of openssl on my system (Red Hat
>>Linux 7.3) without problems, but freeradius returns the same error.
>>What am I doing wrong?
>
>
>  The compile process is still using the older version.  Fix that.
>
>  Alan DeKok.
>




EAP-TTLS and proxyRADIUS (with FreeRadius)

2005-01-24 Thread David ROUMANET
Hi there!
I have a problem with my proxyRADIUS server:
I've configured two freeradius servers (each v1.0.1, EAP-TTLS
activated). When I log on to the first server (from a Cisco AP-1100), it's
OK. I change the IP address of the radius server on the NAS: direct login
is ok.
Now I use the syntax '[EMAIL PROTECTED]' (configured proxy.conf and
clients.conf on each server of course) but I get this log on the second
server:
rad_recv: Access-Request packet from host 192.168.1.1:1814, id=0, length=162
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "000e.8440.bbb0"
Calling-Station-Id = "000d.54a1.6e8e"
Service-Type = Login-User
Message-Authenticator = 0x7775308bbdc7e890a1b0b90518ef5da9
EAP-Message =
0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 8731
NAS-IP-Address = 192.168.7.1
NAS-Identifier = "ap-maquette"
Proxy-State = 0x323035
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 2 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
users: Matched DEFAULT at 158
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Login incorrect: [anonymous] (from client vega port 8731 cli 000d.54a1.6e8e)
Delaying request 5 for 1 seconds
Finished request 5

I don't understand where my mistake is, but the message is clear:
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Is this patch useful? Or isn't it possible to have EAP-TTLS proxied?
http://lists.cistron.nl/pipermail/freeradius-devel/2003-November/006393.html
In the list archive, I've found a solution with the hints file but I'm
not able to understand the syntax (the guy says he has used this):
%{Stripped-User-Name:-%{User-Name}}

Thanks to all,
David
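As an added example (not FreeRADIUS code), the Python below decodes the EAP-Message values from the two radiusd -X traces on this page (the PEAP one whose User-Name was "TWIRE12\\jaskajok" before the domain was stripped, and this EAP-TTLS one where the second server only ever saw "anonymous") and applies the same comparison that the "Identity does not match User-Name" line reports, so the effect of realm stripping on the outer name becomes visible.

```python
"""Decode the EAP-Message attribute as printed by radiusd -X and compare the EAP
Identity inside it with the outer User-Name. Added example, not FreeRADIUS code;
the two hex strings are copied from the traces on this page."""
import binascii

EAP_RESPONSE = 2        # EAP code (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP type carried in an Identity response

# Constructed from the page's traces: EAP-Message and the User-Name that the
# authenticate section ends up comparing it against.
TRACES = {
    "peap_original": ("0x0201001501545749524531325c6a61736b616a6f6b", "TWIRE12\\jaskajok"),
    "peap_stripped": ("0x0201001501545749524531325c6a61736b616a6f6b", "jaskajok"),
    "ttls_proxied": ("0x0202001f01616e6f6e796d6f75734072656d6f74652e6772656e65742e6672",
                     "anonymous"),
}


def parse_eap_message(hex_value):
    """Parse one EAP-Message value ("0x..." as radiusd prints it).

    Returns a dict with code, id, length, type and, for Identity responses,
    the identity string. Raises ValueError on a malformed packet.
    """
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    raw = binascii.unhexlify(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length field %d does not match %d bytes" % (length, len(raw)))
    result = {"code": code, "id": ident, "length": length, "type": None, "identity": None}
    if code == EAP_RESPONSE and length >= 5:
        result["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            result["identity"] = raw[5:].decode("utf-8", "replace")
    return result


def identity_matches_user_name(hex_value, user_name):
    """The comparison behind "rlm_eap: Identity does not match User-Name"."""
    eap = parse_eap_message(hex_value)
    return eap["identity"] is not None and eap["identity"] == user_name


def explain_trace(name):
    """Return (eap identity, outer User-Name, match?) for one of the page's traces."""
    hex_value, user_name = TRACES[name]
    return parse_eap_message(hex_value)["identity"], user_name, identity_matches_user_name(hex_value, user_name)


if __name__ == "__main__":
    for name in TRACES:
        print(name, explain_trace(name))
```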



Testing and/or monitoring freeradius with PEAP

2005-01-24 Thread Bob McCormick
I've got freeradius setup to authenticate wireless clients with
PEAP/MSCHAP (to an Active Directory backend) and now I'm looking for a
way to test/monitor the radius server.  Ideally, I'd like to do
something like radtest, but test either PEAP or at least the MSCHAP
authentication portion.  Does anyone here know of any programs or
scripts out there to test radius with MSCHAP authentication?



Re: EAP-TTLS and proxyRADIUS (with FreeRadius)

2005-01-24 Thread David ROUMANET
*oops* sorry!
the 'nostrip' option in proxy.conf was missing...
it works now!

Regards,
David

--
-
David ROUMANET   Tel : 04 76 51 46 08
Centre Interuniversitaire de Calcul Grenoblois   Fax : 04 76 42 11 71
-


Is anyone running freeradius on a Windows server?

2005-01-24 Thread Schoggins, George
I am running it but having problems starting external scripts; some type of
path problem. I need info on where to get a build for Windows.

George Schoggins
Enterasys Networks
Phone: 407-268-9894
FAX: 407-268-9881
Cell: 407-808-6013 
Email: [EMAIL PROTECTED]
www: http://www.enterasys.com






eap-md5 with ldap backend

2005-01-24 Thread Matt Moore
Hello all,

I am trying to set up a radius service for eap with an
ldap backend.  I have gotten the ldap backend working
and I have gotten eap to work with a user defined in
the users file.  The next 2 lines are from my users file.

testuser  Auth-Type := EAP, User-Password == "testpass"
DEFAULT Auth-Type := LDAP

But, how do I get EAP to work with ldap backend in
this situation?  Or am I missing something more
fundamental?  I have looked through the archives, but
turned up only help on ldap or eap, not combining the
two...  any pointers?

Thanks,
Matt Moore








Simultaneous-use and proxied clients

2005-01-24 Thread Ed Henderson
I am stumped on this one:  I have used the Simultaneous-Use attrib and
checkrad script for sometime now with great success.  But recently we
made some network changes and now some of our users are connecting from
another network. All radius requests are proxied via the local radius
server to our radius server.  The auth'ing/acc'ting works fine.  But for
these proxied requests no simultaneous-use check is performed - checkrad
script is not run (I have verified this by modifying checkrad) and user
is denied access.  I have added entries for each of the clients that are
proxied as well as the remote radius server doing the proxying in
clients.conf and configured them of type "other".  But it does not work.
From what I can tell it appears  that if a request is proxied then
freeradius does not use checkrad and automatically denies request.  Is
this how it is designed?  Or am I missing something?

I'm out of ideas.  Any input or thoughts?

---
Ed 




Re: eap-md5 with ldap backend

2005-01-24 Thread NextGen$'s ShaDow
I solved this problem using another attribute:
in /etc/freeradius/ldap.attrmap:

checkItem   User-Password   radiusTunnelPassword

and set up passwords in it ;-)

I think it's only an access-right problem on the LDAP 'userPassword'
attribute...

If that doesn't solve your problem, please send a copy of your config
files and give more information: it'll be easier to help.

Regards

Matt Moore wrote:

>Hello all,
>
>I am trying to setup a radius service for eap with an
>ldap backend.  I have gotten the ldap backend working
>and I have gotten eap to work with a user defined in
>the users file.  Next 2 lines from my users file.
>
>testuser  Auth-Type := EAP, User-Password ==
>"testpass" 
>DEFAULT Auth-Type := LDAP
>
>But, how do I get EAP to work with ldap backend in
>this situation?  Or am I missing something more
>fundamental?  I have looked through the archives, but
>turned up only help on ldap or eap, not combining the
>two...  any pointers?
>
>Thanks,
>Matt Moore
>
>
>
>   
>
>  
>

-- 
NextGen$. 
---> In a world without fences nor walls - who needs windows and gates ? 

One can obey the laws while wishing they would change, as one serves in
war while wishing for peace.
Merleau Ponty "L'éloge de la philosophie"





Re: Simultaneous-use and proxied clients

2005-01-24 Thread Alan DeKok
"Ed Henderson" <[EMAIL PROTECTED]> wrote:
> From what I can tell it appears  that if a request is proxied then
> freeradius does not use checkrad and automatically denies request.  Is
> this how it is designed?  Or am I missing something?

  The software is designed that way because the network is designed that way.

  checkrad checks NASes.  It can't check RADIUS servers, because there
is no way to ask a RADIUS server if a user is still online.  Checkrad
can't check the NASes of the other RADIUS servers, as those NASes
don't know who you are, they only know the RADIUS servers they talk to.

  Alan DeKok.




Cisco 3550 switch VLAN assignment by RADIUS doesn't work

2005-01-24 Thread Levente Janovszki
Hi,

I have a little problem. I configured my Linux xsupplicant for 802.1X
authentication on a port of a Cisco 3550 switch. Authentication works
through radius; if the port is assigned statically to a VLAN I can ping other
boxes on the segment, but if I assign the VLAN to the port from the RADIUS I
get a "RADIUS: EAP-login: radius didn't send any vlan" message when
debugging on the cisco switch.

I have the aaa authorization network default none, too.

What can be the problem?


Levente


 | Levente Janovszki  | Bekes County Library  JUST 4 lines 4 U |
 | e-mail:[EMAIL PROTECTED] | Bekescsaba, Derkovits sor 1. HUNGARY Zip: 5600 |
 | Linux. Just use it | *The operating system collapsed*   |
 | w/o fear of panic: | *OKCancel  *   |





RE: Simultaneous-use and proxied clients

2005-01-24 Thread Ed Henderson
> "Ed Henderson" <[EMAIL PROTECTED]> wrote:
> > From what I can tell it appears  that if a request is proxied then
> > freeradius does not use checkrad and automatically denies 
> request.  Is
> > this how it is designed?  Or am I missing something?
> 
>   The software is designed that way because the network is 
> designed that way.
> 
>   checkrad checks NASes.  It can't check RADIUS servers, because there
> is no way to ask a RADIUS server if a user is still online.  Checkrad
> can't check the NASes of the other RADIUS servers, as those NASes
> don't know who you are, they only know the RADIUS servers 
> they talk to.
> 
>   Alan DeKok.
> 

I understand that it can't ask a radius server but is it possible to
have it check the original nas instead?  I do have the client info for
the NASes of the other server so that they can know who our radius
server is.  I did see an option in an older(?) clients.conf file
comments but do not see this in the latest file:

#  If this is defined as "client foo" then the hostname/ipaddr "foo"
#  will be looked up according to the source IP address of the radius
#  request packet, and the secret here will be used to check the
#  integrity of the request.
#
#  If this is defined as "nas foo" then foo will be looked up first
#  as the NAS-IP-Address in the radius request, then as the NAS-Ident
#  in the radius request.
#
#  Normally you'd use "client" unless the request came in through a
#  proxy server and you want to define a short name for the NAS
#  for logging purposes, or you want to do a "checkrad" back to the
#  original NAS and not to the proxy radius server!

I assume the "nas" feature is no longer valid?  If so this would solve
my issue.

--
Ed.




RE: Testing and/or monitoring freeradius with PEAP

2005-01-24 Thread Ron Wahler
There is a test tool to send an EAP request to the radius
server with a test user. You could send a test authentication
off every so often with a script to monitor its status.


Ron.

http://www.positive-logic.net







RE: peap problems

2005-01-24 Thread Jacques VUVANT



Hello T
 
It seems that the user doesn't exist in
users.conf
 
Jacques


Re: Simultaneous-use and proxied clients

2005-01-24 Thread Alan DeKok
"Ed Henderson" <[EMAIL PROTECTED]> wrote:
> I understand that it can't ask a radius server but is it possible to
> have it check the original nas instead?

  As I said once before:

> > Checkrad can't check the NASes of the other RADIUS servers, as
> > those NASes don't know who you are, they only know the RADIUS
> > servers they talk to.

  To expand a little: It's a bad idea to go poking at NASes you don't own.

> I do have the client info for the NASes of the other server so that
> they can know who our radius server is.

  That makes no sense to me.  Listing NASes from another RADIUS server
in your "clients.conf" file is a waste of time.

  Alan DeKok.



RE: Simultaneous-use and proxied clients

2005-01-24 Thread Ed Henderson
>   That makes no sense to me.  Listing NASes from another RADIUS server
> in your "clients.conf" file is a waste of time.
> 
>   Alan DeKok.

It's not a waste of time if one has permission to "poke" the remote NASes
and wants to check them for multiple login attempts.  But I guess
freeradius can't do this.

Thanks,
Ed.




Re: Simultaneous-use and proxied clients

2005-01-24 Thread Alan DeKok
"Ed Henderson" <[EMAIL PROTECTED]> wrote:
> Its not a waste of time if one has permission to "poke" the remote NASes
> and wants to check them for multiple login attempts.  But I guess
> freeradius can't do this.

  As always, you have source.  You can make it do whatever you want.

  Alan Dekok.



re: Freeradius and postgres

2005-01-24 Thread Guy Fraser
On Sat, 2005-22-01 at 01:55 -0800, [EMAIL PROTECTED] wrote: 
> Thanks for the information. What I was missing was the Auth-Type in
> Radgroupcheck. That is new to me. I did not have do that with the older
> version of Freeradius. When did that change? I did not see any references
> to that Auth-Type in any of the docs nor in the archive of the mailing
> list.
> 
> Again I appreciate the quick response.
> 
If I remember correctly the entries I have are not required, but I 
was using them as place holders from when "Auth-Type := Local" was
either required or worked. I am fairly sure that "Auth-Type := SQL" 
is not even a valid entry, I just used it to show how data is used
in radgroupcheck. 
> 
> Thanks
> 
> Kevin
> 
> 
> 
> At 05:12 PM 1/21/2005, you wrote:
> 
> On Fri, 2005-21-01 at 13:52 -0800, [EMAIL PROTECTED] wrote:
> > I am using Freeradius 1.0.0 on Redhat Enterprise 3 I also have it
> > installed on Suse 9.2. I am connecting to Postgres 7.4.6. I can
> > authenticate to a users file. But when I try to use radcheck in
> > postgres I get login incorrect. I am trying to upgrade from freeradius
> > .7.3 running on Solaris 2.8 and postgres 7.3.2. That is working just
> > fine. I have created the tables using provided sql script. I
> > configured radiusd.conf to use sql authentication. I have compared
> > radiusd on the new machine to the radiusd on the old machine. They are
> > as identical as they can be considering changes in the conf file. Does
> > anybody have any other ideas or know of any issue with the current version
> > of freeradius and postgres
> >
> > Thanks
> >
> >
> > Kevin Waters
> 
> Below is some sample data I use for testing PostgreSQL .
> 
> The password for troll is skunk {sha1 encrypted} you will
> need to generate a redhat linux compatible {des or md5}
> password for it to authenticate on an RH system.
> 
> NOTE: If you want to use the users file and sql, you
> can not have any Auth-Type attributes in your DEFAULT
> entries.
> 
> The data below is supposed to be tab delimited.
> 
> --Start of file--
...snip... 
> COPY radgroupcheck (groupname, attribute, op, value) FROM stdin;
> ppp-unlimited   Auth-Type   :=  SQL
> ppp-static  Auth-Type   :=  SQL
> nas-prompt  Auth-Type   :=  SQL
> \.
> 
...snip... 
> --End of file--
> 
...snip...
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787




FreeRadius and MD5 using /etc/passwd

2005-01-24 Thread Brandon Blank
I am attempting to set up FreeRadius to handle dot1x from some Cisco
2950 Series Switches. I am using the supplicant that is supplied as
part of Windows XP. Currently, using a basic configuration of FR1.0.1
I can use radtest to verify that basic radius functions are working
correctly. (I get an access-accept). When I attempt to use MD5 from
Windows XP, the authentication fails and the following is written to
the log:

  modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user

Any ideas?  

I just want a basic setup that will allow me to do port
authentication using the included WinXP supplicant with my unix
/etc/passwd file.  Maybe there is a better way?

BB
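The rlm_eap_md5 line in the log above ("User-Password is required for EAP-MD5 authentication"), like the missing User-Password in the "eap-md5 with ldap backend" thread earlier on this page, follows from how EAP-MD5 works; as an added example (not FreeRADIUS code) the Python below builds and verifies an EAP-MD5 challenge/response the way a server must, from the cleartext password. The password, challenge and the stand-in /etc/passwd hash are constructed values.

```python
"""EAP-MD5 (RFC 3748 section 5.4, CHAP-style) challenge/response as a server
verifies it. Added example, not FreeRADIUS code; password, challenge and the
placeholder hash below are constructed test values."""
import hashlib
import hmac
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4
MD5_VALUE_SIZE = 16


def md5_response_value(identifier, password, challenge):
    """Response value defined by CHAP/EAP-MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_challenge(identifier, challenge, name=b""):
    """EAP-Request/MD5-Challenge: code, id, length, type=4, value-size, value, name."""
    body = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + name
    return bytes([EAP_REQUEST, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def build_md5_response(identifier, password, challenge, name=b""):
    """What the supplicant sends back: the 16-byte hash computed from the cleartext password."""
    value = md5_response_value(identifier, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return bytes([EAP_RESPONSE, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def verify_md5_response(packet, challenge, cleartext_password):
    """Server side: recompute the hash from the password on file and compare in
    constant time. This is the step that needs User-Password: a one-way
    crypt()/md5crypt string from /etc/passwd is not the input of this MD5, so a
    server holding only that can never produce the value the supplicant sent."""
    if len(packet) < 6 or packet[0] != EAP_RESPONSE or packet[4] != EAP_TYPE_MD5:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if value_size != MD5_VALUE_SIZE or len(value) != MD5_VALUE_SIZE:
        return False
    expected = md5_response_value(packet[1], cleartext_password, challenge)
    return hmac.compare_digest(value, expected)


def demo_exchange(password=b"testpass", challenge=None):
    """One request/response round trip; returns (ok with cleartext, ok with hash only)."""
    challenge = challenge or os.urandom(16)   # constructed; a real server picks this
    identifier = 1
    _request = build_md5_challenge(identifier, challenge, b"radius-server")
    response = build_md5_response(identifier, password, challenge)
    stored_hash = b"$1$constructed$placeholder-not-a-real-hash"  # stand-in for /etc/passwd
    return (verify_md5_response(response, challenge, password),
            verify_md5_response(response, challenge, stored_hash))


if __name__ == "__main__":
    print(demo_exchange())   # (True, False)
```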



Re: eap-md5 with ldap backend

2005-01-24 Thread Matt Moore
Hey, Thanks for the help...

Still having difficulty, although I think you are
right on target.

LDAP appears to respond correctly, then Radius states
that the User-Password attribute is missing.  Isn't
this what I set with the ldap.attrmap and
dictionary_mapping in the radiusd.conf?

Here are snippets from configs and the radiusd -X
output for the failed eap request...
Please let me know if more is needed.

Thanks,
Matt



ldap.attrmap:

checkItem   User-Password   userPassword


radiusd.conf:

modules {
        eap {
                default_eap_type = md5
                timer_expire = 60
                md5 {
                }
                mschap {
                        authtype = MS-CHAP
                }
        }
        ldap {
                server = "localhost"
                identity = "cn=Manager,dc=yoyo,dc=com"
                password = secret
                basedn = "dc=yoyo,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        eap
        files
        mschap
        ldap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}



*Users File:

testuser        Auth-Type := EAP, User-Password == "testpass"
raduser         Auth-Type := Local, User-Password == "testpass"


DEFAULT         Auth-Type := LDAP
                Fall-Through = 1




*radiusd -X output to failed eap request for ldap user

rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
NAS-IP-Address = 192.168.1.238
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Message-Authenticator = 0xf884d8f729a9e770bd73e8e33f6e22e7
NAS-Port = 20
Framed-MTU = 1490
User-Name = "matt_moore"
Calling-Station-Id = "00-B0-D0-74-C3-5A"
EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  rlm_eap: EAP packet type notification id 1 length 15
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for matt_moore
radius_xlat:  '(uid=matt_moore)'
radius_xlat:  'dc=yoyo,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yoyo,dc=com, with filter (uid=matt_moore)
rlm_ldap: Added password test123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value test123 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt_moore authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 98 with timestamp 41f56ee2
Nothing to do.  Sleeping until we see a request.


--- NextGen$'s ShaDow <[EMAIL PROTECTED]> wrote:

> I solved this problem using another attribute:
> in /etc/freeradius/ldap.attrmap:
> 
> checkItem   User-Password   radiusTunnelPassword
> 
> and set up passwords in it ;-)
> 
> I think it's only an access right problem on the
> LDAP 'userPassword' attribute...
> 
> If that doesn't solve your problem, please send a copy
> of your config files and give more information: it'll be easier
> to help.
> 
> Regards
> 
> Matt Moore wrote:
> 
> >Hello all,
> >
> >I am trying to setup a radius service for eap with an
> >ldap backend.  I have gotten the ldap backend working
> >and I have gotten eap to work with a user defined in
> >the users file.  Next 2 lines from my users file.
> >
> >testuser  Auth-Type := EAP, User-Password ==
> >"

Radius for 802.1X and TKIP

2005-01-24 Thread Dani Camps
I want to set up a secure wlan using EAP-PEAP as the
authentication method and Radius as an authentication
server. In the AP I choose TKIP encryption, but I
think TKIP needs to renew the keys used, and I think
the Radius server is the one that has to create the
keys and pass them to the AP. Is this true?

In that case, how do I configure Radius to use TKIP?

Do any of you have experience with this setup, a wlan with
EAP-PEAP authentication in a Radius server and using
TKIP for encryption?

Thanks!







Re: Radius for 802.1X and TKIP

2005-01-24 Thread Artur Hecker
hi
TKIP is the encryption method used on the wireless link. radius is 
designed to be independent of the access technology used by the NAS.

in other words, TKIP is something which is not known to the radius 
server - by design. the radius server will - if available - provide the 
NAS (802.11 access point in that case) with the "raw" key material. 
however it is up to the NAS to derive the necessary keys from it.

you configure the NAS to use TKIP on the link. freeradius is 
automatically configured in a way that will derive and attach key 
material to the access-accept message sent to the solicited NAS. you can 
see the MPPE-*** attributes in the access-accept message in the full log 
(radiusd -s -X)

ciao
artur
Dani Camps wrote:
I want to set up a secure wlan using EAP-PEAP as the
authentication method and Radius as an authentication
server. In the AP I choose TKIP encryption, but I
think TKIP needs to renew the keys used, and I think
the Radius server is the one that has to create the
keys and pass them to the AP. Is this true?
In that case, how do I configure Radius to use TKIP?
Do any of you have experience with this setup, a wlan with
EAP-PEAP authentication in a Radius server and using
TKIP for encryption?
Thanks!

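Added example, not code from the list or from FreeRADIUS: how the MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes Artur mentions carry the "raw" key material to the NAS, following RFC 2548 section 2.4.2. The shared secret, Request-Authenticator, key and salt used here are constructed values; the point for a defender is that this MD5 keystream, keyed by the RADIUS shared secret, is all that hides the wireless session keys on the server-to-NAS leg.

```python
"""Added example (not from the thread or FreeRADIUS): RFC 2548 s2.4.2
wrapping of the MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes that carry
the "raw" key material to the NAS.  The key is hidden only by an MD5
keystream derived from the RADIUS shared secret and Request-Authenticator,
so the strength of that secret protects the wireless session keys."""
import hashlib
import os


def mppe_key_encrypt(secret: bytes, req_auth: bytes, key: bytes,
                     salt: bytes = None) -> bytes:
    """Return Salt | C(1..n), the String field of the attribute."""
    if salt is None:  # 2 octets, high bit of the first one must be set
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    plain = bytes([len(key)]) + key            # Key-Length | Key
    plain += b"\x00" * (-len(plain) % 16)      # pad to a 16-octet multiple
    b = hashlib.md5(secret + req_auth + salt).digest()   # b(1)
    out = bytearray(salt)
    for i in range(0, len(plain), 16):
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))  # c(i)
        out += c
        b = hashlib.md5(secret + c).digest()   # b(i+1) chains on c(i)
    return bytes(out)


def mppe_key_decrypt(secret: bytes, req_auth: bytes, attr: bytes) -> bytes:
    """Recover the key; raises ValueError on a malformed attribute."""
    salt, cipher = attr[:2], attr[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or len(cipher) % 16:
        raise ValueError("malformed MPPE key attribute")
    b = hashlib.md5(secret + req_auth + salt).digest()
    plain = bytearray()
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ k for x, k in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("key length exceeds decrypted data (wrong secret?)")
    return bytes(plain[1:1 + length])


if __name__ == "__main__":
    # Constructed values: a real NAS/server pair shares the secret and the
    # Request-Authenticator comes from the matching Access-Request.
    secret, ra, key = b"testing123", os.urandom(16), os.urandom(32)
    attr = mppe_key_encrypt(secret, ra, key)
    print(mppe_key_decrypt(secret, ra, attr) == key)   # True
```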


Re: How to use pyrad 0.8 client to test freeradius server

2005-01-24 Thread Bjorn Ove Grotan
Suresh:
> 
> Hi,
> I am new to the freeradius server. I have installed freeradius server 
> version 1.0.1 in my gobolinux machine. I have also installed  
> the pyrad client version 0.8 in my machine. I have made the radtest 
> for server testing. It is working fine. How can I test the pyrad client 
> with the radius server? Somebody kindly assist me in how to 
> connect the radius server with the radius client (pyrad 0.8) or how
> to check whether the server & client are working fine or not.

http://www.stud.ntnu.no/~bgrotan/radtest.py together with running
radiusd in verbose/debug mode helped me a long way.

-- 
Regards
 
Bjørn Ove Grøtan



Re: FreeRadius and MD5 using /etc/passwd

2005-01-24 Thread Alan DeKok
Brandon Blank <[EMAIL PROTECTED]> wrote:
> I'm just wanting a basic setup that will allow me to do port
> authentication using the included WinXP supplicant using my unix
> /etc/passwd file.  Maybe there is a better way?

  It's possible ONLY for EAP-TTLS with tunneled PAP.

  For all other EAP authentication methods, it's impossible for any
RADIUS implementation to do this.

  Alan DeKok.



Re: eap-md5 with ldap backend

2005-01-24 Thread Alan DeKok
Matt Moore <[EMAIL PROTECTED]> wrote:
> DEFAULT   Auth-Type := LDAP
>   Fall-Through = 1
...
> rad_recv: Access-Request packet from host
> 143.116.5.238:2048, id=98, length=117
...
> User-Name = "matt_moore"
> EAP-Message = 0x0201000f016d6174745f6d6f6f7265

  LDAP doesn't do EAP, as you may have discovered.

  The solution is to not set Auth-Type.  Please READ "radiusd.conf".
The text before the "authenticate" section explains this.

  Alan DeKok.


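Added example, not from either thread or from FreeRADIUS, serving both the /etc/passwd question and the LDAP thread above: it decodes the EAP-Message attributes quoted in this page's logs and shows why rlm_eap_md5 and rlm_ldap both stop with "User-Password is required". The EAP-MD5 verifier recomputes an MD5 digest over the clear-text password, while a tunnelled PAP password can be checked against a one-way hash; the hash function below is a constructed stand-in for crypt(3), and the challenge bytes and passwords are constructed.

```python
"""Added example (not from the threads or FreeRADIUS): decode EAP-Message
attributes and contrast EAP-MD5 with PAP verification.  EAP-MD5 recomputes
MD5(Identifier | password | Challenge) (RFC 3748 s5.4, RFC 1994), so the
server must hold the clear-text password; a one-way hash such as the one
in /etc/passwd can only be checked by hashing a clear-text PAP password."""
import hashlib

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def parse_eap(hexstr: str) -> dict:
    """Decode the EAP packet carried in a RADIUS EAP-Message attribute."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP Length field does not match packet size")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type and type-data
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        info["data"] = raw[5:]
    return info


def eap_md5_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Supplicant side: Value = MD5(Identifier | password | Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_eap_md5(ident: int, challenge: bytes, response: bytes,
                   stored_cleartext: str) -> bool:
    """Server side: the digest can only be recomputed from the clear-text
    password, which is what "User-Password is required" in the log means."""
    return eap_md5_response(ident, stored_cleartext, challenge) == response


def passwd_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for the one-way crypt(3) hash in /etc/passwd."""
    return hashlib.sha256(salt + password.encode()).digest()


def verify_pap(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """PAP (e.g. tunnelled inside EAP-TTLS) delivers the clear text, so the
    server hashes it and compares; this is all a hash-only store permits."""
    return passwd_hash(password, salt) == stored_hash
```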


Problem with CRL check

2005-01-24 Thread Jacques VUVANT
Hi all

I've installed and use freeradius 1.0.1 for EAP/TLS authentication. It works
well without CRL. But each time I want to activate check_crl = yes in the
eap.conf file, authentication fails with the following message:

*** unable to get certificate CRL***

Can someone help me with the following questions:
What does a CRL file look like?
Where (which directory) does it need to be?
Are there some modifications to make in the .conf file?

Thanks for any answer

Jacques VUVANT


Re: peap problems

2005-01-24 Thread ealatalo
> 
> Hi!
> 
> I'm trying to configure freeradius with peap autentication. I use winxp for
> client. When starting autentication, I get following error. Can somebody
> help
> me and tell what is going wrong. I had made changes radius.conf, eap.conf,
> users and clients.conf files. Should I make changes huntsgroup file?
> 
> T.ea
> 
> 
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.50.50.13:1046, id=21,
> length=141
> User-Name = "TWIRE12\\jaskajok"
> NAS-IP-Address = 10.50.50.13
> Called-Station-Id = "00034715cbc3"
> Calling-Station-Id = "00022d1d5cb1"
> NAS-Identifier = "WARLORD1"
> NAS-Port = 29
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0201001501545749524531325c6a61736b616a6f6b
> Message-Authenticator = 0x1a2a529631d65180ea30bcba1b581e14
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "jaskajok", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 1 length 21
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
> users: Matched jaskajok at 97
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 0
> modcall: group authenticate returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> 


  (freeradius 1.0.0 & Suse 9.2)


  I have the following line in the users file. (I don't have a users.conf file..?)


#"John Doe"     Auth-Type := Local, User-Password == "hello"
#       Reply-Message = "Hello, %u"

jaskajok        User-Password == "Reititys3"

#
# Dial user back and telnet to the default host for that port






user account expiration question

2005-01-24 Thread Chuck
is there something easier to use than the Expire check item to expire users on 
or after a certain date to trigger a deny response? No one in his right mind 
is going to sit there and even use a calculator for the number of seconds 
since some date in 1970!

Isn't there some check item where I can just enter a normal date format?

-- 

Chuck

"Windows?? You mean the thirty-two bit extension and graphical shell to a 
sixteen-bit patch to an eight-bit operating system originally coded for a 
four-bit microprocessor which was written by a two-bit company that can't 
stand one bit of competition? Oh, that..." -- Lee Clarke




freeradius & postgreSQL - stored procedures

2005-01-24 Thread Siderite

  Hello... I am trying to make freeradius authenticate some access
packets using the output of SQL stored procedures (that eventually would
do the billing as well). Can it be done? And if yes, how?

   thank you

-- 
Siderite <[EMAIL PROTECTED]>




Re: Freeradius hangs after a HUP

2005-01-24 Thread Joe H
I updated all the servers to FreeBSD 4.10 with the latest patch release,
rebuilt world and kernel and I am still having the same issue when I
attempt to restart or HUP the radiusd process.  It seems to be looping as
Alan said.  I did do the gdb and when I issue the radiusd.sh restart
command, it prints this to the screen and stops.

Program received signal SIGTERM, Terminated.
0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4

I'm not sure how helpful that will be to anyone but it's all the
information it showed.

Let me know if this rings any bells.

Joe H.



On Wed, 19 Jan 2005, Alan DeKok wrote:

> Joe H <[EMAIL PROTECTED]> wrote:
> > With my situation, doing the restart of the process causes radius to stop
> > working and the radius process climbs to about 90% CPU usage.
>
>   It sounds like it's in a busy loop.
>
>   My suggestion is to use gdb to attach to the running process, and
> see where in the source it's busy-looping.
>
>   Alan DeKok.
>
>
>
