Realms setup

2005-03-08 Thread Radius
We are trying to set up a pass through radius to send requests for
another domain to a different server.

The main server kingmanaz.net and the second server freedomnetusa.com
We want all requests for freedomnetusa.com to be forwarded from the 
kingmanaz.net machine when the request to authenticate comes in.

We can run
# radtest [EMAIL PROTECTED] password free-host 55 secrete 0
and it does fine.

But if we send the realm to the kingman server first, it does not send 
the request to the freedom server.

On the kingman server:
We have proxy_requests set to yes.
We have the host IP in clients.
We have it in the hints file.
We have it in proxy.conf to send all acct and auth to
the IP of the freedom server.
We have it listed in the realms.
We get a little lost about what is needed on the freedom server, but we have
all the same files with the kingman server and the freedom server
listed.

When we radtest direct to the freedom server it does fine. But when we send
the request first to the kingman server, it does not send the request to the
freedom server.

We have the freedom radius running with -x
Any help to get this working would be great.
Thanks in advance.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius 1.0.1 Compile Error

2005-03-08 Thread Ryan Bourgeois

Ryan Bourgeois wrote:
> Hiya guys.  I'm having an odd error when compiling FreeRadius on my
> Gentoo machine (using the Gentoo emerge package system).
>
> The error occurs when trying to compile the rlm_unix module.  Here's the
> full output from this:
>
> <snip>
>
> I'm not entirely sure why it's doing this.  I assume there is something
> wrong with my libshadow?  Some help would be greatly appreciated, as I'm
> not sure where to proceed from here.  Thanks.
>
> -Ryan Bourgeois

The error does not occur in version 1.0.2.  After a bit of looking
around I suspect the error to be related to the Gentoo package system,
emerge.  Perhaps I'll post a bug report on it, but with the release of
the 1.0.2 package, it's almost pointless...



Manip.pm can't be located??

2005-03-08 Thread zack musa
When I try to run the log_badlogins script (perl
log_badlogins) the following output appears:

[EMAIL PROTECTED] bin]# perl log_badlogins
Can't locate Date/Manip.pm in @INC (@INC contains:
/usr/local/lib/perl5/5.8.6/i686-linux
/usr/local/lib/perl5/5.8.6
/usr/local/lib/perl5/site_perl/5.8.6/i686-linux
/usr/local/lib/perl5/site_perl/5.8.6
/usr/local/lib/perl5/site_perl .) at log_badlogins
line 15.
BEGIN failed--compilation aborted at log_badlogins
line 15.


Where is @INC located? Manip.pm is already located
in the /Date directory. I'm sure it is there. But what
is @INC and why does it contain the paths to some
directories? What should this directory contain that
makes it used by the log_badlogins script?
Please help. Thanks in advance.
P.S. My totaccts and mtotaccts run successfully. Thank
you for any help on that.
 









RE: dialupadmin

2005-03-08 Thread Janakan Rajendran
Thx for the comments. The following link made me to think that dialupadmin
comes with freeradius.
http://www.nwfusion.com/links/Downloads/Security/Remote_access/



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marcin
Jessa
Sent: Tuesday, March 08, 2005 8:17 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: dialupadmin

Freeradius is not dialupadmin.
Check freshmeat for the project site and the doc is most probably in the dir
of dialupadmin when you unpack it.
Use your head, will you? And google.com as well..




On Tue, 8 Mar 2005 19:45:46 -0500
"Janakan Rajendran" <[EMAIL PROTECTED]> wrote:

> Kostas,
> 
> You mean the doc folder in the local machine or on the free radius page?
> I couldn't find anything called dialup admin on the local server and also
> the website is not opening (www.freeradius.org/doc: Page can not be
> displayed).
> Am I looking in the right place?
> Thx in advance.
> Regards,
> Janakan Rajendran
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kostas
> Kalevras
> Sent: Tuesday, March 08, 2005 8:21 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: dialupadmin
> 
> On Mon, 7 Mar 2005, Janakan Rajendran wrote:
> 
> > Hello,
> >
> > I couldn't find out any documentation on how to configure/run dialupadmin
> > on free radius. Would appreciate any links or info on this.
> 
> You just need to take a look at the doc folder in dialupadmin
> 
> >
> > Thank you,
> > Regards,
> > Janakan Rajendran
> >
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 


-- 

Regards,
M. Jessa
Software developer/System Administrator
http://www.yazzy.org




Re: dialupadmin

2005-03-08 Thread Marcin Jessa
Freeradius is not dialupadmin.
Check freshmeat for the project site and the doc is most probably in the dir of
dialupadmin when you unpack it.
Use your head, will you? And google.com as well..




On Tue, 8 Mar 2005 19:45:46 -0500
"Janakan Rajendran" <[EMAIL PROTECTED]> wrote:

> Kostas,
> 
> You mean the doc folder in the local machine or on the free radius page?
> I couldn't find anything called dialup admin on the local server and also
> the website is not opening (www.freeradius.org/doc: Page can not be
> displayed).
> Am I looking in the right place?
> Thx in advance.
> Regards,
> Janakan Rajendran
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kostas
> Kalevras
> Sent: Tuesday, March 08, 2005 8:21 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: dialupadmin
> 
> On Mon, 7 Mar 2005, Janakan Rajendran wrote:
> 
> > Hello,
> >
> > I couldn't find out any documentation on how to configure/run dialupadmin
> > on free radius. Would appreciate any links or info on this.
> 
> You just need to take a look at the doc folder in dialupadmin
> 
> >
> > Thank you,
> > Regards,
> > Janakan Rajendran
> >
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 


-- 

Regards,
M. Jessa
Software developer/System Administrator
http://www.yazzy.org




RE: dialupadmin

2005-03-08 Thread Janakan Rajendran
Kostas,

You mean the doc folder in the local machine or on the free radius page?
I couldn't find anything called dialup admin on the local server and also
the website is not opening (www.freeradius.org/doc: Page can not be
displayed).
Am I looking in the right place?
Thx in advance.
Regards,
Janakan Rajendran

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kostas
Kalevras
Sent: Tuesday, March 08, 2005 8:21 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: dialupadmin

On Mon, 7 Mar 2005, Janakan Rajendran wrote:

> Hello,
>
> I couldn't find out any documentation on how to configure/run dialupadmin
> on free radius. Would appreciate any links or info on this.

You just need to take a look at the doc folder in dialupadmin

>
> Thank you,
> Regards,
> Janakan Rajendran
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Compile problem

2005-03-08 Thread Serg Shipaev
Sirs,

During compilation I've got the following result:

===
gcc .libs/radiusdS.o -O9 -funroll-loops -ffast-math -malign-double
-fomit-frame-pointer -fno-exceptions -march=pentium4 -DOPENSSL_NO_KRB5
-I../include -DHOSTINFO=\"i686-pc-linux-gnu\"
-DRADIUSD_VERSION=\"1.1.0-pre0\" -o .libs/radiusd radiusd.o files.o util.o
acct.o nas.o log.o valuepair.o version.o proxy.o exec.o auth.o conffile.o
modules.o modcall.o session.o xlat.o threads.o smux.o radius_snmp.o client.o
request_list.o mainconfig.o request_process.o -Wl,--export-dynamic
-L/root/archives/radius/freeradius-snapshot-20050308/src/lib -lnsl -lresolv
/root/archives/radius/freeradius-snapshot-20050308/src/lib/.libs/libradius.s
o /usr/lib/libsnmp.so /usr/lib/libltdl.so -lcrypt -L/usr/lib -lssl -lcrypto
-Wl,--rpath -Wl,/usr/local/lib/freeradius
radiusd.o(.text+0x623): In function `main':
: undefined reference to `total_active_threads'
radiusd.o(.text+0x821): In function `main':
: undefined reference to `thread_pool_clean'
request_list.o(.text+0x179d): In function `refresh_request':
: undefined reference to `pthread_cancel'
collect2: ld returned 1 exit status
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory
`/root/archives/radius/freeradius-snapshot-20050308/src/main'
gmake[3]: *** [common] Error 1

===

Some info: 
OS: RedHat 3.0 Enterprise Server

CFLAGS= -O9 -funroll-loops -ffast-math -malign-double -fomit-frame-pointer
-fno-exceptions -march=pentium4

GCC:
[EMAIL PROTECTED] freeradius-snapshot-20050308]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/3.2.3/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--host=i386-redhat-linux
Thread model: posix
gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-49)

LD:
[EMAIL PROTECTED] freeradius-snapshot-20050308]# ld -v
GNU ld version 2.14.90.0.4 20030523

freeradius-snapshot-20050308:
Config:
./configure --libdir=/usr/local/lib/freeradius --enable-shared
--enable-strict-dependencies --with-logdir=/billing/cdr
--with-raddbdir=/billing/raddb --without-threads --with-snmp
--with-large-files --with-experimental-modules --with-udpfromto
--with-openssl-includes=/usr/include/openssl
--with-openssl-libraries=/usr/lib --without-rlm_krb5
--without-rlm_sql_postgresql --without-rlm_eap --without-rlm_peap
--without-rlm_sql_mysql --without-rlm_python --without-rlm_smb --without-pap
--without-rlm_example --without-rlm_ns_mta_md5 --without-rlm_x99_token
--without-rlm_sql_counter --without-rlm_dbm --without-rlm_ldap

Can somebody give me a clue? How can I build the version with the
--without-threads flag?
I don't need threads.

Best regards,
Serg




Upgrade problems.

2005-03-08 Thread Peter Nitschke
I have an old Freeradius 0.8.1-1 server on RH 7.2 which I wish to upgrade
to 1.02 on Whitebox EL3.1.

Freeradius is just being used as a proxy, the setup on 0.8 seems quite
simple, but using similar settings with 1.02 it keeps reporting an error
with huntgroups which exists but is the default file.

I can't see anything in the changelog that suggests I now have to have
entries in huntgroups.

Any help appreciated.





FreeRadius 1.0.1 Compile Error

2005-03-08 Thread Ryan Bourgeois
Hiya guys.  I'm having an odd error when compiling FreeRadius on my 
Gentoo machine (using the Gentoo emerge package system).

The error occurs when trying to compile the rlm_unix module.  Here's the 
full output from this:


Making static dynamic in rlm_unix...
gmake[6]: Entering directory 
`/var/tmp/portage/freeradius-1.0.1/work/freeradius-1.0.1/src/modules/rlm_unix'
gcc  -pipe -O3 -march=pentium3 -fomit-frame-pointer -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64 -I../../include  -c rlm_unix.c -o rlm_unix.o
rlm_unix.c: In function `groupcmp':
rlm_unix.c:194: warning: unused parameter `req'
rlm_unix.c: In function `unix_instantiate':
rlm_unix.c:301: warning: cast discards qualifiers from pointer target type
rlm_unix.c:303: warning: cast discards qualifiers from pointer target type
rlm_unix.c:305: warning: cast discards qualifiers from pointer target type
rlm_unix.c:307: warning: cast discards qualifiers from pointer target type
rlm_unix.c: In function `unix_detach':
rlm_unix.c:346: warning: cast discards qualifiers from pointer target type
rlm_unix.c:348: warning: cast discards qualifiers from pointer target type
rlm_unix.c:350: warning: cast discards qualifiers from pointer target type
rlm_unix.c:352: warning: cast discards qualifiers from pointer target type
rlm_unix.c: In function `unix_accounting':
rlm_unix.c:715: warning: comparison between signed and unsigned
gcc  -pipe -O3 -march=pentium3 -fomit-frame-pointer -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64 -I../../include  -c cache.c -o cache.o
gcc  -pipe -O3 -march=pentium3 -fomit-frame-pointer -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64 -I../../include  -c compat.c -o compat.o
/var/tmp/portage/freeradius-1.0.1/work/freeradius-1.0.1/libtool 
--mode=link ld \
-module -static  -pipe -O3 -march=pentium3 -fomit-frame-pointer 
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall 
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I../../include  rlm_unix.o 
cache.o compat.o -o rlm_unix.a
mkdir .libs
ar cru rlm_unix.a rlm_unix.o cache.o compat.o
ranlib rlm_unix.a
/var/tmp/portage/freeradius-1.0.1/work/freeradius-1.0.1/libtool 
--mode=compile gcc  -pipe -O3 -march=pentium3 -fomit-frame-pointer 
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall 
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I../../include  -c rlm_unix.c
gcc -pipe -O3 -march=pentium3 -fomit-frame-pointer -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g 
-Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -D_LARGEFILE_SOURCE 
-D_FILE_OFFSET_BITS=64 -I../../include -c rlm_unix.c  -fPIC -DPIC -o 
rlm_unix.lo
rlm_unix.c: In function `groupcmp':
rlm_unix.c:194: warning: unused parameter `req'
rlm_unix.c: In function `unix_instantiate':
rlm_unix.c:301: warning: cast discards qualifiers from pointer target type
rlm_unix.c:303: warning: cast discards qualifiers from pointer target type
rlm_unix.c:305: warning: cast discards qualifiers from pointer target type
rlm_unix.c:307: warning: cast discards qualifiers from pointer target type
rlm_unix.c: In function `unix_detach':
rlm_unix.c:346: warning: cast discards qualifiers from pointer target type
rlm_unix.c:348: warning: cast discards qualifiers from pointer target type
rlm_unix.c:350: warning: cast discards qualifiers from pointer target type
rlm_unix.c:352: warning: cast discards qualifiers from pointer target type
rlm_unix.c: In function `unix_accounting':
rlm_unix.c:715: warning: comparison between signed and unsigned
/var/tmp/portage/freeradius-1.0.1/work/freeradius-1.0.1/libtool 
--mode=compile gcc  -pipe -O3 -march=pentium3 -fomit-frame-pointer 
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall 
-D_

quick question

2005-03-08 Thread Chris Knipe
Lo everyone,
Just a quick question... Whilst I know and use simultaneous use based on 
username authentication, is there any way to only allow one login from one 
CLI?

We use PPPoE on a Wireless scenario.  Basically, I want to allow any MAC 
address to connect, but I want to limit one login per MAC address, instead 
of the normal one login per username...

Anything like this possible at all?  Whilst using PPPoE, it uses the Client 
MAC address for the CLI, so in Radius terms, I am presuming that I want to 
use something like one login per CLI from the clients...

--
Chris. 



Re: Can't get rlm_sql to authorize, what's wrong with my query?

2005-03-08 Thread Matthew Schumacher
Matthew Schumacher wrote:
> Can someone look at my query and tell me what is wrong?
> ---
> db=> select id, username, attribute, value, op from radstart('username');
>  id | username |    attribute    |  value   | op
> ----+----------+-----------------+----------+----
>   1 | username | User-Password   | password | ==
>   5 | username | Auth-Type       | Local    | :=
>   6 | username | Session-Timeout | 600      | =
> ---

Ok, I'm replying to myself to let others know what the fix is.

The authorize_check_query only expects comparison attributes, and
authorize_reply_query only expects set attributes.  In my query above I
combined them and used the same query for both.

In order for this to work you must use something like this:

db=> select * from radstart('username', 'check');
 id | username |   attribute   |  value   | op
----+----------+---------------+----------+----
  1 | username | User-Password | password | ==
  2 | username | Auth-Type     | Local    | :=
(2 rows)

db=> select * from radstart('username', 'reply');
 id | username |    attribute    | value | op
----+----------+-----------------+-------+----
  6 | username | Session-Timeout | 600   | =

schu


Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Raúl Tamayo Fernández
Hi,
I had a similar problem and the solution was the mapping, as Edvin
says. I added the following entries to ldap.attrmap:

checkItem   LM-Password     lmPassword
checkItem   NT-Password     ntPassword
checkItem   User-Password   lmPassword

Now it's working but using clear-text passwords, so I have a question:
can I have encrypted passwords in the LDAP database if I am using PEAP
with mschapv2?

Regards,
Raul Tamayo
Seferovic Edvin wrote:
> Hi,
>
> probably you are using MS CHAP? Right? Well MS CHAP protocol asks for
> User-Password attribute which cannot be found in your LDAP directory. You
> probably have attribute called userPassword. This attribute may be encrypted
> or in clear text. But what you actually need is sambaNTPassword attribute
> that uses the MS encryption. So you have to "map" the attribute
> User-Password to attribute sambaNTPassword. This can be done by editing the
> ldap_attr.map in your freeradius directory. Take a look at that file and
> you'll understand it.
>
> Regards,
>
> Edvin Seferovic
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of guest01
> Sent: Tuesday, 08 March 2005 13:07
> To: freeradius-users@lists.freeradius.org
> Subject: Re: rlm_ldap - Attribute "User-Password" is required for
> authentication
>
> hm, ok, and that means?
> Do you have any suggestions how to make it work?


RE: DialupAdmin and Usernames

2005-03-08 Thread tfischer

   That did it! Thank you very much. I'd like to thank you all for the hard
work that you have put in to both DialupAdmin and FreeRadius. They are both
excellent programs! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kostas
Kalevras
Sent: Tuesday, March 08, 2005 9:15 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: DialupAdmin and Usernames

On Mon, 7 Mar 2005 [EMAIL PROTECTED] wrote:

>
>   I've run in to a snag with dialupadmin 1.0.1. Our usernames have spaces.
> I did not see that as a limitation in the docs. The only place it 
> seems to be a problem is when administering group membership. A space 
> as well as a new line defines the username to be assigned. I'd like to 
> eliminate the space delimiter, but I just don't see how to do it. Can 
> someone please help me?

The attached change should do the trick then

>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Can't get rlm_sql to authorize, what's wrong with my query?

2005-03-08 Thread Matthew Schumacher
Can someone look at my query and tell me what is wrong?
---
db=> select id, username, attribute, value, op from radstart('username');
 id | username |    attribute    |  value   | op
----+----------+-----------------+----------+----
  1 | username | User-Password   | password | ==
  5 | username | Auth-Type       | Local    | :=
  6 | username | Session-Timeout | 600      | =
---
From what I am reading that should be everything I need to authorize a 
user, but I keep getting:

---
radius_xlat:  'select id, username, attribute, value, op from 
radstart('username')'
rlm_sql_postgresql: query: select id, username, attribute, value, op 
from radstart('username')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  ''
rlm_sql (sql): No matching entry in the database for request from user 
[username]
---

What specifically does FR need to authorize against a sql module?
Thanks,
schu


Re: FreeRadius logging lots of duplicates?

2005-03-08 Thread Scott Baker
That appears to have been exactly the problem. I did a quick:
touch /var/log/radwtmp
chown radiusd.radiusd /var/log/radwtmp
And now the unix module is returning OK, and it appears (according 
to the logs) that it's sending the account response packets that it 
wasn't before. Thanks!!

-
radius_xlat:  '/var/log/radacct/10.45.0.9/detail-20050308'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/radacct/10.45.0.9/detail-20050308
  modcall[accounting]: module "detail" returns ok for request 81
  modcall[accounting]: module "unix" returns ok for request 81
radius_xlat:  '/var/log/radutmp'
radius_xlat:  'black'
  modcall[accounting]: module "radutmp" returns ok for request 81
modcall: group accounting returns ok for request 81
Sending Accounting-Response of id 237 to 10.45.0.9:7015
Finished request 81

Alan DeKok wrote:
> Scott Baker <[EMAIL PROTECTED]> wrote:
> > errors. Maybe someone on the list can help me. The only thing I see
> > is that it's complaining about no NULL realm, and that the module
> > "unix" returns "fail" What should I be looking for?
>
>   That the server doesn't send an Accounting-Response to the client.
> This is because the "unix" module returns "fail".
>
>   The short answer is to delete "unix" from "accounting".
>
>   From looking at the source code to rlm_unix, this happens because it
> can't write to the "radwtmp" file.  It SHOULD be printing out a
> descriptive error message, though.
>
>   Alan DeKok.


--
Scott Baker
Canby Telephone - Network Administrator - RHCE
Ph: 503.266.8253


RE: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Seferovic Edvin
Hi,

probably you are using MS CHAP? Right? Well MS CHAP protocol asks for
User-Password attribute which cannot be found in your LDAP directory. You
probably have attribute called userPassword. This attribute may be encrypted
or in clear text. But what you actually need is sambaNTPassword attribute
that uses the MS encryption. So you have to "map" the attribute
User-Password to attribute sambaNTPassword. This can be done by editing the
ldap_attr.map in your freeradius directory. Take a look at that file and
you'll understand it.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of guest01
Sent: Tuesday, 08 March 2005 13:07
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_ldap - Attribute "User-Password" is required for
authentication

hm, ok, and that means?
Do you have any suggestions how to make it work?




Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
I think Steve is right ... This damned ppp-radius-plugin sends bad
packets to my radiusserver ... packets without the required
user-password ...
And so it must be this damned plugin ...

I tested a little bit with the windows radius test program and I sent
packets with and without user-password to my server ... packets with
password work fine, my radius server reacts with a correct
access-accept-packet. And without user-password, it's the same problem
again :-(

So I think I have to try another ppp version :-(

Anyway, thank you very much guys!




Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
Sébastien Cantos wrote:

>So maybe it's a NAS problem. Are you sure that the NAS is sending the
>userpassword in the request ? 
>
>  
>
hm, maybe, how can I test that?
I am currently trying some tests with the windowsxp radius test program
... But I am not
very optimistic




RE: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Sébastien Cantos
So maybe it's a NAS problem. Are you sure that the NAS is sending the
userpassword in the request ? 

--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of guest01
> Sent: Tuesday, 8 March 2005 16:16
> To: freeradius-users@lists.freeradius.org
> Subject: Re: rlm_ldap - Attribute "User-Password" is required
> for authentication
> 
> Sébastien Cantos wrote:
> 
> >>I had the same problem a few weeks ago. In fact the ldap wasn't returning
> >>the user-password so it wasn't working. Check with ldapsearch to make the
> >>query directly to the ldap as if you were the radius and I think that you
> >>will see that the userpassword is not returned.
> >
> Thxs for your help, but it still doesn't work  :-(
> 
> Ok, I store the passwords in cleartext (just base64encoded), ldapsearch
> works:
> 
>  ldapsearch -x -D "cn=Manager,dc=gibraltar,dc=local" -w secret
> "(&(objectclass=gibraltaruser)(uid=testuser))" userPassword
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (&(objectclass=gibraltaruser)(uid=testuser))
> # requesting: userPassword
> #
> 
> # testuser, users, gibraltar.local
> dn: uid=testuser,ou=users,dc=gibraltar,dc=local
> userPassword:: MTIzNDU2
> 
> # search result
> search: 2
> result: 0 Success
> 
> 
> >Make sure that the user/password in radiusd.conf for the user that will make
> >the search in the ldap is valid. I think that the radius is binding
> >anonymously on the ldap so it can read passwords. Another thing to note is
> >that you have to store passwords in clear text into the ldap.
> 
> >ldap {
> >server = "myserver.mydomain.com"
> >identity =
> >"cn=some_user_that_can_read_passwords_on_the_ldap"
> >password = "password_for_this_user"
> > 
> 
> hm, my LDAP is still in testing, therefore everyone is allowed
> everything... But I also tried it with the rootdn, but no difference.
> But I don't think that's the problem, because the authorization-part
> works fine, "user testuser authorized to use remote access",
> just that damned authentication part ...
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 69.25.27.173
> NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> users: Matched DEFAULT at 153
> users: Matched DEFAULT at 172
> users: Matched DEFAULT at 185
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
> rlm_ldap: performing search in
> uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter
> (objectclass=radiusprofile)
> rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
>   modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 55 to 127.0.0.1:1025
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 55 with timestamp 422dc076
> Nothing to do.  Sleeping until we see a request.
> 
> Any other ideas? How did you solve your problem?
> 
> 
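
The `userPassword:: MTIzNDU2` line in the ldapsearch output above uses LDIF's double colon, which marks a base64 transport encoding and not any protection of the value. The following added example (not part of the original thread) parses ldapsearch LDIF output and reports how each password is stored without echoing it; the function names are hypothetical, and the second entry in the sample is constructed.

```python
import base64
import re

# A stored hash normally starts with a scheme tag such as {SSHA} or {CRYPT}.
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")


def parse_ldif(text):
    """Return entries as dicts mapping attribute name -> list of byte values."""
    # LDIF folds long lines: a line starting with one space continues the
    # previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, entry = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in entry:             # drops the "search:/result:" trailer
                entries.append(entry)
            entry = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # "attr:: value" means base64
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        entry.setdefault(name, []).append(value)
    return entries


def classify_password(value):
    """Return the storage scheme name, or 'cleartext' if there is no hash tag."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"
    scheme = m.group(1).decode().upper()
    return "cleartext" if scheme in ("CLEAR", "CLEARTEXT") else scheme


def audit_passwords(ldif_text, attr="userPassword"):
    """Return (dn, storage) pairs; the password value itself is not returned."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0].decode()
        for value in entry.get(attr, []):
            findings.append((dn, classify_password(value)))
    return findings


# Constructed value: an {SSHA}-tagged string over 24 zero bytes, base64-encoded
# the way ldapsearch would print it.
_CONSTRUCTED_HASH = base64.b64encode(
    b"{SSHA}" + base64.b64encode(bytes(24))).decode()

# First entry is the one shown in the thread; "hasheduser" is constructed.
SAMPLE_LDIF = f"""\
# testuser, users, gibraltar.local
dn: uid=testuser,ou=users,dc=gibraltar,dc=local
userPassword:: MTIzNDU2

# hasheduser, users, gibraltar.local
dn: uid=hasheduser,ou=users,dc=gibraltar,dc=local
userPassword:: {_CONSTRUCTED_HASH}

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for dn, storage in audit_passwords(SAMPLE_LDIF):
        print(f"{storage:10} {dn}")
```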

Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
Hi

Thxs for your fast and informative answer ... Indeed, a very good argument!
So I think I have to try another ppp version ... A strange problem, damned
ppp radiusplugin!!
Why can't life be easier? ;-)

thxs
peda





Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
Sébastien Cantos wrote:

>>I had the same problem a few weeks ago. In fact the ldap wasn't returning
>>the user-password so it wasn't working. Check with ldapsearch to make the
>>query directly to the ldap as if you were the radius and I think that you
>>will see that the userpassword is not returned.  
>  
>
Thxs for your help, but it still doesn't work  :-(

Ok, I store the passwords in cleartext (just base64encoded), ldapsearch
works:

 ldapsearch -x -D "cn=Manager,dc=gibraltar,dc=local" -w secret
"(&(objectclass=gibraltaruser)(uid=testuser))" userPassword
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectclass=gibraltaruser)(uid=testuser))
# requesting: userPassword
#

# testuser, users, gibraltar.local
dn: uid=testuser,ou=users,dc=gibraltar,dc=local
userPassword:: MTIzNDU2

# search result
search: 2
result: 0 Success


>Make sure that the user/password in radiusd.conf for the user that will make
>the search in the ldap is valid. I think that the radius is binding
>anonymously on the ldap so it can read passwords. Another thing to note is
>that you have to store passwords in clear text into the ldap. 

>ldap {
>server = "myserver.mydomain.com"
>identity =
>"cn=some_user_that_can_read_passwords_on_the_ldap"
>password = "password_for_this_user"
>   

hm, my LDAP is still in testing, therefore everyone is allowed
everything... But I also tried it
with the rootdn, but no difference. But I don't think that's the problem,
because the
authorization-part works fine, "user testuser authorized to use remote
access",
just that damned authentication part ...

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
NAS-IP-Address = 69.25.27.173
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
users: Matched DEFAULT at 153
users: Matched DEFAULT at 172
users: Matched DEFAULT at 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: performing search in
uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter
(objectclass=radiusprofile)
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 55 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 422dc076
Nothing to do.  Sleeping until we see a request.

Any other ideas? How did you solve your problem?


regards
peda







Re: DialupAdmin and Usernames

2005-03-08 Thread Kostas Kalevras
On Mon, 7 Mar 2005 [EMAIL PROTECTED] wrote:
>   I've run into a snag with dialupadmin 1.0.1. Our usernames have spaces.
> I did not see that as a limitation in the docs. The only place it seems to
> be a problem is when administering group membership. A space as well as a
> new line defines the username to be assigned. I'd like to eliminate the
> space delimiter, but I just don't see how to do it. Can someone please help
> me?

The attached change should do the trick then
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' GandalfIndex: lib/sql/create_group.php3
===
RCS file: /source/radiusd/dialup_admin/lib/sql/create_group.php3,v
retrieving revision 1.12
diff -u -r1.12 create_group.php3
--- lib/sql/create_group.php3   27 Oct 2004 11:22:41 -  1.12
+++ lib/sql/create_group.php3   8 Mar 2005 15:14:20 -
@@ -15,7 +15,7 @@
 $op_val2 = '';
 $link = @da_sql_pconnect($config);
 if ($link){
-   $Members = preg_split("/[\n\s]+/",$members,-1,PREG_SPLIT_NO_EMPTY);
+   $Members = preg_split("/[\n]+/",$members,-1,PREG_SPLIT_NO_EMPTY);
if (!empty($Members)){
foreach ($Members as $member){
$member = da_sql_escape_string($member);
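Review bot: The new pattern on the changed preg_split line, "/[\n]+/", no longer consumes carriage returns, which the old \s class did. If $members arrives with \r\n line endings (as form textareas usually submit), each name keeps a trailing \r and is handed to da_sql_escape_string() that way, so the stored group member will not match the real username. Suggest splitting on "/[\r\n]+/" and calling trim() on $member inside the foreach before escaping; inner spaces are still preserved, which is the point of the change, while stray leading and trailing whitespace is dropped.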
Index: lib/sql/group_admin.php3
===
RCS file: /source/radiusd/dialup_admin/lib/sql/group_admin.php3,v
retrieving revision 1.6
diff -u -r1.6 group_admin.php3
--- lib/sql/group_admin.php318 Apr 2004 14:28:14 -  1.6
+++ lib/sql/group_admin.php38 Mar 2005 15:14:21 -
@@ -17,7 +17,7 @@
}
}
if ($new_members != ''){
-   $Members = 
preg_split("/[\n\s]+/",$new_members,-1,PREG_SPLIT_NO_EMPTY);
+   $Members = 
preg_split("/[\n]+/",$new_members,-1,PREG_SPLIT_NO_EMPTY);
if (!empty($Members)){
foreach ($Members as $new_member){
$new_member = da_sql_escape_string($new_member);
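Review bot: The $new_members split here has the same gap as the one in create_group.php3: "/[\n]+/" leaves any \r and edge whitespace attached to $new_member before da_sql_escape_string(). Since the identical expression now lives in two files, consider one shared helper (hypothetical name: da_split_members) that splits on "/[\r\n]+/" and trims each entry, so the two code paths cannot drift apart. Also note that the -/+ lines in this hunk are wrapped after "$Members =" as posted; if the attachment itself is wrapped that way the hunk will not apply, so it is worth checking that it is sent unwrapped.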


Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Stefan Winter
Hello,

you already got this reply earlier, but here goes...

> this is the logfile output after testing with radexample:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
> User-Name = "testuser"
> User-Password = "123456"
> Service-Type = Authenticate-Only
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0

This is a "good" Access-Request packet. It contains a User-Name and a 
User-Password. That way a RADIUS server can check if the user is valid, i.e. 
he compares the User-Password attribute for that user with the password he 
has stored internally. The outcome of this is a binary decision: either the 
user entered the correct password and may access the network or he entered a 
wrong one and may not.

> and this is the output after trying to connect via pptpd with winxp prof.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 66.150.161.140
> NAS-Port = 0

This is a "bad" Access-Request. _Please_ note that this packet does not 
contain the user's password; the User-Password attribute is just missing. 
Because of that, the server cannot determine whether this user may enter the 
network or not. There is absolutely nothing you can do about this _on the 
RADIUS server side_ (well, maybe except admitting blindly everybody without 
checking passwords). You will have to fix the pptpd so that it sends the 
User-Password to the RADIUS server so that the server has a chance of 
verifying the user's identity. And this is exactly the reason why you got the 
error message from the FR server:

> rlm_ldap: Attribute "User-Password" is required for authentication.

Note the word "required".

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473
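
The distinction drawn in the reply above, between an Access-Request that carries a credential attribute and one that does not, can be checked mechanically on `radiusd -X` output. The Python script below is an added example, not part of the original thread or of FreeRADIUS; its function names are hypothetical, and the sample log is trimmed from the two packets quoted in the thread.

```python
import re

# Request attributes that carry, or prove knowledge of, the user's credential.
CREDENTIAL_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MS-CHAP",
    "MS-CHAP2-Response": "MS-CHAPv2",
    "EAP-Message": "EAP",
}

RAD_RECV = re.compile(
    r"^rad_recv: (?P<code>\S+) packet from host (?P<host>\S+):(?P<port>\d+), "
    r"id=(?P<id>\d+), length=(?P<length>\d+)"
)
ATTR = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z0-9-]*) = (?P<value>.*)$")

# Sample input: the two packets from the thread, unwrapped, one per rad_recv line.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
        User-Name = "testuser"
        User-Password = "123456"
        Service-Type = Authenticate-Only
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "testuser"
        NAS-IP-Address = 66.150.161.140
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
"""


def parse_packets(log_text):
    """Return one dict per rad_recv packet with its attribute list.

    The attribute block ends at the first line that is not 'Name = value'.
    The User-Password value is dropped so the result is safe to share.
    """
    packets, current = [], None
    for line in log_text.splitlines():
        header = RAD_RECV.match(line)
        if header:
            current = {
                "code": header["code"],
                "host": header["host"],
                "id": int(header["id"]),
                "attrs": {},
            }
            packets.append(current)
            continue
        if current is None:
            continue
        attr = ATTR.match(line)
        if attr:
            value = attr["value"].strip()
            if attr["name"] == "User-Password":
                value = "<redacted>"
            current["attrs"][attr["name"]] = value
        else:
            current = None  # first non-attribute line closes the packet
    return packets


def triage(log_text):
    """Classify each Access-Request by the credential attributes it carries."""
    findings = []
    for packet in parse_packets(log_text):
        if packet["code"] != "Access-Request":
            continue
        methods = sorted(
            method
            for name, method in CREDENTIAL_ATTRS.items()
            if name in packet["attrs"]
        )
        findings.append({
            "id": packet["id"],
            "user": packet["attrs"].get("User-Name", "").strip('"'),
            "methods": methods,
            # An LDAP bind needs the cleartext User-Password (PAP).
            "ldap_bind_possible": "PAP" in methods,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        status = ", ".join(finding["methods"]) or "no credential attribute sent by the NAS"
        print(f"id={finding['id']} user={finding['user']}: {status}")
```

Run against a full debug log, a request that reports no method points at the NAS or client configuration rather than at the LDAP module.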



RE: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Sébastien Cantos
I had the same problem a few weeks ago. In fact the ldap wasn't returning
the user-password so it wasn't working. Check with ldapsearch to make the
query directly to the ldap as if you were the radius and I think that you
will see that the userpassword is not returned.  

> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with

Make sure that the user/password in radiusd.conf for the user that will make
the search in the ldap is valid. I think that the radius is binding
anonymously on the ldap so it can read passwords. Another thing to note is
that you have to store passwords in clear text into the ldap. 

ldap {
server = "myserver.mydomain.com"
identity =
"cn=some_user_that_can_read_passwords_on_the_ldap"
password = "password_for_this_user"


Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On behalf 
> of guest01
> Sent: Tuesday, 8 March 2005 15:44
> To: freeradius-users@lists.freeradius.org
> Subject: Re: rlm_ldap - Attribute "User-Password" is required 
> for authentication
> 
> hm, radius is very strange  Can anyone please help me?
> this is the logfile output after testing with radexample:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1025, 
> id=40, length=66
> User-Name = "testuser"
> User-Password = "123456"
> Service-Type = Authenticate-Only
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed 
> by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "123456"
> rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as 
> uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user testuser authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 40 to 127.0.0.1:1025
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 40 with timestamp 422db560
> Nothing to do.  Sleeping until we see a request.
> 
> and this is the output after trying to connect via pptpd with 
> winxp prof.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1025, 
> id=41, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 66.150.161.140
> NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 152
> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 183
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: 

Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
hm, radius is very strange  Can anyone please help me?
this is the logfile output after testing with radexample:

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
User-Name = "testuser"
User-Password = "123456"
Service-Type = Authenticate-Only
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "123456"
rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 40 to 127.0.0.1:1025
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 40 with timestamp 422db560
Nothing to do.  Sleeping until we see a request.

and this is the output after trying to connect via pptpd with winxp prof.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 41 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 

Re: FreeRadius logging lots of duplicates?

2005-03-08 Thread Kenneth Grady
Do you have logdir = syslog?

On Mon, 2005-03-07 at 15:12, Alan DeKok wrote:
> Scott Baker <[EMAIL PROTECTED]> wrote:
> > errors. Maybe someone on the list can help me. The only thing I see 
> > is that it's complaining about no NULL realm, and that the module 
> > "unix" returns "fail" What should I be looking for?
> 
>   That the server doesn't send an Accounting-Response to the client.
> This is because the "unix" module returns "fail".
> 
>   The short answer is to delete "unix" from "accounting".
> 
>   From looking at the source code to rlm_unix, this happens because it
> can't write to the "radwtmp" file.  It SHOULD be printing out a
> descriptive error message, though.
> 
>   Alan DeKok.
> 




eDirectory and FreeRadius HowTo version 0.

2005-03-08 Thread Dennis Comeaux
This is version 0 because well... my technical writing skills are a bit lacking.

Those of you trying to implement this, please feel free to give me a
shout via email.

This is a procedure that works with the following:

1. Red Hat Enterprise Server 3 (but this SHOULD work with any linux distro)
2. A replica is ON the Linux box (this still SHOULD work with replicas
on novell boxes)
3. Nterprise Services for Linux, not Open Enterprise Server, is
installed on the server.  Open Enterprise Server is really a SUSE
distro product.  This procedure MIGHT work with OES.

I've tried to include many of the gotcha's that I encountered.  

I would LOVE to have someone work with me on getting this turned into
a real HowTo because frankly using an eDirectory back end with
FreeRadius is an incredibly scalable way to take care of
authentication for really huge networks.

Here it is, version 0.01.  Oh, and those of you not familiar with
Linux should consider using CygWin to get an X windows session on your
PC while doing this.  It really saved me some trouble because I didn't
have to move the test box from the lab to my office.  Email me if you
want that procedure.



Version 0.01 of this document...

Listen, this really isn't as much of a document as it is a place to
start.  I realize it's not in the best of shape and that it's not the
easiest thing to read compared to some other mature HowTo's out there.

Anyone who wants to give this a shot, please try this procedure out
and let me know how it goes.

Dennis Comeaux [EMAIL PROTECTED]

That email address is valid until the spambots collect it.

This procedure has worked.

EDIRECTORY WITH FREERADIUS

Software you'll need:

1. ConsoleOne 1.36d.
2. freeradius 1.0.2.
3. Sun Java 1.5.0.01.
4. Novell's scrub utility for linux (removes netware, handy for when
disasters happen).
5. The imanager snap-in for imanager (available from forge.novell.com
- it's the only tar file for the FreeRadius project and it's a *.npm
file inside of the tar)

Documents that are helpful:

1. Novell's freeradius integration guide (radadmin.pdf)
2. Anything that will give you a good background on what 802.11x
authentication is all about.  I suggest googling for some information
before continuing.  One little typo and this document will not help.

Files that you will spend time editing:

1. /etc/raddb/radiusd.conf (the main radius configuration)
2. /etc/raddb/users (a list of users who can use radius)
3. /etc/raddb/clients.conf (a list of radius clients by  IP)
4. /etc/init.d (a directory of startup scripts)

Install FreeRadius 1.02

This step is relatively easy provided that the compiler on your Linux
box is functional.  As with many Linux apps, you first get the files,
then untar and unzip them, then you run a configure script, then make,
then make install.

1. Download freeradius-1.0.2.tar.gz to /usr/src.
2. Run tar -zxf /usr/src/freeradius-1.0.2.tar.gz
3. cd into /usr/src/freeradius-1.0.2.
4. Run ./configure --with-edir --localstatedir=/var --sysconfdir=/etc
5. Run make
6. Run make install

The --localstatedir and --sysconfdir options are worth looking into. 
I configured freeradius this way because it was how the last radius
box was configured.  You may not want to use these options.  See
INSTALL and ./configure --help for more information.  This document
assumes that you used the above switches.

Debugging freeradius can be done by stopping freeradius
(/etc/init.d/radiusd -stop) and then running /usr/sbin/radiusd -X in a
console window.  If you do not have a radiusd script in /etc/init.d,
then I suggest looking into the freeradius-1.0.2/ directory and editing and copying an appropriate script.

Install Java

This is fairly straightforward.  I have one caution though - do not
do an rpm -e jre if you are currently running X.  I have had my X
session lock up from uninstalling Java from within X.  Use your
favorite ssh or telnet client to remove JRE if you need to.

1. Download jre-1_5_0_01-linux-i586.rpm from sun.com and save it to /usr/src.
2. run rpm -i /usr/src/jre-1_5_0_01-linux-i586.rpm.
3. This is important for java applications (including console one) run:
export JRE_HOME=/usr/java/jre1.5.0_01
4. Make the environment variable JRE_HOME permanent by:
a. Creating a file in /etc/profiles.d named JAVA
b. run chmod +x /etc/profiles.d/JAVA
c. edit the JAVA file and put the command from #3 in the file.

The above commands and directories are for redhat, your flavor may
have different ideas about how to set environment variables.


Install the Red Carpet Daemon:

1. Download a version applicable to your distro.  I used
rcd-2.2.0-0.ximian.6.5.i386.rpm.  Save it to /usr/src.
2. run rpm -i /usr/src/rcd-2.2.0-0.ximian.6.5.i386.rpm.

You may need to use rpm -U to get this installed.

Install eDirectory

Note that you MUST NOT HAVE CONSOLEONE INSTALLED when you run the
eDirectory installation.  Having ConsoleOne installed has caused some
of my installs to han

Re: checkrad.pl & MT Routers

2005-03-08 Thread Chris Knipe
diff for checkrad.pl
--
Chris.
- Original Message - 
From: "Chris Knipe" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, March 08, 2005 3:55 PM
Subject: Re: checkrad.pl & MT Routers


I'll try and make a diff later on and send it through...
Newer MT's changed the commands for ppp active print...
checkrad.pl should be sending 'ppp active print without-paging detail', 
not 'ppp active print column name detail'.  The column parameter does not 
exist anymore.

--
Chris.

- Original Message - 
From: "Chris Knipe" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, March 08, 2005 3:43 PM
Subject: checkrad.pl & MT Routers


Lo all,
Something strange going on here (or I am forgetting something).
clients.conf:
client x.x.x.6 {
 secret= mysecret
 shortname = myshortname
 nastype   = mikrotik
}
Client is working, successfully authenticating and running accounting and 
no problems with it what so ever.

naspasswd
x.6 username password
checkrad:
/usr/local/sbin/checkrad mikrotik x.6 PortId UserName AcctSessionID
I have taken PortID, UserName, and AcctSessionID from the accounting data 
for a user currently logged into the system.

debug log:
Tue Mar  8 15:37:29 2005 checkrad mikrotik x.6 PortId UserName 
AcctSessionID
 Returning 0 (login ok)

HOWEVER,
1) The user is actually logged in at the time that I run this test... 
Thus, it should be a duplicate user
2) The checkrad script NEVER actually logs into the NAS (I think this is 
the problem) 

This, also is not a permissions / firewall issue... I can telnet into the 
NAS from the same location where I am testing checkrad from, with the 
same credentials as specified in naspasswd...

Would appreciate it if someone can possibly just give some pointers on 
what else to look out for...

--
Chris.




checkrad.diff
Description: Binary data


Re: checkrad.pl & MT Routers

2005-03-08 Thread Chris Knipe
I'll try and make a diff later on and send it through...
Newer MT's changed the commands for ppp active print...
checkrad.pl should be sending 'ppp active print without-paging detail', not 
'ppp active print column name detail'.  The column parameter does not exist 
anymore.

--
Chris.

- Original Message - 
From: "Chris Knipe" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, March 08, 2005 3:43 PM
Subject: checkrad.pl & MT Routers


Lo all,
Something strange going on here (or I am forgetting something).
clients.conf:
client x.x.x.6 {
 secret= mysecret
 shortname = myshortname
 nastype   = mikrotik
}
Client is working, successfully authenticating and running accounting and 
no problems with it what so ever.

naspasswd
x.6 username password
checkrad:
/usr/local/sbin/checkrad mikrotik x.6 PortId UserName AcctSessionID
I have taken PortID, UserName, and AcctSessionID from the accounting data 
for a user currently logged into the system.

debug log:
Tue Mar  8 15:37:29 2005 checkrad mikrotik x.6 PortId UserName 
AcctSessionID
 Returning 0 (login ok)

HOWEVER,
1) The user is actually logged in at the time that I run this test... Thus, 
it should be a duplicate user
2) The checkrad script NEVER actually logs into the NAS (I think this is 
the problem) 

This, also is not a permissions / firewall issue... I can telnet into the 
NAS from the same location where I am testing checkrad from, with the same 
credentials as specified in naspasswd...

Would appreciate it if someone can possibly just give some pointers on what 
else to look out for...

--
Chris.




Re: Cisco CLID AAA Preauth

2005-03-08 Thread Kostas Kalevras
On Tue, 8 Mar 2005, Thomas Boettge wrote:
> Hello,
> does anyone have some experience or could tell me if I can use freeradius for
> Cisco CLID AAA Preauthentication ?

Yes it can be used just fine. We've tested it in our installation (with 
callerids stored in ldap) and we'll be putting it in production in a short 
while.

Hope this helped

> Any information is welcome.
> Thanks,
> Thomas

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


checkrad.pl & MT Routers

2005-03-08 Thread Chris Knipe
Lo all,
Something strange going on here (or I am forgetting something).
clients.conf:
client x.x.x.6 {
 secret= mysecret
 shortname = myshortname
 nastype   = mikrotik
}
Client is working, successfully authenticating and running accounting and no 
problems with it what so ever.

naspasswd
x.6 username password
checkrad:
/usr/local/sbin/checkrad mikrotik x.6 PortId UserName AcctSessionID
I have taken PortID, UserName, and AcctSessionID from the accounting data 
for a user currently logged into the system.

debug log:
Tue Mar  8 15:37:29 2005 checkrad mikrotik x.6 PortId UserName AcctSessionID
 Returning 0 (login ok)
HOWEVER,
1) The user is actually logged in at the time that I run this test... Thus, 
it should be a duplicate user
2) The checkrad script NEVER actually logs into the NAS (I think this is the 
problem) 

This, also is not a permissions / firewall issue... I can telnet into the 
NAS from the same location where I am testing checkrad from, with the same 
credentials as specified in naspasswd...

Would appreciate it if someone can possibly just give some pointers on what 
else to look out for...

--
Chris.


Cisco CLID AAA Preauth

2005-03-08 Thread Thomas Boettge
Hello,

does anyone have some experience or could tell me if I can use freeradius for
Cisco CLID AAA Preauthentication ?

Any information is welcome.

Thanks,

Thomas





Re: dialupadmin

2005-03-08 Thread Kostas Kalevras
On Mon, 7 Mar 2005, Janakan Rajendran wrote:
> Hello,
> I couldn't find out any documentation on how to configure/run dialupadmin on
> free radius. Would appreciate any links or info on this.

You just need to take a look at the doc folder in dialupadmin

> Thank you,
> Regards,
> Janakan Rajendran
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Error: rlm_sql (sql)

2005-03-08 Thread Edgars
Can someone tell me how to fight with the following error?:
Error: rlm_sql (sql): failed after re-connect
Thank you!
Edgars


Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
hm, ok, and that means?
Do you have any suggestions how to make it work?




Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Michael Mitchell

guest01 wrote:
> Hi
> I have a problem with Radius-LDAP Authentication for PPTP, the log says:
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=61, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 69.25.27.170
> NAS-Port = 0

The Access-Accept packet is not sending a User-Password attribute - just 
as the message is telling you - thus LDAP cannot authenticate the user's 
password. ;-)



Re: ppp radius-plugin

2005-03-08 Thread guest01
Hi

I just upgraded to an actual unstable version, only for testing purposes ...
ppp (2.4.3-20041231+1) already has this module built in! With this
package, it works. But now I have authentication problems ...
It seems this is a never-ending story! ;-)





rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
Hi

I have a problem with Radius-LDAP Authentication for PPTP, the log says:

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=61, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
NAS-IP-Address = 69.25.27.170
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=testclass)(uid=testuser)(isVPNUser=TRUE))'
radius_xlat:  'ou=users,dc=test,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=testclass)(uid=testuser)(isVPNUser=TRUE))
rlm_ldap: Added password 123456 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

WTF does "Attribute "User-Password" is required for authentication" mean
in that case?
Radtest and radexample work, I get an Access-Accept-Packet when I try to
test with
these tools.
Has anyone an idea?

thxs
peda
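
An added example (not part of the original post and not FreeRADIUS code): a short Python check over a radiusd debug log like the one above. It reports when Auth-Type LDAP was selected for a request that listed no User-Password, and it masks the cleartext password that the "rlm_ldap: Added password" line exposes, so the log can be shared. The function names, the credential attribute list and the abridged sample log are assumptions made for this example.

```python
import re

# Constructed sample, abridged from the debug output quoted in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=61, length=54
Service-Type = Framed-User
User-Name = "testuser"
NAS-Port = 0
  Processing the authorize section of radiusd.conf
rlm_ldap: Added password 123456 in check items
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
"""

# Request attributes that carry a credential (assumed list for this example).
CREDENTIAL_ATTRS = {"User-Password", "CHAP-Password", "MS-CHAP-Response",
                    "MS-CHAP2-Response", "EAP-Message"}
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")
LEAK_RE = re.compile(r"(rlm_ldap: Added password )\S+( in check items)")

def parse_request(log):
    """Return the attributes listed under the first rad_recv: line."""
    attrs, in_packet = {}, False
    for line in log.splitlines():
        if line.startswith("rad_recv:"):
            in_packet = True
        elif in_packet:
            m = ATTR_RE.match(line)
            if not m:
                break  # first non-attribute line ends the packet dump
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def diagnose(log):
    """Compare the credentials in the request with the Auth-Type chosen."""
    attrs = parse_request(log)
    m = re.search(r"Found Auth-Type (\S+)", log)
    auth_type = m.group(1) if m else None
    findings = []
    if not CREDENTIAL_ATTRS & attrs.keys():
        findings.append("request carries no credential attribute")
    if auth_type == "LDAP" and "User-Password" not in attrs:
        findings.append("Auth-Type LDAP chosen but User-Password is absent")
    return auth_type, findings

def redact(log):
    """Mask the cleartext password that the rlm_ldap debug line prints."""
    return LEAK_RE.sub(r"\1<redacted>\2", log)
```

Calling diagnose(SAMPLE_LOG) returns the selected Auth-Type with both findings, and redact(SAMPLE_LOG) returns the same log with the password masked.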




Re: ppp radius-plugin

2005-03-08 Thread Scott Edwards
On Tue, 08 Mar 2005 08:23:44 +0100, guest01 <[EMAIL PROTECTED]> wrote:
> Hi
> 
> I want to use radius authentication for pptp. Therefore I need the
> radius.so-plugin, which isn't included
> in the Debian default installation of ppp 2.4.2b3. So I compiled it
> manually (thank god there was
> a makefile) and copied it to the right path. (/usr/lib/pppd/2.4.2b3/).
> Everything worked fine.
> Then I added "plugin radius.so" to pptp-options, started the pptp-server
> and tried to connect but
> I get the following error:
> 
> /usr/sbin/pppd: /usr/lib/pppd/2.4.2b3/radius.so: undefined symbol:
> chap_auth_hook
> /usr/sbin/pppd: Couldn't load plugin radius.so
> 
> I installed pppd as a binary packet and compiled the right version of
> the radius-plugin.
> Has anyone an idea or solution?
> 
> thxs
> best regards
> peda
> 

I think a better question would be how to build a Debian package of
your own that supports this.  I took a stab at it, but I'm stuck
shortly after:

apt-get source ppp

As a dry run, I did dpkg-buildpackage -d -uc -us -nc, but it fails on
missing deps (not the least bit surprised on this box), but I did find
plenty of references for radius by:

grep -ril radius ./

from that deb-src directory...

I'll keep an eye on this thread, hopefully we'll both learn something.
 BTW, I've had good luck with most packages before by apt-get source,
and tweaking the rules and control files to trim the fat, or add
features I need.  There's still room for improvement myself, but I
hope that helps.

Thank you,


Scott Edwards
-- 
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us



Acct-Status-Type and Exec-Program-Wait

2005-03-08 Thread Abdul Lateef
HI,

I am using a MySQL db for accounting and authentication.

I want to run one perl script when the Accounting will
be STOP, to calculate time and rate.

But I don't know where I should put Exec-Program-Wait to
run my script.

I have already run one script to return the
h323-credit-time value from the radreply table
and it is working very well.

I will be really thankful if anyone can tell me where I
should put it. I tried to use the acct_users file but the
file is not executed, because I am using the
db?

Here is the acct_users file format which I tested:

DEFAULT Acct-Status-Type == Stop
	Exec-Program-Wait = "../etc/update.pl %{User-Name} %{Acct-Session-Time}"

Thank You



