Problems with ttls using SecureW2

2005-02-03 Thread Øystein Gåsdal
Hi again!

I've decided to try the now open source SecureW2 supplicant, because I don't
think the built-in supplicant in WinXP is any good, especially when logging
in to NT Domains.

Anyway, when I try that, I encounter a problem; the Freeradius debug gives
me this error. I'm just pasting the lines with the error; the complete debug
is attached:

rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
 rlm_eap: Unable to tunnel TLS inside of TLS <---
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1. 
Login incorrect: [AALESUND\\OG4/] (from client
UNKNOWN-CLIENT port 50003 cli 00-10-60-0A-1F-42)
  TTLS: Got tunneled reply RADIUS code 3
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x04010004
Message-Authenticator = 0x
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  TTLS: Freeing handler for user AALESUND\OG4
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.

Under Configure in SecureW2, under Authentication, the Authentication Method
EAP, is selected, and EAP type is PEAP.

I think Alan wrote that the job with getting ttls to work was to set up tls
properly... Freeradius works with the built-in 802.1x supplicant, so I guess
that tls is in fact set up properly?

In eap.conf I have unchecked these lines:

ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
}

Anyone else having this problem, or at least knows what I'm doing wrong? :)

Thanks,
Øystein
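For reference, an added example of the ttls section of eap.conf (mine, not from the post or the FreeRADIUS distribution). The debug above shows the supplicant NAKing the server's offer and asking for EAP-Type peap inside the TTLS tunnel, and rlm_eap answering "Unable to tunnel TLS inside of TLS": the inner EAP type of a TTLS tunnel cannot itself be a TLS-based type (tls, ttls or peap). Whatever non-TLS inner type the server offers has to be the one selected as inner authentication in the supplicant; mschapv2 below is an assumed choice.

```conf
# eap.conf (FreeRADIUS 1.x), ttls section.  The inner EAP type offered in
# the tunnel must be a non-TLS type; rlm_eap refuses tls/ttls/peap there
# with "Unable to tunnel TLS inside of TLS".
ttls {
        # Offered first inside the tunnel; the supplicant may NAK it and
        # ask for another type, but not for a TLS-based one.
        # Assumed choice: mschapv2 (needs a clear-text or NT-Password for
        # the user).  md5 also works, against a clear-text password only.
        default_eap_type = mschapv2

        # Copy outer-request attributes (NAS-IP-Address, Calling-Station-Id,
        # ...) into the inner request so the inner authorize sees them.
        copy_request_to_tunnel = yes

        # Inner reply attributes stay inside the tunnel unless the NAS needs
        # them in the outer Access-Accept (e.g. VLAN attributes).
        use_tunneled_reply = no
}
```

The inner type still has to be backed by a credential the server can use: for mschapv2 that is a clear-text or NT-Password check item, for md5 a clear-text password.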





Web interface similar to Dialup Admin but for dialup users to change their login passwords.

2005-02-03 Thread Shannon Sariman



Hi All,
 
I am using freeradius with mysql and dialup admin. Is 
there any open source solution out there that can cater for dialup users to 
manually change their password using a similar web interface like dialup 
admin? Please help.
 
Regards,
 
Shannon


(no subject)

2005-02-03 Thread Anderson Alves de Albuquerque




 I can't store userPassword in clear text format. Is this possible?

 This is my system:

---[Server]-- CHAP --> [Radius]-- clear TXT --> [LDAP Server]


  I need the users' passwords to stay in crypt or DES format, i.e.
  RADIUS would then need to use crypt or DES to get the password in clear text.
  How could I tell RADIUS to use crypt or DES to get clear text?


  Remember that CHAP hashes the password sent from [server] to [RADIUS].

 If RADIUS knew how the original password is stored in LDAP, RADIUS
could do the hash. Then RADIUS could tell whether this hash is like the
hash that RADIUS receives from the [application].



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


pam_radius_auth and Redhat 9

2005-02-03 Thread Latham, Andrew



Hi there,

I have had this working perfectly on Redhat 7.3. We now have to move to 9 and was
wondering if anyone else had had a problem.

What I am experiencing is that the PAM module is invoked (using sshd) but never sends
the request to the RADIUS server. Eventually I get a "Server timed out" but a
TCPDUMP shows that nothing on port 1645 is ever sent.

Any assistance or experiences appreciated.

Andrew


Radius Authentication problem with SER

2005-02-03 Thread M.V. Jaga Mohan
Hi List,
I have downloaded freeradius 0.9.1 and SER-0.8.14
source and radiusclient library version 0.4.2.
compiled all of them and my radius is working well as
I have tested with Radtest. I have compiled SER with
radius module and I have got auth_radius.so also. But
when I am trying to run ser I am getting error called
:
init_mod() : Error while initializing module.
Kindly help me in this regard. It's very urgent.
Below I have provided the debug log. 

0(3672) WARNING: could not rev. resolve 192.168.5.1
Listening on
  127.0.0.1 [127.0.0.1]:5060
  192.168.5.1 [192.168.5.1]:5060
Aliases: localhost:5060 localhost.localdomain:5060
WARNING: no fork mode  and more than one listen
address found (will use only
the the first one)
 0(3672) DEBUG: init_mod: sl_module
stateless - initializing
 0(3672) DEBUG: register_fifo_cmd: new command
(sl_stats) registered
 0(3672) DEBUG: MD5 calculated:
b27e1a1d33761e85846fc98f5f3a7e58
 0(3672) DEBUG: init_mod: tm
 0(3672) TM - initializing...
 0(3672) Call-ID initialization: '7fbeafda'
 0(3672) DEBUG: register_fifo_cmd: new command
(t_uac_dlg) registered
 0(3672) DEBUG: register_fifo_cmd: new command
(t_uac_cancel) registered
 0(3672) DEBUG: register_fifo_cmd: new command
(t_hash) registered
 0(3672) DEBUG: lock_initialize: lock initialization
started
 0(3672) DEBUG: register_fifo_cmd: new command
(t_stats) registered
 0(3672) DEBUG: MD5 calculated:
533cb9e91f4b999cf76861cbb9ed54ed
 0(3672) DEBUG: MD5 calculated:
a6a1c5f60faecf035a1ae5b6e96e979a
 0(3672) DEBUG: init_mod: rr
 0(3672) rr - initializing
 0(3672) DEBUG: init_mod: maxfwd_module
Maxfwd module- initializing
 0(3672) DEBUG: init_mod: usrloc
 0(3672) usrloc - initializing
 0(3672) DEBUG: register_fifo_cmd: new command
(ul_stats) registered
 0(3672) DEBUG: register_fifo_cmd: new command (ul_rm)
registered
 0(3672) DEBUG: register_fifo_cmd: new command
(ul_rm_contact) registered
 0(3672) DEBUG: register_fifo_cmd: new command
(ul_dump) registered
 0(3672) DEBUG: register_fifo_cmd: new command
(ul_flush) registered
 0(3672) DEBUG: register_fifo_cmd: new command
(ul_add) registered
 0(3672) DEBUG: register_fifo_cmd: new command
(ul_show_contact) registered
 0(3672) DEBUG: init_mod: registrar
 0(3672) registrar - initializing
 0(3672) find_export: found  in module
sl_module [/usr/local/lib/ser/modules/sl.so]
 0(3672) find_export: found  in module
usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in module
usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) find_export: found  in
module usrloc [/usr/local/lib/ser/modules/usrloc.so]
 0(3672) DEBUG: init_mod: auth
 0(3672) auth module - initializing
 0(3672) find_export: found  in module
sl_module [/usr/local/lib/ser/modules/sl.so]
 0(3672) DEBUG: init_mod: auth_radius
 0(3672) auth_radius - Initializing
 0(3672) auth_radius: Error opening configuration file
 0(3672) init_mod(): Error while initializing module
auth_radius
ERROR: error while initializing modules
 0(3672) DEBUG: tm_shutdown : start
 0(3672) DEBUG: tm_shutdown : empting DELETE list
 0(3672) DEBUG: tm_shutdown : empting hash table
 0(3672) DEBUG: tm_shutdown: releasing timers
 0(3672) DEBUG: tm_shutdown : removing semaphores
 0(3672) DEBUG: tm_shutdown : done
 0(3672) shm_mem_destroy
 0(3672) destroying the shared memory lock



and My ser.conf file is like :

# --- global configuration parameters


#debug=3 # debug level (cmd line: -dd)
#fork=yes
#log_stderror=no# (cmd line: -E)

#Uncomment these lines to enter debugging mode 
debug=9
fork=no
log_stderror=yes


check_via=no# (cmd. line: -v)
dns=no   # (cmd. line: -r)
rev_dns=no  # (cmd. line: -R)
#port=5060
#children=4
fifo="/tmp/ser_fifo"

# -- module loading
--

# Uncomment this if you want to use SQL database
#loadmodule "/usr/local/lib/ser/modules/mysql.so"

loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/l

RE: MSCHAP V2 local

2005-02-03 Thread DeYoung, Brandon
Thanks for the response Alan, and sorry.

802.1x authentication is working via PEAP/mschap v2 and ntlm_auth utilizing
Active Directory as a backend. I'm still having problems adding local
accounts into the mix.

I've read the comments from the radiusd.conf file and I guess I still don't
get it.

I've tried this and a few other things in the users file.
test Auth-Type = Local, Password = "testing"

With this set up radtest works See output:

houston:/etc/raddb # radtest test testing houston 43.191.112.164 SECRET
Sending Access-Request of id 207 to 43.191.104.39:1812
User-Name = "test"
User-Password = "testing"
NAS-IP-Address = houston
NAS-Port = 43
rad_recv: Access-Accept packet from host 43.191.104.39:1812, id=207,
length=20

Authentication against the AD backend works from my clients with mschap v2.
But my local users still don't work when sent through mschap.


Any help would be appreciated,
~Brandon




Here is debug output:

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:2604, id=53,
length=161
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 41
Framed-MTU = 1400
State = 0xc1b4f1f6a1eb428d51588b5a150afaf2
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020d00061900
Message-Authenticator = 0xc75d85067706046c6b4cd5e9665f68eb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
  modcall[authorize]: module "preprocess" returns ok for request 10
  modcall[authorize]: module "chap" returns noop for request 10
  modcall[authorize]: module "mschap" returns noop for request 10
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 10
users: Matched test at 90
  modcall[authorize]: module "files" returns ok for request 10
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 10
  rlm_eap: EAP packet type response id 13 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 10
modcall: group authorize returns updated for request 10
  rad_check_password:  Found Auth-Type Local
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'test'
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3 
  eaptls_process returned 3 
  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 10
modcall: group authenticate returns handled for request 10
Sending Access-Challenge of id 53 to 43.191.112.162:2604
EAP-Message =
0x010e002019001703010015476ada932e352a8179b36b2660a5302ffc14de6212
Message-Authenticator = 0x
State = 0x04f23059be33b4ad387d1e4375c7fa73
Finished request 10
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:2605, id=54,
length=187
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 41
Framed-MTU = 1400
State = 0x04f23059be33b4ad387d1e4375c7fa73
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020e00201900170301001541861b8157e8d5b41373cfcd48e7814f071adc6a5e
Message-Authenticator = 0x9263ef3e7cd830fc464a1f6d14083894
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
  modcall[authorize]: module "preprocess" returns ok for request 11
  modcall[authorize]: module "chap" returns noop for request 11
  modcall[authorize]: module "mschap" returns noop for request 11
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 11
users: Matched test at 90
  modcall[authorize]: module "files" returns ok for request 11
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 11
  r
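The two transcripts in this thread and the SecureW2 one at the top of the page are read the same way: find the request, see which Auth-Type(s) were selected, see what each module returned, and see what was sent back. Below is an added Python example (mine, not part of FreeRADIUS) that does this mechanically for radiusd -X output in the 1.x format shown on this page. The sample transcript at the bottom is constructed from lines in those posts, with the final Access-Reject line added; the readings attached to particular debug lines are mine.

```python
"""Summarise a FreeRADIUS ``radiusd -X`` transcript request by request.

Added example for this page; not FreeRADIUS code.  The regexes match the
1.x debug format shown in the posts above; SAMPLE is constructed from them.
"""
import re
from dataclasses import dataclass, field

RE_RECV = re.compile(r"^rad_recv: (Access-\w+) packet from host (\S+), id=(\d+)")
RE_SEND = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+)")
RE_AUTHTYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
RE_MODCALL = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+)')
RE_TWO_TYPES = re.compile(r"Warning:\s+Found (\d+) auth-types")

# Debug lines that point at one specific problem, with the reading a
# practitioner would give them (assumed readings, not server text).
HINTS = {
    "Unable to tunnel TLS inside of TLS":
        "supplicant asked for a TLS-based inner EAP type (TLS/TTLS/PEAP); "
        "use a non-TLS inner method on both sides",
    "TTLS: Got tunneled Access-Reject":
        "outer TLS tunnel is fine; the inner authentication was rejected",
    "auth: Failed to validate the user.":
        "authenticate section returned a failure for this request",
}


@dataclass
class Request:
    ident: int
    nas: str
    auth_types: list = field(default_factory=list)
    modules: dict = field(default_factory=dict)   # (section, module) -> rcode
    outcome: str = "no reply seen"
    findings: list = field(default_factory=list)


def parse_debug(text):
    """Split a debug transcript into Request records, in arrival order."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_RECV.match(line)
        if m:
            cur = Request(ident=int(m.group(3)), nas=m.group(2))
            requests.append(cur)
            continue
        if cur is None:
            continue
        if m := RE_AUTHTYPE.search(line):
            cur.auth_types.append(m.group(1))
        elif m := RE_MODCALL.search(line):
            cur.modules[(m.group(1), m.group(2))] = m.group(3)
        elif m := RE_TWO_TYPES.search(line):
            cur.findings.append(
                f"{m.group(1)} Auth-Types on one request "
                f"({', '.join(cur.auth_types)}): a forced Auth-Type in the "
                "users file is competing with the one a module set")
        elif m := RE_SEND.match(line):
            if int(m.group(2)) == cur.ident:
                cur.outcome = m.group(1)
        else:
            for needle, reading in HINTS.items():
                if needle in line:
                    cur.findings.append(reading)
    return requests


def summarise(req):
    """One-line, human-readable verdict for a parsed request."""
    failed = [f"{sec}/{mod}={rc}" for (sec, mod), rc in req.modules.items()
              if rc in ("fail", "invalid", "reject")]
    parts = [f"id={req.ident} from {req.nas}: {req.outcome}",
             f"Auth-Type(s): {', '.join(req.auth_types) or 'none'}"]
    if failed:
        parts.append("failing modules: " + ", ".join(failed))
    parts.extend(req.findings)
    return "; ".join(parts)


# Constructed sample: two requests modelled on the transcripts in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 43.191.112.162:2604, id=53, length=161
        User-Name = "test"
  modcall[authorize]: module "files" returns ok for request 10
  modcall[authorize]: module "eap" returns updated for request 10
  rad_check_password:  Found Auth-Type Local
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'test'
auth: type "EAP"
  modcall[authenticate]: module "eap" returns handled for request 10
Sending Access-Challenge of id 53 to 43.191.112.162:2604
rad_recv: Access-Request packet from host 127.0.0.1:50003, id=8, length=200
  rad_check_password:  Found Auth-Type EAP
 rlm_eap: EAP-NAK asked for EAP-Type/peap
 rlm_eap: Unable to tunnel TLS inside of TLS
  modcall[authenticate]: module "eap" returns invalid for request 8
auth: Failed to validate the user.
Sending Access-Reject of id 8 to 127.0.0.1:50003
"""

if __name__ == "__main__":
    for r in parse_debug(SAMPLE):
        print(summarise(r))
```

Run it on a saved transcript with `parse_debug(open("debug.txt").read())`; the per-request summary makes the "two auth-types" case and the "TLS inside TLS" case stand out without reading the whole log.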

Re: Dialip_admin ?

2005-02-03 Thread Joel Eddy
FYI, for anyone else running Apache 2.0, MySql 3.23.58-9.1 with modules for php4
where the left column in dialup_admin is nothing but text, here is the fix
that I had to do.
cd to /etc/httpd/conf.d and with your favorite text editor open the file
php.conf and add this line under AddType:

AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3   <-- new line

Save the file and restart apache. You should now see the left column.
I hope this helps someone.
Joel
- Original Message - 
From: " Joel Eddy" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, February 03, 2005 12:23 PM
Subject: Re: Dialip_admin ?


Thanks for the tip. I think that is it. I can see the info with
test.php. But see nothing but text if I use php3.
I'll look into apache then.
Again thanks for the info. ;-)
Joel
- Original Message - 
From: "Morgan Nelson" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, February 03, 2005 10:16 AM
Subject: Re: Dialip_admin ?


Joel Eddy wrote:
 Could someone give me a link to a howto and faq on dialup_admin?
 Having issues with the page displaying correctly on apache 2.0 with
 MySql 3.23.58-9.1 left column is html markup only. No buttons or
 anything.
 I've installed by the howto in dialup_admin. But need help
 finishing up.
 Joel

The problem you are seeing is most likely not a dialup admin problem,
but an apache/php config problem.
Make sure you have mod_php installed and working in your apache
install.  To test php, make a file named "test.php" with only this in it:
<---cut--->

<---cut--->
put that in your webserver html dir, and try to view it from a web
browser.  You should see a bunch of tables describing your php
install.  If you see only the text, something is very wrong with your
mod_php install, or apache config.  Check with the php website to fix
this. (http://www.php.net)
If that works, try renaming the file to "test.php3" and see if it
still works.  Dialup admin still uses (for historical reasons,
according to the dialup admin README file) the .php3 extension, which
may or may not be mapped to php in your installation.  Again, refer to
the php website to add a handler in apache for .php3 files.
hope this helps...
Morgan







Re: MSCHAP V2 local

2005-02-03 Thread Alan DeKok
"DeYoung, Brandon" <[EMAIL PROTECTED]> wrote:
> I'm now trying to add a handful of local accounts, for people/devices who
> do not have AD accounts. I've tried adding things like this to the
> /etc/raddb/users file:
> 
>  test  Auth-Type := MS-CHAP, User-Password == "testing"

  And that will cause problems.

> I've tried a few different derivatives of this but so far couldn't get
> anything to work.

  First, see the FAQ about statements like "it doesn't work".

  Second, read radiusd.conf, the comments above the "authenticate" section.

  Alan DeKok.

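To make the radiusd.conf advice concrete, an added users-file example (mine, not from the thread or the FreeRADIUS distribution). Brandon's follow-up debug shows both "Found Auth-Type Local" and "Found Auth-Type EAP" on one request, with "Warning: Found 2 auth-types": the Auth-Type forced in the users file competes with the one rlm_eap sets. A local PEAP/MS-CHAPv2 account only needs a check item the mschap module can work from; the user name and password are made up.

```conf
# /etc/raddb/users (FreeRADIUS 1.x)

# Forcing Auth-Type collides with the modules that set it themselves:
# rlm_eap sets Auth-Type = EAP when it sees EAP-Message, and rlm_mschap
# sets Auth-Type = MS-CHAP when it sees MS-CHAP-Challenge/MS-CHAP2-Response.
#test   Auth-Type := Local, User-Password == "testing"
#test   Auth-Type := MS-CHAP, User-Password == "testing"

# Give only the credential as a check item.  The outer request is handled
# by EAP; the tunnelled MS-CHAPv2 request goes through authorize again,
# and rlm_mschap derives the NT hash from User-Password to verify it.
test    User-Password == "testing"
        Service-Type = Framed-User
```

The same entry also serves plain PAP from a NAS, since the clear-text check item is compared directly; it cannot serve an account whose password is known only as a one-way hash.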


MSCHAP V2 local

2005-02-03 Thread DeYoung, Brandon
Hello all,

Thanks to a little help from the list, I have the following working:

802.1x authentication via PEAP/mschap v2 and ntlm_auth utilizing Active
Directory as a backend.

I'm now trying to add a handful of local accounts, for people/devices who
do not have AD accounts. I've tried adding things like this to the
/etc/raddb/users file:

 test  Auth-Type := MS-CHAP, User-Password == "testing"
       Service-Type = Framed-User

I've tried a few different derivatives of this but so far couldn't get
anything to work.

Thanks in advance for any help. And thanks again for past help,

~Brandon


simultaneous use

2005-02-03 Thread Max Belousov



Hello All,

I have configured the user "test1":

test1   Auth-Type := Local, User-Password == "test1", Simultaneous Use = 1
        Session-Timeout = 1200,
        Fall-Through = Yes

Unable to login:

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 67.130.149.170:1024, id=0, length=181
    User-Name = "test1"
    User-Password = "test1"
    NAS-IP-Address = 65.x.x.170
    NAS-Port = 0
    Service-Type = Login-User
    Acct-Session-Id = "0801"
    Called-Station-Id = "00-90-FB-04-17-8B"
    Calling-Station-Id = "08-00-46-05-65-26"
    Nomadix-Logoff-URL = "http://1.1.1.1"
    WISPr-Location-ID = "isocc=,cc=,ac=,network="
    NAS-Identifier = "HSG"
    NAS-Port-Type = Async
    Framed-IP-Address = 10.0.0.13
rlm_eap: EAP-Message not found
Sending Access-Reject of id 0 to 67.130.149.170:1024

If I remove the Simultaneous Use = 1, which does not give me any errors during
the service start, then it is working.

ANY help would be appreciated

Max


Re: Dialip_admin ?

2005-02-03 Thread Joel Eddy
Thanks for the tip. I think that is it. I can see the info with
test.php. But see nothing but text if I use php3.
I'll look into apache then.
Again thanks for the info. ;-)
Joel
- Original Message - 
From: "Morgan Nelson" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, February 03, 2005 10:16 AM
Subject: Re: Dialip_admin ?


Joel Eddy wrote:
 Could someone give me a link to a howto and faq on dialup_admin?
 Having issues with the page displaying correctly on apache 2.0 with
 MySql 3.23.58-9.1 left column is html markup only. No buttons or
 anything.
 I've installed by the howto in dialup_admin. But need help
 finishing up.
 Joel

The problem you are seeing is most likely not a dialup admin problem,
but an apache/php config problem.
Make sure you have mod_php installed and working in your apache
install.  To test php, make a file named "test.php" with only this in it:
<---cut--->

<---cut--->
put that in your webserver html dir, and try to view it from a web
browser.  You should see a bunch of tables describing your php
install.  If you see only the text, something is very wrong with your
mod_php install, or apache config.  Check with the php website to fix
this. (http://www.php.net)
If that works, try renaming the file to "test.php3" and see if it
still works.  Dialup admin still uses (for historical reasons,
according to the dialup admin README file) the .php3 extension, which
may or may not be mapped to php in your installation.  Again, refer to
the php website to add a handler in apache for .php3 files.
hope this helps...
Morgan





Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Mearl Danner
You need to check the archives. But I'll answer anyway.

Here's an explanation from one of Novell's forums. It's talking about
Novells' Edirectory, but would apply to any other LDAP server.


You are correct that the FreeRADIUS LDAP module cannot authenticate a
MS-CHAP password against eDirectory. This is because the RADIUS server
receives only a hash of the password from the client. To verify the
password, the server must look up a clear-text version of the password,
then compute a hash using the clear-text password with a nonce provided in
the access-request packet. If the server-generated hash matches the hash
provided by the client, then authentication is accepted.


The password is not sent, therefore is not available to the Radius
server to use for a bind against the LDAP server.


Mearl


>>> [EMAIL PROTECTED] 02/03 11:53 AM >>>
Thanks for the fast answer! 
 
 



Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Stefan Neis
[EMAIL PROTECTED] schrieb:

> That means if the LDAP server were somehow configured
> to send out the
> attribute userPassword in cleartext, it would work with
> MSCHAP?

Yes. If Radius gets the cleartext password from somewhere, it
can check if the MSCHAP stuff which the user did send is correct.
If it doesn't get the cleartext password, no check is possible.

> With MSCHAP, is there definitely no chance to get it
> to work by having the RADIUS server
> send a bind message to the LDAP directory, like I did
> successfully in the log with
> radtest?

Binding to LDAP requires that the person/program sending
the bind message knows the cleartext password. You can't
obtain that from MSCHAP information, so there's no way
this can work.
 
 HTH,
   Stefan



Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Benjamin Doellwanger1
Thanks for the fast answer! 
 
The person who is responsible for the LDAP server told me that our LDAP does
not send a password out, for security reasons, but accepts "bindings" with a
password (see the radtest log below).
That means if the LDAP server were somehow configured to send out the
attribute userPassword in cleartext, it would work with MSCHAP?
With MSCHAP, is there definitely no chance to get it to work by having the RADIUS
server send a bind message to the LDAP directory, like I did successfully in the
radtest log?
 
rad_recv: Access-Request packet from host X:32768, id=71, length=58 
User-Name = "XX" 
User-Password = "XXX" 
NAS-IP-Address = 255.255.255.255 
NAS-Port =  
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 8 
  modcall[authorize]: module "preprocess" returns ok for request 8 
radius_xlat:  '/var/log/radius/radacct/X/auth-detail-20050125' 
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct//auth-detail-20050125 
  modcall[authorize]: module "auth_log" returns ok for request 8 
  modcall[authorize]: module "chap" returns noop for request 8 
  modcall[authorize]: module "mschap" returns noop for request 8 
rlm_realm: No '@' in User-Name = "XX", looking up realm NULL 
rlm_realm: No such realm "NULL" 
  modcall[authorize]: module "suffix" returns noop for request 8 
  rlm_eap: No EAP-Message, not doing EAP 
  modcall[authorize]: module "eap" returns noop for request 8 
users: Matched DEFAULT at 158 
users: Matched DEFAULT at 160 
  modcall[authorize]: module "files" returns ok for request 8 
rlm_ldap: - authorize 
rlm_ldap: performing user authorization for XXX 
radius_xlat:  '(cn=XX)' 
radius_xlat:  'cn=X,dc=XXX,dc=de' 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: performing search in cn=X,dc=,dc=de, with filter 
(cn=XX) 
rlm_ldap: looking for check items in directory... 
rlm_ldap: looking for reply items in directory... 
rlm_ldap: user XX authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module "ldap" returns ok for request 8 
modcall: group authorize returns ok for request 8 
  rad_check_password:  Found Auth-Type LDAP 
auth: type "LDAP" 
  Processing the authenticate section of radiusd.conf 
modcall: entering group Auth-Type for request 8 
rlm_ldap: - authenticate 
rlm_ldap: login attempt by "XX" with password "XX" 
rlm_ldap: user DN: cn=XX,cn=X, dc=,dc=de 
rlm_ldap: (re)connect to .X.XX.de:389, authentication 1 
rlm_ldap: bind as cn=XXX,cn=XXX, dc=XXX,dc=de/XPasswordX to 
XX.X..de:389 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
rlm_ldap: user XX authenticated succesfully 
  modcall[authenticate]: module "ldap" returns ok for request 8 
modcall: group Auth-Type returns ok for request 8 
Sending Access-Accept of id 71 to :32768 
Finished request 8 
 
 
 
> [EMAIL PROTECTED] wrote: 
> > If i understood it right, the Radius Server should do a bind to LDAP Server 
> >  with DN and Password provided. 
>  
>   What password?  There's no password in MSCHAPv2, and LDAP doesn't do 
> MSCHAPv2. 
>  
> > The success answer from LDAP tells the Radius Server authentication 
> > successful finished. 
>  
>   LDAP servers are not authentication servers.  RADIUS servers are 
> authentication servers.  That's the root cause of your confusion. 
>  
> > Is it basicaly possible with PEAP/MSCHAPv2 to authenticate at an LDAP 
> > directory? 
>  
>   No.  See any number of posts on this list about this topic. 
>  
>   LDAP has to provide a clear-text, or NT password to FreeRADIUS. 
> FreeRADIUS will then do the work. 
>  
>   Alan DeKok. 
>  
>  
 



Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> If i understood it right, the Radius Server should do a bind to LDAP Server
>  with DN and Password provided.

  What password?  There's no password in MSCHAPv2, and LDAP doesn't do
MSCHAPv2.

> The success answer from LDAP tells the Radius Server authentication
> successful finished.

  LDAP servers are not authentication servers.  RADIUS servers are
authentication servers.  That's the root cause of your confusion.

> Is it basicaly possible with PEAP/MSCHAPv2 to authenticate at an LDAP
> directory?

  No.  See any number of posts on this list about this topic.

  LDAP has to provide a clear-text, or NT password to FreeRADIUS.
FreeRADIUS will then do the work.

  Alan DeKok.


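To make "clear-text, or NT password" concrete, and to answer the same question asked for plain CHAP in the "(no subject)" post earlier on this page, here is an added Python example (mine, not from the thread or from FreeRADIUS). CHAP (RFC 1994) and MS-CHAPv2 are challenge/response protocols: the server never receives the password, it has to compute the expected response itself. For CHAP that takes the clear-text password (MD5 over identifier, password and challenge). For MS-CHAPv2 the DES keys are derived from the NT hash, MD4 over the UTF-16LE password, so either the clear-text password or that stored NT hash will do, while a one-way directory hash such as {SSHA} or crypt(3) can only back a bind or compare, i.e. PAP. The DES steps of MS-CHAPv2 are not reproduced; the example stops at the NT hash they start from. Passwords, salts and challenges are constructed, and MD4 is implemented inline because hashlib on OpenSSL 3 systems often lacks it.

```python
"""Why CHAP and MS-CHAPv2 need a recoverable credential on the RADIUS side.

Added example for this page, not FreeRADIUS code.  All passwords, salts and
challenges are constructed.
"""
import base64
import hashlib
import hmac
import os
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320).  Inline because hashlib.new("md4") needs OpenSSL's
    legacy provider on many current systems."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words in order, shifts 3 7 11 19
            t = (a + F(b, c, d) + X[i]) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0 4 8 12 1 5 9 13 ...
            t = (a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: fixed word order, shifts 3 9 11 15
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            t = (a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF
            a, b, c, d = d, _rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_password(password: str) -> bytes:
    """NT-Password as rlm_mschap uses it: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(pw || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_chap(stored: dict, ident: int, challenge: bytes, response: bytes):
    """True/False when the stored form allows CHAP verification, None when it
    does not: only the clear-text password lets the server recompute the MD5."""
    if "Cleartext-Password" not in stored:
        return None
    expected = chap_response(ident, stored["Cleartext-Password"], challenge)
    return hmac.compare_digest(expected, response)


def mschap_material(stored: dict):
    """The NT hash rlm_mschap starts its DES computations from: taken as-is
    from NT-Password, derived from a clear-text password, otherwise absent."""
    if "NT-Password" in stored:
        return stored["NT-Password"]
    if "Cleartext-Password" in stored:
        return nt_password(stored["Cleartext-Password"])
    return None


def supported_methods(stored: dict) -> dict:
    """Which authentication methods a given stored form can back."""
    clear = "Cleartext-Password" in stored
    return {
        "PAP (LDAP bind or compare)": True,   # the NAS sends the password itself
        "CHAP": clear,
        "MS-CHAPv2": clear or "NT-Password" in stored,
    }


if __name__ == "__main__":
    pw, ident, challenge = "correct horse", 0x2A, os.urandom(16)   # constructed
    stores = {
        "clear-text": {"Cleartext-Password": pw},
        "NT hash":    {"NT-Password": nt_password(pw)},
        "{SSHA}":     {"userPassword": ssha(pw, b"s4lt")},
    }
    response = chap_response(ident, pw, challenge)
    for name, store in stores.items():
        print(f"{name:10} CHAP={verify_chap(store, ident, challenge, response)} "
              f"{supported_methods(store)}")
```

The {SSHA} row is the situation in this thread: a bind with the user's password (what radtest exercised) works, CHAP returns None because nothing can be recomputed, and MS-CHAPv2 has no NT hash to start from. Storing the NT hash alongside (as Samba-style schemas do) is exactly the "NT password" Alan refers to; it is a password-equivalent and needs the same protection as clear text.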


Re: Accounting Part is not working

2005-02-03 Thread Alan DeKok
"Sarkis Gabriel" <[EMAIL PROTECTED]> wrote:
> In the last couple of days i have noticed that the part of
> accounting is not working, I am using mikrotik as a NAS, when a user
> logs on and gets authenticated all works fine but when the user logs
> off the user never gets to Radius to stop the accounting.

  FreeRADIUS logs whatever accounting data the NAS sends.  If the NAS
isn't sending data, FreeRADIUS can't log it.

  Fix the NAS.  Nothing else will solve the problem.

  Alan DeKok.




Re: Convert from gnu-radius to freeradius 1.0.1

2005-02-03 Thread Alan DeKok
"Hans-Peter Fuchs" <[EMAIL PROTECTED]> wrote:
> I want to change from gnu-radius to freeradius 1.0.1.

I'm not going to complain.

> if (%[User-Name] == "" && *%[Acct-Session-Id])
> %[Orig-User-Name] = %[Acct-Session-Id];
> else
> %[Orig-User-Name] = %[User-Name];
> return 0;

  You can do this in the current CVS snapshot, using rlm_policy.

  Alan DeKok.



Re: Timeout with freeradius1.0.1 on redhat-AS-3.1

2005-02-03 Thread Alan DeKok
"Hans-Peter Fuchs" <[EMAIL PROTECTED]> wrote:
> I test freeradius1.0.1 on redhat-AS-3. If I run freeradius in debug 
> mode (radiusd -X) there are no problems (running 15 hours). If I run 
> freeradius in normal mode (radiusd -y) after several hours all rad-
> access-requests which are processed via pam lead to a timeout:

  I'm not too surprised.  PAM isn't really intended to be used in a
long-lived server.  Hmm... maybe someone should check mod_auth_pam,
and see if they do anything different than rlm_pam.

  But no one has looked at the PAM code in quite a while, sorry.

  Alan DeKok.



Re: EAP-TLS with Freeradius, how to check locality ?

2005-02-03 Thread Alan DeKok
Riccardo Veraldi <[EMAIL PROTECTED]> wrote:
> do you know where in the source code freeradius check for certificates ?
> could you give me a hint about where is located the C file to modify ?

  src/modules/rlm_eap/types/rlm_eap_tls/*

  Alan DeKok.



Re: Strange Error

2005-02-03 Thread Alan DeKok
"Brad Dixon" <[EMAIL PROTECTED]> wrote:
> I don't presume anyone has seen the following error and I presume I have 
> pulled the whole process below.
> Maybe however one who knows the code a little better than myself will point 
> me in the right direction.
...
> Thu Feb  3 18:22:34 2005 : Error: rlm_sql_unixodbc: 'HY000 
> [unixODBC][Informix][Informix ODBC Driver][Informix]Routine (unix_timestamp) 
> can not be resolved. '

  That's not nice.  It sounds like the Informix system the drivers
need isn't complete.


> This occurs from an Ericsson Tigris unit. I used to happen on one we
> had on a remote site and not the one here, but now it has started on
> this one to.

  It's not a property of the NAS, it's the Informix back-end.

  Alan DeKok.



Re: redhat9 and freeradius1.0.1

2005-02-03 Thread Alan DeKok
dominique dalponte <[EMAIL PROTECTED]> wrote:
> dict.c:579: `errno' undeclared (first use in this function)

  "errno" is defined by the system header files.  If errno isn't
found, that means your system cannot compile anything.

  Please install standard development tools.

  Alan DeKok.




Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Benjamin Doellwanger1
Hi everybody!

I'm doing a Bachelor thesis about setting up secure WLAN access with a
FreeRADIUS server for my university.
Because I have to hand in my thesis on the 1st of March, this is urgent.

Now a description of my problem:
Clients send username/password through PEAP/MSCHAPv2 to the RADIUS server, which
uses an LDAP server for authentication.
If I understood it right, the RADIUS server should do a bind to the LDAP server
with the DN and password provided.
The success answer from LDAP tells the RADIUS server that authentication finished
successfully.
The point is, I got a successful authentication with the program radtest by a
bind to the LDAP server. And I get success with PEAP/MSCHAPv2 using a test user in
the local config file users.
But the whole "chain" does not work. I can't figure out what the error message (see
end) means and how to stop it.

Is it basically possible with PEAP/MSCHAPv2 to authenticate against an LDAP
directory?

Here is my log that is successful in authorize with LDAP, but fails to
authenticate with LDAP:
(private information replaced with X)
 
 
Ready to process requests. 
rad_recv: Access-Request packet from host XXX:1301, id=211, 
length=126 
NAS-IP-Address = xxx 
NAS-Port-Type = Wireless-802.11 
NAS-Port = 1 
Framed-MTU = 1400 
User-Name = "xx" 
Calling-Station-Id = "000fb5377adc" 
Called-Station-Id = "0001f47afc19" 
NAS-Identifier = "RoamAbout3000" 
EAP-Message = 0x0201000b016e6639353532 
Message-Authenticator = 0xffc4a4fa474a2827dad8ad1e2bf4905e 
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 0 
  modcall[authorize]: module "preprocess" returns ok for request 0 
radius_xlat:  '/var/log/radius/radacct/xx/auth-detail-20050203' 
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/x/auth-detail-20050203 
  modcall[authorize]: module "auth_log" returns ok for request 0 
  modcall[authorize]: module "chap" returns noop for request 0 
  modcall[authorize]: module "mschap" returns noop for request 0 
rlm_realm: No '@' in User-Name = "xx", looking up realm NULL 
rlm_realm: No such realm "NULL" 
  modcall[authorize]: module "suffix" returns noop for request 0 
  rlm_eap: EAP packet type response id 1 length 11 
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation 
  modcall[authorize]: module "eap" returns updated for request 0 
users: Matched DEFAULT at 162 
  modcall[authorize]: module "files" returns ok for request 0 
rlm_ldap: - authorize 
rlm_ldap: performing user authorization for xx 
radius_xlat:  '(uid=xx)' 
radius_xlat:  'cn=xxx,ou=xxx,o=x,c=DE' 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: attempting LDAP reconnection 
rlm_ldap: (re)connect to :389, authentication 0 
rlm_ldap: bind as / to xx 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
rlm_ldap: performing search in cn=x,ou=xx,o=x,c=DE, 
with filter (uid=xx) 
rlm_ldap: looking for check items in directory... 
rlm_ldap: looking for reply items in directory... 
rlm_ldap: user XX authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module "ldap" returns ok for request 0 
modcall: group authorize returns updated for request 0 
  rad_check_password:  Found Auth-Type EAP 
auth: type "EAP" 
  Processing the authenticate section of radiusd.conf 
modcall: entering group authenticate for request 0 
  rlm_eap: EAP Identity 
  rlm_eap: processing type tls 
  rlm_eap_tls: Initiate 
  rlm_eap_tls: Start returned 1 
  modcall[authenticate]: module "eap" returns handled for request 0 
modcall: group authenticate returns handled for request 0 
Sending Access-Challenge of id 211 to :1301 
EAP-Message = 0x010200061920 
Message-Authenticator = 0x 
State = 0x8119cf34fdc7ff9e112a9d51a6e9f6a9 
Finished request 0 
Going to the next request 
--- Walking the entire request list --- 
Waking up in 6 seconds... 
rad_recv: Access-Request packet from host :1302, id=212, length=213 
NAS-IP-Address =  
NAS-Port-Type = Wireless-802.11 
NAS-Port = 1 
Framed-MTU = 1400 
User-Name = "XX" 
Calling-Station-Id = "000fb5377adc" 
Called-Station-Id = "0001f47afc19" 
NAS-Identifier = "RoamAbout3000" 
State = 0x8119cf34fdc7ff9e112a9d51a6e9f6a9 
EAP-Message = 
0x0202005019800046160301004101000

Re: Dialip_admin ?

2005-02-03 Thread Morgan Nelson
Joel Eddy wrote:
 Could someone give me a link to a howto and faq on dialup_admin?
 Having issues with the page displaying correctly on apache 2.0 with
 MySql 3.23.58-9.1 left column is html markup only. No buttons or
 anything.
 I've installed by the howto in dialup_admin. But need help
 finishing up.
 Joel

The problem you are seeing is most likely not a dialup admin problem,
but an apache/php config problem.
Make sure you have mod_php installed and working in your apache
install.  To test php, make a file named "test.php" with only this in it:
<---cut--->
<?php phpinfo(); ?>
<---cut--->
put that in your webserver html dir, and try to view it from a web
browser.  You should see a bunch of tables describing your php
install.  If you see only the text, something is very wrong with your
mod_php install, or apache config.  Check with the php website to fix
this. (http://www.php.net)
If that works, try renaming the file to "test.php3" and see if it
still works.  Dialup admin still uses (for historical reasons,
according to the dialup admin README file) the .php3 extension, which
may or may not be mapped to php in your installation.  Again, refer to
the php website to add a handler in apache for .php3 files.
hope this helps...
Morgan


redhat9 and freeradius1.0.1

2005-02-03 Thread dominique dalponte
hello
I want to compile freeradius on a redhat9; the make stops with this error.
Can somebody help me?
best regards
dom
gmake[4]: Entre dans le répertoire `/usr/src/redhat/BUILD/freeradius-1.0.1/src/lib'
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef  
-D_LIBRADIUS -I../include  -DHMAC_SHA1_DATA_PROBLEMS -c dict.c -o dict.o
dict.c:89: AVERTISSEMENT: aucun prototype précédent pour « dict_free »
dict.c: Dans la fonction « my_dict_init »:
dict.c:579: « errno » non déclaré (première utilisation dans cette fonction)
dict.c:579: (Chaque identificateur non déclaré est rapporté une seule fois
dict.c:579: pour chaque fonction dans laquelle il apparaît.)
gmake[4]: *** [dict.o] Erreur 1
gmake[4]: Quitte le répertoire `/usr/src/redhat/BUILD/freeradius-1.0.1/src/lib'
gmake[3]: *** [common] Erreur 1
gmake[3]: Quitte le répertoire `/usr/src/redhat/BUILD/freeradius-1.0.1/src'
gmake[2]: *** [all] Erreur 2
gmake[2]: Quitte le répertoire `/usr/src/redhat/BUILD/freeradius-1.0.1/src'
gmake[1]: *** [common] Erreur 1
gmake[1]: Quitte le répertoire `/usr/src/redhat/BUILD/freeradius-1.0.1'
make: *** [all] Erreur 2





RE: Dialip_admin ?

2005-02-03 Thread Joel Eddy
Could someone give me a link to a howto and faq on dialup_admin?
Having issues with the page displaying correctly on apache 2.0 with MySql
3.23.58-9.1.
The left column is HTML markup only. No buttons or anything.

I've installed it per the howto in dialup_admin, but need help finishing up.
Joel



Re: Accounting Part is not working

2005-02-03 Thread Stefan Winter
Hello!

>> In the last couple of days I have noticed that the accounting part is
>> not working.
>> I am using MikroTik as a NAS; when a user logs on and gets authenticated
>> all works fine,
>> but when the user logs off the user never gets to RADIUS to stop the
>> accounting.
>>
>> If I reboot the MT NAS it kicks all users off. I don't know what is causing it;
>> if my
>> database is big, will it do that? If so, how do I sort it out?

> If you find out let me know, I'm doing the same thing... same problem..

In my early days of experimenting with accounting I had a similar problem. In
my case it was a misconfiguration of the NAS. I used a Cisco NAS and told it
to send "dot1x" accounting start-stop messages. This led to it sending the
tickets only when a dot1x action took place, i.e. on a proper user login and
an EAPoL-Logoff. This does not apply when a user just disconnects without
logging off, i.e. just unplugging the cable or powering his system down.
To enable the NAS to send acct packets then as well, I had to activate
"system" accounting start-stop messages as well, which send Acct messages on
system events, i.e. cable unplugged, lost association etc.

Hope that helps,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur réseau et système

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473



RE: Accounting Part is not working

2005-02-03 Thread Cris Boisvert
If you find out let me know I'm doing the same thing... same problem..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sarkis
Gabriel
Sent: Thursday, February 03, 2005 10:08 AM
To: freeradius-users@lists.freeradius.org
Subject: Accounting Part is not working


Hi all

In the last couple of days I have noticed that the accounting part is not
working.
I am using MikroTik as a NAS; when a user logs on and gets authenticated all
works fine,
but when the user logs off the user never gets to RADIUS to stop the
accounting.

If I reboot the MT NAS it kicks all users off. I don't know what is causing it; if
my
database is big, will it do that? If so, how do I sort it out?

sarky






Accounting Part is not working

2005-02-03 Thread Sarkis Gabriel

Hi all

In the last couple of days I have noticed that the accounting part is not
working.
I am using MikroTik as a NAS; when a user logs on and gets authenticated all
works fine,
but when the user logs off the user never gets to RADIUS to stop the accounting.

If I reboot the MT NAS it kicks all users off. I don't know what is causing it; if my
database is big, will it do that? If so, how do I sort it out?

sarky




Re: Huntgroup "GROUP"?

2005-02-03 Thread Roger Peña Escobio
Message quoted from Alan DeKok <[EMAIL PROTECTED]>:

> "Cris Boisvert" <[EMAIL PROTECTED]> wrote:
> > I have this in the users file
> >
> > pork1   Client-IP-Address != 208.243.100.5, Auth-Type := reject, Password ==

here you say "Client-IP-Address"


> > "test"
> >
> > When I test from that nas I get a reject every time.
but here you say you are testing from a NAS

maybe it is better to use NAS-IP-Address instead of Client-IP-Address; it is
supposed to be the same, but...


roger
--
Central node of the Infomed network (http://www.sld.cu)
Linux user: 97152   (http://counter.li.org)
Member of the LinuxCuba coordination group (http://www.linux.cu)

"Whatever you do will be insignificant, but it is very important
 that you do it."
   Gandhi
--




RE: Troubles with EAP-TTLS

2005-02-03 Thread Francisco Sampalo
Thanks Guy. You are right. We installed the server's (and root's)
certificate in the client and now, at least, he sees the PRIVATE VLAN, but
can't connect into that VLAN. It seems that the problems are related to the
certificates. We are working on it and we'll see.

Regards.
At 17:22 02/02/05 +, you wrote:
Hi Francisco,
Are you authenticating the RADIUS server or just ignoring the validity (or 
otherwise) of the certificate it sends?  If you are trying to authenticate 
the RADIUS server and it's either sending an invalid (or self signed) 
certificate or the root certificate authority that signed the RADIUS 
server's certificate is not known to the client, then the client will not 
recognise the server and will not send any credentials.

Rgds,
Guy
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Francisco Sampalo
> Sent: 02 February 2005 17:04
> To: freeradius-users@lists.freeradius.org
> Subject: Troubles with EAP-TTLS
>
>
>   Hi, this is our first message to the list. We are trying to deploy a
> Wireless LAN based on 802.1X EAP-TTLS.
>
>   We have built an authentication infrastructure with the following
> components:
>   - A Radius server (Linux SuSe 9.0 + FreeRadius CVS version from March'2004).
>   - Access Point Aironet 1100 (Cisco).
>   - SecureW2 EAP-TTLS supplicant (on the client side, over Windows XP).
>
>   We have created two VLANs for wireless access: the GUEST VLAN and the
> PRIVATE VLAN (with authentication required for our users). We are having
> some troubles with some laptops (not all) working with XP-SP2, because they
> only "can see" the GUEST VLAN, but "can't see" the PRIVATE VLAN. We sniffed
> the traffic between the client and the AP and we saw the following:
>   - First, the user tries to get in the PRIVATE VLAN.
>   - Then the AP answers him, trying to establish the connection, and asks him
> for the authentication information (user and password).
>   - But at this point it seems like the client can't understand the request
> and sends back null packets; so the AP doesn't validate the connection and
> the user is sent to the GUEST VLAN.
>
>   We are in a mess, because we don't know if this problem is due to the
> Wireless NIC of the client (hardware), the drivers, or even caused by the
> operating system.
>
>   May anybody help us? Thanks to all.
>
>
> *
> Francisco J. Sampalo Lainz
> ([EMAIL PROTECTED])
> Jefe del Servicio de Informática
> Universidad Politécnica de Cartagena
> Tlf: 968-325717 / 5730
> *
>
>
>

Paco Sampalo Lainz


Convert from gnu-radius to freeradius 1.0.1

2005-02-03 Thread Hans-Peter Fuchs
Hello,

I want to change from gnu-radius to freeradius 1.0.1.
For some old shiva-nases I had a rewrite rule for accounting
requests:
integer
foo()
{
    if (%[User-Name] == "" && *%[Acct-Session-Id])
        %[Orig-User-Name] = %[Acct-Session-Id];
    else
        %[Orig-User-Name] = %[User-Name];
    return 0;
}

This means:
If User-Name is empty and Acct-Session-Id is given, then
  take Acct-Session-Id as User-Name,
else take the given User-Name.

How can I do this with freeradius?


Regards

Hans-Peter Fuchs


Hans-Peter Fuchs - RZKR, Zimmer 20
Zentrum fuer angewandte Informatik - Universitaetsweiter Service RRZK
Universität zu Köln - Tel: 0221-470-6972



Timeout with freeradius1.0.1 on redhat-AS-3.1

2005-02-03 Thread Hans-Peter Fuchs

Hello,

I am testing freeradius1.0.1 on redhat-AS-3. If I run freeradius in debug
mode (radiusd -X) there are no problems (running for 15 hours). If I run
freeradius in normal mode (radiusd -y), after several hours all
Access-Requests which are processed via pam lead to a timeout:

Wed Feb  2 04:02:07 2005 : Info: Using deprecated naslist file.  Support fo
s will go away soon.
Wed Feb  2 04:02:07 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Feb  2 04:02:07 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Wed Feb  2 04:02:07 2005 : Info: rlm_sql (sql): Attempting to connect to radiusa[EMAIL PROTECTED]:/freeradius
Wed Feb  2 04:02:07 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #0
Wed Feb  2 04:02:07 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #1
Wed Feb  2 04:02:07 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #2
Wed Feb  2 04:02:07 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server for #3
Wed Feb  2 04:02:07 2005 : Info: rlm_sql_mysql: Starting connect to MySQL server
3026
Wed Feb  2 05:02:25 2005 : Error: Killing unresponsive thread for request 23027
Wed Feb  2 05:02:31 2005 : Error: Killing unresponsive thread for request 23028
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23029
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23030
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23031
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23032
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23033
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23034
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23035
Wed Feb  2 05:03:13 2005 : Error: Killing unresponsive thread for request 23036
Wed Feb  2 05:03:21 2005 : Error: Killing unresponsive thread for request 23037
Wed Feb  2 05:03:29 2005 : Error: Killing unresponsive thread for request 23038
Wed Feb  2 05:03:41 2005 : Error: Killing unresponsive thread for request 23039

This leads to:

Wed Feb  2 06:01:49 2005 : Error: Killing unresponsive thread for request 24384
Wed Feb  2 06:01:49 2005 : Error: Killing unresponsive thread for request 24385
Wed Feb  2 06:01:49 2005 : Error: FATAL: Thread create failed: Cannot allocate memory

If I configure:

 max_requests_per_server = 50

in the thread pool section there are no problems for 24 hours and
more.

I attach:
radiusd.conf.gz
users
radiusd-X.gz



Regards

Hans-Peter Fuchs


Hans-Peter Fuchs - RZKR, Zimmer 20
Zentrum fuer angewandte Informatik - Universitaetsweiter Service RRZK
Universität zu Köln - Tel: 0221-470-6972

#
#   Please read the documentation file ../doc/processing_users_file,
#   or 'man 5 users' (after installing the server) for more information.
#
#   This file contains authentication security and configuration
#   information for each user.  Accounting requests are NOT processed
#   through this file.  Instead, see 'acct_users', in this directory.
#
#   The first field is the user's name and can be up to
#   253 characters in length.  This is followed (on the same line) with
#   the list of authentication requirements for that user.  This can
#   include password, comm server name, comm server port number, protocol
#   type (perhaps set by the "hints" file), and huntgroup name (set by
#   the "huntgroups" file).
#
#   If you are not sure why a particular reply is being sent by the
#   server, then run the server in debugging mode (radiusd -X), and
#   you will see which entries in this file are matched.
#
#   When an authentication request is received from the comm server,
#   these values are tested. Only the first match is used unless the
#   "Fall-Through" variable is set to "Yes".
#
#   A special user named "DEFAULT" matches on all usernames.
#   You can have several DEFAULT entries. All entries are processed
#   in the order they appear in this file. The first entry that
#   matches the login-request will stop processing unless you use
#   the Fall-Through variable.
#
#   If you use the database support to turn this file into a .db or .dbm
#   file, the DEFAULT entries _have_ to be at the end of this file and
#   you can't have multiple entries for one username.
#
#   You don't need to specify a password if you set Auth-Type += System
#   on the list of authentication requirements. The RADIUS server
#   will then check the system password file.
#
#   Indented (with the tab character) lines following the first
#   line indicate the configuration values to be passed back to
#   the comm server to allow the initiation of a user session.
#   This can include things like the PPP configuration values
#   or the host to log the user onto.
#
#  
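The log excerpt above shows the pattern that precedes the fatal thread-creation failure: a burst of "Killing unresponsive thread" errors within a minute or so, an hour before the server runs out of memory for threads. As an added example (not code from this thread or from FreeRADIUS), the script below parses FreeRADIUS 1.x log lines in exactly that format, counts kills in fixed time windows, and reports windows that cross a threshold, so an operator is alerted while the daemon is still up. The sample log embedded in it is constructed to mirror the post's excerpt; the window length and threshold are assumptions to tune per site.

```python
"""Flag thread-kill storms in a FreeRADIUS 1.x log before the daemon dies.

Added example, not code from the thread or from FreeRADIUS. The line format
is the one in the post above; the sample log below is constructed to mirror it.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Prefix of every FreeRADIUS 1.x log line, e.g.
# "Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23029"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<level>\w+): (?P<msg>.*)$"
)
KILL_RE = re.compile(r"Killing unresponsive thread for request (?P<req>\d+)")
FATAL_RE = re.compile(r"FATAL: Thread create failed")

# Constructed sample log with the same shape as the post's excerpt
SAMPLE_LOG = """\
Wed Feb  2 04:02:07 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Wed Feb  2 05:02:25 2005 : Error: Killing unresponsive thread for request 23027
Wed Feb  2 05:02:31 2005 : Error: Killing unresponsive thread for request 23028
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23029
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23030
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23031
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23032
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23033
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23034
Wed Feb  2 05:03:08 2005 : Error: Killing unresponsive thread for request 23035
Wed Feb  2 05:03:13 2005 : Error: Killing unresponsive thread for request 23036
Wed Feb  2 05:03:21 2005 : Error: Killing unresponsive thread for request 23037
Wed Feb  2 05:03:29 2005 : Error: Killing unresponsive thread for request 23038
Wed Feb  2 05:03:41 2005 : Error: Killing unresponsive thread for request 23039
Wed Feb  2 06:01:49 2005 : Error: Killing unresponsive thread for request 24384
Wed Feb  2 06:01:49 2005 : Error: Killing unresponsive thread for request 24385
Wed Feb  2 06:01:49 2005 : Error: FATAL: Thread create failed: Cannot allocate memory
"""


def parse_line(line):
    """Return (timestamp, level, message) or None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def analyse(log_text, window_seconds=60, threshold=5):
    """Count thread kills per fixed window and report the windows over threshold.

    Returns the total kill count, the killed request ids, the windows whose
    kill count reached the threshold (window start as ISO time), and whether
    the fatal thread-creation failure was seen.
    """
    kills = []
    fatal = False
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed
        if level != "Error":
            continue
        km = KILL_RE.search(msg)
        if km:
            kills.append((ts, int(km.group("req"))))
        elif FATAL_RE.search(msg):
            fatal = True

    # Bucket kills into fixed windows counted from the first kill seen
    per_window = Counter()
    t0 = kills[0][0] if kills else None
    for ts, _ in kills:
        per_window[int((ts - t0).total_seconds()) // window_seconds] += 1

    alerts = [
        {"start": (t0 + timedelta(seconds=idx * window_seconds)).isoformat(), "kills": n}
        for idx, n in sorted(per_window.items())
        if n >= threshold
    ]
    return {
        "kills": len(kills),
        "requests": [req for _, req in kills],
        "alerts": alerts,
        "fatal": fatal,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for a in report["alerts"]:
        print(f"{a['start']}: {a['kills']} unresponsive threads killed within 60s")
    if report["fatal"]:
        print("FATAL thread-create failure seen: the daemon could not allocate a thread")
```

Run against the constructed sample, the first minute after 05:02:25 holds 11 kills and is reported, while the two kills at 06:01:49 stay below the threshold; the FATAL line is flagged separately because, as the post shows, it is the point at which the server stops serving. The kill storm itself is the symptom to alert on: here it was caused by pam-backed requests hanging, and the poster's `max_requests_per_server = 50` made the server recycle threads before the leak exhausted memory.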

RE: mod_auth_radius

2005-02-03 Thread TRANSLER Loic
I'm sorry for this stupid question.

I'm using VM-Ware and the source file was in a shared folder. I moved it and it 
works.


Loïc

> -Original Message-
> From: TRANSLER Loic
> Sent: Wednesday, 2 February 2005 16:44
> To: freeradius-users@lists.freeradius.org
> Subject: mod_auth_radius
> 
> Hi,
> 
> I'm not sure I'm supposed to post about mod_auth_radius here. Sorry if I'm
> not.
> 
> My apache (2.0) server is installed with rpm's. DSO's are enabled. So, I
> use apxs.
> When I launch the command "apxs2 -i -a -c mod_auth_radius-2.0.c", the
> result is :
> 
> "
> /usr/lib/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2
> -fomit-frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-
> pointer -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -
> D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -O2 -fomit-
> frame-pointer -pipe -march=i586 -mcpu=pentiumpro -fno-omit-frame-pointer -
> pthread -DRECORD_FORWARD -I/usr/include/apache2  -I/usr/include/apache2
> -I/usr/include/apache2   -c -o mod_auth_radius-2.0.lo mod_auth_radius-
> 2.0.c && touch mod_auth_radius-2.0.slo
> 
> mod_auth_radius-2.0.c:560: warning: initialization from incompatible
> pointer type
> 
> ln: création d'un lien symbolique `mod_auth_radius-2.0.lo' vers
> `mod_auth_radius-2.0.o': Operation not permitted
> 
> apxs:Error: Command failed with rc=65536
> "
> 
> Versions:
> Linux Mandrake 10.0 Official
> Apache 2.0.48-6
> Mod_auth_radius 1.5.7
> Freeradius 1.0.1
> 
> 
> 
> Can anyone help me?
> 
> 
> Loïc.
> 
> 





Re: EAP-TLS with Freeradius, how to check locality ?

2005-02-03 Thread Riccardo Veraldi
Hi,
do you know where in the source code freeradius checks certificates?
Could you give me a hint about where the C file to modify is located?
thanks
Rick
Alan DeKok wrote:
Riccardo Veraldi <[EMAIL PROTECTED]> wrote:
I would like to authenticate my users who have a certificate
but I want to check the /L field (locality name) of the certificate
and not the user name which is the /CN of the certificate.
is there a way to do this with Freeradius ?

  Source code modifications.
  Alan DeKok.
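The check Riccardo asks for, deciding access on the Locality (L) field of the client certificate subject rather than on the CN, is a policy on a parsed distinguished name. As an added example that is neither code from this thread nor from FreeRADIUS, the block below parses a subject DN in either OpenSSL's one-line form ("/C=IT/L=Bologna/CN=rick") or the comma-separated RFC 4514 form, extracts every L value, and admits the certificate only when exactly one L is present and it is on an allowed list. It assumes the subject is available to the policy code as a string (later FreeRADIUS releases expose it as the TLS-Client-Cert-Subject attribute; the 2005 version discussed here required source changes, as Alan says); the subject strings and the allowed-locality set are constructed sample data.

```python
"""Policy check on the Locality (L) field of a client certificate subject.

Added example, not part of the thread or of FreeRADIUS. Assumes the subject
DN is available as a string in OpenSSL one-line form ("/C=IT/L=Bologna/CN=rick")
or in RFC 4514 form ("CN=rick,L=Bologna,C=IT"). Sample values are constructed.
"""


def parse_dn(subject):
    """Return a list of (attribute, value) pairs from either DN form.

    A backslash escapes the next character, so an escaped separator
    ("\\/" or "\\,") stays inside the value instead of splitting it.
    Attribute names are upper-cased; values are kept verbatim.
    """
    if subject.startswith("/"):
        sep, text = "/", subject[1:]      # OpenSSL one-line form
    else:
        sep, text = ",", subject          # RFC 4514 form
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))

    pairs = []
    for rdn in parts:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value))
    return pairs


def get_attr(pairs, name):
    """Return all values of attribute `name`; a DN may carry it more than once."""
    return [v for a, v in pairs if a == name.upper()]


def locality_allowed(subject, allowed_localities):
    """True only if the subject carries exactly one L and it is in the allowed set.

    A missing or duplicated L is rejected rather than guessed at, so an
    unexpected extra RDN cannot widen the match.
    """
    values = get_attr(parse_dn(subject), "L")
    if len(values) != 1:
        return False
    return values[0] in allowed_localities


if __name__ == "__main__":
    # Constructed sample subjects and policy
    ALLOWED = {"Bologna"}
    for s in ("/C=IT/L=Bologna/CN=rick", "CN=rick,L=Roma,C=IT", "/C=IT/CN=rick"):
        print(s, "->", "accept" if locality_allowed(s, ALLOWED) else "reject")
```

The CN is deliberately ignored by the policy function, which is the point of Riccardo's question; if both should be checked, the same `get_attr` call on "CN" gives the value to compare. Any value this check accepts is still only as trustworthy as the CA that signed the certificate, since the subject is attested by the signature, not by the parser.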