Does freeradius support IAPP?
Hello All,

I have a doubt regarding IAPP (Inter Access Point Protocol) support in FreeRadius 1.0.1. As a first step, I searched the entire directory for the Service-Type IAPP-Register, but it was found only in the file /share/dictionary:

VALUE	Service-Type	IAPP-Register	15
VALUE	Service-Type	IAPP-AP-Check	16

Is IAPP (AP registration in an ESS etc.) really supported in FreeRADIUS?

--
Best Regards,
Madhu Dubey
fedora core 3 "make" error
Hi,

I need some help here. I'm trying to install FreeRadius version 1.0.1 on Fedora Core 3, but every time I try to use the make command it gives me this error:

Making static dynamic in rlm_krb5...
gmake[6]: Entering directory `/root/freeradius-1.0.1/src/modules/rlm_krb5'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I../../include -c rlm_krb5.c -o rlm_krb5.o
rlm_krb5.c:40:21: com_err.h: No such file or directory
rlm_krb5.c: In function `verify_krb5_tgt':
rlm_krb5.c:105: warning: passing arg 2 of `krb5_kt_read_service_key' discards qualifiers from pointer target type
rlm_krb5.c: In function `krb5_auth':
rlm_krb5.c:219: warning: initialization discards qualifiers from pointer target type
rlm_krb5.c:305: warning: implicit declaration of function `krb5_get_in_tkt_with_password'
rlm_krb5.c:305: warning: nested extern declaration of `krb5_get_in_tkt_with_password'
gmake[6]: *** [rlm_krb5.o] Error 1
gmake[6]: Leaving directory `/root/freeradius-1.0.1/src/modules/rlm_krb5'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/freeradius-1.0.1/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory `/root/freeradius-1.0.1/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-1.0.1/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory `/root/freeradius-1.0.1'
make: *** [all] Error 2

Thanks a lot

From,
sunshung
Re: badusers?
I think this is for Dialup Admin... not actually used by FreeRADIUS?

>>> [EMAIL PROTECTED] 31/01/2005 10:16:04 >>>
Hi list,

what is the badusers table in the radius db good for? Didn't find any useful info about it on the freeradius page or via Google :(

cheers
Sebastian
RE: ldap backend and failover
alan walters wrote:
> This is working fine but I would prefer if one of the ldap
> directories failed the radius fell over onto another ldap. Is
> this possible

Sure is. Take a look at configurable_failover in the docs directory.

You need to define two ldap instances in radiusd.conf (one for each of your ldap servers), and define a "redundant" group in the authorize section (and authenticate too, I suppose, if you use ldap for authentication as well as authorization).

Regards,
Mike
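Mike's two-instance layout written out as radiusd.conf, as an added example (not Mike's or the project's own configuration); hostnames, bind DN, basedn and certificate paths are placeholders. The caveat a practitioner should know: a redundant group only moves on to the next module when the previous one returns fail (connection or search failure), so a user simply not found in ldap1 is not retried against ldap2.

```conf
# Added example: one rlm_ldap instance per directory server.
# Both instances are identical except for "server".
modules {
	ldap ldap1 {
		server = "ldap1.example.org"              # placeholder
		identity = "cn=radius,dc=example,dc=org"  # placeholder bind DN
		password = "CHANGE-ME"                    # placeholder
		basedn = "ou=people,dc=example,dc=org"    # placeholder
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# Protect the bind credentials and lookups in transit.
		start_tls = yes
		tls_cacertfile = /etc/raddb/certs/cacert.pem   # placeholder path
		tls_require_cert = "demand"
		# Short timeouts: a dead directory must return "fail" quickly,
		# or every request waits the full timeout before ldap2 is tried.
		timeout = 4
		net_timeout = 1
		ldap_connections_number = 5
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}
	ldap ldap2 {
		server = "ldap2.example.org"              # placeholder
		identity = "cn=radius,dc=example,dc=org"
		password = "CHANGE-ME"
		basedn = "ou=people,dc=example,dc=org"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = yes
		tls_cacertfile = /etc/raddb/certs/cacert.pem
		tls_require_cert = "demand"
		timeout = 4
		net_timeout = 1
		ldap_connections_number = 5
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}
}

authorize {
	preprocess
	# ldap2 is consulted only if ldap1 returns "fail";
	# "notfound" or "reject" from ldap1 ends the group.
	redundant {
		ldap1
		ldap2
	}
}

authenticate {
	# Only needed when the directory does the bind itself
	# (no readable password attribute), i.e. Auth-Type LDAP.
	Auth-Type LDAP {
		redundant {
			ldap1
			ldap2
		}
	}
}
```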
ldap backend and failover
I am concerned about failover on our freeradius servers. Presently we run two servers and our NAS boxes have backups to each radius server. They both auth from two different ldap servers that are replicated.

This is working fine but I would prefer if one of the ldap directories failed the radius fell over onto another ldap. Is this possible?

Regards
Alan walters
Re: Huntgroup "GROUP"?
"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> Is there a way to do that to keep users from authenticating from other NASes
> other than adding all the users to the appropriate huntgroup?

user	Client-IP-Address != 1.2.3.4, Auth-Type := Reject
	...

For multiple NASes, the huntgroups are the simplest way (for now).

Alan DeKok.
RE: Huntgroup "GROUP"?
Is there a way to do that to keep users from authenticating from other NASes other than adding all the users to the appropriate huntgroup?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, January 31, 2005 3:45 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Huntgroup "GROUP"?

"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> Does the place where it says "Group" refer to the same radgroupreply table
> in the database?

No. It refers to Unix groups.

Alan DeKok.
Re: Huntgroup "GROUP"?
"Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> Does the place where it says "Group" refer to the same radgroupreply table
> in the database?

No. It refers to Unix groups.

Alan DeKok.
Huntgroup "GROUP"?
In the huntgroups file it has this example:

##
business	NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7
		User-Name = rogerl,
		User-Name = henks,
		Group = business,
		Group = staff
##

Does the place where it says "Group" refer to the same radgroupreply table in the database? So when someone authenticated, the user would have to have the correct user and pass, and their group would have to be defined in the huntgroup, or it would get a reject?

Thanks
Cris
Userpassword in LDAP
I need my schema to have a userpassword attribute, but the password in that attribute must be encrypted, and FreeRADIUS must understand it. FreeRADIUS needs to access the userpassword attribute in LDAP to authenticate, but userpassword needs to be encrypted. How can I do this?
Re: Multiple Databases
Please send PLAIN TEXT mail!

Look in /doc/configurable_failover

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be

----- Original Message -----
From: Junior Gillespie
To: freeradius-users@lists.freeradius.org
Sent: Monday, January 31, 2005 8:04 PM
Subject: Multiple Databases

Is there a way to set up freeradius to query multiple MySQL databases for a username?

Junior
Fwd: download from CVS and error to compile
My workaround has been to replace all relative paths to libltdl with absolute paths. Another attempt was to replace the configure with the configure from 1.0.1. Not sure whether this is the correct way. I hope the current CVS compiles fine; trying soon.

Matthias Rumitz
TC Unix / Netzwerke
ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Web: http://www.adiva.de
eMail: [EMAIL PROTECTED]

----- Original Message -----
From: Rohaizam Abu Bakar <[EMAIL PROTECTED]>
Date: Wednesday, January 26, 2005 5:15 am
Subject: download from CVS and error to compile

> FreeBSD: 4.10p4
>
> Download the whole tree from CVS and try to compile..
>
> # ./configure => OK
>
> # make
>
> Making all in libltdl...
> gmake[1]: Entering directory `/var/src/TEST3/radiusd/libltdl'
> gmake[1]: *** No rule to make target `all'. Stop.
> gmake[1]: Leaving directory `/var/src/TEST3/radiusd/libltdl'
> gmake: *** [common] Error 1
>
> Googled and found that a lot of people are experiencing this
> problem... any workaround?
>
> thanks..
>
> --haizam
Dialup_Admin Additional attributes
Is there a way for me to add other attributes through the Dialup admin that are not currently in the screens? I need to be able to set multiple Ascend data filters for different users. Is there a way to have an "Other1", "Other2", "Other3"... etc., so I can add attributes and values that are not there?

Thanks
Multiple Databases
Is there a way to set up freeradius to query multiple MySQL databases for a username?

Junior
Re: no authentication method found
I'm sorry, I did have the username without dashes when I tried it. I still get the same output though. I tried Auth-Type := EAP also, but that did not work either.

000e354bcf5d	Auth-Type := Local, User-Password == "000e354bcf5d"

> From what you posted there is no dash in the User-Name or password.

On Sun, 2005-01-30 at 13:40, Robert Ku wrote:
> Hello
>
> I have posted a topic with my problem with mac authentication before
> using a Cisco C3550 switch as its authenticator. I now tested the mac
> authentication with Cisco Aironet 1200 AP.
>
> in users:
> 000e35-4bcf5d	Auth-Type := Local, User-Password == "000e35-4bcf5d"
> also tried:
> 000e35-4bcf5d	Auth-Type := Local, User-Password == "secretpass"
>
> in the eap.conf:
> default_eap_type = leap
>
> clients.conf:
> client 10.19.50.18 {	# Aironet 1200 IP
> 	secret = secretpass
> 	shortname = ap
> 	nastype = cisco
> }
>
> This is my output when I ran radiusd -Xy
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.19.50.18:1536, id=17, length=130
> 	User-Name = "000e354bcf5d"
> 	User-Password = "000e354bcf5d"
> 	NAS-IP-Address = 10.19.50.18
> 	Called-Station-Id = "000c853e2200"
> 	NAS-Port = 37
> 	NAS-Port-Type = Wireless-802.11
> 	Cisco-AVPair = "ssid=rccd"
> 	Calling-Station-Id = "000e354bcf5d"
> 	NAS-Identifier = "AP1200-3e2200"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "000e354bcf5d", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>   modcall[authorize]: module "files" returns notfound for request 0
> modcall: group authorize returns ok for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
Re: PPTP+MSCHAPv2+MPPE+LDAP
Hello,

Is it possible to add any protection to the password between the client and the VPN server while using LDAP? I know it's possible with a clear-text password file, but we want to use our LDAP server.

thanks!

Alan DeKok wrote:
> jose luis faria <[EMAIL PROTECTED]> wrote:
>> - if I set require-mschap-v2 and require-mppe-128 in options.pptp, with
>> LDAP the authentication fails.
>
> LDAP doesn't do MSCHAP.
>
>> the freeradius 1.0.1 :
>>
>> rlm_mschap: No User-Password configured. Cannot create LM-Password
>> rlm_mschap: No User-Password configured. Cannot create NT-Password
>> rlm_mschap: Told to do MS-CHAP2 for jose with NT-Password
>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect"
>
> The LDAP server didn't tell FreeRADIUS what the user's password was.
>
> Alan DeKok.

--
:) regards
Jose Luis Faria
Network Admin
Departamento de Informatica
Escola de Engenharia
Universidade do Minho
Get ca.crt at http://mail.di.uminho.pt
Re: PPTP+MSCHAPv2+MPPE+LDAP
jose luis faria <[EMAIL PROTECTED]> wrote:
> - if I set require-mschap-v2 and require-mppe-128 in options.pptp, with
> LDAP the authentication fails.

LDAP doesn't do MSCHAP.

> the freeradius 1.0.1 :
>
> rlm_mschap: No User-Password configured. Cannot create LM-Password
> rlm_mschap: No User-Password configured. Cannot create NT-Password
> rlm_mschap: Told to do MS-CHAP2 for jose with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect"

The LDAP server didn't tell FreeRADIUS what the user's password was.

Alan DeKok.
'radwho -r' behavior does not match man page
Hey all,

I have been running freeradius for some time now, and just now noticed an issue with radwho. The man page states:

	-r	Outputs all data in raw format - no headers, no formatting, fields are comma-separated.

but every time I try to run 'radwho -r', I get the header. The formatting is gone, the fields are comma separated, but I don't want the header. I have tried this with freeradius-1.0.0 and 1.0.1, both with the same results. Am I doing something wrong? Or am I simply misinterpreting what "header" the man page is talking about?

For example, with a 'radwho' I get:

Login      Name              What  TTY  When      From            Location
user1      user1             PPP   S0   Mon 11:31 127.0.0.1       64.XXX.XXX.XXX

What I get from 'radwho -r' is:

Login Name What TTY When From Location
user1,user1,PPP,S0,Mon 11:31,127.0.0.1,64.XXX.XXX.XXX

But I don't want the Login-Name-What, etc. Is this the expected behavior? Have I read the man page wrong?

Thanks!
Morgan Nelson
Re: ldap and NAS clients
"Mitchell, Michael J" <[EMAIL PROTECTED]> wrote:
> The other thing I'd *really* like, is to be able to incorporate reading
> huntgroups out of ldap also. My configuration is heavily dependent on
> the inclusion of each client into a huntgroup, so for me, having clients
> read out of ldap only solves half the problem. This looks a little more
> difficult however, as the huntgroups are configured in a module, rather
> than in the server core, and therefore would take a reasonable amount of
> rework.

Why? Just create something similar in the LDAP module, and call it "LDAP-Huntgroup". There's nothing magic about the Huntgroup attribute.

Alan DeKok.
Re: Access-Reject not sent unless run with -X
Mike Lampson <[EMAIL PROTECTED]> wrote:
> Either change your RADIUS client to have a 31+ second timeout or dramatically
> reduce the setting for "max_request_time". I use 6 seconds.

Or, set "reject_delay = 0"

Alan DeKok.
Re: Multiple values of Reply-Message for a realm in attr_filter. Is it possible? Does anyone have an idea? Please
"delrieu.nans" <[EMAIL PROTECTED]> wrote:
> Ok I have tested
>
> company.com
> 	Reply-Message =~ (ValA|ValB)
> it doesn't work

The Reply-Message attribute is a string. It requires double-quoted strings, not miscellaneous text.

All of the examples in the files shipped with the server have it quoted. All of the examples in the documentation have it quoted. Please follow the existing examples.

Alan DeKok.
XP MSchapV2 PEAP
Problem authenticating? You try help file? Mine works fine. No trouble. You read help?
Re: Problems with CalledStationId and CallingStationId
Please send PLAIN TEXT mails!

Look at the allowed_characters configuration in sql.conf

--
Thor Spruyt

----- Original Message -----
From: vicente barrientos
To: freeradius-users@lists.freeradius.org
Sent: Monday, January 31, 2005 4:25 PM
Subject: Problems with CalledStationId and CallingStationId

Hello. I have problems with CalledStationId and CallingStationId: the GW sends 1234#51195252522 but MySQL receives 1234=2351195252522. Can someone help me?

thanks a lot
TLS
In my debug I see this message. Does someone know what the problem is?

-- debug -X

Cleaning up request 0 ID 41 with timestamp 41fc77b9
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 146.x.y.x:10958, id=41, length=142
	User-Name = "anderson"
	CHAP-Password = 0x264687ce992af9084804a7d3fe6d654eae
	NAS-IP-Address = 146.x.y.235
	NAS-Identifier = "UFRJGK"
	NAS-Port-Type = Virtual
	Service-Type = Login-User
	CHAP-Challenge = 0x41fbbfc3
	Framed-IP-Address = 146.x.y.x
	Cisco-AVPair = "h323-ivr-out=terminal-alias:anderson,025980011;"
rad_lowerpair: User-Name now 'anderson'
rad_rmspace_pair: User-Name now 'anderson'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
    rlm_realm: No '@' in User-Name = "anderson", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "anderson"
    rlm_realm: Proxying request from user anderson to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  modcall[authorize]: module "digest" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anderson
radius_xlat:  '(&(uid=anderson)(objectclass=radiusprofile))'
radius_xlat:  'ou=users,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /home/brunoos/temp/certs/rootCA.crt
rlm_ldap: setting TLS CACert File to /home/brunoos/temp/certs/
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: setting TLS Cert File to /home/brunoos/temp/certs/server.crt
rlm_ldap: setting TLS Key File to /home/brunoos/temp/certs/server.key
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 1
modcall: group authorize returns fail for request 1
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
RE: LDAP AD 802.1x eap peap mschap v2=help
Thanks Mark,

I had run across those discussions, and had also run across others that seemed to contradict them. I appreciate the response.

~Brandon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 6:16 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP AD 802.1x eap peap mschap v2=help

Brandon,

You will never be able to do LDAP auth against AD when using EAP. In the archives there are many discussions on the topic. The only way to do EAP against AD is to use ntlm_auth.

Mark Capelle
Re: about me - and a question
Sebastian Wild wrote:
> [EMAIL PROTECTED] wrote:
>> Sebastian Wild wrote:
>>> Hello list,
>>>
>>> I've just joined in here. My name is Sebastian and I am from Germany. I work
>>> as administrator at an ISP and I also am a maintainer of a private wlan
>>> project called wlan-r. Now wlan-r uses chillispot to authenticate wireless
>>> users on hotspots via freeradius against mysql and it works fine. Recently
>>> I've seen that it is possible to get info about which users are currently
>>> online on wlan. Since that was not on a hotspot but on a website somewhere
>>> at the net I am thinking that it used a feature of the freeradius server.
>>> Now it would be very interesting to know how to get the info about which
>>> users are currently online out of free radius. Does anyone know how to do that?
>>
>> Some implementations rely on the accounting status: if there is a start
>> record without a stop record you can assume that the user is still online.
>> But this does not always reflect reality.
>>
>> --
>> Gerald
>
> Thank you all for your help! I've now done it by using the data from the
> radacct table of the radius db and it works fine. I've even added a table
> listing our hotspots by their essid and mac and my script looks the hotspots
> up there via the CalledStationId which it gets from radacct. As far as we
> tested it, it all worked fine :) My statistics script now gives current
> logged-in users as well as prior logins back since freeradius is running on
> the server :) I only had to block the first entries of radacct from being
> listed because at those times something went badly wrong and so they have
> no AcctEndTime (-00-00-00:00) ;)

That is exactly what I meant: "-00-00-00:00" as the AcctEndTime indicates under normal conditions that the session is still alive and the mentioned user/system is online. But in case something fails (NAS or RADIUS reboot; lost ACCT packets; ...) or your setup includes RADIUS load-balancing, you have to clean such zombie records manually.

--
Gerald
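The approach Gerald and Sebastian describe, written out as SQL against the FreeRADIUS 1.0.x MySQL radacct schema. This is an added example, not code from the thread: the hotspots table mirrors the essid/mac lookup table Sebastian mentions but its column names are assumed, and the two-hour grace window is a constructed value.

```sql
-- Added example (not from the thread).
-- The 1.0.x MySQL schema declares AcctStopTime NOT NULL with default
-- '0000-00-00 00:00:00', so an "open" session is the zero datetime, not NULL.
-- Both are checked so the queries also work on a schema that allows NULL.

-- 1. Who looks online right now: a start record with no stop record.
--    The hotspots table (mac, essid) is assumed, not part of the schema.
SELECT a.UserName,
       a.FramedIPAddress,
       a.AcctStartTime,
       a.CalledStationId,
       h.essid
  FROM radacct a
  LEFT JOIN hotspots h ON h.mac = a.CalledStationId
 WHERE (a.AcctStopTime IS NULL OR a.AcctStopTime = '0000-00-00 00:00:00')
   AND a.AcctStartTime <> '0000-00-00 00:00:00'   -- skips the broken early rows
 ORDER BY a.AcctStartTime;

-- 2. Zombie candidates: still "open", but the last point of known activity
--    (start time plus the AcctSessionTime refreshed by Interim-Update packets)
--    is older than a grace window.  2 hours is a constructed value; it must be
--    longer than the NAS interim interval, and if the NAS sends no interim
--    updates at all, AcctSessionTime stays 0 and the window must instead be
--    longer than the longest legitimate session.
SELECT RadAcctId, UserName, NASIPAddress, AcctSessionId, AcctStartTime
  FROM radacct
 WHERE (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
   AND AcctStartTime <> '0000-00-00 00:00:00'
   AND AcctStartTime + INTERVAL AcctSessionTime SECOND < NOW() - INTERVAL 2 HOUR;

-- 3. Close the zombies explicitly instead of deleting them: the rows keep
--    their traffic counters for billing/audit, and the constructed terminate
--    cause makes the manual cleanup recognisable later.
UPDATE radacct
   SET AcctStopTime       = NOW(),
       AcctTerminateCause = 'Stale-Session-Cleanup'
 WHERE (AcctStopTime IS NULL OR AcctStopTime = '0000-00-00 00:00:00')
   AND AcctStartTime <> '0000-00-00 00:00:00'
   AND AcctStartTime + INTERVAL AcctSessionTime SECOND < NOW() - INTERVAL 2 HOUR;
```

With RADIUS load-balancing the stop record may arrive at a different server than the start record, so the cleanup in step 3 should run against the consolidated database, not per server.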
PPTP+MSCHAPv2+MPPE+LDAP
Hello,

I have a machine with PPTP and:

- if I set require-pap in options.pptp and I'm using LDAP (in another server) authentication, it works very well.
- if I set require-mschap-v2 and require-mppe-128 in options.pptp, with LDAP the authentication fails.

the freeradius 1.0.1 :

rlm_mschap: No User-Password configured. Cannot create LM-Password
rlm_mschap: No User-Password configured. Cannot create NT-Password
rlm_mschap: Told to do MS-CHAP2 for jose with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect"
...

I think I have all configurations well defined in ldap.conf. Can anyone give some help? :)

thanks in advance
Jose Luis Faria
Problems with CalledStationId and CallingStationId
Hello. I have problems with CalledStationId and CallingStationId: the GW sends 1234#51195252522 but MySQL receives 1234=2351195252522. Can someone help me?

thanks a lot
RE: Access-Reject not sent unless run with -X
> I am encountering some strange behaviour of freeradius
> 1.01. May be a bug.
>
> A) If i launch the freeradius daemon with the radiusd
> command i notice that Access-Reject packets are not
> sent back. Access-Accept are sent.
>
> B) If now I launch freeradius using the interactive
> "radiusd -X" command, for exactly the same context as
> A) I now receive back my Access-Reject packets.

This is a bug. See my previous post here:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg08868.html

Where I state "max_session_time", I should have said "max_request_time".

Either change your RADIUS client to have a 31+ second timeout or dramatically reduce the setting for "max_request_time". I use 6 seconds.

Alternatively, have your RADIUS client resend the authentication request fairly soon after the first. A second authentication request gets an immediate Access-Reject response. No 31 second delay.

Cheers,
Mike
EAP-TLS with check_cert_cn enabled
freeradius 1.0.1 / OS X 10.3.7

Works fine as long as the user name and common name match. When they don't, the server consistently crashes with a bus error.

. . . .
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0f5a], Certificate
chain-depth=1, error=0
--> User-Name = Larry X. Riffle
--> BUF-Name = Larry J. Riffle
--> subject = /C=US/ST=Pennsylvania/L=Lemont/O=Riffle Company/OU=Mnt Nittany Net/CN=Larry J. Riffle/[EMAIL PROTECTED]
--> issuer  = /C=US/ST=Pennsylvania/L=Lemont/O=Riffle Company/OU=Mnt Nittany Net/CN=Larry J. Riffle/[EMAIL PROTECTED]
--> verify return:1
radius_xlat:  'Larry X. Riffle'
  rlm_eap_tls: checking certificate CN (Larry J. Riffle) with xlat'ed value (Larry X. Riffle)
  rlm_eap_tls: Certificate CN (Larry J. Riffle) does not match specified value (Larry X. Riffle)!
chain-depth=0, error=0
--> User-Name = Larry X. Riffle
--> BUF-Name = Larry J. Riffle
--> subject = /ST=Pennsylvania/L=Lemont/O=Riffle Company/OU=home/C=US/CN=Larry J. Riffle
--> issuer  = /C=US/ST=Pennsylvania/L=Lemont/O=Riffle Company/OU=Mnt Nittany Net/CN=Larry J. Riffle/[EMAIL PROTECTED]
--> verify return:0
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert write:fatal:certificate unknown
TLS_accept:error in SSLv3 read client certificate B
885:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2003:
  rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
. . . .
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0f5a], Certificate
chain-depth=1, error=0
/usr/local/freeradius-1.0.1/sbin/rc.radiusd: line 75:   885 Bus error   $RADIUSD $ARGS radiusd
---

I have the rest of the "-X" output if anybody wants it, but it's over 500 lines.

-Larry
Re: Problems with time to finish
On Sun, 30 Jan 2005, Arthur M?ssmer wrote:

> Hello to everybody!!!
>
> I wrote a script with which it is possible to import user files into the
> radius server. On this web interface I can set up a user, which should be
> able to connect for 48 hours after the first login to the internet. The
> radius server is working with an ISS Internet Subscriber 4000 from Handlink.
> I am looking for the following setting in the radius server. Is it possible to
> configure the radius server in such a way that exactly 48 hours after the first
> login of a specified user, this user would lose his validity (after 48 hours
> of the first login, the user should not be able to log on with his user data
> again)? I couldn't find a way yet

There's no turn-key solution for this. You can use a post-auth script which on the user's first logon will set an Expiration attribute in the radcheck table (if you're using sql) for that user with a corresponding value.

> Thanks for your help!!!
>
> sincerely
> Arthur

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
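One way to implement Kostas's suggestion, as an added example that is not from the thread: the statement a post-auth script can run against the FreeRADIUS MySQL radcheck table so that only the very first successful login creates the Expiration check item. The username is a placeholder, the 48-hour window is Arthur's requirement, and only the day-granularity date form '%d %b %Y' is used for the Expiration value; the unique index is an assumption, not part of the shipped schema.

```sql
-- Added example (not from the thread).
-- One-time preparation: the stock radcheck table has no uniqueness on
-- (UserName, Attribute), so two near-simultaneous first logins could both
-- insert.  This index (assumed, not in the shipped 1.0.x schema) turns the
-- second insert into an error instead of a second, later deadline.
-- Skip it if your deployment relies on repeated check attributes per user.
ALTER TABLE radcheck ADD UNIQUE KEY radcheck_user_attr (UserName, Attribute);

-- Post-auth hook: run once per successful login.  Replace 'arthur_user' with
-- the authenticated user (a post-auth exec can pass %{User-Name} to the script).
-- INSERT ... SELECT ... WHERE NOT EXISTS inserts only when no Expiration row
-- exists yet, so later logins never move the deadline forward.
INSERT INTO radcheck (UserName, Attribute, op, Value)
SELECT 'arthur_user',
       'Expiration',
       ':=',
       DATE_FORMAT(NOW() + INTERVAL 48 HOUR, '%d %b %Y')   -- e.g. "02 Feb 2005"
  FROM DUAL
 WHERE NOT EXISTS (SELECT 1
                     FROM radcheck
                    WHERE UserName  = 'arthur_user'
                      AND Attribute = 'Expiration');

-- Audit from the SQL side: accounts whose Expiration date has already passed.
-- FreeRADIUS itself rejects these on the next login; this view lets the
-- operator see (and prune) them without waiting for an attempt.
SELECT UserName, Value AS expires_on
  FROM radcheck
 WHERE Attribute = 'Expiration'
   AND STR_TO_DATE(Value, '%d %b %Y') < NOW()
 ORDER BY STR_TO_DATE(Value, '%d %b %Y');
```

Because the value is stored at day granularity, the account expires at the start of the recorded day rather than exactly 48 hours after the first login; that is the trade-off of using the date-only form.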
XP SP2 PEAP MSCHAPv2
Thanks for the help. We tried the pre-1.0.2 CVS Solaris fixes but we are still hitting the same problem. The symptom has to do with password processing in module rlm_mschap.

Has anyone successfully authenticated with XP SP2 using PEAP MSCHAPv2 using the Windows userid and password, on Solaris 8? We are more interested in using XP for our supplicant platform, but are less concerned about what OS to base the freeRADIUS server on. What is an optimal OS and version alternative for freeRADIUS that will work with XP? We will also give 1.0.2 a run when it becomes available.

A portion of the debug using the CVS download follows our previous exchange.

Thanks,
John Gauntt

> [EMAIL PROTECTED] wrote:
>> I have unsuccessfully attempted to authenticate an XP SP2
>> supplicant using PEAP MSCHAPv2. I am using freeradius 1.0.1, Solaris 8,
>
> There are known problems with 1.0.1 on Solaris.
>
> 1.0.2 should be out in a week or two, or if you don't want to wait, do:
>
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd
>
> And that will get you 99.9% of what will be in 1.0.2, now. Most
> importantly, it will get you the fixes for Solaris.
>
> Alan DeKok.

radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = "%{User-Name}"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded
Re: badusers?
Kostas Kalevras wrote:
> On Mon, 31 Jan 2005, Sebastian Wild wrote:
>
> > Hi list,
> > what is the badusers table in the radius db good for? Didn't find any useful info about it on the freeradius page or via google :(
>
> It's used by dialupadmin, see dialup_admin/README
>
> > cheers
> > Sebastian
>
> --
> Kostas Kalevras
> Network Operations Center [EMAIL PROTECTED]
> National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf

oh ok :) Thought it could be used to deny access to radius users or something like that...

cheers
Sebastian
Re: Need help for Expiration attr
On Mon, 31 Jan 2005, rashad wrote:

> What date/time formats are allowed for the Expiration attribute? Is it possible to use
> UNIX timestamp format (number of seconds since UNIX epoch) or any date/time format
> supported by MySQL? For example 'January 28 2005 12:00:00' in radcheck table works fine
> but '2005-01-28 12:00:00' doesn't.

So? Use the first format. It's rather easy to transform date types in MySQL (see DATE_FORMAT(date,format))

> mysql> select * from radcheck;
> +----+----------+---------------+----+---------------------+
> | id | UserName | Attribute     | op | Value               |
> +----+----------+---------------+----+---------------------+
> | 15 | jhon     | User-Password | := | tksprs              |
> | 17 | jhon     | Expiration    | := | 2005-01-28 10:00:00 |
> +----+----------+---------------+----+---------------------+
>
> Must FreeRADIUS calculate and send a proper SessionTimeout attribute to disconnect the
> user at the Expiration date when the user connected before this date (as in the case of
> the LoginTime attribute)?

Freeradius will calculate a proper Session-Timeout value.

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: badusers?
On Mon, 31 Jan 2005, Sebastian Wild wrote:

> Hi list,
> what is the badusers table in the radius db good for? Didn't find any useful info about it on the freeradius page or via google :(

It's used by dialupadmin, see dialup_admin/README

> cheers
> Sebastian

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: no authentication method found
From what you posted there is no dash in the User-Name or password.

On Sun, 2005-01-30 at 13:40, Robert Ku wrote:
> Hello
>
> I have posted a topic with my problem with mac authentication before
> using a Cisco C3550 switch as its authenticator. I now tested the mac
> authentication with Cisco Aironet 1200 AP.
>
> in users:
> 000e35-4bcf5d Auth-Type:=Local, User-Password == "000e35-4bcf5d"
> also tried:
> 000e35-4bcf5d Auth-Type:=Local, User-Password == "secretpass"
>
> in the eap.conf :
> default_eap_type = leap
>
> clients.conf:
> clients 10.19.50.18 { //Aironet 1200 IP
>         secret = secretpass
>         shortname = ap
>         nastype = cisco
>
> This is my output when I ran radiusd -Xy
>
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.19.50.18:1536, id=17, length=130
>         User-Name = "000e354bcf5d"
>         User-Password = "000e354bcf5d"
>         NAS-IP-Address = 10.19.50.18
>         Called-Station-Id = "000c853e2200"
>         NAS-Port = 37
>         NAS-Port-Type = Wireless-802.11
>         Cisco-AVPair = "ssid=rccd"
>         Calling-Station-Id = "000e354bcf5d"
>         NAS-Identifier = "AP1200-3e2200"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "000e354bcf5d", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>   modcall[authorize]: module "files" returns notfound for request 0
> modcall: group authorize returns ok for request 0
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
>
> How come freeradius cannot find an authentication method
> configuration? I do have a default configuration type in the eap.conf
> file set and I check that the path to eap.conf file is included in
> radiusd.conf. Thanks for any responses.
>
> Robert
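The reply above points at the actual cause: the users-file entry name is compared with the User-Name exactly as the Aironet sends it, and "000e35-4bcf5d" never equals "000e354bcf5d", so the files module answers notfound and no Auth-Type is ever set. The following Python is an added example written for this page, not FreeRADIUS code: it reproduces the poster's entry, performs the same exact-name lookup, and adds a separator-insensitive comparison as an offline diagnostic. The mini parser, the normalize_mac helper and the diagnose function are assumptions of the example and do not model the real module.

```python
import re

# Sample input taken from the thread: the poster's users-file entry and the
# User-Name the Aironet AP actually sent in its Access-Request.
USERS_FILE = '''
000e35-4bcf5d Auth-Type:=Local, User-Password == "000e35-4bcf5d"
'''
NAS_USER_NAME = "000e354bcf5d"

# One check item: attribute, operator, value (value optionally double-quoted).
_ITEM_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(:=|==|=)\s*"?([^",]*)"?')


def parse_users_file(text):
    """Hypothetical mini-parser for 'name attr op value, attr op value' lines.

    Returns a list of {'name': str, 'checks': [(attr, op, value), ...]}.
    It understands only what the example needs, not the full users-file syntax.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        entries.append({"name": name, "checks": list(_ITEM_RE.findall(rest))})
    return entries


def lookup(entries, user_name):
    """Exact-name lookup: the entry name must equal the User-Name character for
    character. This is the comparison that yields 'notfound' in the thread."""
    for entry in entries:
        if entry["name"] == user_name:
            return entry
    return None


def normalize_mac(value):
    """Keep only lower-case hex digits so that 000e35-4bcf5d, 00:0e:35:4b:cf:5d
    and 000e354bcf5d compare equal. A diagnostic aid, not server behaviour."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def diagnose(entries, user_name):
    """Return 'match' when the exact lookup succeeds, 'separator-mismatch' when
    an entry differs from the User-Name only in separators or case (the thread's
    situation), and 'notfound' otherwise."""
    if lookup(entries, user_name) is not None:
        return "match"
    wanted = normalize_mac(user_name)
    for entry in entries:
        if normalize_mac(entry["name"]) == wanted:
            return "separator-mismatch"
    return "notfound"


if __name__ == "__main__":
    entries = parse_users_file(USERS_FILE)
    print(diagnose(entries, NAS_USER_NAME))  # separator-mismatch
```

Running the diagnostic against the debug output's User-Name reports "separator-mismatch", which is the cue to write the entry name in the form the NAS sends (no dash) rather than to look for a missing EAP or Auth-Type setting.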
RE: LDAP AD 802.1x eap peap mschap v2=help
Brandon,

You will never be able to do LDAP auth against AD when using EAP. In the archives there are many discussions on the topic. The only way to do EAP against AD is to use ntlm_auth.

Mark Capelle
Re: freeradius accounting
Ahmad Cheikh Moussa wrote:
> I have a question regarding radius accounting.
> Is it possible to account radius on a central radius server.
> For example, I have 4 freeradius Servers. Three radius Servers
> make the authentication/authorization and one radius Server
> holds the accounting information:
>
> |radius1|   |radius2|   |radius3|
>     |           |           |
>     |           |           |
>      \          |          /
>       \         |         /
>        \        |        /
>         \       |       /
>          \      |      /
>           \     |     /
>            \    |    /
>            |radius4-ACCT|
>
> Is this possible ?

You might use radrelay, it comes with FreeRADIUS. See doc/radrelay in the source tarball.

--
Nicolas Baradakis
TLS
With debug option "-X" I don't see radius show anything about TLS. I only put this config:

-- section LDAP {} ---
        start_tls = yes
        tls_mode = yes
        tls_cacertfile = /certs/rootCA.crt
        tls_cacertdir = /certs/
        port = 636
        tls_certfile = /certs/server.crt
        tls_keyfile = /certs/server.key

Are there other config options?
WG: Re: XP SP2 PEAP MSCHAPv2
ahm, we used CVS one week ago, and it seems a path for "make" is broken (see earlier post). What we could accomplish: swap "configure" from 1.0.1 over to pre 1.0.2 and "make" worked. We also tried to replace the relative path to libtld with an absolute path and it seemed to compile. Does configure and make work now in pre 1.0.2? ... always asking with regard to Solaris (9) :-)

Matthias Rumitz
TC Unix / Netzwerke
ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Fon: +49(0) 61 72 / 48 61 - 0
Fax: +49(0) 61 72 / 48 61 - 700
Web: http://www.adiva.de
eMail: [EMAIL PROTECTED]

This e-mail message may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail.

----- Original message -----
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Thursday, January 27, 2005 8:20 pm
Subject: Re: XP SP2 PEAP MSCHAPv2

> [EMAIL PROTECTED] wrote:
> > I have unsuccessfully attempted to authenticate an XP SP2
> > supplicant using PEAP MSCHAPv2. I am using freeradius 1.0.1, Solaris 8,
>
> There are known problems with 1.0.1 on Solaris.
>
> 1.0.2 should be out in a week or two, or if you don't want to wait, do:
>
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source login
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd
>
> And that will get you 99.9% of what will be in 1.0.2, now. Most
> importantly, it will get you the fixes for Solaris.
>
> Alan DeKok.
WG: RE: LDAP AD 802.1x eap peap mschap v2=help
not answering all your questions, but some: peap, mschapv2 and Cisco aironet all work fine with each other. we used linux and solaris LDAP with this setup and (except for a 64-bit bug for Solaris, according to Paul Hampson) the rest works, built straight from scratch. Windows XP should be SP2, though. OR SP1 and the PEAP patch from MS. Win2003 works only with commercial WLAN drivers, though. About AD: it is LDAP, so only the password could cause you problems, the LDAP part will just work.

Kind regards

Matthias Rumitz
TC Unix / Netzwerke
ADIVA Computertechnologie GmbH
Norsk-Data-Str. 1
D-61352 Bad Homburg v.d.H.
Fon: +49(0) 61 72 / 48 61 - 0
Fax: +49(0) 61 72 / 48 61 - 700
Web: http://www.adiva.de
eMail: [EMAIL PROTECTED]

----- Original message -----
From: "DeYoung, Brandon" <[EMAIL PROTECTED]>
Date: Monday, January 31, 2005 7:03 am
Subject: RE: LDAP AD 802.1x eap peap mschap v2=help

> Update:
> I just downloaded Alfa & Ariss. I successfully logged into the
> wireless network using PAP. I could not get any type of EAP to work
> and have need of better security than that provided by PAP.
>
> Any help is GREATLY appreciated.
>
> ~Brandon
>
>
> -----Original Message-----
> From: DeYoung, Brandon
> Sent: Sunday, January 30, 2005 8:32 PM
> To: freeradius-users@lists.freeradius.org
> Subject: LDAP AD 802.1x eap peap mschap v2=help
>
> Hello all,
> I am attempting to use FreeRadius to authenticate wireless Windows
> XP users, utilizing Active Directory username/passwords via LDAP
> connection to AD. I am using a Cisco Aironet 1200 Access point.
>
> Is this setup even possible?
> Should I be going a different route?
>
> I have the LDAP portion of the setup working (verified with
> NTRadPing). However, I am getting "Windows was unable to log you
> to on to the network" messages on the client end.
>
> On the client I have only two options for "Authentication Method",
> they are: "Smart card or other certificate" and "Secured password
> (EAP-MSCHAP v2). Since the first doesn't allow for a password I
> went with MSCHAP v2. Will this ever work with LDAP? If not, is there another
> client out there that will? Should I be using some type of NT auth
> instead of LDAP?
>
>
> On the off chance that this setup could actually work here is some
> relevant stuff from my configs:
>
> Thanks in advance,
> ~Brandon
>
> Here is the "authenticate" section from my radiusd.conf
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>
>         Auth-Type LDAP {
>                 ldap
>         }
>
>         # Allow EAP authentication.
>         eap
> }
>
>
> And the "authorize" section:
>
> authorize {
>         preprocess
>         mschap
>         eap
>         files
>         ldap
> }
>
> The "eap" section:
>
> eap {
>         default_eap_type = peap
>         #md5 {
>         #}
>
>         tls {
>                 private_key_password = "my pass phrase"
>                 private_key_file = /etc/1x/r/cert-srv.pem
>                 certificate_file = /etc/1x/r/cert-srv.pem
>                 CA_file = /etc/1x/r/demoCA/cacert.pem
>                 dh_file = /etc/1x/r/dh
>                 random_file = /dev/urandom
>                 fragment_size = 1750
>         }
>
>         ttls {
>                 # default_eap_type = md5
>         }
>
>         peap {
>                 # default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
> }
>
> And Finally, the debug output when I make an auth attempt:
>
> austin:/etc/raddb # radiusd -sfxxyz
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/eap.conf
> Config: including file: /etc/raddb/sql.conf
> main: prefix = "/usr"
> main: localstatedir = "/var"
> main: logdir = "/var/log/radius"
> main: libdir = "/usr/lib/freeradius"
> main: radacctdir = "/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpa
freeradius accounting
Hi!

I have a question regarding radius accounting.
Is it possible to account radius on a central radius server.
For example, I have 4 freeradius Servers. Three radius Servers
make the authentication/authorization and one radius Server
holds the accounting information:

|radius1|   |radius2|   |radius3|
    |           |           |
    |           |           |
     \          |          /
      \         |         /
       \        |        /
        \       |       /
         \      |      /
          \     |     /
           \    |    /
           |radius4-ACCT|

Is this possible ?

Thanks in advance,
Ahmad

--
Ahmad Cheikh-Moussa  NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Phone: +49 431 2390 400 -- Fax: +49 431 2390 499
Service: [EMAIL PROTECTED] -- http://NetUSE.DE/
badusers?
Hi list,

what is the badusers table in the radius db good for? Didn't find any useful info about it on the freeradius page or via google :(

cheers
Sebastian
Re: about me - and a question
[EMAIL PROTECTED] wrote:
> Sebastian Wild wrote:
> > Hello list,
> > I've just joined in here. My name is Sebastian and I am from Germany. I work as administrator at an ISP and I also am a maintainer of a private wlan project called wlan-r. Now wlan-r uses chillispot to authenticate wireless users on hotspots via freeradius against mysql and it works fine. Recently I've seen that it is possible to get info about which users are currently online on wlan. Since that was not on a hotspot but on a website somewhere at the net I am thinking that it used a feature of the freeradius server. Now it would be very interesting to know how to get the info about which users are currently online out of free radius. Does anyone know how to do that?
>
> Some implementations rely on the accounting status: if there is a start record without a stop record you can assume that the user is still online. But this does not always represent reality.
>
> --
> Gerald

Thank you all for your help! I've now done it by using the data from the radacct table of the radius db and it works fine. I've even added a table listing our hotspots by their essid and mac and my script looks the hotspots up there via the CalledStationId which it gets from radacct. As far as we tested it, it all worked fine :) My statistics script now gives current logged in users as well as prior logins back since freeradius has been running on the server :) I only had to block the first entries of radacct from being listed because at those times something went badly wrong and so they have no AcctEndTime (-00-00-00:00) ;) And there is plenty more info in radacct that could be used :) Maybe I will expand the statistics...

greets from snowy Regensburg, GER
Sebastian
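Gerald's heuristic (a start record without a stop record means the user is online) and Sebastian's hotspot lookup by CalledStationId, as an added, self-contained Python example; this is not the poster's script and not FreeRADIUS code. It builds an in-memory SQLite stand-in for the radacct columns it needs plus a hotspots table (the hotspots table and its column names are assumptions; the radacct column names are the ones the shipped schema uses), treats both NULL and MySQL's zero date as "no stop record", which is the state of the rows the poster had to block, and reports sessions that have been open longer than a cut-off as stale rather than online, which is one way to handle Gerald's caveat that a missing stop record does not always mean a live session.

```python
import sqlite3
from datetime import datetime, timedelta

ISO = "%Y-%m-%d %H:%M:%S"
ZERO_DATE = "0000-00-00 00:00:00"  # MySQL's 'no value' datetime, as seen in the poster's AcctStopTime

# Constructed sample rows (radacct column names, invented values).
RADACCT_ROWS = [
    # UserName, CalledStationId,     AcctStartTime,         AcctStopTime
    ("alice", "00-11-22-33-44-55", "2005-01-31 08:00:00", None),                   # open session
    ("bob",   "00-11-22-33-44-55", "2005-01-31 07:00:00", "2005-01-31 07:30:00"),  # closed session
    ("carol", "66-77-88-99-aa-bb", "2005-01-31 09:15:00", ZERO_DATE),              # open, zero-date style
    ("dave",  "66-77-88-99-aa-bb", "2004-12-01 10:00:00", ZERO_DATE),              # stop record never arrived
]
# Hotspot lookup table like the one the poster added; name and columns are assumptions.
HOTSPOTS = [
    ("00-11-22-33-44-55", "wlan-r-downtown"),
    ("66-77-88-99-aa-bb", "wlan-r-campus"),
]

# Sessions without a stop record, joined to the hotspot they were served from.
OPEN_SESSIONS_SQL = """
    SELECT a.UserName, h.essid, a.AcctStartTime
      FROM radacct a
      LEFT JOIN hotspots h ON h.mac = a.CalledStationId
     WHERE a.AcctStopTime IS NULL OR a.AcctStopTime = ?
     ORDER BY a.AcctStartTime
"""


def build_db():
    """In-memory SQLite stand-in for the MySQL radius database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, CalledStationId TEXT, "
                 "AcctStartTime TEXT, AcctStopTime TEXT)")
    conn.execute("CREATE TABLE hotspots (mac TEXT PRIMARY KEY, essid TEXT)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", RADACCT_ROWS)
    conn.executemany("INSERT INTO hotspots VALUES (?, ?)", HOTSPOTS)
    conn.commit()
    return conn


def classify_sessions(conn, now_iso, max_age_hours=24):
    """Apply the thread's heuristic and separate the doubtful cases.

    now_iso is the current time as 'YYYY-MM-DD HH:MM:SS' (passed in so the
    result is reproducible). Sessions open for more than max_age_hours are
    returned as stale instead of online: a lost Accounting-Stop looks exactly
    like a live session in radacct, and the cut-off is an assumption of this
    example, not a server setting.

    Returns (online, stale); each is a list of (UserName, essid, AcctStartTime).
    """
    now = datetime.strptime(now_iso, ISO)
    cutoff = timedelta(hours=max_age_hours)
    online, stale = [], []
    for user, essid, start in conn.execute(OPEN_SESSIONS_SQL, (ZERO_DATE,)):
        record = (user, essid or "unknown-hotspot", start)
        if now - datetime.strptime(start, ISO) > cutoff:
            stale.append(record)
        else:
            online.append(record)
    return online, stale


if __name__ == "__main__":
    online, stale = classify_sessions(build_db(), "2005-01-31 10:00:00")
    for rec in online:
        print("online:", rec)
    for rec in stale:
        print("stale: ", rec)
```

With the constructed rows and the clock set to 2005-01-31 10:00:00, alice and carol are reported online with their hotspot names and dave's December session is listed as stale; bob, who has a real stop time, does not appear at all.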
FreeRadius + Oracle + FreeBSD
Hello !

We are using FreeRADIUS 1.0.0, Oracle server 9.2.0.4 and all of this is working on FreeBSD 5.2.1. I can't make FreeRADIUS work with the Oracle server. After I enable auth or acct via the SQL (oracle) module, FreeRADIUS dies after starting up.

Last lines in the debug output:

...
Mon Jan 31 15:53:18 2005 : Debug: sql: postauth_table = "radpostauth"
Mon Jan 31 15:53:18 2005 : Debug: sql: postauth_query = ""
Mon Jan 31 15:53:18 2005 : Debug: sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
Bus error

And the ktrace.dump last lines are:

 40697 radiusd RET   munmap 0
 40697 radiusd CALL  mmap(0,0x360,0x3,0x1000,0x,0,0,0)
 40697 radiusd RET   mmap -1998000128/0x88e8f000
 40697 radiusd CALL  munmap(0x88e8f000,0x360)
 40697 radiusd RET   munmap 0
 40697 radiusd CALL  sigprocmask(0x3,0x88080110,0)
 40697 radiusd RET   sigprocmask 0
 40697 radiusd PSIG  SIGBUS SIG_DFL

Commenting out all entries of "sql" module calls produces a working radius server. What am I doing wrong? My friends also can't make the FreeRadius + Oracle + FreeBSD bundle work :-(

Thanks a lot,
Ruslan A Dautkhanov
[EMAIL PROTECTED]
Re: Proxy PEAP+MSCHAPV2
Hi,

Is the FreeRadius Server.

Ron Wahler wrote:
> Is the FreeRadius Server a client of IAS ?
>
> Ron.
> http://www.positive-logic.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Israel Alves
> Sent: Sunday, January 30, 2005 11:44 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Proxy PEAP+MSCHAPV2
>
> Hi,
>
> I want to do proxy of users authentication [EMAIL PROTECTED], this is generated with domain login of Windows XP. I configured the freeradius server that receives the request to proxy it to a second server. When I try a connection with Windows XP, I receive the error below on the first server, then further below, I put the result of the second freeradius server:
>
> rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
> rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
>         User-Name = "[EMAIL PROTECTED]"
>         EAP-Message = 0x020100110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x4b7d7eb7f7c7d152f7781ccef4d74eb2
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128'
> rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.2.32/auth-detail-20050128
>   modcall[authorize]: module "auth_log" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: Looking up realm "TESTE" for User-Name = "israel TESTE"
>     rlm_realm: Found realm "TESTE"
>     rlm_realm: Adding Stripped-User-Name = "israel"
>     rlm_realm: Proxying request from user israel to realm TESTE
>     rlm_realm: Adding Realm = "TESTE"
>     rlm_realm: Preparing to proxy authentication request to realm "TESTE"
>   modcall[authorize]: module "suffix" returns updated for request 0
>   rlm_eap: Request is supposed to be proxied to Realm TESTE. Not doing EAP.
>   modcall[authorize]: module "eap" returns noop for request 0
>   modcall[authorize]: module "files" returns notfound for request 0
> modcall: group authorize returns updated for request 0
> Sending Access-Request of id 0 to 172.22.3.69:1812
>         User-Name = "israel"
>         EAP-Message = 0x020100110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x
>         Proxy-State = 0x323534
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Reject packet from host 172.22.3.69:1812, id=0, length=108
>         Extreme-Netlogin-Url = "http://172.22.2.180"
>         Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
>         Extreme-Netlogin-Only = Enabled
>         Extreme-Netlogin-Vlan = "servers"
>         Proxy-State = 0x323534
> Login incorrect (Home Server says so): [israel/] (from client extreme port 0 cli 0.0.0.0)
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 172.22.2.32:1746, id=254, length=98
> Sending Access-Reject of id 254 to 172.22.2.32:1746
>         Extreme-Netlogin-Url = "http://172.22.2.180"
>         Extreme-Netlogin-Url-Desc = "Extreme Networks Home"
>         Extreme-Netlogin-Only = Enabled
>         Extreme-Netlogin-Vlan = "servers"
> --- Walking the entire request list ---
> Waking up in 5 seconds...
>
> rad_recv: Access-Request packet from host 172.22.0.47:1814, id=0, length=97
>         User-Name = "israel"
>         EAP-Message = 0x020100110154455354455c69737261656c
>         NAS-IP-Address = 172.22.2.32
>         Service-Type = Login-User
>         Calling-Station-Id = "0.0.0.0"
>         NAS-Port-Type = Ethernet
>         Message-Authenticator = 0x0195a000df15f453a0effe23b403fb50
>         Proxy-State = 0x323534
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> radius_xlat: '/usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128'
> rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/172.22.0.47/auth-detail-20050128
>   modcall[authorize]: module "auth_log" returns ok for request 0
>     rlm_realm: No ' ' in User-Name = "israel", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 1 length 17
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched israel at 18
>   modcall[authorize]: module "files" returns o
Need help for Expiration attr
What date/time formats are allowed for the Expiration attribute? Is it possible to use UNIX timestamp format (number of seconds since UNIX epoch) or any date/time format supported by MySQL? For example 'January 28 2005 12:00:00' in radcheck table works fine but '2005-01-28 12:00:00' doesn't.

mysql> select * from radcheck;
+----+----------+---------------+----+---------------------+
| id | UserName | Attribute     | op | Value               |
+----+----------+---------------+----+---------------------+
| 15 | jhon     | User-Password | := | tksprs              |
| 17 | jhon     | Expiration    | := | 2005-01-28 10:00:00 |
+----+----------+---------------+----+---------------------+

Must FreeRADIUS calculate and send a proper SessionTimeout attribute to disconnect the user at the Expiration date when the user connected before this date (as in the case of the LoginTime attribute)?
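The mechanism asked about here, and confirmed in Kostas's reply above (store the 'January 28 2005 12:00:00' layout; the server then computes a Session-Timeout so the session ends at the expiry instant), as an added Python example. It is not FreeRADIUS code and does not reproduce the server's date parser: it accepts only the layout the poster reports as working, shows how to rewrite the ISO value that failed, and derives the timeout. The function names and the rule that an already-present Session-Timeout is only ever lowered are assumptions of the example.

```python
from datetime import datetime

# Layout the poster reports as working for Expiration in radcheck
# ('January 28 2005 12:00:00'); '2005-01-28 12:00:00' is the one that did not.
RADCHECK_LAYOUT = "%B %d %Y %H:%M:%S"
ISO_LAYOUT = "%Y-%m-%d %H:%M:%S"


def parse_expiration(value):
    """Return a datetime for an Expiration value in the working layout, or None
    when the value is not in that layout (for example the ISO form).
    Assumption of the example: only this one layout is accepted."""
    try:
        return datetime.strptime(value, RADCHECK_LAYOUT)
    except ValueError:
        return None


def iso_to_radcheck(value):
    """Rewrite a MySQL-style 'YYYY-MM-DD HH:MM:SS' value into the working layout,
    i.e. what to store in radcheck instead of the ISO string."""
    return datetime.strptime(value, ISO_LAYOUT).strftime(RADCHECK_LAYOUT)


def check_expiration(value, now_iso, existing_timeout=None):
    """Decide a login attempt against an Expiration check item.

    now_iso is the current time as 'YYYY-MM-DD HH:MM:SS' (passed in, so the
    decision is reproducible). Returns ('reject', reason) or ('accept', seconds),
    where seconds is the Session-Timeout to send: the time left until expiry,
    or a smaller Session-Timeout that was already set. Never raising an existing
    timeout is this example's rule, not a quotation of server behaviour.
    """
    expires = parse_expiration(value)
    if expires is None:
        return ("reject", "unparseable Expiration value")
    now = datetime.strptime(now_iso, ISO_LAYOUT)
    remaining = int((expires - now).total_seconds())
    if remaining <= 0:
        return ("reject", "account expired")
    if existing_timeout is not None and existing_timeout < remaining:
        return ("accept", existing_timeout)
    return ("accept", remaining)


if __name__ == "__main__":
    print(iso_to_radcheck("2005-01-28 12:00:00"))
    print(check_expiration("January 28 2005 12:00:00", "2005-01-28 10:00:00"))
```

A login two hours before the stored expiry is accepted with a Session-Timeout of 7200 seconds; the same value checked at or after the expiry instant is rejected, and the ISO string the poster tried is rejected because it never parses. The same conversion iso_to_radcheck performs can be done on the MySQL side when filling radcheck, which is the DATE_FORMAT route the reply mentions (the exact format string to use there is not given on this page).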
Re: little bug in freeradius?
> DEFAULT Suffix == ".de", Strip-User-Name = No
>         Hint = "DE",
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP

Your hints entry would only match if the user's realm is _exactly_ .de, i.e.: [EMAIL PROTECTED]
This is not the case, so the Hint attribute is not set.

> DEFAULT Hint == "DE"

and by that, the users file will not go through this entry.

>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Idle-Timeout = 3456,
>         MS-Primary-DNS-Server = 1.2.3.4,
>         MS-Secondary-DNS-Server = 1.2.3.4,
>         MS-Primary-NBNS-Server = 1.2.3.4,
>         MS-Secondary-NBNS-Server = 1.2.3.4,
>         Framed-Compression = Van-Jacobsen-TCP-IP,
>         Fall-Through = No
>
> Problem is, that the suffix is stripped, although the hints file
> says: Strip-User-Name = No

No, the problem is that the Hint isn't applied. :-)

The solution could be not to use the == operator but the regex matching operator =~ to catch something like *.de (you just need to encode that in POSIX regex style). I really love that operator as it makes your life a lot easier (you need to have regex enabled during compile time to get it, though).

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
tel.: +352 424409-33
http://www.restena.lu
fax: +352 422473
little bug in freeradius?
I am using freeradius 1.0.1. eap/tls authentication works fine with the following users file:

#
[EMAIL PROTECTED]   Fall-Through = Yes

DEFAULT Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Idle-Timeout = 3456,
        MS-Primary-DNS-Server = 149.246.222.36,
        MS-Secondary-DNS-Server = 149.246.239.10,
        MS-Primary-NBNS-Server = 149.246.132.166,
        MS-Secondary-NBNS-Server = 149.246.222.225,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Fall-Through = No

DEFAULT Auth-Type := Reject
##

but fails, when I want to use it in conjunction with a hints file:

DEFAULT Suffix == ".de", Strip-User-Name = No
        Hint = "DE",
        Service-Type = Framed-User,
        Framed-Protocol = PPP

and the modified users:

[EMAIL PROTECTED]   Fall-Through = Yes

DEFAULT Hint == "DE"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Idle-Timeout = 3456,
        MS-Primary-DNS-Server = 1.2.3.4,
        MS-Secondary-DNS-Server = 1.2.3.4,
        MS-Primary-NBNS-Server = 1.2.3.4,
        MS-Secondary-NBNS-Server = 1.2.3.4,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Fall-Through = No

DEFAULT Auth-Type := Reject
###

Problem is, that the suffix is stripped, although the hints file says: Strip-User-Name = No

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32784, id=132, length=77
        User-Name = "[EMAIL PROTECTED]"
                                --^ ok
        EAP-Message = 0x022f000e016e77407362732e6465
        NAS-IP-Address = 149.246.222.107
        NAS-Port = 0
        Message-Authenticator = 0xd9f94fa0fad75886f7feb4be3a214697
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
    hints: Matched DEFAULT at 2
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_eap: EAP packet type response id 47 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    rlm_realm: Looking up realm "sbs" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: No such realm "sbs"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 8
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "chap" returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/] (from client localhost port 0)
                 ---^^^ the suffix is gone.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 132 to 127.0.0.1:32784
        MS-Primary-DNS-Server = 1.2.3.4
        MS-Secondary-DNS-Server = 1.2.3.4
        MS-Primary-NBNS-Server = 1.2.3.4
        MS-Secondary-NBNS-Server = 1.2.3.4
Waking up in 4 seconds...

Norbert Wegener
Re: Problems with time to finish
Hi,

> I wrote a script with which it is possible to import user files into the
> radius server.
> Is it possible to configure the radius Server in that way, that exactly
> 48 hours after the first login of a specified user, this user
> would lose his validity (after 48 hours of the first login, the user
> should not be able to log on with his user data again).

Modify your script so that it also sets the attribute "Expiration" for the user you generate. See also the thread "Expire attribute" from only a few days ago.

Stefan

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]
tel.: +352 424409-33
http://www.restena.lu
fax: +352 422473
RE: LDAP AD 802.1x eap peap mschap v2=help
Update: I just downloaded Alfa & Ariss. I successfully logged into the wireless network using PAP. I could not get any type of EAP to work and have need of better security than that provided by PAP. Any help is GREATLY appreciated.

~Brandon

-----Original Message-----
From: DeYoung, Brandon
Sent: Sunday, January 30, 2005 8:32 PM
To: freeradius-users@lists.freeradius.org
Subject: LDAP AD 802.1x eap peap mschap v2=help

Hello all,

I am attempting to use FreeRadius to authenticate wireless Windows XP users, utilizing Active Directory username/passwords via LDAP connection to AD. I am using a Cisco Aironet 1200 Access Point. Is this setup even possible? Should I be going a different route?

I have the LDAP portion of the setup working (verified with NTRadPing). However, I am getting "Windows was unable to log you on to the network" messages on the client end. On the client I have only two options for "Authentication Method": "Smart card or other certificate" and "Secured password (EAP-MSCHAP v2)". Since the first doesn't allow for a password I went with MSCHAP v2. Will this ever work with LDAP? If not, is there another client out there that will? Should I be using some type of NT auth instead of LDAP?

On the off chance that this setup could actually work, here is some relevant stuff from my configs:

Thanks in advance,
~Brandon

Here is the "authenticate" section from my radiusd.conf:

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	Auth-Type LDAP {
		ldap
	}
	# Allow EAP authentication.
	eap
}

And the "authorize" section:

authorize {
	preprocess
	mschap
	eap
	files
	ldap
}

The "eap" section:

eap {
	default_eap_type = peap
	#md5 {
	#}
	tls {
		private_key_password = "my pass phrase"
		private_key_file = /etc/1x/r/cert-srv.pem
		certificate_file = /etc/1x/r/cert-srv.pem
		CA_file = /etc/1x/r/demoCA/cacert.pem
		dh_file = /etc/1x/r/dh
		random_file = /dev/urandom
		fragment_size = 1750
	}
	ttls {
		# default_eap_type = md5
	}
	peap {
		# default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

And finally, the debug output when I make an auth attempt:

austin:/etc/raddb # radiusd -sfxxyz
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Lo
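The setting behind Brandon's result, as an added example that is not his configuration and not an answer from the list: EAP-MSCHAPv2, the inner method of the PEAP option his XP client offers, is a challenge/response computed from the NT hash of the password, so the server must either hold the NT hash itself or hand the challenge and the client's response to something that does. An LDAP bind against Active Directory can only confirm a cleartext password, which is why his PAP test succeeds and every EAP attempt fails, and the `mschap: ntlm_auth = "(null)"` line in his debug output shows rlm_mschap has no source of NT hashes at all. The standard way to do this against AD is to let rlm_mschap call Samba's `ntlm_auth` through winbind. Assumptions in the fragment below: Samba is installed, the host has been joined to the domain with `net ads join` and `winbindd` is running; the path `/usr/bin/ntlm_auth` and the NetBIOS domain name `EXAMPLE` are placeholders; the `%{mschap:...}` expansions are the ones rlm_mschap documents for this option in the 1.x releases.

```conf
# Added example, not Brandon's radiusd.conf. Placeholders: /usr/bin/ntlm_auth,
# the domain name EXAMPLE.

# As posted (seen in the debug output): no NT hash source, so EAP-MSCHAPv2
# can never be verified, whatever the LDAP module does.
#
#   mschap {
#       use_mppe = yes
#       ntlm_auth = "(null)"
#   }

# Corrected: rlm_mschap passes the MS-CHAP challenge and the client's
# NT-Response to ntlm_auth, which asks the domain controller via winbind.
# with_ntdomain_hack strips a leading DOMAIN\ that Windows clients send.
mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# The inner PEAP method defaults to mschapv2; making it explicit avoids
# surprises if default_eap_type is changed elsewhere.
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

# mschap must run in authorize (to set Auth-Type = MS-CHAP on the tunneled
# request) and in authenticate; ldap can stay for authorization lookups, it
# is no longer what authenticates the user.
authorize {
	preprocess
	mschap
	eap
	files
	ldap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

Check the winbind side on its own before touching radiusd: run `ntlm_auth --request-nt-key --domain=EXAMPLE --username=someuser --password=...` as the `radiusd` user; it must print `NT_STATUS_OK: Success (0x0)`, and for `--request-nt-key` that user needs read access to Samba's `winbindd_privileged` directory. If that command fails, the radiusd configuration cannot work either.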
Multiple values of Reply-Message for a realm in attr_filter. Is it possible? Does someone have an idea? Please.
OK, I have tested

company.com Reply-Message =~ (ValA|ValB)

It doesn't work (FreeRADIUS crashes and says:
Parse error (reply) for entry company.com: Expected end of line or comma
Errors reading /etc/freeradius/attrs
radiusd.conf[1253]: attr_filter: Module instantiation failed.)

Then I have tested

company.com Reply-Message =~ ValA|ValB

I can launch FreeRADIUS but I have no reply message at the end.

How do I know if regular expressions are enabled? (I read in rlm_attr_filter "if you have regular expressions enabled you also..."

Thanks
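The two attrs entries side by side, as an added example that is not the poster's file and not a reply from the list: the value on the right of `=~` has to be a quoted string, because the users-file parser that reads `attrs` treats an unquoted `(` as a token of its own, which is exactly the "Expected end of line or comma" error above. The entry key `company.com` and the values `ValA`/`ValB` are taken from the post; the anchors `^`/`$` are an addition, so that only the exact messages pass rather than any message containing them. On whether regular expressions are compiled in at all: rlm_attr_filter's `=~`/`!~` handling is conditional on `HAVE_REGEX_H`, which configure sets in `src/include/autoconf.h` of the build tree when it finds `regex.h`; on a glibc system that is normally the case, so a quoted regex that loads without error is the practical test.

```conf
# Added example, not the poster's /etc/freeradius/attrs. Only the second
# entry belongs in the file; the first is shown to explain the error.

# Does not load: the unquoted "(" is read as a separate token, the value
# ends there, and the parser reports "Expected end of line or comma" when
# it meets ValA|ValB.
company.com
	Reply-Message =~ (ValA|ValB)

# Loads: the regular expression is a quoted string. A Reply-Message equal
# to ValA or ValB is kept; any other Reply-Message is stripped from the
# reply before it goes back to the NAS.
company.com
	Reply-Message =~ "^(ValA|ValB)$"
```

Keep in mind that attr_filter only filters what is already in the reply; if the user's entry or the proxy reply carries no Reply-Message, the filter cannot add one, and an unanchored `ValA|ValB` that matches nothing leaves the reply without a Reply-Message, which is the second symptom described above.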