Authentication Problem With Freeradius WinXP

2005-03-05 Thread Badrul Anuar
=
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log) 
Module: Loaded files 
 files: usersfile = "/usr/local/radius/etc/raddb/users"
 files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
 detail: detailfile =
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
 detail: detailfile =
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log) 
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
Thread 3 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.2.51:1042, id=0, length=206
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Message-Authenticator = 0xf98c29925901893c4b99531cc3fa5cbb
Service-Type = Framed-User
User-Name = "wireless"
Framed-MTU = 1488
Called-Station-Id = "00-0F-3D-AB-70-51:xserverAP"
Calling-Station-Id = "00-0C-F1-13-3F-29"
NAS-Identifier = "D-link Corp. Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020d01776972656c657373
NAS-IP-Address = 192.168.2.51
    NAS-Port = 1
NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  
'/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050305'
rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to 
/usr/local/radius/var/log/radius/radacct/192.168.2.51/auth-detail-20050305
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry wireless at line 1
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 192.168.2.51:1042
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0x0a5bd7de654329100c8bdb28aa496a75
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.2.51:1042, id=1, length=217
Waking up in 31 seconds...
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
Message-Authenticator = 0x41f00fa9d910fcac403dfa6cd1e364ae
Service-Type = Framed-User
User-Name = "wireless"
Framed-MTU = 1488
State = 0

Accounting with a proxy radius server and primary server

2005-03-05 Thread delrieu.nans
Hello,

In the past, I had one radius server and accounting was
configured. No problem.

Now, I would like to have:

Proxy radius (it just proxies all requests to the other radius servers)
 -> Primary radius
 -> Secondary radius
 -> Default Radius

In order to set up the proxy radius on the same PC, I have pasted
all the conf files of the radius server into a new directory and I
have just modified raddbdir to change the directory of the
files for my new proxy radius. Is there nothing else to change for
accounting?

The primary radius is already started, and when I launch the
proxy radius (with radiusd -d /proxy -x), it tells me that
permission was denied on users, db.daily etc... There are all
permissions on these files.  Why?


When I comment out all the accounting lines, it works fine!
I would like to know why it doesn't work with accounting.

What do I have to do in order to have all accounting?

Do accounting on the proxy or accounting on the primary? Help me.

Thanks
Your suggestions are welcome
Nans delrieu


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Called-Station-Id value??

2005-03-05 Thread Abdul Lateef
Hi,

I want to retrieve the Called-Station-Id value before the
Access-Accept.

I am using:
Exec-Program-Wait = "/usr/local/etc/ctime.pl" in the
radreply table to return the value for
h323-credit-time, and everything is going very well. I have
a function inside ctime.pl to retrieve the rate for the
particular called number.

I am a little confused about how I can get the value of
Called-Station-Id in my script.

Your reply will be very highly appreciated.

Thank You





Re: more detailed sql logging

2005-03-05 Thread Alan DeKok
Kris Efland <[EMAIL PROTECTED]> wrote:
> I am simply trying to log who is trying to auth against the rad
> server, valid or not.  Right now only postauth is being logged to
> sql and I'm trying to rectify that.

  That's fine.

>  I would assume that someone trying to check authentic credentials
> would be logged to the 'authcheck_table' but feel free to correct
> that assumption.

  No... the "radcheck" table contains information that tells the
server how to check authentication for the user. 

  sql.conf clearly shows that the only authenticating logging query is
the post-auth one.  It also clearly shows that the authcheck_table
compares the check items for the user.

  This is all documented in the comments in the file.

> I already have a 'sql' directive under the accounting block in
> radiusd.conf (line 1906).  Currently the only table that has
> _anything_ is radpostauth.

  Then your NAS isn't sending accounting requests to the server.  See the FAQ.

  Alan DeKok.



Re: Authentication Problem With Freeradius WinXP

2005-03-05 Thread Alan DeKok
Badrul Anuar <[EMAIL PROTECTED]> wrote:
> after change the eap.conf from tls to peap ...
> 
> i have solved the problem  (refer to the mail. before)...
> TLS_accept:error in SSLv3 read client certificate A
> 
> But still can't authenticate between the server,

  SP2 has known inter-operability problems with non-Microsoft RADIUS
servers.

http://support.microsoft.com/default.aspx?scid=kb;en-us;885453

  The "cause" they list is bullsh*t.  The debug log you posted clearly
shows this.  SP2 is NOT sending any data inside of the TLS tunnel, and
FreeRADIUS keeps asking for more.  Eventually SP2 gives up, and starts
the authentication process again.

  Install the hotfix, and it should work.

  Alan DeKok.



Re: Called-Station-Id value??

2005-03-05 Thread Alan DeKok
Abdul Lateef <[EMAIL PROTECTED]> wrote:
> I am a little confused about how I can get the value of
> Called-Station-Id in my script.

  Read doc/variables.txt, and scripts/exec-program-wait

  Alan DeKok.



Re: FreeRadius logging lots of duplicates?

2005-03-05 Thread Stephen D. Bechard
I do believe that the NAS needs the return packet.
Do they have the same acctsessionid and acctuniqueid?
--Steve

- Original Message - 
From: "Scott Baker" <[EMAIL PROTECTED]>
To: 
Sent: Friday, March 04, 2005 6:40 PM
Subject: Re: FreeRadius logging lots of duplicates?


> I have three different modem banks that are all logging duplicate
> stuff. I have a Portmaster 3, Max 4000, and two Max TNTS. All of
> which are logging things 100 times.
>
> If I tcpdump while it's repeating the logging the NAS box is repeat
> sending a bunch of the requests. So I'm guessing it's never hearing
> back "I got your Accounting packet" even though the server is
> logging it. Do the accounting packets require an acknowledge?
>
> Scott
>
> Scott Baker wrote:
> > That would make sense, except every packet or session or whatever you
> > wanna call each entry in the logfile for each session has the same
> > "Acct-Session-Time"
> >
> > I would expect it to increment if it was doing interval accounting?
> >
> > Stephen D. Bechard wrote:
> >
> >> Sounds like your NAS is sending Acct Interim Interval packets,
> >> mine is configured to send them every 5-10 minutes during an
> >> active session. You should be able to configure your NAS to only
> >> send this information during Start/Stop.
> >>
> >> Enjoy,
> >> Steve
> >>
> >> - Original Message - From: "Scott Baker" <[EMAIL PROTECTED]>
> >> To: 
> >> Sent: Friday, March 04, 2005 3:00 PM
> >> Subject: FreeRadius logging lots of duplicates?
> >>
> >>
> >>
> >>> I just noticed that in the detail log files I'm seeing LOTS of
> >>> duplicates of sessions. If I grep the log files for a specific
> >>> "Acct-Unique-Session-Id" it's showing up 72 times!!! Even assuming
> >>> one for start and one for stop it's still logging each entry roughly
> >>> 36 times. The weird part is that the times for all these entries are
> >>> spread across the WHOLE day. So if the sessions occurred at 10am, it
> >>> will log it then, and randomly throughout the next 24 hours log them
> >>> over and over. I haven't checked if it logs the same entry over a
> >>> couple of days.
> >>>
> >>> I'm assuming this is because the NAS box is sending the same
> >>> accounting packet over and over again, but I don't know why it would
> >>> be doing that. Does the radius need to acknowledge to the NAS box
> >>> that it received the packet? What would cause the radius server not
> >>> to do that?
> >>>
> >>> Where can I start to troubleshoot this?
> >>>
> >>> -- 
> >>> Scott Baker
> >>> Canby Telephone - Network Administrator - RHCE
> >>> Ph: 503.266.8253
> >>>
> >
>
> -- 
> Scott Baker
> Canby Telephone - Network Administrator - RHCE
> Ph: 503.266.8253


Re: FreeRadius logging lots of duplicates?

2005-03-05 Thread Thor Spruyt
Stephen D. Bechard wrote:
> I do believe that the NAS needs the return packet.

When the NAS sends a packet to the server, the server should respond with an
accounting ack packet back to the NAS. Check that the server indeed sends an
ack packet and that the NAS receives the ack packet.

Also, on the NAS you should be able to configure how many times the NAS has
to retry to send the packet and at which interval.
The settings you should choose depend greatly on the connection between your
NAS and your server.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be
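
The check Scott Baker describes earlier in this thread, as an added example (not code from any poster): group detail-file records by Acct-Unique-Session-Id, Acct-Status-Type and Acct-Session-Time, so that retransmitted packets, identical in all three, stand apart from interim updates, whose session time rises. The sample records are constructed, and the detail layout (a timestamp line, indented `Name = value` lines, a blank line) is assumed.

```shell
#!/bin/sh
# Added example: spot retransmitted accounting records in a detail file.
# Assumed layout: a timestamp line, indented "Name = value" lines, blank line.

# Read detail records on stdin; print "session-id status-type session-time
# copies" for each record logged more than once with all three identical.
find_retransmits() {
    awk '
        function endrec() {
            if (id != "") seen[id " " type " " secs]++
            id = ""; type = ""; secs = ""
        }
        /^[ \t]*$/ { endrec(); next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, " = ")
            if (n == 0) next              # timestamp line, no attribute
            name = substr(line, 1, n - 1)
            val = substr(line, n + 3)
            gsub(/"/, "", val)
            if (name == "Acct-Unique-Session-Id") id = val
            else if (name == "Acct-Status-Type") type = val
            else if (name == "Acct-Session-Time") secs = val
        }
        END {
            endrec()
            for (k in seen) if (seen[k] > 1) print k, seen[k]
        }
    ' | sort
}

# One constructed record: rec <session-id> <status-type> <session-time>
rec() {
    printf 'Fri Mar  4 10:00:00 2005\n\tAcct-Status-Type = %s\n' "$2"
    printf '\tAcct-Session-Time = %s\n' "$3"
    printf '\tAcct-Unique-Session-Id = "%s"\n\n' "$1"
}

# Constructed sample: a Stop logged three times, plus two interim updates.
sample() {
    rec aaaa1111 Stop 1800; rec aaaa1111 Stop 1800; rec aaaa1111 Stop 1800
    rec bbbb2222 Interim-Update 300; rec bbbb2222 Interim-Update 600
}

sample | find_retransmits
```

Against a real detail file, feed it on stdin (`find_retransmits < detail-file`); a session that shows up here with a high copy count is being resent by the NAS, which points at the acknowledgement path rather than at interim accounting.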




Re: more detailed sql logging

2005-03-05 Thread Kris Efland
Alan DeKok <[EMAIL PROTECTED]> wrote:
> No... the "radcheck" table contains information that tells the
> server how to check authentication for the user.

Ok.

> sql.conf clearly shows that the only authenticating logging query is
> the post-auth one. It also clearly shows that the authcheck_table
> compares the check items for the user.

Clearly...  As I said in my first email, there are no insert statements that coincide with what I am looking for, and thus my original question about crafting my own sql statements. Moving on... I will break this down simply so that we do not drift.  The data I need is being logged to the log file:

$prefix/var/log/radius/radacct//auth-detail-mmdd

with contents:

Packet-Type = Access-Request
Sat Mar  5 15:04:02 2005
    User-Name = "user"
    User-Password = "password"
    NAS-IP-Address = 1.2.3.4
    Client-IP-Address = 1.3.4.5
    Module-Failure-Message = "rlm_ldap: User not found"

_I would like this information logged to sql instead, how do I do that?_

> This is all documented in the comments in the file.

Sure it is...

> Then your NAS isn't sending accounting requests to the server. See the FAQ.

The information is already at my disposal, hence the log file.  I don't want to rely on the NAS to send the request or have to manage that in any way.  Can I force the logging to SQL? I want to log ALL authentication requests to SQL, this seems like a pretty primitive feature.  Thanks for the help.
 
Kris

Re: How to set FreeRADIUS auth via POP3?

2005-03-05 Thread CNCA CNCA
Hi, I want FreeRADIUS to use pop3 as an authentication method on FreeBSD.


$ radtest -d /usr/local/etc/raddb [user] [password] localhost 10 testing123
==
 rad_check_password:  Found Auth-Type PAM
auth: type "PAM"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string  for pam.conf lookup
pam_pass: function pam_acct_mgmt FAILED for . Reason: error in
service module
 modcall[authenticate]: module "pam" returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.


It seems to work fine between pam_pop3 and the pop3 box, but there is a problem
between FreeRADIUS and pam_pop3...

Thanks



On Fri, 04 Mar 2005 11:21:35 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> CNCA CNCA <[EMAIL PROTECTED]> wrote:
> > i tried to use pam_pop3 to do this, but fail.
> 
>  So.. what failed, and why?
> 
> > please give me some advice, thanks a lot:P
> 
>  Please describe what you're trying to do.  I'm not sure if you're
> using FreeRADIUS to authenticate pop3 users, or are trying to have
> FreeRADIUS use pop3 as an authentication method.
> 
>  Alan DeKok.



Re: Called-Station-Id value??

2005-03-05 Thread Abdul Lateef

Hi,

Thank you for your time.

I have already read both files
(variables.txt, Exec-Program-Wait) but I did not find
any information about how to retrieve the value of
Called-Station-Id in a Perl file.

If possible, can you give me a little hint so I can fix
my problem?

Abdul Lateef
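
An added example for this thread, not code from the posters or from FreeRADIUS: a program run through Exec-Program-Wait finds each request attribute in an environment variable named after it, upper-cased and with hyphens turned into underscores, so Called-Station-Id is `CALLED_STATION_ID`. The rate table, the function names and the printed reply format are assumptions; the value is validated because it originates outside the server.

```shell
#!/bin/sh
# Added example: hypothetical Exec-Program-Wait helper, not the poster's ctime.pl.
# Request attributes reach the program as environment variables: upper-cased,
# '-' replaced by '_', so Called-Station-Id is read from $CALLED_STATION_ID.

# Constructed rate table: "prefix credit-seconds"; the longest prefix wins.
RATES='44 600
4420 900
1 1200'

# Print the called number as bare digits, or return 1.
# The value originates outside the server, so it is validated before use.
clean_called_id() {
    id=$1
    case $id in               # drop one pair of surrounding quotes, if any
        \"*\") id=${id#\"}; id=${id%\"} ;;
    esac
    case $id in
        ''|*[!0-9]*) return 1 ;;   # empty, or anything other than digits
    esac
    [ "${#id}" -le 20 ] || return 1
    printf '%s\n' "$id"
}

# Print the credit for the longest matching prefix, or return 1.
credit_for() {
    best_len=0; best_secs=
    while read -r prefix secs; do
        case $1 in
            "$prefix"*)
                if [ "${#prefix}" -gt "$best_len" ]; then
                    best_len=${#prefix}; best_secs=$secs
                fi ;;
        esac
    done <<EOF
$RATES
EOF
    [ -n "$best_secs" ] || return 1
    printf '%s\n' "$best_secs"
}

# Print the reply pair (output format assumed), or return 1 with no output.
credit_reply() {
    num=$(clean_called_id "$1") || return 1
    secs=$(credit_for "$num") || return 1
    printf 'h323-credit-time = %s\n' "$secs"
}

credit_reply "${CALLED_STATION_ID:-}" || echo "no rate for called number" >&2
```

The same variable is available to a Perl script through `%ENV`; the digits-only check matters most when the number is then passed on to a database query or another command.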



