How to Decrypt cipher text of md5 on freeradius?

2005-02-22 Thread Chanin Luangingkasut
List
Steps before inserting the password into the MySQL database:
1. Input password.
2. Encrypt password by md5 [ md5(password) ]
3. Insert data to database and encode password by PASSWORD() on MySQL 
again (INSERT into  VALUES(, PASSWORD(md5(password)));

But it doesn't work. How do I fix this case? Please let me know.
Regards,
--
Chanin
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


any check item available while doing EAP/TLS?

2005-02-22 Thread Vincent Chen
Hi, all

I don't want my user get a certificate from me and have access to all of our
AP. I already tried to add NAS-IP-Address,NAS-Identifier as check item but none
works. No matter which AP I assign as check item for certificate, they still
have access to all our access points. It is not very secure, is it?

Here is request log from AP:
rad_recv: Access-Request packet from host 10.1.2.5:1024, id=171, length=95
User-Name = "Presario 2135AD"
NAS-IP-Address = 10.1.2.5
NAS-Identifier = "AWL500"
State = 0x520972a7955c03b6ae1090d3b8e32c36
EAP-Message = 0x022a00060d00
Message-Authenticator = 0x3e4904287b7a5dfdf7f71e5400bc5f46

I tried these 2 different user profile, they all have full access to all AP.
Check item NAS-IP-Address seems ignored.

"Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
Session-Timeout = 300

"Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
Session-Timeout = 300

As you can see, the certificate issued to "Presario 2135AD" is accepted by freeradius
no matter which AP it was limited to. It bothered me for weeks, did I
do anything wrong? Please help!!!


Thanks,

Vincent Chen




RE: Is it possible to authenticate RADIUS users just on Username with no password?

2005-02-22 Thread Santiago Balaguer García
Yes, it is possible and I use it for authenticating routers and IP phones. 
These devices don't respond to a login request with login/passwd.

A solution is, if your NAT supports it, put login = device MAC address 
and PASSWORD = nothing. Obviously, you have to declare this user=MAC in the 
radcheck, radreply, radgroupcheck tables as a normal user.


Hi All,
I am using radius for my personal wireless ISP venture.
I got some pre-paid cards used for long distance voice calls and I want
to use them for occasional wi-fi users. Though radius needs a
username/pwd pair for authentication they have only PIN printed on them.
Can I use these PINs as RADIUS username?
Each PIN is 16 digits long.
In short how can I make password un-necessary for RADIUS authentication?
Thanks,
Sagar


radclient: no response from server

2005-02-22 Thread Abdul Lateef
Hi,

I installed freeradius-1.0.2 on my Redhat7.3 Server.
When I try to test using my Linux root account and
password, the server gives no response.

radtest root 123456 127.0.0.1 3030 testing123

Re-sending Access-Request of id 174 to 127.0.0.1:1812
User-Name = "root"
User-Password =
"'\025\257_\377m\250\312\330U\3561\313\213wb"
NAS-IP-Address = localhost.localdomain
NAS-Port = 3030
radclient: no response from server for ID 174

If anyone can point me in the right direction it will be a very big help.

Here is the debug message:
radiusd -X
=

 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups =
"/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile =
"/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile =
"/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename =
"/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:3030
Listening on accounting *:3031
Listening on proxy *:3032
Ready to process requests.

[EMAIL PROTECTED] root]#

==





Re: radclient: no response from server

2005-02-22 Thread Michael Mitchell
The answer is right there in front of you... radtest is sending the 
request to "127.0.0.1:1812"

In your radtest line replace the space between the 127.0.0.1 and 3030 
with a ':'.

regards,
Mike
Abdul Lateef wrote:
radtest root 123456 127.0.0.1 3030 testing123
Re-sending Access-Request of id 174 to 127.0.0.1:1812

Ready to process requests.
[EMAIL PROTECTED] root]#




Active directory + users files

2005-02-22 Thread Alexandre Durand



Hi,

I want to connect Active Directory users with freeradius and PEAP. I use
samba with winbind to do this. In fact I use the ntlm_auth command.

But now I don't know how to configure the users file to connect Active
Directory users.

I tried a static user like this:

test User-Password == "testing", MS-Chap-Use-NTLM-Auth := 0

and it works fine.

Now how do I handle my Active Directory users?


Re: radclient: no response from server

2005-02-22 Thread Ery Atmodjo
Hi

My freeradius-1.0.1 is running.  When I try to test using
127.0.0.1, the server response was "access-reject", not "no response
from server".  I am not sure what happened to your radius server
because I am new even to Linux, but I suggest you try using a server
IP address other than localhost.

Wassalam

Ery


On Tue, 22 Feb 2005 02:48:59 -0800 (PST), Abdul Lateef
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I installed freeradius-1.0.2 on my Redhat7.3 Server.
> when i am trying to test using my linux root and
> password. the server is giving no response.
> 
> radtest root 123456 127.0.0.1 3030 testing123
> 
> Re-sending Access-Request of id 174 to 127.0.0.1:1812
>User-Name = "root"
>User-Password =
> "'\025\257_\377m\250\312\330U\3561\313\213wb"
>NAS-IP-Address = localhost.localdomain
>NAS-Port = 3030
> radclient: no response from server for ID 174
> 
> If anyone can point me in the right direction it will be a very big help.
> 
> Here is the debug message:
> radiusd -X
> =
> 
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups =
> "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile =
> "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile =
> "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id,
> NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
> "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename =
> "/usr/local/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:3030
> Listening on accounting *:3031
> Listening on proxy *:3032
> Ready to process requests.
> 
> [EMAIL PROTECTED] root]#
> 
> ==
> 
> 


Re: Active directory + users files

2005-02-22 Thread Alexandre Coninx
On Tue, Feb 22, 2005, Alexandre Durand wrote:
>Hi,
>
>I want to connect Active directory users with freeradius and PEAP. I use
>samba with winbind to do this. In fact i use ntlm_auth command.
>
>But now i don't know how to configure users files to connect Active
>directory users

You don't have to configure anything in the users file to make AD
authentication work. You can even disable the "files" module.

What you should enable and/or configure is eap, tls, peap and mschap.

-- 
Endy



Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)

2005-02-22 Thread Paul Hampson
On Tue, Feb 22, 2005 at 10:44:08AM +1100, Tom wrote:
> I've setup freeradius 1.0.1 on debian (sarge 2.6 kernel).

> I've included all the modules and set freeradius to use PEAP.

> When my authenticator passes the request over to the freeradius server
> I get (among other things):

> freeradius: relocation error:
> /usr/lib/freeradius/rlm_eap_peap-1.0.1.so: undefined symbol:
> eaptls_process

> After which the server immediately crashes.

> I've found this link:
> http://lists.cistron.nl/pipermail/freeradius-users/2004-December/038781.html
> which I believe relates to my situation.

> The reply there is -
> >Yes. The libltdl in Debian includes a patch from the CVS version of
> >libtool, which breaks the linkage used by rlm_eap_ttls and rlm_eap_peap
> >into rlm_eap_tls. Try 1.1.0, which should work with the libltdl in
> >Debian/sarge or Debian/sid.

> I've installed the latest version of libtool (1.5-something) using
> apt-get but I still have the same problem. I'm not too sure where to
> link where to what - what is it that freeradius is looking for and
> what should I do to point it in the right direction?

> I'm not familiar with libltdl at all so it hasn't been easy to google
> this out, any help is greatly appreciated :)

Just upgrading libtool won't work, as libtool 1.5 requires a more recent
version of autoconf than is used in FreeRADIUS 1.0.1.

As the above post suggests, try 1.1.0 (eg. CVS head) which builds with
libtool 1.5 and autoconf 2.57 and where PEAP and TTLS _should_ work.
(Although I've not tested them myself)

-- 
Paul "TBBle" Hampson, on an alternate email client.



Re: radsqlrelay for 1.0.2

2005-02-22 Thread Nicolas Baradakis
ROY wrote:

> > This version can be built in the 1.0.x source tree. It has been modified
> > to fix the detail file locking issue under heavy load. Since you are 
> > running tests on radsqlrelay, I'd be grateful if I could receive some
> > feedback from you on this version.
> 
> There were a lot off differences between v1.3 against your v1.1.2.4
> (code wise). I'm no C coder myself so I can't tell from the diff output
> what functionalities were changed. If there's a big advantage using the
> 1.1.2.4 I'd be happy to test it for you.

Under heavy load you can see the following error message many times in
the file /var/log/freeradius/radius.log

Error: rlm_detail: Failed to aquire filelock for 
/var/log/freeradius/radacct/detail-relay, giving up

It's a known problem of radrelay, and it was reported on the mailing
list by different people. I've had exactly the same errors with
radsqlrelay (which shares a lot of code with radrelay).

http://lists.cistron.nl/archives/freeradius-users/2004/09/frm00877.html
http://lists.cistron.nl/archives/freeradius-users/2004/10/frm00864.html

The changes I made to radsqlrelay.c fix this. My own tests are OK, but
I'm interested to get other people's opinion. Even if you've never seen
the "Failed to aquire filelock" message, just tell me if the new version
works exactly like before. That will help, too.

-- 
Nicolas Baradakis



Using Free Radius with Microsoft Stored Proccedures for Authentication

2005-02-22 Thread Matt
What exactly does freeradius expect back?

For instance:

   authenticate_query = "SELECT Value,Attribute FROM
${authcheck_table} WHERE UserName = '%{User-Name}' AND ( Attribute =
'User-Password' OR Attribute = 'Password' OR Attribute =
'Crypt-Password' ) ORDER BY Attribute DESC"

Or if I were to put a stored procedure in there?

What exactly is it looking to get back?  It seems it wants the
password back so it can verify that the information the user entered
is correct... but:

A) How do I use a stored procedure with freeradius?
B) How do I go about setting radius attributes through this?

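Both Chanin's question at the top of this digest (a password stored as PASSWORD(md5(password))) and Matt's question here come down to what the server does with the rows the authenticate query returns. The following is an added Python example, not FreeRADIUS code and not from either post, that models that step in simplified form: rows of (Value, Attribute) in the column order of the query quoted above, a cleartext compare for a User-Password/Password item and a digest compare for an MD5-Password item. The attribute names and the rlm_pap-style comparison are assumptions of this example, as is the reimplementation of MySQL's PASSWORD() that is used only to construct the sample row; whether the rows come from the query text or from a stored procedure, only the result set reaches the module. All users and passwords are constructed.

```python
import hashlib

# All sample data below is constructed for this example.

def mysql_password(plain: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(plain)).
    Reimplemented only to build Chanin's stored value; the RADIUS server has no
    comparison method for this format."""
    inner = hashlib.sha1(plain.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def md5_hex(plain: str) -> str:
    """Hex MD5 digest, the form an MD5-Password check item carries (assumed)."""
    return hashlib.md5(plain.encode()).hexdigest()

# What the authenticate_query (or a stored procedure in its place) hands back
# per user: rows of (Value, Attribute), in the column order of the query quoted
# on the page. Attribute names follow FreeRADIUS's check items (assumed).
SAMPLE_ROWS = {
    "alice": [("s3cret", "User-Password")],            # cleartext password
    "bob":   [(md5_hex("s3cret"), "MD5-Password")],    # md5(password) as hex
    # Chanin's scheme: PASSWORD(md5(password)) stored as the 'Password' item
    "carol": [(mysql_password(md5_hex("s3cret")), "Password")],
    "dave":  [],                                       # query returned nothing
}

def check_password(rows, supplied: str):
    """Simplified model of the server's PAP check: take the first password check
    item from the rows and compare the supplied password with it.
    Returns (accepted, reason)."""
    for value, attribute in rows:
        if attribute in ("User-Password", "Password"):
            # Cleartext item: byte-for-byte equality with what the user typed.
            return value == supplied, "cleartext compare against stored value"
        if attribute == "MD5-Password":
            # Hash what the user typed and compare digests.
            return value.lower() == md5_hex(supplied), "md5 digest compare"
    return False, "no password check item returned -> reject"

def authenticate(username: str, supplied: str):
    """Look the user up in the constructed result set and run the check."""
    return check_password(SAMPLE_ROWS.get(username, []), supplied)

if __name__ == "__main__":
    for user in SAMPLE_ROWS:
        ok, why = authenticate(user, "s3cret")
        print(f"{user:6} -> {'Access-Accept' if ok else 'Access-Reject'} ({why})")
```

Running it, alice and bob are accepted and carol is rejected although she typed the right password: the server cannot reverse PASSWORD() or md5, it can only recompute a hash of what the user typed and compare, so a stored value has to be in a form the server knows how to recompute (cleartext, or one supported hash), never a hash of a hash it has no method for. A stored procedure must therefore return the same (Value, Attribute) rows the query would, and a reply attribute set through SQL goes through the reply query's rows, not the authenticate query.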


Re: pre-acct processing and Proxy-To-Realm

2005-02-22 Thread Kostas Kalevras
On Tue, 22 Feb 2005, Michael Mitchell wrote:

> Thanks for the reply Kostas!
>
> Kostas Kalevras wrote:
>> On Mon, 21 Feb 2005, Mitchell, Michael J wrote:
>> Latest cvs versions of rlm_preprocess do huntgroup processing.
>
> Great! I'll take a look at the latest rlm_preprocess!
>
>> I am not sure you need to run rlm_ldap again in pre-accounting. You could
>> probably add a Class attribute in the home server access-accept (if you get
>> an access-accept that probably means the ldap server already contains the
>> username) and also use that in acct_users when deciding on whether to proxy
>> the request.
>
> Yep, I've considered using the Class attribute, which I will do. However, we
> do not have control over some of the NAS's and proxies in between them and
> our radius servers, and I've been told that I should not rely on them being
> "well behaved". Maybe the 80% solution is good enough though to reduce the
> number of lookups on ldap for pre-accounting to an acceptable level. Who
> knows, it may even turn out to be 100%..
>
> If anyone has any other thoughts, please keep them coming!

As a last note, you probably don't need to perform any changes to rlm_ldap
either. Just use rlm_policy and ldap_xlat in the pre-acct section to perform
user lookups and you should be ok.

> regards,
> Mike

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


unsuscriber please

2005-02-22 Thread Fernando Castillo Vedia
[EMAIL PROTECTED] 


Re: Grouping accounts

2005-02-22 Thread Dustin Doris
> On Fri, Feb 18, 2005 at 12:32:54PM -0500, Alan DeKok wrote:
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: Grouping accounts
> > Date: Fri, 18 Feb 2005 12:32:54 -0500
> >
> > Steven Wayne <[EMAIL PROTECTED]> wrote:
> > > joeuser logs into the system and is authenticated by Radius.
> > >
> > > He then logs onto the ftp server. Can this be authorized by Radius using
> > > a different id/password but as a subset of "joeuser" so he can still be
> > > tracked and billed using just the main Radius account?
> >
> >   If you have some way to tie that id to "joeuser".  There's no
> > standard way to do that, though.
> >
> >   Alan DeKok.
>
> Another thought.
>
> How about authentication based on source address.
>
> If the FreeRadius server gets an authentication request from
> 192.168.0.4 use userida/passworda, from
> 192.168.0.5 use userida/passwordb
> and so on.
>
> I'll stop thinking soon, honest.
>

Hmm, you could do that if you store the users in a different area.  I
don't know if you want to go through the trouble of scattering your data
all over the place, but it could work.

Imagine you setup your users like this in ldap.

ou=ftpusers,dc=yourdomain
uid=someuser,ou=ftpusers,dc=yourdomain

ou=dialusers,dc=yourdomain
uid=sameuser,ou=dialusers,dc=yourdomain

Then you create two ldap instances in radiusd.conf (or a separate file and
include it)

ldap ftpldap {
  normal config stuff
  basedn = "ou=ftpusers,dc=yourdomain"
  more config stuff
}

ldap dialldap {
  configs
  basedn = "ou=dialusers,dc=yourdomain"
  more config stuff
}

Then in the huntgroups file you do this.

ftp NAS-IP-Address == ipofftpserver1
ftp NAS-IP-Address == ipofftpserver2
dial NAS-IP-Address == ipofdialnas1
dial NAS-IP-Address == ipofdialnas2

and so on...

Then in the users file you have only these.

DEFAULT  Huntgroup-Name == ftp, Autz-Type := ftpldap

DEFAULT  Huntgroup-Name == dial, Autz-Type := dialldap


That would say, if the packet comes from one of the ftp servers, then use
ftpldap instance to authorize the user, which would have the ftpuser
basedn.  If the request comes from a dial nas, then use the dialldap
instance with a different basedn.

This would work for you as far as authentication goes.  The only problem
is you'd have the same user in two areas in ldap, which would cause
redundant data and ldap wouldn't really know that the two are related.
You'd also have to build something to manage those two different sets of
data for the users, as far as changing passwords and stuff goes.

You could try that to start and then try to start syncing the passwords
later until they are all the same and then just remove one tree and have
radius just hit that one tree.

Hope that makes sense.

-Dusty Doris





Re: any check item available while doing EAP/TLS?

2005-02-22 Thread Dustin Doris

> Hi, all
>
> I don't want my user get a certificate from me and have access to all of
> our AP. I already tried to add NAS-IP-Address,NAS-Identifier as check
> item but none works. No matter which AP I assign as check item for
> certificate, they still have access to all our access points. It is not
> very secure, is it?
>
> Here is request log from AP:
> rad_recv: Access-Request packet from host 10.1.2.5:1024, id=171, length=95
> User-Name = "Presario 2135AD"
> NAS-IP-Address = 10.1.2.5
> NAS-Identifier = "AWL500"
> State = 0x520972a7955c03b6ae1090d3b8e32c36
> EAP-Message = 0x022a00060d00
> Message-Authenticator = 0x3e4904287b7a5dfdf7f71e5400bc5f46
>
> I tried these 2 different user profile, they all have full access to all AP.
> Check item NAS-IP-Address seems ignored.
>
> "Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
> Session-Timeout = 300
>
> "Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
> Session-Timeout = 300
>
> As you can see, the certificate issued to "Presario 2135AD" is accepted by
> freeradius no matter which AP it was limited to. It bothered
> me for weeks, did I do anything wrong? Please help!!!
>
>

I don't quite understand what the problem is.  That radius packet came
from 10.1.2.5 and was the Presario 2135AD user, that should match your
first users file line.  Why would you expect it not to match?

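To make the first-match rule concrete, here is an added Python example (not part of the thread and not FreeRADIUS code) that parses a users file in the format of the two entries Vincent quoted and applies the files module's matching: an entry matches when its name equals User-Name and every '==' check item equals the corresponding request attribute; ':=' items such as Auth-Type are settings, not comparisons; the indented line under each entry carries the reply items. With the request Vincent logged, NAS-IP-Address 10.1.2.5, the first entry matches, which is Dustin's point; from 10.1.3.5 the second one matches; from an AP named in neither entry nothing matches. The parser and the request dictionaries are simplifications for illustration.

```python
import re

# Constructed users-file text modelled on the two entries quoted in the thread.
# Indented continuation lines are reply items, as the files module expects.
USERS_FILE = '''\
"Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
        Session-Timeout = 300

"Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
        Session-Timeout = 300
'''

# attribute, operator, value (quoted or bare), optional trailing comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')
# entry name (quoted or bare) followed by the check items
NAME_RE = re.compile(r'^("[^"]*"|\S+)\s*(.*)$')

def _unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def parse_items(text):
    return [(attr, op, _unquote(val)) for attr, op, val in ITEM_RE.findall(text)]

def parse_users(text):
    """Return entries as dicts with 'name', 'check' and 'reply' item lists."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():                 # continuation line: reply items
            entries[-1]['reply'] += parse_items(line)
        else:
            name, rest = NAME_RE.match(line).groups()
            entries.append({'name': _unquote(name),
                            'check': parse_items(rest),
                            'reply': []})
    return entries

def authorize(entries, request):
    """First-match rule of the files module: the first entry whose name is the
    request's User-Name (or DEFAULT) and whose every '==' check item equals the
    request attribute wins. ':=' items are control settings, not comparisons.
    Returns (entry index or None, control items, reply items)."""
    for i, entry in enumerate(entries):
        if entry['name'] not in ('DEFAULT', request.get('User-Name')):
            continue
        if all(request.get(a) == v for a, op, v in entry['check'] if op == '=='):
            control = {a: v for a, op, v in entry['check'] if op == ':='}
            reply = {a: v for a, op, v in entry['reply']}
            return i, control, reply
    return None, {}, {}

if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for nas in ("10.1.2.5", "10.1.3.5", "10.1.4.5"):
        req = {'User-Name': 'Presario 2135AD', 'NAS-IP-Address': nas}
        idx, control, reply = authorize(entries, req)
        print(nas, '-> entry', idx, control, reply)
```

One caveat a practitioner should keep in mind: this models only the files module. In Patrice's debug output further down this page the eap module returns "updated" in the authorize section before files runs, which is it setting Auth-Type for the EAP conversation on its own; so a users entry that fails to match does not by itself turn the request into a reject. A policy that limits a certificate holder to particular APs needs something that produces the reject when no entry matches, for example a final DEFAULT entry that sets Auth-Type := Reject.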


Customize RadPosAuth table

2005-02-22 Thread Eric Gregory
Using Freeradius 1.1 and would like to customize the radpostauth table 
in MySQL. Not recording the plain text passwords on successful 
authentications is the most important, and I'd also like to 
see failed logins as well.  Any help is appreciated.

Thanks
Eric Gregory


Problem authenticating EAP-LEAP (EAP-LEAP will not be in production but is in test currently)

2005-02-22 Thread Patrice PAPOT
Hello, 
I have a problem on Freeradius 1.0.2.
I have two configurations:
1- PDA Microsoft Pocket PC ---> AP Cisco ---> Freeradius 1.0.2 
2- PDA Microsoft Pocket PC 2003 ---> AP Cisco --> Freeradius 1.0.2

Configuration one works without problem in EAP-LEAP.
Configuration two gives me an error saying that the EAP request is not 
recognized, even though my PDA configuration is the same as the one that works.
Any idea??
Here is the debug

DEBUG SOLUTION ONE > OK
rad_recv: Access-Request packet from host 200.0.110.200:21647, id=22, length=134
User-Name = "interne"
Framed-MTU = 1400
Called-Station-Id = "000d.eded.7584"
Calling-Station-Id = "0002.b3e1.534e"
Service-Type = Login-User
Message-Authenticator = 0x0dcf19abbdaed8fa099bd9090ce51cb8
EAP-Message = 0x0202000c01696e7465726e65
NAS-Port-Type = Wireless-802.11
NAS-Port = 227
NAS-IP-Address = 200.0.110.200
NAS-Identifier = "AP_Radius"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 30
  modcall[authorize]: module "preprocess" returns ok for request 30
  modcall[authorize]: module "chap" returns noop for request 30
  modcall[authorize]: module "mschap" returns noop for request 30
rlm_realm: No '@' in User-Name = "interne", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 30
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 30
users: Matched entry interne at line 99
  modcall[authorize]: module "files" returns ok for request 30
modcall: group authorize returns updated for request 30
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 30
  rlm_eap: EAP Identity
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
  modcall[authenticate]: module "eap" returns handled for request 30
modcall: group authenticate returns handled for request 30
Sending Access-Challenge of id 22 to 200.0.110.200:21647
EAP-Message = 0x01030017110100085783023ddd6fd37c696e7465726e65
Message-Authenticator = 0x
State = 0x434ed93c4c2ead59aaf5ee2be8776661
Finished request 30
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 200.0.110.200:21647, id=23, length=179
User-Name = "interne"
Framed-MTU = 1400
Called-Station-Id = "000d.eded.7584"
Calling-Station-Id = "0002.b3e1.534e"
Service-Type = Login-User
Message-Authenticator = 0x614b20ae77549b698d6fe190920da0ce
EAP-Message = 
0x0203002711010018602e7d34fec6d96d618c57176c86e4b9558daaedcd5f8fe4696e7465726e65
NAS-Port-Type = Wireless-802.11
NAS-Port = 227
State = 0x434ed93c4c2ead59aaf5ee2be8776661
NAS-IP-Address = 200.0.110.200
NAS-Identifier = "AP_Radius"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 31
  modcall[authorize]: module "preprocess" returns ok for request 31
  modcall[authorize]: module "chap" returns noop for request 31
  modcall[authorize]: module "mschap" returns noop for request 31
rlm_realm: No '@' in User-Name = "interne", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 31
  rlm_eap: EAP packet type response id 3 length 39
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 31
users: Matched entry interne at line 99
  modcall[authorize]: module "files" returns ok for request 31
modcall: group authorize returns updated for request 31
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 31
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/leap
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 4
  rlm_eap_leap: NtChallengeResponse from AP is valid
  rlm_eap: Underlying EAP-Type set EAP ID to 4
  modcall[authenticate]: module "eap" returns ok for request 31
modcall: group authenticate returns ok for request 31
Sending Access-Challenge of id 23 to 200.0.110.200:21647
EAP-Message = 0x03040004
Message-Authenticator = 0x
State = 0x07329ecca5fa59a8c3ced0e46567536e
Finished request 31
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 200.0.110.200:21647, id=24, length=163
User-Name = "interne"
Framed-MTU = 1400
   

Re: Customize RadPosAuth table

2005-02-22 Thread Thor Spruyt
- Original Message - 
From: "Eric Gregory" <[EMAIL PROTECTED]>
> Using Freeradius 1.1 and would like to customize the radpostauth table 
> in MySQL. Not recording the plain text passwords on successful 
> authentications is the most important, and I'd also like to 
> see failed logins as well.  Any help is appreciated.

Have a look in raddb/sql.conf, the queries are there.




force eap-type

2005-02-22 Thread Marc Boisis
Hello world
I would like to force the EAP-Type according to an LDAP attribute, that is 
to say between authorize and authenticate.
Is it possible, and how?



Client Configuration

2005-02-22 Thread Jack Rodriguez
Is there a step-by-step configuration guide for configuring pam.d 
(for a radius client)?  I want to use that for system login,
/etc/pam.d/login, on Red Hat 9 (2.4). Thanks

-Jack



How to reject/erase a user a day after his/her first login

2005-02-22 Thread Antonio J. Soler
Hello,

We have set up a radius server to manage user access from a hotel. Users are
connected via PLC or WiFi. By now, we are using freeradius 1.0.1 running on a
Debian 3.0 r3, and rlm_mysql module.

I'd like to know if there is some way to clean a user from the database one
day after his first connection, or at least reject him.

What we want is, for example:
- A user called "user1" is created on January 1st.
- This user first logs in on January 5th at 11:00 am.
- We want this user to be rejected (if there is some way to clean him from
 the auth-users database it would be great) from January 6th at 11:00,
 regardless of the time he has been logged in. That is: one day after his first
 connection.

I've been reading info about Expiration item and the rlm_sqlcounter module,
but they seem to be of no help.

Thanks in advance,
--
Antonio J. Soler
Admin. de red Plug-On S.L.
Web: www.plug-on.net
E-mail: [EMAIL PROTECTED]

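Antonio's policy, as an added Python/sqlite3 sketch that is not FreeRADIUS code and not from the thread: the auth-users table gets a first_seen column that stays NULL until the first successful login, a check function accepts until one day after that timestamp and rejects afterwards, and a purge function deletes the expired rows, which is the "clean him from the database" option. The table and column names, the in-memory database and the timestamps are constructed for the example; in a deployment the same logic would live in the SQL module's queries or in a cron job against the real table.

```python
import sqlite3
from datetime import datetime, timedelta

LIFETIME = timedelta(days=1)   # reject one day after the first login

def ts(text):
    """Parse a constructed ISO timestamp such as '2005-01-05T11:00'."""
    return datetime.fromisoformat(text)

def open_db():
    """In-memory stand-in for the auth-users table (constructed schema):
    first_seen stays NULL until the user's first successful login."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT PRIMARY KEY, first_seen TEXT)')
    return conn

def add_user(conn, username):
    """Create the account; no clock is running yet."""
    conn.execute('INSERT INTO users (username) VALUES (?)', (username,))
    conn.commit()

def authorize(conn, username, now):
    """'accept' until LIFETIME after the first login, 'reject' afterwards or
    for a user that is not (or no longer) in the table."""
    row = conn.execute('SELECT first_seen FROM users WHERE username = ?',
                       (username,)).fetchone()
    if row is None:
        return 'reject'
    if row[0] is None:
        # First login starts the clock; later logins never move it.
        conn.execute('UPDATE users SET first_seen = ? WHERE username = ?',
                     (now.isoformat(), username))
        conn.commit()
        return 'accept'
    return 'accept' if now < ts(row[0]) + LIFETIME else 'reject'

def purge_expired(conn, now):
    """Delete users whose lifetime has run out; returns how many were removed.
    ISO-8601 strings sort chronologically, so a plain string compare works."""
    cutoff = (now - LIFETIME).isoformat()
    cur = conn.execute(
        'DELETE FROM users WHERE first_seen IS NOT NULL AND first_seen <= ?',
        (cutoff,))
    conn.commit()
    return cur.rowcount

def demo_timeline():
    """Replay the dates from the post: account created January 1st, first
    login January 5th 11:00, cut-off January 6th 11:00."""
    conn = open_db()
    add_user(conn, 'user1')
    results = []
    for when in ('2005-01-05T11:00', '2005-01-06T10:59', '2005-01-06T11:00'):
        results.append((when, authorize(conn, 'user1', ts(when))))
    results.append(('purge', purge_expired(conn, ts('2005-01-06T11:00'))))
    results.append(('after purge', authorize(conn, 'user1', ts('2005-01-06T11:00'))))
    return results

if __name__ == "__main__":
    for label, outcome in demo_timeline():
        print(f"{label:18} {outcome}")
```

demo_timeline() replays the dates from the post: accepted on January 5th at 11:00 (which sets first_seen), still accepted at 10:59 the next day, rejected from 11:00 on, and the purge then removes the row so that later requests are rejected as an unknown user rather than by timestamp. Whether to purge or merely reject is a retention choice; rejecting keeps the row for accounting and billing lookups.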


Re: Grouping accounts

2005-02-22 Thread Michael Mitchell
I'm not sure that Steven ever mentioned that his user database is ldap 
(perhaps Steven could clarify this for us?).

But for what is it worth we use a very similar scheme as described by 
Dustin below. For us however, our billing system is the authoritative 
database, and LDAP is only used for authentication. The billing system 
automagically knows which "service records" belong to each account in 
the database. It aides itself in this process by adding an account id 
attribute to each of the user's service records in LDAP.

If you get your LDAP tree right, you don't even need two instances of 
the ldap module. We do this:

ldap {
basedn = "ou=%{Huntgroup-Name},dc=yourdomain"
}
which works really nicely, as long as you keep your huntgroups up to 
date ;-)

I'm sure you could do a very similar thing with sql - have an "Account" 
table for billing purposes, and a "Service" table for authentication 
purposes, with each service linked back to the "Account" via an "Account 
ID".

You may have to play with the accounting queries in the sql module 
configuration a little if you want the accounting records to reference 
the "Account ID"...

regards,
Mike
Dustin Doris wrote:
Imagine you setup your users like this in ldap.
ou=ftpusers,dc=yourdomain
uid=someuser,ou=ftpusers,dc=yourdomain
ou=dialusers,dc=yourdomain
uid=sameuser,ou=dialusers,dc=yourdomain
Then you create two ldap instances in radiusd.conf (or a separate file and
include it)
ldap ftpldap {
  normal config stuff
  basedn = "ou=ftpusers,dc=yourdomain"
  more config stuff
}
ldap dialldap {
  configs
  basedn = "ou=dialusers,dc=yourdomain"
  more config stuff
}

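Dustin's two-instance layout quoted above and Mike's single instance with basedn = "ou=%{Huntgroup-Name},dc=yourdomain" both hinge on rlm_preprocess turning a NAS address into a Huntgroup-Name. The following added Python example (not from the thread and not FreeRADIUS code) parses a huntgroups file in the format of Dustin's, assigns the group for a request the way the first matching line would, and expands the %{...} reference in Mike's basedn. The expansion of an absent attribute to an empty string is an assumption of this model, and the group names and 192.0.2.x addresses are constructed.

```python
import re

# Constructed huntgroups file in the style of the one in Dustin's mail
# (addresses are documentation-range placeholders).
HUNTGROUPS = '''\
ftp   NAS-IP-Address == 192.0.2.10
ftp   NAS-IP-Address == 192.0.2.11
dial  NAS-IP-Address == 192.0.2.20
'''

# The basedn Mike shows, expanded per request by the server's %{...} xlat.
BASEDN_TEMPLATE = "ou=%{Huntgroup-Name},dc=yourdomain"

LINE_RE = re.compile(r'^(\S+)\s+(.*)$')
ITEM_RE = re.compile(r'([\w-]+)\s*==\s*(\S+?)\s*(?:,|$)')

def parse_huntgroups(text):
    """List of (group name, [(attr, value), ...]) in file order; several lines
    may carry the same name, any one of which puts the NAS in that group."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, rest = LINE_RE.match(line).groups()
        groups.append((name, ITEM_RE.findall(rest)))
    return groups

def huntgroup_name(groups, request):
    """First huntgroup line all of whose items equal the request's attributes,
    the value rlm_preprocess would add to the request as Huntgroup-Name."""
    for name, items in groups:
        if items and all(request.get(attr) == val for attr, val in items):
            return name
    return None

def xlat(template, attrs):
    """Expand %{Attr} references; an attribute absent from the request
    expands to the empty string (assumed to mirror the server's behaviour)."""
    return re.sub(r'%\{([\w-]+)\}', lambda m: attrs.get(m.group(1), ''), template)

def ldap_basedn(groups, request, template=BASEDN_TEMPLATE):
    """Base DN the ldap module would search for this request."""
    attrs = dict(request)
    name = huntgroup_name(groups, attrs)
    if name is not None:
        attrs['Huntgroup-Name'] = name
    return xlat(template, attrs)

def safe_basedn(groups, request, template=BASEDN_TEMPLATE):
    """Defensive variant: a NAS missing from huntgroups yields None instead of
    a search under 'ou=', the failure mode behind Mike's remark about keeping
    huntgroups up to date."""
    if huntgroup_name(groups, request) is None:
        return None
    return ldap_basedn(groups, request, template)

if __name__ == "__main__":
    groups = parse_huntgroups(HUNTGROUPS)
    for nas in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        req = {'User-Name': 'someuser', 'NAS-IP-Address': nas}
        print(nas, '->', ldap_basedn(groups, req), '| safe:', safe_basedn(groups, req))
```

The third request shows the failure mode: a NAS missing from the file leaves Huntgroup-Name unset, the base DN expands to ou=,dc=yourdomain and the search finds nothing. That fails closed, which is the right direction, but it is easy to misread as a bad password when debugging; safe_basedn makes the condition explicit so that it can be logged as a configuration problem rather than an authentication failure.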


VPN and Freeradius

2005-02-22 Thread Anderson Alves de Albuquerque


How can I do authentication of the users in a VPN using FreeRadius?

I want freeradius to do the authentication. Before my users use the VPN,
Freeswan would need to authenticate them against freeradius.

Is this possible?

Is FreeSwan the best to work with FreeRadius?





Re: Radrelay and coredumps...

2005-02-22 Thread Terry J Fike Jr
Okay, per Alan I compiled up 1.0.2 and moved the radrelay binary
(I didn't move everything into version 1.0.2, just the 1.0.2 binary into 
my 1.0.0 install).  Modified all the dictionary files to the way they 
are in 1.0.2 and it still cores, with pretty much the same output in a 
strings of the core.  Would there be differences in the CVS that might help?

My configure string was as follows:
CC=/path/to/gcc3 -m64 ./configure --prefix=/usr/local 
--with-rlm-dbm=/path/to/berkeley4
then a make

No errors in either configure or make... I'm also willing to post/send 
the data from the core if need be.
--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]



Preventing roaming with multiple NAS

2005-02-22 Thread Patricio Marin
Hi, I am new to the list, and did a search before posting this question, 
but I couldn't find anything related to this.

I have multiple NASs, all using a single FreeRadius server to validate 
the users. Everything is working fine: if I create a user in mysql, you 
can login to any of the NASs with this username and password.

My problem is this: I need to set up a NAS that uses this same 
FreeRadius Server to validate users, but I have to be able to create 
users that can only login to this NAS (and also the users that can login 
to the other NASs shouldn't log in to this NAS).

I imagine that Groups can be used somehow to accomplish this, but I 
can't figure out how to do this.

Any help would be appreciated
Thanks a lot
Patrick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)

2005-02-22 Thread Tom
Thanks very much for your reply, I appreciate your help, and I've just
got a couple of follow-up questions.

>Just upgrading libtool won't work, as libtool 1.5 requires a more recent
>version of autoconf than is used in FreeRADIUS 1.0.1.

>As the above post suggests, try 1.1.0 (eg. CVS head) which builds with

By 1.1.0 does that mean I should download the radiusd module using
CVS? (Not sure if you're referring to that or 1.1.0 of something
else?).

>libtool 1.5 and autoconf 2.57 and where PEAP and TTLS _should_ work.
>(Although I've not tested them myself)

So the hypothesis is download the CVS "head", re-package+compile it
and try again?


Sorry about the relatively simple questions but I didn't know there
was a version of freeradius higher than 1.0.1 - I guess looking at the
CVS tree there are a number of files updated there but I'm not sure if
that constitutes v1.1.0 so I'm a bit lost as to what I'm looking for.

Thanks again for your help.

cc

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius 1.0.2 on MacOS X 10.3.8 failing

2005-02-22 Thread Andreas Fink
Hello,
I made a fresh install on a machine running MacOS X 10.3.8 which didn't 
have freeradius before.
I configured this way:
./configure  --with-mysql --with-large-files=yes --disable-shared
after the make install, I modified /usr/local/etc/radius/clients.conf 
to include my Access Point in the following way:

client 1.1.1.1 {
secret = xxx
shortname = some-name
}
I also copied over my own sql.conf from another machine.
I then started radius by doing:
mini:/usr/local/etc/raddb root# /usr/local/sbin/rc.radiusd start
Starting FreeRADIUS:Mon Feb 21 12:24:56 2005 : Info: Starting - reading 
configuration files ...
radiusd
mini:/usr/local/etc/raddb root#

but radiusd wasn't running anymore. So I looked at the logfile and I 
only see this:

Wed Feb 16 02:25:36 2005 : Error: FATAL: Failed to initialize 
semaphore: Function not implemented
Wed Feb 16 02:39:56 2005 : Info: Using deprecated naslist file.  
Support for this will go away soon.
Wed Feb 16 02:39:56 2005 : Info: rlm_exec: Wait=yes but no output 
defined. Did you mean output=none?
Wed Feb 16 02:39:56 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql 
(module rlm_sql_mysql) loaded and linked
Wed Feb 16 02:39:56 2005 : Info: rlm_sql (sql): Attempting to connect 
to [EMAIL PROTECTED]:/radius
Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #0
Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #1
Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #2
Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #3
Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to 
MySQL server for #4
Wed Feb 16 02:39:56 2005 : Error: FATAL: Failed to initialize 
semaphore: Function not implemented
Mon Feb 21 12:24:56 2005 : Info: Using deprecated naslist file.  
Support for this will go away soon.
Mon Feb 21 12:24:57 2005 : Info: rlm_exec: Wait=yes but no output 
defined. Did you mean output=none?
Mon Feb 21 12:24:57 2005 : Error: FATAL: Failed to initialize 
semaphore: Function not implemented

I've seen this error once before with some other package but I couldn't 
remember what was the fix for it. There's some semaphore initialisation 
function which actually returns not implemented.

in src/main/threads.c I find the code which fails:
    /*
     *  Initialize the queue of requests.
     */
    rcode = sem_init(&thread_pool.semaphore, 0, SEMAPHORE_LOCKED);
    if (rcode != 0) {
        radlog(L_ERR|L_CONS, "FATAL: Failed to initialize semaphore: %s",
               strerror(errno));
        exit(1);
    }

by the way there is a file /usr/include/semaphore.h
Anyone having a hint?
Andreas Fink
Fink Consulting GmbH
---
Tel: +41-61-332 Fax: +41-61-331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail:  [EMAIL PROTECTED]
Homepage: http://www.finkconsulting.com
---
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 1.0.2 on MacOS X 10.3.8 failing

2005-02-22 Thread Justin Guidroz
Andreas,

Edit rc.radiusd to have it include the "-s" argument and see if the
server starts.  There is a patch from Andreas Wolf to allow running
radiusd without the -s argument on Mac OS X, but I haven't updated it
to work with 1.0.2.

Justin


On Wed, 23 Feb 2005 00:29:47 +0100, Andreas Fink <[EMAIL PROTECTED]> wrote:
> Hello,
> 
> I made a fresh install on a machine running MacOS X 10.3.8 which didn't
> have freeradius before.
> I configured this way:
> ./configure  --with-mysql --with-large-files=yes --disable-shared
> after the make install, I modified /usr/local/etc/radius/clients.conf
> to include my Access Point in the following way:
> 
> client 1.1.1.1 {
>  secret = xxx
>  shortname = some-name
> }
> 
> I also copied over my own sql.conf from another machine.
> I then started radius by doing:
> 
> mini:/usr/local/etc/raddb root# /usr/local/sbin/rc.radiusd start
> Starting FreeRADIUS:Mon Feb 21 12:24:56 2005 : Info: Starting - reading
> configuration files ...
> radiusd
> mini:/usr/local/etc/raddb root#
> 
> but radiusd wasn't running anymore. So I looked at the logfile and I
> only see this:
> 
> Wed Feb 16 02:25:36 2005 : Error: FATAL: Failed to initialize
> semaphore: Function not implemented
> Wed Feb 16 02:39:56 2005 : Info: Using deprecated naslist file.
> Support for this will go away soon.
> Wed Feb 16 02:39:56 2005 : Info: rlm_exec: Wait=yes but no output
> defined. Did you mean output=none?
> Wed Feb 16 02:39:56 2005 : Info: rlm_sql (sql): Driver rlm_sql_mysql
> (module rlm_sql_mysql) loaded and linked
> Wed Feb 16 02:39:56 2005 : Info: rlm_sql (sql): Attempting to connect
> to [EMAIL PROTECTED]:/radius
> Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #0
> Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #1
> Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #2
> Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #3
> Wed Feb 16 02:39:56 2005 : Info: rlm_sql_mysql: Starting connect to
> MySQL server for #4
> Wed Feb 16 02:39:56 2005 : Error: FATAL: Failed to initialize
> semaphore: Function not implemented
> Mon Feb 21 12:24:56 2005 : Info: Using deprecated naslist file.
> Support for this will go away soon.
> Mon Feb 21 12:24:57 2005 : Info: rlm_exec: Wait=yes but no output
> defined. Did you mean output=none?
> Mon Feb 21 12:24:57 2005 : Error: FATAL: Failed to initialize
> semaphore: Function not implemented
> 
> I've seen this error once before with some other package but I couldn't
> remember what was the fix for it. There's some semaphore initialisation
> function which actually returns not implemented.
> 
> in src/main/threads.c I find the code which fails:
> 
>     /*
>      *  Initialize the queue of requests.
>      */
>     rcode = sem_init(&thread_pool.semaphore, 0, SEMAPHORE_LOCKED);
>     if (rcode != 0) {
>         radlog(L_ERR|L_CONS, "FATAL: Failed to initialize semaphore: %s",
>                strerror(errno));
>         exit(1);
>     }
> 
> by the way there is a file /usr/include/semaphore.h
> 
> Anyone having a hint?
> 
> Andreas Fink
> Fink Consulting GmbH
> 
> ---
> Tel: +41-61-332 Fax: +41-61-331  Mobile: +41-79-2457333
> Address: Clarastrasse 3, 4058 Basel, Switzerland
> E-Mail:  [EMAIL PROTECTED]
> Homepage: http://www.finkconsulting.com
> ---
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Justin Guidroz

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to reject/erase a user a day after his/her first login

2005-02-22 Thread Kostas Kalevras
On Tue, 22 Feb 2005, Antonio J. Soler wrote:
> Hello,
> We have set up a radius server to manage user access from a hotel. Users are
> connected via PLC or WiFi. By now, we are using freeradius 1.0.1 running on a
> Debian 3.0 r3, and rlm_mysql module.
> I'd like to know if there is some way to clean a user from the database one
> day after his first connection, or at least reject him.
> What we want is, for example:
> - A user called "user1" is created on January 1st.
> - This user first logs in on January 5th at 11:00 am.
> - We want this user to be rejected (if there is some way to clean him from
> the auth-users database it would be great) from January 6th at 11:00,
> regardless the time he has been logged in. That is: One day after his first
> connection.

Since you're using sql you could do the following. When creating a user, add a 
Post-Auth-Type = set_expire attribute in the user entry. Then create a 
corresponding Post-Auth-Type subsection in the postauth section where you'll 
add two mysql module instances. The first one will take care of removing the 
Post-Auth-Type attribute from the user entry and the second will add an 
Expiration attribute with a calculated value of login_day+1day. You will need to 
edit the postauth_query in the module instances to achieve that. Afterwards, you 
can schedule a cron job which will delete all user accounts with an Expiration 
older than current_time.

> I've been reading info about Expiration item and the rlm_sqlcounter module,
> but they seem to be of no help.
> Thanks in advance,
> --
> Antonio J. Soler
> Admin. de red Plug-On S.L.
> Web: www.plug-on.net
> E-mail: [EMAIL PROTECTED]
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: force eap-type

2005-02-22 Thread Kostas Kalevras
On Tue, 22 Feb 2005, Marc Boisis wrote:
Hello world
I would like to force EAP-Type according to an ldap attribute . That is to 
say between authorize and authenticate.
Is it possible and how ?
I think you just need to map the EAP-Type attribute to an ldap attribute in 
the user entry. That is, something like this:

dn: uid=user,ou=people,dc=company,dc=com
radiuscheckitem: EAP-Type := EAP-TTLS
authorize{
eap
[...]
ldap
}
authenticate{
eap
}

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Digest Authentication Configuration

2005-02-22 Thread Alan DeKok
"M.V. Jaga Mohan" <[EMAIL PROTECTED]> wrote:
> I am using Freeradius1.0.1 with SER 8.0.14. Anybody
> knows how toconfigure Freeradius to do digest
> authentication which is sent by SER. I am using
> Postgresql as my backend.

  FreeRADIUS comes configured to do digest authentication.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP problem with Postgresql

2005-02-22 Thread Alan DeKok
Vincent Chen <[EMAIL PROTECTED]> wrote:
> I am testing freeradius's PEAP these days. If files moudle used, everything
> works well. But something wrong when switch to sql module, here is some log:

  Upgrade to 1.0.2, and see the "safe-characters" configuration item.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap test

2005-02-22 Thread Alan DeKok
Marc-Henri Boisis-Delavaud <[EMAIL PROTECTED]> wrote:
> Hello I want to force my user who have Tunnel-Private-Group-ID =1 in 
> ldap, to use EAP tls authentication
> 
> I have write this in users file
> 
> DEFAULT Tunnel-Private-Group-ID == "1"
> EAP-Type = EAP-TLS,

  EAP-Type belongs on the first line, along with Tunnel-Private-Group-Id.

  If you run the server in debugging mode, it will tell you this.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius 1.0.2 on bsd 4.11

2005-02-22 Thread Andrew D
Hi there,
Running freebsd 4.11 and compiled freeradius from the ports collection 
with support for rlm_perl.

everything compiled alright, but every time I start it (radiusd -X)
I get the following.

 perl: func_xlat = "xlat"
 perl: perl_flags = "(null)"
 perl: func_start_accounting = "(null)"
 perl: func_stop_accounting = "(null)"
DynaLoader object version 1.04 does not match $DynaLoader::VERSION 1.03 
at /usr/libdata/perl/5.00503/DynaLoader.pm line 80.
BEGIN failed--compilation aborted at /etc/raddb/rad_mod.pl line 28.
rlm_perl: perl_parse failed: /etc/raddb/rad_mod.pl not found or has 
syntax errors.
radiusd.conf[837]: pemod: Module instantiation failed.

I have perl 5.6.2 installed (ports collection) and have the following in 
the perl script
require 5.6.2;

Doesn't matter what I do I keep getting the Dynaloader error.
For whatever reason, radiusd wants to load perl 5.00503 instead of perl 
5.6.2

perl, its modules and freeradius were compiled on the box rather than 
using the binary packages from the bsd ftp server.

Just wondering if anyone else has come across it and knows what the 
solution might be?

Cheers
cya
Andrew
--
Network Administrator / Manager
Webzone Internet
1st Floor (Oakley Street Entrance)
167 Grote Street
Adelaide SA, 5000
Phone 1300 303 932
Fax   08 8221 6204
Email [EMAIL PROTECTED]
  [EMAIL PROTECTED]
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 1.0.2 on MacOS X 10.3.8 failing

2005-02-22 Thread Justin Guidroz
Also, FreeRADIUS compiles fine on Mac OS X 10.3.x without the
--disable-shared configuration option.


On Tue, 22 Feb 2005 17:41:42 -0600, Justin Guidroz
<[EMAIL PROTECTED]> wrote:
> Andreas,
> 
> Edit rc.radiusd to have it include the "-s" argument and see if the
> server starts.  There is a patch from Andreas Wolf to allow running
> radiusd without the -s argument on Mac OS X, but I haven't updated it
> to work with 1.0.2.
> 
> Justin
> 
> 
> --
> Justin Guidroz
> 


-- 
Justin Guidroz

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: any check item available while doing EAP/TLS?

2005-02-22 Thread Vincent Chen

Thanks for your response. I am sorry that I didn't make myself clear. For
account "Presario 2135AD", I first created this profile:

"Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
Session-Timeout = 300

As we can see, the request from 10.1.2.5 and the profile say this account should
connect from the AP at 10.1.2.5. Everything matches and the request is accepted.

Then I deleted the above profile and replaced it with this one, trying to limit
this new profile to only have access to another AP at 10.1.3.5.

"Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
Session-Timeout = 300

But when the user who owns the "Presario 2135AD" certificate tried to connect to the AP at
10.1.2.5, freeradius still accepted the connection. Didn't the new profile say the "Presario
2135AD" certificate owner only has access to the AP at 10.1.3.5 now? Why does
freeradius still accept his request from the AP at 10.1.2.5? No matter what I do,
this user can connect to both APs at 10.1.2.5 and 10.1.3.5. I can't limit this
user to connect to only one of these 2 APs.

Any idea?


Vincent Chen

> Hi, all
>
> I don't want my user to get a certificate from me and have access to all of
> our APs. I already tried to add NAS-IP-Address, NAS-Identifier as check
> items but none works. No matter which AP I assign as check item for the
> certificate, they still have access to all our access points. It is not
> very secure, is it?
>
> Here is request log from AP:
> rad_recv: Access-Request packet from host 10.1.2.5:1024, id=171, length=95
> User-Name = "Presario 2135AD"
> NAS-IP-Address = 10.1.2.5
> NAS-Identifier = "AWL500"
> State = 0x520972a7955c03b6ae1090d3b8e32c36
> EAP-Message = 0x022a00060d00
> Message-Authenticator = 0x3e4904287b7a5dfdf7f71e5400bc5f46
>
> I tried these 2 different user profile, they all have full access to all AP.
> Check item NAS-IP-Address seems ignored.
>
> "Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.2.5
> Session-Timeout = 300
>
> "Presario 2135AD"   Auth-Type := EAP, NAS-IP-Address == 10.1.3.5
> Session-Timeout = 300
>
> As you can see, the certificate issued to "Presario 2135AD" is accepted by
> freeradius, no matter which AP it was limited to. It bothered
> me for weeks, did I do anything wrong? Please help!!!
>
>

I don't quite understand what the problem is.  That radius packet came
from 10.1.2.5 and was the Presario 2135AD user, that should match your
first users file line.  Why would you expect it not to match?


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius+LDAP

2005-02-22 Thread anderson souza
Good morning to all!!

I would like to know whether any of the friends on the list know of some
documentation on the freeradius + LDAP implementation, or even a possible
"road of the stones" (step by step) for the configuration on Debian sarge!!!

At once I thank the attention of all...

Att.
Anderson

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius authentication using Windows via ntlm_auth and winbind d

2005-02-22 Thread Jay Ungab
Dear All,

I installed freeradius-1.0.2 successfully under Suse Linux 9.1, and one of the 
features of freeradius is to enable authentication against Windows 2003 via 
ntlm_auth and winbindd. The smbd, nmbd and winbindd are running successfully 
locally. All our Windows domain users can now log in successfully to the Linux 
Suse server. Samba integration using winbindd can authenticate to the Linux Suse 
server.

In radiusd.conf there's a line for ntlm_auth. I modified the entry and tried to 
change it to "ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap-User-Name} --domain=%{nschap:NT-Domain} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" to 
enable it to look to the Windows 2003 domain. I tried to use my users in Windows 
2003 to dial in but so far it has failed. But using a local user can 
successfully log in. Any idea what is wrong in my configuration? And what other 
areas should I check? Please help how to make this authentication work. Attached 
are the debug logs when running "radiusd -X" and during authentication using 
Windows 2003 user lists.

RADIUS DEBUG LOGS:-
papillon:/usr/local/src/freeradius-1.0.2 # /usr/local/freeradius/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius/etc/raddb/eap.conf
Config:   including file: /usr/local/freeradius/etc/raddb/sql.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/usr/local/freeradius/var"
 main: logdir = "/usr/local/freeradius/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
 main: hostname_lookups = yes
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-User-Name} --domain=%{nschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess:

Radius and LDAP

2005-02-22 Thread Lou Moore
All,

I am new to radius. I want to be able to perform basic
802.1X authentication on my network.  I want to
authenticate against my SunOne Directory server.  What
is the simplest radiusd.conf file I can use?  The
passwords are stored in crypt format in LDAP.  I do
not need any logging or other radius features.

Thanks,

Lou




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: force eap-type

2005-02-22 Thread Marc Boisis
Kostas Kalevras wrote:
> On Tue, 22 Feb 2005, Marc Boisis wrote:
>> Hello world
>> I would like to force EAP-Type according to an ldap attribute . That 
>> is to say between authorize and authenticate.
>> Is it possible and how ?
>
> I think you just need to map the EAP-Type attribute to an ldap 
> attribute in the user entry. That is, something like this:
>
> dn: uid=user,ou=people,dc=company,dc=com
> radiuscheckitem: EAP-Type := EAP-TTLS
> authorize{
> eap
> [...]
> ldap
> }
> authenticate{
> eap
> }
>
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
> --
> Kostas Kalevras           Network Operations Center
> [EMAIL PROTECTED]         National Technical University of Athens, Greece
> Work Phone:               +30 210 7721861
> 'Go back to the shadow'   Gandalf
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html


In fact I want to associate the eap-type to the private-group-id attribute, 
like this:
if private-group-id==1
then EAP-Type=EAP-TTLS

if private-group-id==1
then EAP-Type=EAP-PEAP
but the users file is not read between authorize and authenticate.
How can I do it?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MySql Authentication problems

2005-02-22 Thread James Ecker
I am using FreeRadius 1.0.2 with mySql on a Fedora Core3 machine. I am using
the default encryption method. 

I have setup FreeRadius to successfully connect to mySql. I can successfully
enter new users in through the dialup_admin web page, but when I "Check
Password" the response I get, is "NO It is wrong." When I do the radtest the
server responds back to the client with:

Sending Access-Request of id 125 to 192.168.1.104:1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = localhost.localdomain
NAS-Port = 1812
rad_recv: Access-Reject packet from host 192.168.1.104:1812, id=125,
length=20



On the server side:


rad_recv: Access-Request packet from host 192.168.1.104:32769, id=187,
length=56
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'test' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'test' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'test' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 1
modcall: group authorize returns ok for request 1
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [test/test] (from client localhost port 1812)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 187 to 192.168.1.104:32769
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 187 with timestamp 421a8970
Nothing to do.  Sleeping until we see a request.



I am not sure but I believe the problem is in this area: 

modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1

If so, how can I fix the problem?


I realize there must be an encryption setting that is wrong, so any help
with this is greatly appreciated.

James Ecker
MCSE + Internet, CNE, A+, Network+




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Restart Radius

2005-02-22 Thread Abdul Lateef

Hi Guys,

I am in a little trouble. When I modify the users file, I
have to restart the machine to read the files.

Is there any way of restarting radius without restarting
the machine?

I tried using radiusd but it is not reading the modified
files.


Thank You






RE: Restart Radius

2005-02-22 Thread Mitchell, Michael J
Are you on a unix box?

Sending the radiusd process a HUP signal will tell the radius server to
re-read its configuration files.

Or:

/etc/init.d/radiusd restart

Or:

/etc/init.d/radiusd reload

Or wherever your init scripts live...


>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf 
>Of Abdul Lateef
>Sent: Wednesday, 23 February 2005 6:01 PM
>To: freeradius-users@lists.freeradius.org
>Subject: Restart Radius
>
>
>Hi Guys,
>
>I am in a little trouble. When I modify the users file, I have to 
>restart the machine to read the files.
>
>Is there any way of restarting radius without restarting the machine?
>
>I tried using radiusd but it is not reading the modified files.
>
>
>Thank You
>



Re: Undefined symbol with eaptls / freeradius 1.0.1 (debian)

2005-02-22 Thread Paul Hampson
On Wed, Feb 23, 2005 at 10:24:45AM +1100, Tom wrote:
> Thanks very much for your reply I appreciate your help and I've just
> got a couple of followup questions.

> >Just upgrading libtool won't work, as libtool 1.5 requires a more recent
> >version of autoconf than is used in FreeRADIUS 1.0.1.

> >As the above post suggests, try 1.1.0 (eg. CVS head) which builds with

> By 1.1.0 does that mean I should download the radiusd module using
> CVS? (Not sure if you're referring to that or 1.1.0 of something
> else?).

Yeah. 'eg' should have been 'ie'

> >libtool 1.5 and autoconf 2.57 and where PEAP and TTLS _should_ work.
> >(Although I've not tested them myself)

> So the hypothesis is download the CVS "head", re-package+compile it
> and try again?

> Sorry about the relatively simple questions but I didn't know there
> was a version of freeradius higher than 1.0.1 - I guess looking at the
> CVS tree there are a number of files updated there but I'm not sure if
> that constitutes v1.1.0 so I'm a bit lost as to what I'm looking for.

Sorry. Yes, FreeRADIUS 1.1.0 doesn't exist per se, I meant the head
branch of CVS.

You should be able to just grab it from CVS or a snapshot, and
dpkg-buildpackage -us -uc -rfakeroot -b
and get a whole bunch of packages out. I'm considering going to
dpatch in the CVS version, to make it easier to support in Debian,
but I've not got the time to convert yet, and have to upload 1.0.2
to Debian first.

-- 
Paul "TBBle" Hampson, on an alternate email client.
