Re: freeradius conf.
I assume you are using the users file. The simple entry should resemble this:

    murali  Auth-Type := System, User-Password == "murali"
            Reply-Message = "Hello, Murali you are Authenticated! Go ahead!!",
            Service-Type = Login-User,
            Login-Service = Telnet,
            Login-IP-Host = 127.0.0.1,
            Login-TCP-Port <= 65536

Try removing Auth-Type and proceed; it should work.

In case you are searching for the credentials from the system, i.e. the /etc/passwd file or shadow, make sure that you have uncommented the respective entries for your client entry. Ex:

    client 127.0.0.1 {
        . . .
        passwd = /etc/passwd
    }

Hope you should be able to cross your hurdle now ... Otherwise someone else should help us.

Bye
Murali.

Pradeep Nevatia wrote:
> hello can you explain me in detail...where to make change..
>
> Thanks
>
> -----Original Message-----
> From: Murali Krishna G <[EMAIL PROTECTED]>
> To: freeradius-users@lists.freeradius.org
> Date: Fri, 04 Mar 2005 12:24:47 +0530
> Subject: Re: freeradius conf.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Post Proxy Authorize
Hello

We assign VPN profiles based on LDAP group membership and the devices that users enter from. The users are authenticated via an ACE server that we proxy to and get replies from.

In an older version of FreeRadius (0.8.1), the following types of entries in the 'users' file worked by the check-items/etc getting checked during one authorize pass.

    DEFAULT Huntgroup-Name == "Staff-Devices", LDAP-Group == "staff", Proxy-To-Realm := 'ace'
            Class:="OU=staff_vpn;",
            Fall-Through = No

    DEFAULT Huntgroup-Name == "Client-Devices", LDAP-Group == "clients", Proxy-To-Realm := 'ace'
            Class:="OU=client_vpn;",
            Fall-Through = No

The Class attribute was then assigned by another pass through the users file after the home servers returned their result. The current version we are using (1.0.1) also works this way if 'post_proxy_authorize = yes' is set in proxy.conf. However, this means that the LDAP group is unnecessarily checked twice, once during each pass of the 'authorize' section. This is inefficient and takes time.

Is there a better way of assigning the Class attribute so that it can be added to the attributes returned by the ACE server, without traversing the file twice? If 'post_proxy_authorize = no' is set in proxy.conf, LDAP is called only once, but the CLASS attribute does not get returned to the calling NAS.

As there are many such DEFAULT entries (we have a very large number of combinations of user types and NAS types), I couldn't think of a way to do this with rlm_attr_filter or attr_rewrite.

Regards
Re: freeradius conf.
hello can you explain me in detail...where to make change..

Thanks

-----Original Message-----
From: Murali Krishna G <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Date: Fri, 04 Mar 2005 12:24:47 +0530
Subject: Re: freeradius conf.

> Hello,
>
> Check out Stefan's solution for this :: its working for me.
>
> Stefan Winter :
> how about omitting Auth-Type := System? The files section already
> properly authorized your user, but the later checks with Auth-Type System
> led to the failure.
>
> Bye
> Murali.
Re: freeradius conf.
Hello,

Check out Stefan's solution for this :: its working for me.

> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type System
> auth: type "System"

Stefan Winter :
how about omitting Auth-Type := System? The files section already properly authorized your user, but the later checks with Auth-Type System led to the failure.

Bye
Murali.

Pradeep Nevatia wrote:
> dear please help me out where i have to make change & in which conf. files
>
> pradeep..
Re: freeradius conf.
dear please help me out where i have to make change & in which conf. files

pradeep..

-----Original Message-----
From: Doug Hardie <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Date: Wed, 2 Mar 2005 23:12:29 -0800
Subject: Re: freeradius conf.

> > rad_check_password: Found Auth-Type System
> > rlm_unix: [pradeep]: invalid password
>
> You are configured for Unix password validation and the password you
> gave is not the one the system has for that user id.
>
> On Mar 2, 2005, at 23:10, Pradeep Nevatia wrote:
>
> > Dear i haven't solved my problem please help me out..
> >
> > pradeep..
> >
> > Dear
> >
> > Recently I have installed freeradius (freeradius-0.9.3-1.i386.rpm), i have
> > some problem in password auth.
> > i have created new user: pradeep with pass: 123456
> >
> > when i tried to test the auth. enabling debug mode,
> > using command > radtest pradeep 123456 localhost:1812 0 testing123
> >
> > it generates the following message:
> >
> > rad_recv: Access-Request packet from host 127.0.0.1:32783, id=176, length=59
> > User-Name = "pradeep"
> > User-Password = "123456"
> > NAS-IP-Address = 255.255.255.255
> > NAS-Port = 0
> > modcall: entering group authorize for request 1
> > modcall[authorize]: module "preprocess" returns ok for request 1
> > modcall[authorize]: module "chap" returns noop for request 1
> > modcall[authorize]: module "eap" returns noop for request 1
> > rlm_realm: No '@' in User-Name = "pradeep", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop for request 1
> > users: Matched DEFAULT at 152
> > modcall[authorize]: module "files" returns ok for request 1
> > modcall[authorize]: module "mschap" returns noop for request 1
> > modcall: group authorize returns ok for request 1
> > rad_check_password: Found Auth-Type System
> > auth: type "System"
> > modcall: entering group authenticate for request 1
> > rlm_unix: [pradeep]: invalid password
> > modcall[authenticate]: module "unix" returns reject for request 1
> > modcall: group authenticate returns reject for request 1
> > auth: Failed to validate the user.
> > Delaying request 1 for 1 seconds
> > Finished request 1
> >
> > Please help me where i have made mistake in conf.
> >
> > Regards
> > Pradeep..
Re: Reload NAS table on freeradius after record update
> Thinking of something..
> If the NAS list is checked from time to time, the restart might not be
> required...
>
> Am I dreaming somehow?

No, you're not dreaming, but currently the NAS list is only read at startup (or HUP)...
ippool From the Connecting NAS
Greeting,

I've a few IP pools, and for better control I would like to know if there is a way to assign IP addresses according to the NAS connected.

What is the correct way to do it?

Is there a way to add another subnet into one pool OR do I have to have one subnet per pool?

And what about ippool fail over ;)

Regards,
Chan Min Wai
Re: Reload NAS table on freeradius after record update
Alan DeKok wrote:
> "Luca Lafranchi" <[EMAIL PROTECTED]> wrote:
>
> > Mmmhh... with a HUP signal the radius server reloads the config data, but
> > the server may drop a few authentication requests at that time...
>
> No, it won't.
>
> Alan DeKok.

Thinking of something..
If the NAS list is checked from time to time, the restart might not be required...

Am I dreaming somehow?

Regards.
Chan Min Wai
500 Cool points to whoever can help me!! No Lie!
Here's my situation. Our business runs Active Directory, and we have a huge assortment of Cisco products. I want to run FreeRADIUS on my Debian box for AAA so we can authenticate and do accounting on our network (WAPs, firewalls, VPNs, etc.). I know that FreeRADIUS can use LDAP to connect to AD for the user account database. Does anyone have a guide, or links to something like my situation?

Please help, I swear you'll get those 500 cool points.

-Cory
Re: Supported password types [mysql authorization]
Nick Bright wrote:
> Alan DeKok wrote:
> > Nick Bright <[EMAIL PROTECTED]> wrote:
> > > I'm having trouble coming up with anything on google about this. Does it
> > > help to say that the passwords stored in /etc/shadow appear to be
> > > MD5Crypt passwords? They all start with $1$ . . .
> >
> > Then using those passwords in Crypt-Password should work.
> >
> > Alan DeKok.
>
> I must have something else set incorrectly then, because I'm still getting
> the error about user supplied password not matching the password in the
> database - yet if i change the password in the database (and nothing else, I
> left it as Crypt-Password) it matches successfully and approves the request.

Sorry, that wasn't exactly clear. If I change the password in the database to be the clear text password instead of the MD5Crypt password, leaving all else the same, it approves the request.
RE: radsqlrelay for 1.0.2
Hi Bart,

On Thu, 2005-03-03 at 15:36 +0100, Bart Van Daal wrote:
> Hi Nicolas, hi Roy,
>
> Nicolas I'm currently using your radsqlrelay.c with the 1.0.2 release and
> I've patched the makefile. I'm very new to this whole patching and
> code-hacking thing. I'm getting the following error message while making
> radsqlrelay:
>
> thanks for any pointers how to compile radsqlrelay.

The patches were already committed on the current CVS. You may try building from it. I've done some stress tests on the version and it looks OK so far.

Regards,
Roy
Re: Supported password types [mysql authorization]
Alan DeKok wrote:
> Nick Bright <[EMAIL PROTECTED]> wrote:
> > I'm having trouble coming up with anything on google about this. Does it
> > help to say that the passwords stored in /etc/shadow appear to be
> > MD5Crypt passwords? They all start with $1$ . . .
>
> Then using those passwords in Crypt-Password should work.
>
> Alan DeKok.

I must have something else set incorrectly then, because I'm still getting the error about user supplied password not matching the password in the database - yet if i change the password in the database (and nothing else, I left it as Crypt-Password) it matches successfully and approves the request.
Re: Supported password types [mysql authorization]
Nick Bright <[EMAIL PROTECTED]> wrote:
> I'm having trouble coming up with anything on google about this. Does it
> help to say that the passwords stored in /etc/shadow appear to be
> MD5Crypt passwords? They all start with $1$ . . .

Then using those passwords in Crypt-Password should work.

Alan DeKok.
Re: Supported password types [mysql authorization]
Alan DeKok wrote:
> Nick Bright <[EMAIL PROTECTED]> wrote:
> > At this point, the output of radiusd -X has now changed (for the better
> > I think). It's identifying the user properly in SQL now and getting the
> > error:
> >
> > "auth user supplied User-Password does NOT match local User-Password"
>
> Does your system support MD5-crypt authentication? See "man crypt"
>
> Alan DeKok.

After looking at that man page, I think that the problem is likely that the system does /not/ support MD5-crypt authentication - there are no mentions of md5 anywhere in the man page of crypt. I will investigate this further.

I'm having trouble coming up with anything on google about this. Does it help to say that the passwords stored in /etc/shadow appear to be MD5Crypt passwords? They all start with $1$ . . .

As an aside, I'm using White Box Enterprise Linux.
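Whether a libc's crypt(3) understands $1$ hashes is exactly what Alan's "man crypt" hint is about; the block below is an added example (not from this thread and not FreeRADIUS code) that reimplements the MD5-crypt scheme in pure Python and checks a shadow-style $1$ value the way a Crypt-Password comparison would, so a hash copied out of /etc/shadow can be tested independently of the system library. The function names md5crypt and verify_crypt_password are this example's own, and the demo hash is the widely published crypt() reference vector for the password "rasmuslerdorf", not a real account.

```python
"""Pure-Python MD5-crypt ($1$) verifier (added example, not FreeRADIUS code).

Reimplements the $1$ scheme from the original FreeBSD crypt-md5 so that a
shadow-style hash can be checked even on a libc whose crypt(3) lacks MD5
support, which is the failure mode discussed in the thread above.
"""
import hashlib
import hmac

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: little-endian, 6 bits per output character."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """Return the full "$1$<salt>$<hash>" string; salt is at most 8 bytes."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]

    # Outer context: password, magic, salt ...
    ctx = hashlib.md5(password + MAGIC + salt)
    # ... then len(password) bytes taken from MD5(password + salt + password).
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # The historical "weird" step: one byte per bit of len(password),
    # a NUL byte for a 1 bit and the first password byte for a 0 bit.
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the scheme's fixed mixing pattern.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    # Byte shuffle and crypt-base64 encoding of the 16-byte digest.
    encoded = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return MAGIC + salt + b"$" + encoded


def verify_crypt_password(candidate: str, stored: str) -> bool:
    """Check a User-Password candidate against a Crypt-Password value.

    Only $1$ hashes are handled; any other format is rejected rather than
    guessed at, and the final comparison is constant-time.
    """
    stored_b = stored.encode()
    if not stored_b.startswith(MAGIC):
        return False
    salt = stored_b[len(MAGIC):].split(b"$", 1)[0]
    return hmac.compare_digest(md5crypt(candidate.encode(), salt), stored_b)


# Constructed demo value: the published crypt() example vector, not a real account.
DEMO_HASH = "$1$rasmusle$rISCgZzpwk3UhDidwXvin0"

if __name__ == "__main__":
    print("correct password:", verify_crypt_password("rasmuslerdorf", DEMO_HASH))
    print("wrong password:  ", verify_crypt_password("123456", DEMO_HASH))
```

If this verifier accepts a hash that the server rejects, the libc crypt(3) is the missing piece rather than the SQL configuration.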
RE: MS-CHAP2-Response is incorrect
Hi,

I am having troubles too. I have the same environment. I am using Poptop with the latest ppp-2.4.3, and I get an error while pppd is reading dictionary.microsoft. The first attribute is MS-CHAP-Response and the error appears on that line. I am using SuSE 9.2 on a 64bit AMD system. I have my users in a LDAP directory, but radtest never fails, and I also have sambaNTpassword attributes for my users.

Any ideas??

Besides – the freeRadius package was broken on SuSE 9.1 (64bit) and I lost 3 weeks just seeking for the source of the failure...

Regards,
Edvin Seferovic

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeYoung, Brandon
Sent: Friday, 04 March 2005 01:32
To: freeradius-users@lists.freeradius.org
Subject: MS-CHAP2-Response is incorrect
MS-CHAP2-Response is incorrect
Hi All,

I am running FreeRADIUS Version 1.0.0 on Suse 9.2 Pro to provide 802.1x authentication for wireless users. I have PEAP / MSChap V2 working from my Windows XP clients utilizing ntlm_auth as well as local users in the /etc/raddb/users file. I am attempting to add hand held clients running Win CE 4.2 with the Aegis 2.1.2 client. I initially had a TLV error in radiusd’s debug output; this was solved by setting use_mppe = no in /etc/raddb/radiusd.conf. The error I am now getting is this:

---snip---
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 75
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 75
modcall: group Auth-Type returns reject for request 75
---snip---

I’m thinking it’s a client-side bug, but was wondering even if this is the case whether or not there was a work-around on the server side.

Thanks in advance!
~Brandon

Users file:
---snip---
test    User-Password == "testing", MS-Chap-Use-NTLM-Auth := 0

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
---snip---

radiusd.conf (I tried to cut out relevant portions)
---snip---
eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        tls {
                private_key_password = "this is a secret"
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

mschap {
        use_mppe = no
        with_ntdomain_hack = no
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
---snip---

Full debug output:
rad_recv: Access-Request packet from host 43.191.112.164:21650, id=200, length=264
        User-Name = "test"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8fda.481c"
        Calling-Station-Id = "00a0.f860.1949"
        Message-Authenticator = 0x52f1752456aab0d1b43e5790012896c8
        EAP-Message = 0x0208008019001703010020f08caa6e5c14a57351962cdcf393ac89eab0df4b964ad2ae1b073b7a7ad73020170301005021305f63d314665895b400f1bdc073352791c4d9beb1d142db8b7929210e69dea87a46c5bc9f4548471dde9eaf4dfeaddc60f1dc729bf5296c98e0414fa2c82523410bc1c4f5e97f09cc9bc634543f08
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 321
        State = 0x95e558bf10568d557b5155bff9f6a189
        Service-Type = Framed-User
        NAS-IP-Address = 43.191.112.164
        NAS-Identifier = "SDB5Test"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 75
  modcall[authorize]: module "preprocess" returns ok for request 75
  modcall[authorize]: module "chap" returns noop for request 75
  modcall[authorize]: module "mschap" returns noop for request 75
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 75
    rlm_realm: No '\' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 75
  rlm_eap: EAP packet type response id 8 length 128
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 75
    users: Matched test at 93
  modcall[authorize]: module "files" returns ok for request 75
modcall: group authorize returns updated for request 75
  rad_chec
Re: Supported password types [mysql authorization]
Nick Bright <[EMAIL PROTECTED]> wrote:
> At this point, the output of radiusd -X has now changed (for the better
> I think). It's identifying the user properly in SQL now and getting the
> error:
>
> "auth user supplied User-Password does NOT match local User-Password"

Does your system support MD5-crypt authentication? See "man crypt"

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Supported password types [mysql authorization]
Of significant note, if I change

id 3 username user, attribute Crypt-Password, op :=, value

to

id 3 username user, attribute Crypt-Password, op :=, value

it authenticates the user properly. Odd, eh?

- Nick

On Thu, 2005-03-03 at 16:45, Nick Bright wrote:
> On Thu, 2005-03-03 at 16:14, Alan DeKok wrote:
> > Nick Bright <[EMAIL PROTECTED]> wrote:
> > > What I would like to do is be able to use MD5 passwords.
> >
> > I think they're MD5-crypt'd passwords. Do they have $1$ at the
> > start? If so, they're not just MD5 hashes.
>
> Uh yes, it is the MD5-crypt'd password (it has $1$ at the start)
>
> > > radcheck:
> > >
> > > id 3, username user, attribute Password, op ==, value
> >
> > Which doesn't match the password in the request.
>
> Sorry, I think I wasn't clear with this. I copied the password of a user
> out of /etc/shadow and pasted it into the value for this user. That is
> what I need to be able to authenticate against.
>
> > If the passwords do have $1$ at the start, then change radcheck to
> > say:
> >
> > id 3 username user, attribute Crypt-Password, op :=, value
> >
> > You should set Auth-Type := Local for this to work.
> >
> > Alan DeKok.
>
> Ok, I removed all references in the database to MD5, basically put it
> back how it was working with my plain-text passwords. I'm using the same
> radgroupcheck line for plain text AND md5 now. (Auth-Type := Local)
>
> Now, after doing that I set the attribute in radcheck for the user to
> Crypt-Password and changed the op to := as you suggested.
>
> At this point, the output of radiusd -X has now changed (for the better
> I think). It's identifying the user properly in SQL now and getting the
> error:
>
> "auth user supplied User-Password does NOT match local User-Password"
>
> I'm not exactly sure where to proceed from here. If it helps, the point
> of all this is that I need to import /etc/shadow from one computer to
> the SQL database on my radius server, and have the users authenticate.
>
> Thanks for your help Alan, I appreciate it.
--
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
RE: rlm_mschap: No User-Password configured. Cannot create LM-Password.
ocess (preprocess) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (reply_log) Listening on authentication *:1645 Listening on accounting *:1646 Listening on proxy *:1647 Ready to process requests. 
rad_recv: Access-Request packet from host 158.97.150.22:21660, id=252, length=128 User-Name = "luisvi" Framed-MTU = 1400 Called-Station-Id = "000e.d7b0.f761" Calling-Station-Id = "0004.237c.b8c6" Message-Authenticator = 0x3681f59b614651995891d9681d88bc90 EAP-Message = 0x0202000b016c7569737669 NAS-Port-Type = Wireless-802.11 NAS-Port = 384 Service-Type = Framed-User NAS-IP-Address = 158.97.150.22 NAS-Identifier = "ap-dt" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/158.97.150.22/auth-detail-20050303' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/158.97.150.22/auth-detail-20050303 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "luisvi", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched DEFAULT at 166 users: Matched DEFAULT at 170 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for luisvi radius_xlat: '(uid=luisvi)' radius_xlat: 'dc=cicese,dc=mx' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=cicese,dc=mx, with filter (uid=luisvi) rlm_ldap: looking for check items in directory... 
rlm_ldap: looking for reply items in directory... rlm_ldap: user luisvi authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 252 to 158.97.150.22:21660 EAP-Message = 0x010300061520 Message-Authenticator = 0x State = 0x55ab7eb308ce236bfd16d117dcfcfa99 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_
rlm_mschap: No User-Password configured. Cannot create LM-Password.
proxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (reply_log) Listening on authentication *:1645 Listening on accounting *:1646 Listening on proxy *:1647 Ready to process requests. 
rad_recv: Access-Request packet from host 158.97.150.22:21660, id=252, length=128 User-Name = "luisvi" Framed-MTU = 1400 Called-Station-Id = "000e.d7b0.f761" Calling-Station-Id = "0004.237c.b8c6" Message-Authenticator = 0x3681f59b614651995891d9681d88bc90 EAP-Message = 0x0202000b016c7569737669 NAS-Port-Type = Wireless-802.11 NAS-Port = 384 Service-Type = Framed-User NAS-IP-Address = 158.97.150.22 NAS-Identifier = "ap-dt" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/158.97.150.22/auth-detail-20050303' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/158.97.150.22/auth-detail-20050303 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "luisvi", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched DEFAULT at 166 users: Matched DEFAULT at 170 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for luisvi radius_xlat: '(uid=luisvi)' radius_xlat: 'dc=cicese,dc=mx' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as / to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=cicese,dc=mx, with filter (uid=luisvi) rlm_ldap: looking for check items in directory... 
rlm_ldap: looking for reply items in directory... rlm_ldap: user luisvi authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 252 to 158.97.150.22:21660 EAP-Message = 0x010300061520 Message-Authenticator = 0x State = 0x55ab7eb308ce236bfd16d117dcfcfa99 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 158.97.150.22:21660, id=253, length=141 User-Name = "luisvi" Framed-MTU = 1400 Called-Station-Id = "000e.d7b0.f761" Calling-Station-Id = "0004.237c.b8c6" Message-Authenticator = 0xef6ff85b5023f8a85ccfc1e8e81f7def EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 384 State = 0x55ab7eb308ce236bfd16d117dcfcfa99 Service-Type = Framed-User NAS-IP-Address = 158.97.150.22 NAS-Identifier = "ap-dt" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1
Re: Supported password types [mysql authorization]
On Thu, 2005-03-03 at 16:14, Alan DeKok wrote:
> Nick Bright <[EMAIL PROTECTED]> wrote:
> > What I would like to do is be able to use MD5 passwords.
>
> I think they're MD5-crypt'd passwords. Do they have $1$ at the
> start? If so, they're not just MD5 hashes.

Uh yes, it is the MD5-crypt'd password (it has $1$ at the start)

> > radcheck:
> >
> > id 3, username user, attribute Password, op ==, value
>
> Which doesn't match the password in the request.

Sorry, I think I wasn't clear with this. I copied the password of a user out of /etc/shadow and pasted it into the value for this user. That is what I need to be able to authenticate against.

> If the passwords do have $1$ at the start, then change radcheck to
> say:
>
> id 3 username user, attribute Crypt-Password, op :=, value
>
> You should set Auth-Type := Local for this to work.
>
> Alan DeKok.

Ok, I removed all references in the database to MD5, basically put it back how it was working with my plain-text passwords. I'm using the same radgroupcheck line for plain text AND md5 now. (Auth-Type := Local)

Now, after doing that I set the attribute in radcheck for the user to Crypt-Password and changed the op to := as you suggested.

At this point, the output of radiusd -X has now changed (for the better I think). It's identifying the user properly in SQL now and getting the error:

"auth user supplied User-Password does NOT match local User-Password"

I'm not exactly sure where to proceed from here. If it helps, the point of all this is that I need to import /etc/shadow from one computer to the SQL database on my radius server, and have the users authenticate.

Thanks for your help Alan, I appreciate it.
--
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
Re: Supported password types [mysql authorization]
Nick Bright <[EMAIL PROTECTED]> wrote:
> What I would like to do is be able to use MD5 passwords.

I think they're MD5-crypt'd passwords. Do they have $1$ at the start? If so, they're not just MD5 hashes.

> radcheck:
>
> id 3, username user, attribute Password, op ==, value

Which doesn't match the password in the request.

If the passwords do have $1$ at the start, then change radcheck to say:

id 3 username user, attribute Crypt-Password, op :=, value

You should set Auth-Type := Local for this to work.

Alan DeKok.
Re: How to verify user by "Calling-Station-Id" (formaly MAC addres)
On Thu, 03 Mar 2005 12:07:53 +0100, kolargol <[EMAIL PROTECTED]> wrote:
> [heavy pre and post snippage]
> How to verify user by "Calling-Station-Id" (beside MS-CHAPv2/PEAP auth).

I'm trying to do the same for new accounts. If the username is in the 'verifyCallerIdOnce' table (my simple custom table), verify at least one record matches the caller id connecting. Upon a match, proceed to normal authentication. Upon authentication, delete all rows matching that user (to remove caller id restrictions for that user).

I assume/hope someone has used, or uses, some form of call verification like this. My intention is to validate online sign ups for dial up accounts, and require one of the phone numbers on record connects to the account. (after that, it's unrestricted).

Thank you,

Scott Edwards
--
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
Re: Supported password types [mysql authorization]
After posting I continued looking into the problem, and searching the list archives, and discovered that I really did not ask the right question.

What I would like to do is be able to use MD5 passwords. I've configured my radiusd.conf and database properly, as near as I can tell, but it isn't working. The output of "radiusd -X" is:

rad_recv: Access-Request packet from host 64.254.34.5:1025, id=251, length=116
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "password"
        NAS-IP-Address = 64.254.34.5
        NAS-Port = 20205
        NAS-Port-Type = Async
        State = 0x
        Calling-Station-Id = "6203312503"
        Called-Station-Id = "3162606719"
        Acct-Session-Id = "424765938"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius/radacct/64.254.34.5/auth-detail-20050303'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/64.254.34.5/auth-detail-20050303
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "realm" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "realm"
    rlm_realm: Adding Stripped-User-Name = "user"
    rlm_realm: Proxying request from user user to realm realm
    rlm_realm: Adding Realm = "realm"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
radius_xlat: 'user'
rlm_sql (sql): sql_set_user escaped user --> 'user'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'user' AND Active = 1 ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'user' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [user]
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
My configuration file, relevant lines only:

modules {
        pap {
                encryption_scheme = crypt
        }
        pap md5 {
                encryption_scheme = md5
        }
}

authenticate {
        Auth-Type MD5 {
                md5
        }
        Auth-Type PAP {
                pap
        }
}

My database tables, relevant lines only:

radgroupcheck:
id 10, groupname MD5, attribute Auth-Type, op :=, Value MD5
id 11, groupname MD5, attribute Service-Type, op ==, Value Framed-User
^^^ added id #11 at the recommendation of another mailing list post from 2003

radcheck:
id 3, username user, attribute Password, op ==, value

Now the odd part here is that it's basically saying it can't find the username in the database (it's there). Now, get this, if I change radgroupcheck id 10's Value back to "Dialup" (which was working fine before I did this) it still didn't work, but when I removed the Auth-Type MD5 from the configuration file, everything went back to normal!

I'm scratchin my ass on this one, I clearly have no idea what to do, and none of this is documented anywhere. So far I've been pretty excited about this software. Very customizable and highly extensible. My one complaint? There's nearly ZERO documentation on how to do that customization. This project REALLY needs a wiki or something.

On Thu, 2005-03-03 at 15:11, Alan DeKok wrote:
> Nick Bright <[EMAIL PROTECTED]> wrote:
> > I'm using mysql for authorization, and have made everything work
> > wonderfully with plain text passwords. I'd like to find out, though,
> > what password
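The check Alan describes in this thread (a `$1$` hash copied out of /etc/shadow, stored as a Crypt-Password check item and compared by the pap module) can be reproduced outside the server. The following is an added example, not code from the thread or from FreeRADIUS: a pure-Python MD5-crypt (the `$1$` scheme that crypt(3) produces on the RedHat 9 box Nick mentions), a verifier that does what a Crypt-Password comparison does, and a helper that turns a shadow line into the radcheck row Alan suggested, skipping locked accounts. The user name `alice` and the shadow line are constructed for the demo around a published MD5-crypt test vector for the password "password".

```python
"""Verify /etc/shadow-style $1$ (MD5-crypt) hashes and build radcheck rows.

Added example for the 'Supported password types' thread; it is not code from
FreeRADIUS or from the thread.  The algorithm is Poul-Henning Kamp's MD5-crypt,
which is what crypt(3) returns for hashes beginning with "$1$" and therefore
what a Crypt-Password check item is compared against.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, length):
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Return "$1$<salt>$<hash>" for password; salt may be a full hash string."""
    if isinstance(password, str):
        password = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8].encode()       # at most 8 salt characters

    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                              # len(password) bytes of alt
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bit = len(password)
    while bit:                                        # one byte per bit of the length
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                             # the deliberately slow part
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()

    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + out


def check_crypt_password(password, stored):
    """What a Crypt-Password check does: re-hash with the stored salt and compare."""
    if not stored.startswith("$1$"):
        raise ValueError("only $1$ (MD5-crypt) hashes are handled here")
    return hmac.compare_digest(md5_crypt(password, stored), stored)


def shadow_to_radcheck(shadow_line):
    """One /etc/shadow line -> (username, attribute, op, value) radcheck row,
    or None for locked ('!'/'*') or passwordless accounts, which must not be imported."""
    user, hashed = shadow_line.split(":")[:2]
    if not hashed or hashed[0] in "!*":
        return None
    return (user, "Crypt-Password", ":=", hashed)


# Constructed sample line in shadow(5) format: user "alice" with the hash of
# "password" (a published MD5-crypt test vector).
SAMPLE_SHADOW = "alice:$1$3azHgidD$SrJPt7B.9rekpmwJwtON31:12845:0:99999:7:::"

if __name__ == "__main__":
    row = shadow_to_radcheck(SAMPLE_SHADOW)
    print("radcheck row:", row)
    print("correct password accepted:", check_crypt_password("password", row[3]))
    print("wrong password accepted:", check_crypt_password("wrong", row[3]))
```

The row uses `:=` rather than `==` because the hash is a value the pap module reads, not something compared against the request, which is the point of Alan's correction to the `Password ==` row in the earlier message.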
more detailed sql logging
Excuse me if this has already been discussed but I couldn't find anything after searching...

I have FR successfully up and running. I have it "logging" through sql, and authenticating through ldap. How do I go about getting more detailed logs out of FR through sql? Currently it is only logging to postauth_table and is therefore only showing successful logins. I need it to log to authcheck_table (radcheck) to see if people are failing to login properly. These are being sent to the logfile but not to sql.

I have broken down the sql config files but they don't seem to have any insert statements into the radcheck sql table. Do I have to write these myself? Or is it more simplistic than that? Can you do this when separating the authentication mechanism from sql?

Thanks in advance.

Kris
Re: Cisco WDS, WLSE and FreeRADIUS (SOLUTION!)
Hi folks, just to report back that I did eventually get this working. Thanks again for your suggestions/advice! Here's a summary of what I had to do... Not saying that this is all necessary or correct, but it worked for me :-)

First you need to have your APs talking Cisco WDS to each other. I made one of my loaned APs into a WDS master, so my config looked like this on the WDS slave APs:

wlccp ap username slave1 password 7 XX

And this on the WDS master AP:

aaa group server radius FOO
 server-private 1.2.3.4 auth-port 1812 acct-port 1813 key 7
aaa authentication login FOO group FOO
aaa authorization network FOO group FOO
wlccp ap username slave1 password 7 XX
wlccp authentication-server infrastructure FOO
wlccp wds priority 254 interface BVI1
wlccp wnm ip address 4.3.2.1

The master WDS will try to authenticate the slave APs and the WLSE via the RADIUS server and secret specified in FOO. It seems that you need to put the "wlccp ap username" clause in on the master. I don't see the slave APs or the WLSE contacting the RADIUS server, although I think you can do WLSE Web user interface authentication via RADIUS if you really want to.

The APs and the WLSE have entries in the 'users' file on the RADIUS server which look like this:

slave1 User-Password == "X"

I actually put a separate user name and password in for each of the APs and the WLSE, but you probably don't need to do this. If you're having problems, it should be easier to debug this way.

You'll need to include your WDS master AP(s) in the RADIUS clients.conf, as per:

client 1.2.3.4 {
        secret = X
        shortname = XX
        nastype = other
}

I'm not sure whether the 'shortname' field has to be filled in. I set this to be the same as my AP hostname as configured in IOS.

My eap.conf looks like this:

eap {
        default_eap_type = leap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        mschapv2 {
        }
}

And my radiusd.conf has:

instantiate {
        exec
        expr
}
authorize {
        preprocess
        eap
        files
}
authenticate {
        eap
}
preacct {
        preprocess
        acct_unique
        files
}
accounting {
        detail
        radutmp
}
session {
        radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
        eap
}

I also defined "with_cisco_vsa_hack = yes" in the preprocess section.

Now, the above is fine for the WDS side of things, but the WLSE side needs the hack from Richard Timsit, i.e.

http://lists.cistron.nl/pipermail/freeradius-users/2004-September/035796.html

But note Richard's advice that it may need to be tweaked a little for your installation:

> Once the patch applied, see the log and find such lines :
> rlm_eap_leap: Stage 6
> rlm_eap: RT Modif EAP-Type = 17 EAP-LENGTH = XX
>
> If XX not equal to 30, modify the test of the patch eap.c accordingly.

Will see if my contacts at Cisco can pass on this info to the developers of the WLSE, as they should be able to fix the problem easily...

Cheers,
Martin
Re: Supported password types [mysql authorization]
Nick Bright <[EMAIL PROTECTED]> wrote:
> I'm using mysql for authorization, and have made everything work
> wonderfully with plain text passwords. I'd like to find out, though,
> what password types are supported for the mysql authorization system.

None. :) The MySQL module doesn't look at, or use passwords. Instead, it pulls RADIUS attributes out of the database, and adds them to the request.

> What I'd really like to know is what password types are supported
> through this mechanism? Is there a list somewhere?

In the latest CVS snapshots, see "man rlm_pap", which lists the password types it supports.

> If I could simply put the users in with "md5-Password" and slap in their
> md5'd password, that'd make my life really easy :)

In the CVS head, that should work.

Alan DeKok.
Supported password types [mysql authorization]
I'm using mysql for authorization, and have made everything work wonderfully with plain text passwords. I'd like to find out, though, what password types are supported for the mysql authorization system.

On the notes page referred to in the documentation (http://www.frontios.com/freeradius-old.html) it mentions using "Crypt-Password" to use unix Crypt()'d passwords, however it didn't work when I tried it.

What I'd really like to know is what password types are supported through this mechanism? Is there a list somewhere?

The reason I'm asking is related to the password-learning question I posted the other day. I can't get clear-text passwords, because the previous maintainer simply used PAM against system accounts for his authentication. Since he's using RedHat 9, that means his passwords are md5'd as opposed to Crypt()'d. If I could simply put the users in with "md5-Password" and slap in their md5'd password, that'd make my life really easy :)
--
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net
Re: EAP-TLS: "check_cert_cn" does not work?
That's what CRLs are for. There is support for CRLs in FreeRADIUS now, so you can revoke the certs you no longer want used.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Manuel Schmitz wrote:
> Thank you very much. :-)
>
> I simply need a way to "turn off" certificates. Is there a possibility to reject single certificates? I would like to provide a file containing a list of certs to deny. Is that possible?
>
> --Manuel
>
> > No, the only thing that check_cert_cn does is make sure that the CN in the certificate matches the User-Name attribute in the RADIUS request. It's basically just a sanity/security check on the request itself. It does *not* go looking on other autz sources for you. It is up to you to decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that user to authenticate. If you do nothing, the user will be allowed to authenticate by default. If, for some reason, you decide you don't want a user to be allowed to authenticate, you must specifically reject him.
> >
> > --Mike
> >
> > ---
> > Michael Griego
> > Wireless LAN Project Manager
> > The University of Texas at Dallas
> >
> > Manuel Schmitz wrote:
> > > Hello,
> > >
> > > as far as I have understood, the "check_cert_cn" switch in raddb/eap.conf forces the certificate's Common Name to be in the raddb/users file. Otherwise the request will be rejected.
> > >
> > > Now I've commented out the whole raddb/users file but the radius doesn't reject any request.
> > >
> > > I am running a WLAN with EAP-TLS authentication and need to "switch off" single certificates.
> > >
> > > --Manuel Schmitz
Re: EAP-TLS: "check_cert_cn" does not work?
Thank you very much. :-)

I simply need a way to "turn off" certificates. Is there a possibility to reject single certificates? I would like to provide a file containing a list of certs to deny. Is that possible?

--Manuel

> No, the only thing that check_cert_cn does is make sure that the CN in
> the certificate matches the User-Name attribute in the RADIUS request.
> It's basically just a sanity/security check on the request itself. It
> does *not* go looking on other autz sources for you. It is up to you to
> decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that
> user to authenticate. If you do nothing, the user will be allowed to
> authenticate by default. If, for some reason, you decide you don't want
> a user to be allowed to authenticate, you must specifically reject him.
>
> --Mike
>
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
>
> Manuel Schmitz wrote:
> > Hello,
> >
> > as far as I have understood, the "check_cert_cn" switch in raddb/eap.conf
> > forces the certificate's Common Name to be in the raddb/users file.
> > Otherwise the request will be rejected.
> >
> > Now I've commented out the whole raddb/users file but the radius doesn't
> > reject any request.
> >
> > I am running a WLAN with EAP-TLS authentication and need to "switch off"
> > single certificates.
> >
> > --Manuel Schmitz
RE: Ip pool management
Ok it works with:

DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
        Framed-Protocol = PPP,
        Framed-MTU = 576

Thanks a lot for your help.

Kind Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
> Sent: Thursday, 3 March 2005 17:41
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Ip pool management
>
> "Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> > The problem is that it is complaining:
> > rlm_ippool: could not find Pool-Name attribute
>
> The *module* is printing that message because the Pool-Name
> attribute is not found in the list of check items.
>
> > For my *newbie* understanding, if the Pool-name is a check item it
> > should be in the request I get from my clients.
>
> No. Nothing in the server documentation would lead you to that
> conclusion. The documentation would lead you to the *correct*
> conclusion, which is that the "check" items are not the
> "request" items.
>
> Alan DeKok.
Re: EAP-TLS: "check_cert_cn" does not work?
No, the only thing that check_cert_cn does is make sure that the CN in the certificate matches the User-Name attribute in the RADIUS request. It's basically just a sanity/security check on the request itself. It does *not* go looking on other autz sources for you. It is up to you to decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that user to authenticate. If you do nothing, the user will be allowed to authenticate by default. If, for some reason, you decide you don't want a user to be allowed to authenticate, you must specifically reject him.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Manuel Schmitz wrote:
> Hello,
>
> as far as I have understood, the "check_cert_cn" switch in raddb/eap.conf forces the certificate's Common Name to be in the raddb/users file. Otherwise the request will be rejected.
>
> Now I've commented out the whole raddb/users file but the radius doesn't reject any request.
>
> I am running a WLAN with EAP-TLS authentication and need to "switch off" single certificates.
>
> --Manuel Schmitz
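Mike's two points in this thread, that check_cert_cn only compares the certificate's CN with the RADIUS User-Name, and that switching off an issued certificate is a job for a CRL, can be tried against a throwaway CA. The script below is an added example, not code from the thread or from FreeRADIUS: it drives the openssl command line to build a CA, issue a client certificate whose CN is a user name, check that CN against a User-Name the way check_cert_cn does, and then revoke the certificate and show that CRL checking rejects it while an unrevoked certificate still passes. The CA name, the user `alice` and the temporary directory are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): a throwaway CA that
# demonstrates (1) the CN == User-Name comparison that check_cert_cn does,
# which authorizes nothing by itself, and (2) revoking one certificate via a
# CRL so that chain validation with CRL checking rejects it.
# "Example CA", "alice" and the temp directory are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir newcerts
: > index.txt
echo 1000 > serial
echo 01 > crlnumber

# Minimal config for "openssl ca" (issuing, revoking, CRL generation).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca.pem
private_key = ./ca.key
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

# Self-signed CA key and certificate.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example CA" -addext "basicConstraints=critical,CA:TRUE" \
  -keyout ca.key -out ca.pem 2>/dev/null

# Issue a client certificate whose CN is the user's RADIUS User-Name ($1).
issue_cert() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.pem" 2>/dev/null
}

# Print the CN of a certificate file.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Equivalent of check_cert_cn: the CN must equal the supplied User-Name.
check_cert_cn() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Chain validation with CRL checking; succeeds only while the cert is not revoked.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" >/dev/null 2>&1
}

# Revoke a certificate and publish a fresh CRL.
revoke_cert() {
  openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

issue_cert alice
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # initial (empty) CRL

echo "CN of alice.pem: $(cert_cn alice.pem)"
check_cert_cn alice.pem alice && echo "check_cert_cn alice: match"
verify_with_crl alice.pem && echo "before revocation: valid"
revoke_cert alice.pem
verify_with_crl alice.pem || echo "after revocation: rejected by CRL check"
```

The two checks are independent: a certificate can pass the CN comparison and still be rejected by the CRL, and the CN comparison says nothing about whether that user is allowed in, which is the authorization decision Mike says must be made elsewhere.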
Re: adding module
Marc-Henri Boisis-Delavaud <[EMAIL PROTECTED]> wrote:
> is it possible to compile version 1.0.1 with new module like rlm_policy ,
> if yes, how can i do it ?

Perhaps. Copy the rlm_policy directory from a CVS snapshot to 1.0.x, and do:

$ ./configure --with-experimental-modules
$ make
$ make install

You may have to edit the module source, though, as some things in the server may have changed...

Alan DeKok.
Re: Advanced Proxy
Armin Ranjbar <[EMAIL PROTECTED]> wrote:
..
> but i never get any request on 192.168.0.4 .

Perhaps you could try looking at the debug log of the server which is performing the proxying. It might tell you whether or not the request is proxied, and if not, why.

I have no idea why you would not follow the debugging process described in the FAQ, README, and many, many other places in the documentation.

Alan DeKok.
Re: Rejecting invalid logins
"Chris Knipe" <[EMAIL PROTECTED]> wrote: > I'm trying to figure out why my NAS is receiving a radius timeout, instead > of a auth-reject for users with invalid passwords / non existing users / > etc... It's a bug in the server. Set "reject_delay=0" to work around it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting eap/ttls
Henning Evers <[EMAIL PROTECTED]> wrote:
> Nobody answered yet. Is that a problem nobody has, or is my information
> incomplete, or is it even that it is obvious and i miss an important thing?

The "anonymous" accounting problem is well known, and has not been solved by anyone. The standards bodies are working on proposals.

As for why you get flooded with thousands of accounting entries in a few seconds, I have no idea. But it's definitely the NAS choosing to do that. See your NAS documentation for why.

Alan DeKok.
Re: problem validating system pswd
Murali Krishna G <[EMAIL PROTECTED]> wrote:
> murali Auth-Type := System, User-Password == "murali"

Can you explain what you think this does, and why?

Alan DeKok.
Re: Ip pool management
"Sébastien Cantos" <[EMAIL PROTECTED]> wrote: > The problem is that it is complaining: > rlm_ippool: could not find Pool-Name attribute The *module* is printing that message because the Pool-Name attribute is not found in the list of check items. > For my *newbie* understanding, if the Pool-name is a check item it > should be in the request I get from my clients. No. Nothing in the server documentation would lead you to that conclusion. The documentation would lead you to the *correct* conclusion, which is that the "check" items are not the "request" items. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: radsqlrelay for 1.0.2
Hi Nicolas, hi Roy,

Nicolas, I'm currently using your radsqlrelay.c with the 1.0.2 release and I've patched the makefile. I'm very new to this whole patching and code-hacking thing. I'm getting the following error message while making radsqlrelay; thanks for any pointers on how to compile radsqlrelay.

Bart

gcc -march=pentium3 -O3 -pipe -fomit-frame-pointer -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHOSTINFO=\"\" -DRADIUSD_VERSION=\"1.0.2\" -o xlat.o -c xlat.c
gcc -march=pentium3 -O3 -pipe -fomit-frame-pointer -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHOSTINFO=\"\" -DRADIUSD_VERSION=\"1.0.2\" -c valuepair.c
gcc -march=pentium3 -O3 -pipe -fomit-frame-pointer -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../include -DHOSTINFO=\"\" -DRADIUSD_VERSION=\"1.0.2\" -c timestr.c
gcc -L../lib radsqlrelay.o mainconfig.o util.o nas.o client.o log.o conffile.o files.o xlat.o valuepair.o timestr.o ../lib/.libs/libradius.so -o radsqlrelay
radsqlrelay.o(.text+0xf26): In function `init_sql':
: undefined reference to `lt_preloaded_symbols'
radsqlrelay.o(.text+0xf2d): In function `init_sql':
: undefined reference to `lt_dlpreload_default'
radsqlrelay.o(.text+0xf32): In function `init_sql':
: undefined reference to `lt_dlinit'
radsqlrelay.o(.text+0xf53): In function `init_sql':
: undefined reference to `lt_dlopenext'
radsqlrelay.o(.text+0xf5e): In function `init_sql':
: undefined reference to `lt_dlerror'
radsqlrelay.o(.text+0xfa9): In function `init_sql':
: undefined reference to `lt_dlsym'
radsqlrelay.o(.text+0x1027): In function `init_sql':
: undefined reference to `lt_dlclose'
radsqlrelay.o(.text+0x1051): In function `init_sql':
: undefined reference to `lt_dlerror'
radsqlrelay.o(.text+0x10a9): In function `init_sql':
: undefined reference to `lt_dlsetsearchpath'
radsqlrelay.o(.text+0x10b3): In function `init_sql':
: undefined reference to `lt_dlerror'
../lib/.libs/libradius.so: undefined reference to `crypt'
collect2: ld returned 1 exit status
make: *** [radsqlrelay] Error 1

-Original Message-
From: Nicolas Baradakis [mailto:[EMAIL PROTECTED]
Sent: Tuesday 22 February 2005 14:35
To: freeradius-users@lists.freeradius.org
Subject: Re: radsqlrelay for 1.0.2

ROY wrote:

> > This version can be built in the 1.0.x source tree. It has been
> > modified to fix the detail file locking issue under heavy load.
> > Since you are running tests on radsqlrelay, I'd be grateful if I
> > could receive some feedback from you on this version.
>
> There were a lot of differences between v1.3 against your v1.1.2.4
> (code wise). I'm no C coder myself so I can't tell from the diff
> output what functionalities were changed. If there's a big advantage
> using the 1.1.2.4 I'd be happy to test it for you.

Under heavy load you can see the following error message many times in the file /var/log/freeradius/radius.log

Error: rlm_detail: Failed to aquire filelock for /var/log/freeradius/radacct/detail-relay, giving up

It's a known problem of radrelay, and it was reported on the mailing list by different people. I've had exactly the same errors with radsqlrelay (which shares a lot of code with radrelay).

http://lists.cistron.nl/archives/freeradius-users/2004/09/frm00877.html
http://lists.cistron.nl/archives/freeradius-users/2004/10/frm00864.html

The changes I made to radsqlrelay.c fix this. My own tests are OK, but I'm interested to get other people's opinion. Even if you've never seen the "Failed to aquire filelock" message, just tell me if the new version works exactly like before. That will help, too.

--
Nicolas Baradakis
adding module
Hello,

is it possible to compile version 1.0.1 with a new module like rlm_policy? If yes, how can i do it?

Marc
Re: Advanced Proxy
Hello,

> > Yes. Use the Proxy-To-Realm attribute, which forces the request to
>
> can someone please send more info on this ?
> my users file contain :
> DEFAULT Service-Type == Framed-User,proxy-to-realm := NEW

How about using the right capitalisation of the attribute name?

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

email: [EMAIL PROTECTED]
tel.: +352 424409-33
http://www.restena.lu
fax: +352 422473
Re: Advanced Proxy
On Tuesday 01 March 2005 21:25, Alan DeKok wrote:
> Yes. Use the Proxy-To-Realm attribute, which forces the request to
> be proxied.
>
> Alan DeKok.

can someone please send more info on this?
my users file contains:

DEFAULT Service-Type == Framed-User,proxy-to-realm := NEW
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

and proxy conf:

realm NEW {
        type = radius
        authhost = 192.168.0.4:1812
        accthost = 192.168.0.4:1813
        secret = 1
}

but i never get any request on 192.168.0.4 .

--
Once, adv.: Enough.
-- Ambrose Bierce, "The Devil's Dictionary"
EAP-TLS: "check_cert_cn" does not work?
Hello,

as far as I have understood, the "check_cert_cn" switch in raddb/eap.conf forces the certificate's Common Name to be in the raddb/users file. Otherwise the request will be rejected.

Now I've commented out the whole raddb/users file but the radius doesn't reject any request.

I am running a WLAN with EAP-TLS authentication and need to "switch off" single certificates.

--Manuel Schmitz
Re: Rejecting invalid logins
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/blah] (from client test port 23)
Delaying request 6 for 1 seconds

Ok, that was it. Solved it myself. Thanks

--
Chris.
Re: freeradius and LDAP
Thomas Simmons wrote:
> passwords must be encrypted even when sent inside our LAN. I would like to use mschap v2, but it seems that it will not work with LDAP, is this correct? If I cannot use mschap v2, is there another way to encrypt the passwords or use some sort of challenge authentication?

You can use mschapv2 if you have the NT hash password (in the sambaNTPassword attribute).

--
--beast
Proxy or not with NULL realm
Hi!

I've set up a server with FreeRadius 1.0.2 and would like to create the following auth steps:

1. I receive an auth request with NULL realm.
2. My server should check the local DB for any matches.
3. If there is a matching entry, the radius answers Access-Accept, BUT if there are NO entries it should proxy the request to another (EXTERNAL) Radius, connected to another DB.

The problem is, if there are NO matches in the local DB, the radius answers with an Access-Reject, instead of proxying the request to the second Radius and waiting for an answer from it.

How to set up this solution? Any suggestions?

Thanks for advice!

proxy.conf:
-
realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm DEFAULT {
        type = radius
        authhost = 1.2.3.4:1645
        accthost = 1.2.3.4:1646
        secret = X
        #nostrip
}
How to verify user by "Calling-Station-Id" (formally MAC address)
Hi,

I've just been searching for info about that on google but I'm not satisfied, so my question is: how to verify a user by "Calling-Station-Id" (beside MS-CHAPv2/PEAP auth)? I want to prevent authorizing users that aren't on the list of allowed stations (before they even try to auth by username/password). clients.conf is not enough, because with a single AP (single IP address) many users can authorize to the AP; i want to allow only particular ones. So Calling-Station-Id seems to be ideal for that (as long as this is the MAC address of the "station"/wifi card).

gretz!
Zbigniew Zolkiewski
Rejecting invalid logins
Hi,

I'm trying to figure out why my NAS is receiving a radius timeout, instead of an auth-reject for users with invalid passwords / non existing users / etc... A quick test with radtest gave me the following for an invalid login.

--- Walking the entire request list ---
Cleaning up request 5 ID 219 with timestamp 4226ec6e
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 198.19.0.35:4481, id=137, length=69
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "blah"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 23
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: Looking up realm "ournet.co.za" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "ournet.co.za"
rlm_realm: Adding Stripped-User-Name = "blah"
rlm_realm: Proxying request from user blah to realm ournet.co.za
rlm_realm: Adding Realm = "ournet.co.za"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 6
radius_xlat: '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM RadiusCheck WHERE Username = LOWER('[EMAIL PROTECTED]') ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 18
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat: 'SELECT RadiusGroupCheck.id,RadiusGroupCheck.GroupName,RadiusGroupCheck.Attribute,RadiusGroupCheck.Value,RadiusGroupCheck.op FROM RadiusGroupCheck,RadiusUsers WHERE RadiusUsers.Username = LOWER('[EMAIL PROTECTED]') AND RadiusUsers.isActive='y' AND RadiusUsers.GroupName = RadiusGroupCheck.GroupName ORDER BY RadiusGroupCheck.id'
radius_xlat: 'SELECT RadiusGroupReply.id,RadiusGroupReply.GroupName,RadiusGroupReply.Attribute,RadiusGroupReply.Value,RadiusGroupReply.op FROM RadiusGroupReply,RadiusUsers WHERE RadiusUsers.Username = LOWER('[EMAIL PROTECTED]') AND RadiusUsers.isActive='y' AND RadiusUsers.GroupName = RadiusGroupReply.GroupName ORDER BY RadiusGroupReply.id'
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 18
modcall[authorize]: module "sql" returns notfound for request 6
modcall[authorize]: module "files" returns notfound for request 6
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "NoResetCounter" returns noop for request 6
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "DailyCounter" returns noop for request 6
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
modcall[authorize]: module "MonthlyCounter" returns noop for request 6
modcall: group authorize returns ok for request 6
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/blah] (from client test port 23)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 137 to 198.19.0.35:4481
Waking up in 4 seconds...

Can anyone perhaps see something wrong? Radius is definitely sending an Auth Reject, but I'm not sure whether it is that my NAS does not understand it, or that my Radius Server is taking too long to respond to the NAS. I'd appreciate it if anyone can help.

--
Chris.
Re: Accounting eap/ttls
ok, what did i do wrong, what did i miss?
Nobody answered yet. Is that a problem nobody has, or is my information incomplete, or is it even that it is obvious and i miss an important thing?
In any case, pls say something or give me a slap to the right source.

thanks
Henning

Henning Evers wrote:
> Hi everybody,
>
> i got the following problem:
> I am using EAP (mschapv2)/TTLS tunnels for authentication on a Postgres database and it works fine so far. Then i tried to turn on accounting on userbase and that's where i am completely stuck. By default i get only [EMAIL PROTECTED] as username entries in my accounting table. I am using the default sql requests that came with my FreeRadius 0.9. That's of course not what i want.
>
> If i switch the ttls options 'copy_request_to_tunnel' and 'use_tunneled_reply' both to yes, my accounting table gets flooded with thousands of accounting entries in a few seconds. But the username is in there, even though a '.' is added at the end, and i don't know where it is coming from.
>
> does anyone know how to do this the correct way?
>
> thanks in advance,
> Henning
Re: problem validating system pswd
Hello,

> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type System
> auth: type "System"

how about omitting Auth-Type := System? The files section already properly authorized your user, but the later checks with Auth-Type System led to the failure.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

email: [EMAIL PROTECTED]
tel.: +352 424409-33
http://www.restena.lu
fax: +352 422473
problem validating system pswd
Hi,

I had a problem validating the password. i have my entry in users similar to:

murali  Auth-Type := System, User-Password == "murali"
        Reply-Message = "Hello, Murali you are Authenticated! Go ahead!!",
        Service-Type = Login-User,
        Login-Service = Telnet,
        Login-IP-Host = 127.0.0.1,
        Login-TCP-Port <= 65536

I have created a user murali with pswd as murali. here is my log:
--
rad_recv: Access-Request packet from host 127.0.0.1:32773, id=241, length=58
        User-Name = "murali"
        User-Password = "murali"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 23
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "murali", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry murali at line 91
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [murali]: invalid password
modcall[authenticate]: module "unix" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 241 to 127.0.0.1:32773
        Reply-Message = "Hello, Murali you are Authenticated! Go ahead!!"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 241 with timestamp 4226db76
Nothing to do. Sleeping until we see a request.

Can anyone please give me some idea?

Bye
Murali.
Cisco VoIP Billing System
Hi All,

I want to take some suggestions to create a VoIP Billing System. I configured freeRADIUS with cisco VSA and all are working successfully. I have a little confusion about h323-credit-time. I have two tables in mySQL: one is the (radcheck) table for user registration with their balance; the second table (calling_rate) is for Country Code and their rate per minute.

The main interesting part is how I can calculate h323-credit-time from calling_rate under the balance of a particular user from the radcheck table? I will be really appreciative if anyone can redirect me in the right and easy way.

Thank you,
Q: How to use freeRADIUS + telnet
Hi,

I am starting with Radius. I want: "FreeRADIUS to authenticate a user against the local/system password file, telnet him to and log him in".

I have: created a user "xyz" with passwd "abcd". I have Radius running on one shell and i want to connect to the (localhost) machine with the new user and passwd created from another shell (Service-Type Telnet). (i want to test on standalone)

Please respond to my query if any one has attempted this.

Thanks
Murali.
RE: Ip pool management
Yes you are right. Launching the server in debug mode told me that Pool-name is a check item and that it should be on the first line.

The problem is that it is complaining:
rlm_ippool: could not find Pool-Name attribute

For my *newbie* understanding, if the Pool-name is a check item it should be in the request I get from my clients. Am I right? If yes, I can't modify the request I got from the NAS (it's not mine). So is there a way to use ippool without this check item?

Thanks for your help.

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
> Sent: Wednesday 2 March 2005 18:50
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Ip pool management
>
> "Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> > I've followed instructions in radiusd.conf :
> > My users file looks like this:
> > DEFAULT Service-Type == Framed-User
> > Pool-Name := osiris-pool,
>
> You did not follow the instructions in radiusd.conf. The
> "Pool-Name" attribute should go on the first line.
>
> If you had run the server in debugging mode, the server would have
> told you this.
>
> Alan DeKok.
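The Ip pool management thread (Pool-Name on the first line versus a continuation line), the "problem validating system pswd" thread (Auth-Type := System) and the "Rejecting invalid logins" log ("No authenticate method (Auth-Type) configuration found") all turn on which list a users-file attribute lands in. The following Python model is an added example, not FreeRADIUS's own code: it parses constructed users entries (user and pool names are made up) and shows which attributes end up as check items, which as reply items, and which Auth-Type the server would pick.

```python
"""Toy model of FreeRADIUS rlm_files matching of a 'users' entry (added
example, not FreeRADIUS's own code).  It keeps just the rules the threads
rely on: check items on the first line, reply items on indented lines,
':=' and '=' set rather than compare, Fall-Through = Yes keeps matching."""
import re

# attribute, operator, value ("quoted, commas allowed" or a bare token)
_ITEM = re.compile(r'([\w-]+)\s*(:=|==|!=|<=|>=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')

def _items(text):
    return [(a, op, v.strip('"')) for a, op, v in _ITEM.findall(text)]

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                  # continuation line: reply items
            entries[-1][2].extend(_items(line))
        else:                                  # first line: name + check items
            parts = line.split(None, 1)
            entries.append((parts[0], _items(parts[1] if len(parts) > 1 else ""), []))
    return entries

def _check_matches(check_items, request):
    """':=' and '=' are never compared; other operators need the attribute present."""
    for attr, op, value in check_items:
        if op in (":=", "="):
            continue
        actual = request.get(attr)
        if actual is None:
            return False
        try:
            a, v = float(actual), float(value)
        except ValueError:
            a, v = str(actual), value
        if not {"==": a == v, "!=": a != v,
                "<=": a <= v, ">=": a >= v}[op]:
            return False
    return True

def authorize(users_text, request):
    """Return (check, reply) dicts from the matching entries, or None."""
    check, reply, matched = {}, {}, False
    for name, check_items, reply_items in parse_users(users_text):
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        if not _check_matches(check_items, request):
            continue
        matched = True
        check.update({a: v for a, _, v in check_items})
        reply.update({a: v for a, _, v in reply_items})
        if reply.pop("Fall-Through", "No").lower() != "yes":
            break
    return (check, reply) if matched else None

def auth_type(check):
    """Mirror rad_check_password: an explicit Auth-Type check item wins, a
    User-Password/Crypt-Password check item selects Local, otherwise None
    (the 'No authenticate method (Auth-Type) ... Rejecting the user' case)."""
    if "Auth-Type" in check:
        return check["Auth-Type"]
    if "User-Password" in check or "Crypt-Password" in check:
        return "Local"
    return None

# Constructed entries mirroring the threads (user and pool names are made up).
# rlm_ippool searches the check list only, so POOL_WRONG hides Pool-Name from it.
POOL_WRONG = ("DEFAULT Service-Type == Framed-User\n"
              "\tPool-Name := osiris-pool,\n\tFramed-MTU = 576\n")
POOL_RIGHT = ('DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"\n'
              "\tFramed-Protocol = PPP,\n\tFramed-MTU = 576\n")
MURALI = 'murali Auth-Type := System, User-Password == "murali"\n\tService-Type = Login-User\n'
PPP_REQ = {"User-Name": "user1", "Service-Type": "Framed-User", "NAS-Port": "0"}
MURALI_REQ = {"User-Name": "murali", "User-Password": "murali", "NAS-Port": "23"}
```

With Auth-Type System in the check list the unix module validates the password against the system password file, which is why the users-file User-Password item alone could not make murali's request succeed.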